
Recommended methods for safety analysis

The American Petroleum Institute (API) has developed RP 14C,[1] a safety-analysis approach based on a number of traditional hazards-analysis techniques such as failure-mode-effects analysis (FMEA) and hazard-and-operability studies (HAZOPS). The purpose of a safety analysis is to identify undesirable events that might pose a threat to safety and define reliable protection measures that will prevent such events or minimize their effects should they occur. Potential threats to safety are identified through proven hazards-analysis techniques that have been adapted to hydrocarbon-production processes. Recommended protective measures are common industry practices proved through many years of operating experience. The hazards analysis and protective measures have been combined into a "safety analysis" for onshore and offshore production facilities.

The RP 14C[1] safety analysis is based on the following premises.

  • Process components function in the same manner regardless of specific facility design.
  • Each process component is analyzed for "worst case" input and output conditions.
  • If a component is fully protected when analyzed standing alone, that analysis remains valid for the component in any configuration.
  • If every component is protected, the system will be protected.
  • When components are assembled into a system, some devices can be eliminated.

The major benefits of this analysis are:

  • Concise, easy-to-audit documentation
  • Minimized subjective decisions
  • Consistent results

This page explains the basic concepts of protection used in the analysis, discusses the methods of analyzing the process, and establishes design criteria for an integrated safety system. The entire production process is covered, and a step-by-step summary for performing a safety analysis is provided.

Process variables

There are four main process variables in upstream production facilities:

  • Pressure
  • Liquid level
  • Temperature
  • Flow

A variable fluctuates between a lower and an upper extreme value. For example, the liquid level within a vessel can fluctuate from the bottom of the vessel (empty) to the top (full). Process variables allow movement of the fluids through the process components while simultaneously achieving the degree of separation required for sales or water disposal.

Process components

A process component is any piece of equipment that handles hydrocarbons. Identifying all the components that handle hydrocarbons in a production facility would be overwhelming. Instead of listing components by their common name, RP 14C[1] lists components by their functions, thus decreasing the number of names from hundreds to only ten. Regardless of what a piece of equipment is called, it can be described as one of the following ten process components:

  • Wellheads and flowlines
  • Wellhead injection lines
  • Headers
  • Pressure vessels
  • Atmospheric vessels
  • Fired and exhaust-heated components
  • Pumps
  • Compressors
  • Pipeline
  • Shell-and-tube heat exchangers

Normal operating ranges

Whenever hydrocarbons are present in a process component, each of the four main process variables takes on some value. Values at which the variables can be found when things are going smoothly are called normal values. For example, the pressure on a flowline will fluctuate from reading to reading within a specified period of time (e.g., for a 1-hour period the readings may be 950 psi at 1300 hours, 1,010 psi at 1340 hours, and 979 psi at 1400 hours). As long as flow is occurring, the liquid level within a process component will be changing. For example, in a separator’s oil bucket, the level will steadily rise until the dump valve opens and drains some of the oil, at which time the liquid level falls until the dump valve closes. Within each process component, each variable therefore has a normal operating range instead of a single normal value.

One of the cornerstones of facility protection lies in protecting each component against certain undesirable events that are closely related to the four main process variables. For example, if the pressure within a component were to become too high, a component could rupture; a pressure too low within a component could indicate a leak. A liquid level within a component that is too high or too low could cause problems as well as indicate equipment failure.

Production operators establish normal operating ranges. The principal concern with the four main process variables is that their sensing devices, which respond to conditions outside normal ranges, have enough time to respond before problems occur. For example, the normal range for a separator’s liquid level can be wherever the operator wants it, provided that the level safety high (LSH) can shut off inflow before liquid overflow occurs and that the level safety low can respond before the level has completely disappeared and allows gas to flow out of the liquid outlet (gas blowby). The normal operating range for a component’s pressure can be established by attaching a pressure recorder to the component and recording the pressure variations over time.

Maintaining normal operating ranges requires normal process flow. When the four main process variables are kept within their normal ranges, process flow is occurring. Process flow is maintained by

  • Chokes
  • Regulators
  • Controllers
  • Influence of the main process variables on each other

Normal operating ranges are maintained by the same things.

Abnormal operating conditions

On average, process variables are found within their normal operating ranges, but horns do go off and shut-ins do occur. When the chokes and controllers that normally keep the process variables in their normal ranges fail to function properly, the process variable being controlled can move outside its normal operating limits. Whenever a process variable exceeds its normal range, it is said to be in an abnormal condition. For example, in a component with a normal operating range of 800 to 900 psig, a pressure greater than 900 psig or less than 800 psig is an abnormal condition. A liquid level above or below the points at which the dump valve opens or closes is an abnormal condition.

What is the significance of an abnormal condition? In reality, when the normal operating range is exceeded by only a small amount, it makes very little difference to the operation of the facility. However, the point is that if a variable exceeds its normal operating range at all, it could continue to escalate with potentially disastrous results. Operators are concerned mainly about the consequences that might result if abnormal conditions become extreme.


Several consequences can result from abnormal operating conditions. At best, there will be only a horn and a shut-in. The most serious consequences are:

  • Injury to personnel
  • Pollution
  • Loss of company assets

Abnormal conditions do not always develop into a serious consequence, but it could happen. According to RP 14C,[1] serious consequences usually are preceded by some abnormal condition. Abnormal conditions that are not dealt with quickly can escalate into worst-case scenarios.


The major causes of abnormal conditions are equipment failure or malfunction and human error. Examples of equipment failure or malfunction are chokes that become enlarged through contact with excessive sand in the flow stream, dump valves that hang open or stay closed, and regulators or controllers that change adjustment because of vibration. Human error can occur if an operator repairing a dump valve does not want to shut in to finish the job and uses the dump valve’s bypass line. If the operator fails to monitor the liquid level properly while the bypass valve is open, the liquid level in the component could get too high or too low. Human error also can occur if the operator monitored the level accurately but forgot to check to see if the newly repaired dump valve was operating properly.


The actual causes of abnormal conditions are varied and numerous. RP 14C[1] provides an analysis technique to identify potential abnormal conditions and prevent them from occurring.

Effects of hydrocarbon releases

Abnormal operating conditions could result in injury to personnel, pollution, and loss of assets. Whenever any of these worst-case consequences is at its most serious, the release of hydrocarbons is usually involved. While pollution of any type is undesirable, hydrocarbon pollution is the most serious. The May 1989 Exxon Valdez incident is a prime example of the attention drawn to and the expenses involved with hydrocarbon pollution in navigable waterways. Injury to personnel on a major scale also usually involves the release of hydrocarbons. Hydrocarbon releases alone are often sufficient to cause injury to personnel (e.g., whenever H2S is involved). Worst of all is a fire caused by or fed by hydrocarbon releases. An explosion or fire can cause extensive damage to equipment and personnel, which can result in extensive injury, pollution, and facility damage. Offshore platforms have melted to the water line because of released hydrocarbons, as occurred in the Piper Alpha incident in the North Sea in the summer of 1988. Onshore facilities have been completely leveled to the ground because of released hydrocarbons, as occurred in the Phillips incident in Pasadena, Texas, in 1988.

Safety devices

Safety devices offer a solution for hydrocarbon releases. Specific devices have been developed to protect production facilities. As these devices became more common, industry standards were established, such as:

  • Names
  • Symbols and identification
  • Installation locations

RP 14C Sec. 2[1] summarizes surface-production-facility-related standards.


Before installing a specific safety device, a standard way of referring to it is needed. RP 14C presents two groups of safety devices: "common" (i.e., typical oilfield) names such as check valve or pop-off valve and "proper" names from the Instrument Soc. of America (ISA), such as flow safety valve or pressure safety valve (PSV). With few exceptions, every ISA name includes the measured or initiating variable as the first part of the name and the word safety as the second part of the name. The third and usually final part of the name refers to either the device itself (i.e., valve or element) or to the type of function the device performs (i.e., high or low).

ISA device names usually are abbreviated with the first letter of each part of the name. If a single component has two or more of the same kind of device on it, each device is differentiated from the others by adding a number or letter after the device’s letters (LSH1 and LSH2, for example). The same convention is used for all safety devices.
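The naming convention above can be checked mechanically. The following added example (not part of the PetroWiki page or of RP 14C) parses abbreviated ISA safety-device names into their three parts plus the optional distinguishing suffix, expands them back to the proper name, and flags same-kind devices on one component that lack a distinguishing suffix. The letter tables are limited to the variables and device types named on this page.

```python
from __future__ import annotations
import re

# First letter: the measured or initiating variable. Second letter is always S
# for "safety". Third letter: the device itself (valve, element) or the function
# it performs (high, low). An optional trailing digit or letter tells apart
# several devices of the same kind on one component (LSH1, LSH2).
VARIABLES = {"P": "pressure", "L": "level", "T": "temperature", "F": "flow"}
THIRD_PART = {"H": "high", "L": "low", "V": "valve", "E": "element"}
TAG_RE = re.compile(r"([PLTF])S([HLVE])([0-9A-Z]?)")


def parse_isa_tag(tag: str) -> dict[str, str | None]:
    """Split an abbreviated ISA safety-device name into its parts; raise on anything else."""
    m = TAG_RE.fullmatch(tag.strip().upper())
    if m is None:
        raise ValueError(f"not a recognised ISA safety-device name: {tag!r}")
    var, third, suffix = m.groups()
    return {"variable": VARIABLES[var], "safety": "safety",
            "kind": THIRD_PART[third], "suffix": suffix or None}


def describe(tag: str) -> str:
    """Expand a tag back to its proper ISA name, e.g. LSH2 -> 'level safety high 2'."""
    p = parse_isa_tag(tag)
    words = f"{p['variable']} safety {p['kind']}"
    return f"{words} {p['suffix']}" if p["suffix"] else words


def unnumbered_duplicates(component_tags: list[str]) -> list[str]:
    """On one component, devices of the same kind must carry distinguishing suffixes.
    Return the base names (e.g. 'LSH') that appear more than once without one."""
    seen: dict[str, int] = {}
    for tag in component_tags:
        if parse_isa_tag(tag)["suffix"] is None:
            base = tag.strip().upper()
            seen[base] = seen.get(base, 0) + 1
    return sorted(base for base, n in seen.items() if n > 1)


if __name__ == "__main__":
    # Constructed tag list for one separator: two LSHs without suffixes is a naming error.
    for tag in ["PSH", "PSV", "LSH1", "LSH2", "TSE", "FSV"]:
        print(tag, "->", describe(tag))
    print("duplicates lacking a suffix:", unnumbered_duplicates(["LSH", "LSH", "LSL"]))
```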


Process flow diagrams must show safety devices. A graphic symbol represents each safety device. These symbols save space on the diagram and make the appearance neater. API RP 14C[1] contains standardized symbols used in hydrocarbon-facility diagrams.

Production process safety systems

Production-process safety systems provide a more extensive level of protection than an individual device. They include end devices and auxiliary devices, which are important not only to the system itself but also to the safety of the facility. A brief overview of these systems follows.

Surface safety system (SSS)

The SSS consists mostly, but not exclusively, of sensing-type individual safety devices. Devices respond to one of the four major variables. The main purpose of the SSS is to prevent the initial release of hydrocarbons and to shut in additional flow of the hydrocarbons already released. The SSS consists of three major components: sensing devices, relay devices, and end devices. Some devices both sense and respond as an end device (check valves, relief valves, etc.).

The SSS incorporates various sensing devices. When an abnormal condition is detected, the sensing device sends a signal to an end device. The end device diverts or shuts off flow, sounds an alarm, or takes some other corrective action. For example, if a component’s dump valve freezes in the closed position, the liquid level within the component will rise. When it rises high enough, the component’s LSH will sense the high level and send a signal that shuts in the wells flowing into the component. The same signal usually will also sound an alarm to notify facility personnel of the shut-in.

Emergency support system (ESS)

The ESS consists of seven major subsystems, all of which help protect the facility and environment. The main purpose of ESSs is to shut in additional flow and minimize the effects of hydrocarbons that have already been released. The API realizes that hydrocarbon releases ideally would be prevented through the use of sensing devices (i.e., the SSS), but the API also knows that there will be times in which hydrocarbons are released in spite of the SSS. To address this problem, the API mandates a backup means of protecting the facility. The ESS is a major part of those backup efforts. The seven subsystems that make up the ESS are an emergency-shutdown (ESD) system, a fire-detection system, a combustible-gas detection system, adequate ventilation, a liquid containment system, sumps, and subsurface safety valves.

Other support systems

Two additional systems are required to make a facility as safe as possible. They are:

  • Pneumatic supply system
  • System for discharging gas to the atmosphere (blowdown/vent)

The pneumatic supply system provides the power to operate most of the other systems. The blowdown/vent system provides a means for directing unwanted gas away from the facility while capturing as many liquid hydrocarbons as possible and thereby reducing pollution levels.

Ignition prevention measures

Ignition-prevention measures are designed to prevent released hydrocarbons from being ignited, thereby minimizing the effects of released hydrocarbons. They accomplish this task through four approaches: ventilation, compliance with all applicable electrical codes, locating equipment in areas where exposure to inadvertently released hydrocarbons is minimized, and hot surface protection. Refer to RP 14C, paragraph 4.2.4,[1] for more information about these measures.

Undesirable events

Abnormal operating conditions can lead to one or more undesirable events that, in turn, could lead to injury to personnel, pollution of the environment, and damage to the facility or its equipment. Safety devices and safety systems are added to prevent undesirable events and they provide the last chance to prevent worst-case consequences from occurring. At each stage, action can be taken to keep the main process variables from resulting in worst-case consequences. Chokes and controllers keep the variables within their normal ranges. Once the variables exceed their normal ranges, safety devices respond to keep the variables from getting further out of range. If the undesirable-event stage is reached, there are still ways of preventing or lessening the chance of the occurrence of worst-case consequences (e.g., ESS). Even though they occur less frequently than either normal or abnormal conditions, undesirable events are much more likely to lead to worst-case consequences than either of the other two conditions.

Eight undesirable events were identified by looking at all the possible ways injury, pollution, and loss of company assets could occur. The process was similar to that used to identify the ten process components. Each of the eight undesirable events was examined further to determine the most common causes of the undesirable event, the effects of the undesirable event, detectable abnormal conditions that usually precede the undesirable event, the most effective primary and secondary protective devices that could prevent the undesirable event, and the optimal location for the placement of the required safety device.

By studying each of these undesirable events, information can be gained to make a facility safe. For example, by knowing the possible causes of a particular undesirable event, those possible causes can be monitored and often corrected before they develop into an undesirable event. Knowing about the possible effects of each undesirable event allows for a more rapid or more appropriate response to the undesirable event. Information about the detectable abnormal condition provides a tool for better monitoring and provides information about which types of safety devices can be used to warn of an impending undesirable event. Primary and secondary protection information assists in determining which safety devices are best for that particular undesirable event. Location data provide information on where the safety devices must be positioned for the most effective protection.

RP 14C[1] does an excellent job of describing this information. It starts by defining an undesirable event as "an adverse occurrence in a process component which poses a threat to safety." There can be many different types of "threat(s) to safety." These can range from minor to catastrophic. API defines undesirable events with catastrophic threats in mind.

The eight undesirable events identified by RP 14C[1] are overpressure, leak, liquid overflow, gas blowby, underpressure, excess temperature (fire and exhaust-heated components), direct ignition source, and excess combustible vapors in the firing chamber (fired components). The following issues are key points about undesirable events.

  • Worst-case threats to safety originating in process components are usually preceded by one or more of the eight undesirable events.
  • Each undesirable event has a cause that is usually, but not always, preceded by an abnormal condition. The abnormal condition, in turn, is usually detectable.
  • Primary protection must be provided to either prevent the undesirable event from occurring or to minimize the effects of the undesirable event once it occurs.
  • Secondary protection must be provided as a backup to the primary protection. Primary and secondary refer to levels of protection. While these levels are frequently provided by individual devices [e.g., pressure safety high (PSH)/pressure safety low, LSH/level safety low, PSV, etc.], levels of protection also can be provided by other means. For example, the secondary level of protection required for a leak in a pressure vessel is the ESS (and not individual devices).
  • Undesirable events do not always cause injury, pollution, or damage, but they always have the potential to do so. To design a protection system to prevent or minimize injury, pollution, or damage, prevention efforts must be based on the assumption that undesirable events will cause these things.

Safety analysis

Every process component can be grouped under one of the 10 process components listed in RP 14C,[1] and process-related causes of injury, pollution, and damage can be grouped under one of the eight undesirable events. A safety analysis ties these two things together and is a tool for ensuring that a facility is protected fully. A safety analysis examines every process component on the facility to determine which undesirable events could be associated with each component, which safety devices are required for the protection of the component, and what responses the safety devices must make to ensure adequate protection. The three main components of a safety analysis are safety-analysis tables (SATs), safety-analysis checklists (SACs), and safety-analysis function evaluation (SAFE) charts.

Safety analysis tables

SATs examine each process component as if it were standing alone. A SAT considers each undesirable event that could possibly affect the component and then, for each undesirable event, lists the associated causes, the detectable abnormal conditions, and the required locations for installing the protection devices. By examining each component as if it were standing alone, an adequate degree of protection can be determined for each particular component. When this is done for every component on the facility, the entire facility will be adequately protected. Verifying that each and every component is protected without considering other components ensures the greatest degree of consistent protection.

Safety analysis checklists

There are times when the safety devices called for in SATs are not needed because engineering controls eliminate the need for a particular device. For example, the SAT calls for a PSV to protect a wellhead flowline from overpressure. However, if the maximum allowable working pressure (MAWP) of the flowline and associated equipment is greater than the maximum shut-in tubing pressure of the well, the component is already protected and the device is not needed.

A SAT-required safety device may also no longer be required if the same degree of protection is provided by another device located elsewhere. For example, if a PSV has been installed on an upstream flowline segment and that upstream PSV provides an adequate degree of protection for the downstream flowline segment and its equipment, then a second PSV located on the downstream flowline segment is redundant.

SACs provide a guideline for eliminating redundant devices while maintaining the required level of protection. If it were not possible to eliminate redundant devices, production facilities would contain many more devices without gaining any additional protection. The time and expense of purchasing, installing, and maintaining redundant devices would be significant and unnecessary. It is important to realize that when a device can be eliminated, the device is eliminated and not the required level of protection. Two levels of protection will always be required. The SAC ensures that both levels of protection are maintained, with as few individual devices as possible. API RP 14C[1] shows an example of an SAT and an SAC for a flowline segment.

Safety analysis function evaluation charts

SATs indicate which devices are needed on each component, and SACs determine which devices may be eliminated and what conditions must be met when eliminating the device. Neither SATs nor SACs indicate what the devices do or how the devices on one component relate to the devices on another component. SAFE charts are used to evaluate the function of each safety device and to document precisely what each safety device does. For example, the SAFE chart not only shows that a flowline PSH shuts off inflow, it indicates how it shuts off inflow (e.g., through the closing of a particular well’s surface safety valve).

SAFE charts also indicate everything else that happens when a PSH trips. SAFE charts provide a mechanism for considering every component in the facility and then, for each component, to fully account for each required safety device. SAFE charts are used to ensure that the facility is as fully protected as it should be and also can be used as a troubleshooting tool. For example, if a particular shut-down valve (SDV) keeps closing and nothing is out of range when investigated, the SAFE chart could be consulted to determine which specific devices cause the SDV to close. Each device then could be checked to determine which one is responsible for the SDV closures.

Conducting a safety analysis

The following steps comprise the process for conducting a production-facility safety analysis.

  • Obtain an accurate process flow schematic (i.e., one that shows every process component as well as relevant operating parameters). Once the flow schematic is located, it is necessary to verify its accuracy because changes may have been made to the facility over a period of years that were not noted on the schematic. Verification involves walking around the facility to make sure that every process component located in the facility is pictured on the schematic. It also involves making sure that the flow schematic does not depict components that are no longer a part of the process facility and that maximum operating or working pressures are accurate. Failure to take this step jeopardizes the accuracy of both the flow schematic and the SAFE chart.
  • Refer to each process component and the SATs to determine all required safety devices for each process component within the facility. Begin by referring to RP 14C, Appendix A-1 through A-10.[1] Consult the SAT for each process component shown on the corrected flow schematic. Make sure each safety device called for in each component’s section is shown on the schematic. Follow the example found in RP 14C, Appendix E; that is, use "balloons" and ISA names for each device. Before consulting the SAT for a particular component, it is important to first read everything written about that component in RP 14C.
  • Once each process component has been protected with the devices required by RP 14C,[1] consult the SACs in RP 14C to determine which, if any, devices provide redundant protection for each component. For each redundant device, make that device’s solid-line balloon, which represents an installed safety device, into a dotted-line balloon, which represents an eliminated safety device. Remember, there will be adequate protection if there is an SAC reference number that applies to the situation. Look carefully at the descriptions following each SAC reference number, and determine if all the required conditions are met. If all the conditions are met, that particular device may be eliminated or the device may be left on the component. Remember, SACs allow for the elimination of redundant devices but do not require that they be eliminated. For those devices that will be eliminated, revise the schematic by replacing the solid-line balloon with a dotted-line balloon. See RP 14C, Appendix E.[1]
  • Complete a SAFE chart for the facility; that is, fill out a blank SAFE chart with every component, safety device, and responding end device within the facility. Mark the SAFE chart to indicate the action taken by each safety device. In reality, completing a fresh, blank SAFE chart will seldom be required unless the initial safety analysis on a facility is being developed. Most often, an existing chart will be revised; however, knowing how to complete a fresh chart from scratch will make the job of revising an existing SAFE chart easier. Familiarity with SAFE charts enables them to be used to troubleshoot the facility.

The ability to complete a SAFE chart requires an understanding of how SAFE charts are arranged. SAFE charts are designed to be read horizontally and vertically. When read horizontally, the information pertains to all the process components within a facility plus their safety devices. When read vertically, the information pertains not only to the end devices affected by each safety device, but to their function as well (e.g., shut in well, minimize backflow, etc.). API RP 14C shows a typical SAFE chart.[1]
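The SAT, SAC and SAFE-chart steps described in this section and in the preceding "Safety analysis" sections can be modelled as a small data pipeline. The following added example (not from PetroWiki or RP 14C) does that for two flowline segments in series: step 2 installs the devices a SAT calls for, step 3 applies two SAC conditions taken from this page's own examples (MAWP greater than maximum shut-in tubing pressure; an adequate upstream PSV), and step 4 builds a SAFE chart that can then be read vertically to answer the troubleshooting question of which devices close a given end device. The SAT subset, the end-device actions, the PSV set pressures and all pressures are constructed for illustration; "adequate" upstream protection is assumed to mean the upstream PSV set pressure does not exceed the downstream MAWP.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed SAT subset for the "wellheads and flowlines" component:
# undesirable event -> (primary protection, secondary protection).
# "ESS" means the secondary level is provided by the emergency support
# system rather than by an individual device (as this page notes for leaks).
SAT_FLOWLINE = {
    "overpressure": ("PSH", "PSV"),
    "leak": ("PSL", "ESS"),
}

# Constructed end-device actions used to fill in the SAFE chart. A PSV is
# self-acting: it senses and responds, so its "end device" is itself.
END_DEVICE_ACTIONS = {
    "PSH": [("SSV-1", "shut in well"), ("HORN", "alarm")],
    "PSL": [("SSV-1", "shut in well"), ("HORN", "alarm")],
    "PSV": [("PSV", "relieve pressure")],
}


@dataclass
class Segment:
    """One flowline segment: a solid-line balloon per installed device and a
    dotted-line balloon (with the SAC condition that justified it) per eliminated one."""
    name: str
    mawp: float                          # maximum allowable working pressure, psig
    upstream: Segment | None = None
    installed: dict[str, str] = field(default_factory=dict)
    eliminated: dict[str, str] = field(default_factory=dict)


def apply_sat(seg: Segment) -> None:
    """Step 2: give the segment every device its SAT calls for."""
    for event, (primary, secondary) in SAT_FLOWLINE.items():
        seg.installed[primary] = f"primary protection against {event}"
        if secondary != "ESS":
            seg.installed[secondary] = f"secondary protection against {event}"


def apply_sac(seg: Segment, max_sitp: float, psv_set: dict[str, float]) -> None:
    """Step 3: turn the PSV balloon dotted when a SAC condition is met.
    Two constructed conditions, both modelled on this page's examples:
      (a) the segment MAWP exceeds the well's maximum shut-in tubing pressure;
      (b) an upstream segment keeps a PSV whose set pressure (psv_set[name],
          an assumed parameter) does not exceed this segment's MAWP.
    The PSH (primary protection) is never eliminated here: two levels remain."""
    if "PSV" not in seg.installed:
        return
    up = seg.upstream
    if seg.mawp > max_sitp:
        why = f"MAWP {seg.mawp:g} psig > max SITP {max_sitp:g} psig"
    elif up and "PSV" in up.installed and psv_set.get(up.name, float("inf")) <= seg.mawp:
        why = f"{up.name} PSV set at {psv_set[up.name]:g} psig protects this segment"
    else:
        return
    seg.installed.pop("PSV")
    seg.eliminated["PSV"] = why


def build_safe_chart(segments: list[Segment]) -> dict[tuple[str, str], list[tuple[str, str]]]:
    """Step 4: rows (component, sensing device) -> end devices and their function.
    Only installed devices appear; eliminated ones stay documented on the segment."""
    return {(seg.name, dev): END_DEVICE_ACTIONS[dev]
            for seg in segments for dev in sorted(seg.installed)}


def devices_that_trip(chart, end_device: str) -> list[str]:
    """Read the chart vertically: which sensing devices act on this end device?
    This is the troubleshooting question asked when an SDV keeps closing."""
    return sorted(f"{comp} {dev}" for (comp, dev), acts in chart.items()
                  if any(ed == end_device for ed, _ in acts))


def run_example():
    """Two flowline segments in series on one well (constructed figures)."""
    fl1 = Segment("FL-1", mawp=1440.0)
    fl2 = Segment("FL-2", mawp=1440.0, upstream=fl1)
    for seg in (fl1, fl2):
        apply_sat(seg)
    # The well can shut in at 1,800 psig, so FL-1 keeps its PSV; it is set at 1,400 psig.
    apply_sac(fl1, max_sitp=1800.0, psv_set={})
    apply_sac(fl2, max_sitp=1800.0, psv_set={"FL-1": 1400.0})
    return fl1, fl2, build_safe_chart([fl1, fl2])


if __name__ == "__main__":
    fl1, fl2, chart = run_example()
    for seg in (fl1, fl2):
        print(seg.name, "installed:", sorted(seg.installed), "eliminated:", seg.eliminated)
    print("SSV-1 is closed by:", devices_that_trip(chart, "SSV-1"))
```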


References

  1. API RP 14C, Analysis, Design, Installation and Testing of Basic Surface Safety Systems for Offshore Production Platforms, 1998. Washington, DC: API.

External links

API Standards

See also

Safety systems

Relief valves and relief systems

Flare and vent disposal systems