Safety systems


Production facilities usually operate according to design. Oil and gas travel from the reservoir to the surface facilities where they are separated, cleaned, measured, and sent through a pipeline to the end user. During most of this process, everything operates according to plan. Occasionally, problems occur:

  • Things break
  • Malfunctions happen
  • Settings change
  • Horns go off
  • Shut-ins take place

Such problems usually can be solved quickly and easily without negative consequences. Unfortunately, some problems have the potential for serious consequences such as injury to personnel, pollution of the environment, and loss of company assets. Understanding, preventing, or minimizing potential negative consequences requires a fundamental understanding of basic protection concepts and safety analysis.

This page summarizes the basic protection concepts required for the safe design and operation of a production facility. It begins by developing a hazard tree for a generic production facility, then illustrates how hazards analysis can be used to identify, evaluate, and mitigate process hazards, and reviews the safety-analysis technique presented in the American Petroleum Institute's (API's) Recommended Practice (RP) 14C.[1]

Basic protection concepts

Most threats to safety from production involve the release of hydrocarbons; therefore, the analysis and design of a production-facility safety system should focus on preventing such releases, stopping the flow of hydrocarbons to a leak if it occurs, and minimizing the effects of hydrocarbons should they be released.


Prevent releases

Ideally, hydrocarbon releases should never occur. Every process component is therefore protected with two independent levels of protection, primary and secondary, so that if the primary level fails to function properly, the secondary level is still available to prevent the release.

Shut in

If hydrocarbon releases occur (and, in spite of our best efforts, they sometimes do), inflow to the release site must be shut off as soon as possible. The problem should not be exacerbated with the continued release of additional hydrocarbons. Protective shut-in action is achieved by both the surface safety system (SSS) and the emergency support system (ESS). Shut-in systems are discussed in more detail in Recommended methods for safety analysis.


Minimize effects

When hydrocarbons are released, their effects should be minimized as much as possible. This is accomplished through ignition-prevention measures and emergency support systems (ESSs), such as the liquid-containment system. Any oil spill from a process component is a release of hydrocarbons and is never good, but component skids and deck drains (offshore) limit its effect when the spill would otherwise reach a freshwater stream or offshore waters.

Hazard tree

A hazard tree:

  • Identifies potential hazards
  • Determines the conditions necessary for a hazard to exist
  • Determines sources that could create this condition
  • Breaks the chain leading to the hazard by eliminating the conditions and sources

Because complete elimination is normally not possible, the goal is to reduce the likelihood of occurrence. With statistical analysis, the probability of occurrence can be estimated, and the effect of a safety procedure or device that reduces the probability of a condition or source occurring can be quantified with the same tool.

A hazard tree is somewhat subjective in that different evaluators may classify conditions and sources differently or they may carry the analysis to further levels of sources. The hazard tree helps the investigator focus attention on all of the aspects to be considered. No matter how the tree is formulated, conclusions reached concerning the design, maintenance, traffic patterns, lighting, etc., should be similar.

General production facility hazard tree

API RP 14J[2] shows a hazard tree for a generic production facility. It should be equally valid for an offshore or onshore facility. The major hazards are those of oil pollution, fire/explosion, and injury.

Oil pollution

Oil pollution derives from an oil spill that can be caused by one of the conditions shown in the hazard tree. If an oil spill were to occur, pollution could be avoided by installing adequate containment. Requirements for tank dikes, drip pans (offshore), and sumps reduce the probability of oil pollution from most small spills.


Fire/explosion

An oil spill or gas leak provides the fuel for a fire/explosion, but an ignition source and oxygen are also required. Gas blankets minimize oxygen entry into vessels, and good electrical design minimizes ignition sources.


Injury

Injury can occur directly from an explosion, an out-of-control fire, or one of the other conditions shown in the hazard tree. If there is sufficient warning before a fire develops, there should be enough time to escape before injury occurs. If the fuel can be shut off and adequate fire-fighting equipment is present to control the fire before it grows, the probability of injury is small.

The inability to escape increases the probability of injury from any of these conditions. All the conditions are more likely to lead to injury the longer personnel are exposed to the situation; therefore, escape routes, lighting, appropriate survival capsules/boats (if offshore), and fire barriers all lead to a reduction in the probability of injury.

Severity of source

The hazard tree helps identify the severity of a source that can lead to a hazardous condition. Some of these sources are discussed here.


Overpressure

Overpressure can lead directly to all three hazards: immediately to injury, to fire/explosion if there is an ignition source, and to pollution if there is insufficient containment. Because of this hazard potential, a high level of assurance is needed that the probability of overpressure is very small.

Fire tubes

Fire tubes can lead to fire/explosion if there is a leak of crude oil or glycol into the tubes or if there is a failure of the burner controls. An explosion could be sudden and lead directly to injury; therefore, a high degree of safety is required.

Excess temperature

Excess temperature can cause premature equipment failure at a pressure below its maximum design working pressure. Excess temperature can create a leak, potentially leading to fire/explosion if gas leaks or oil pollution if oil leaks. This type of failure should be gradual, giving off a warning as it develops, and thus does not require as high a degree of protection as those mentioned previously.


Leaks

Leaks rarely lead directly to personnel injury, but they can lead to fire/explosion if there is an ignition source and to oil pollution if containment is inadequate. The immediacy and magnitude of the developing hazard are less than with overpressure; thus, although protection against leaks is necessary, it does not require the same level of safety as protection against overpressure.

Inflow exceeds outflow

Inflow exceeding outflow can lead to oil pollution if there is inadequate containment and can lead to fire/explosion and, thus, to injury if an oil spill occurs. This condition is more time dependent and lower in magnitude of damage; therefore, an even lower level of safety will be acceptable.

Need for other protection devices

The hazard tree also helps identify other protection devices to include in equipment design that may minimize the possibility that a source will develop into a hazardous condition. Additional protection devices that might be included are:

  • Flame arrestors
  • Stack arrestors
  • Gas detectors
  • Fire detectors
  • Manual shutdown stations

A hazards analysis can determine the need for safety devices and safety systems.

Hazards analysis

A hazards analysis:

  • Identifies potential hazards
  • Defines conditions necessary for each hazard
  • Identifies the source for each hazard

A hazard tree identifies potential hazards and determines the conditions necessary for these hazards to exist. A hazards analysis starts at the hazard tree’s lowest level and attempts to break the path leading back to the hazard by eliminating one of the conditions.

Many of the sources and conditions identified on the hazard tree require considerations that have nothing to do with the way the process is designed, such as escape paths, electrical systems, fire-fighting systems, and insulation on piping. A facility designed with a safety shutdown system is not necessarily "safe"; it has an appropriate level of devices and redundancy to reduce the risk from those sources and conditions that can be anticipated by sensing a change in process conditions. A hazard tree also helps identify protection devices to include in equipment design (e.g., flame/stack arrestors on fire tubes). Much more is required if the overall probability of any one chain leading to a hazard is to be acceptable, such as:

  • Maintenance
  • Operating procedures
  • Testing
  • Drills

Primary defense

The best defense against an undesirable event is the use of appropriate industry codes and design procedures. The defense also should ensure adequate inspection of the equipment and its fabrication into systems. If this is not done, sensors cannot sufficiently protect against overpressure, leaks, or other hazards.


References

  1. API RP 14C, Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms. 1998. Washington, DC: API.
  2. API RP 14J, Design and Hazards Analysis for Offshore Production Facilities. 1993. Washington, DC: API.

External links

API Standards

See also

Recommended methods for safety analysis

Relief valves and relief systems

Flare and vent disposal systems