GP 48-04

Document No.: GP 48-04
Applicability: Group
Date: 5 June 2008

Inherently Safer Design (ISD)

This Group Defined ETP has been approved by the GVP Safety
and Operations for implementation across the BP Group.

BP GROUP
ENGINEERING TECHNICAL PRACTICES
5 June 2008 GP 48-04
Inherently Safer Design (ISD)

Foreword

Inherently safer design (ISD) is a way of thinking differently from traditional hazard management.
Instead of identifying hazards and adding layers of protection to prevent and minimise hazards,
inherently safer design first challenges whether the hazard can be eliminated completely or reduced in
severity.

This revision of Engineering Technical Practice (ETP) GP 48-04 includes the following:

1. Scope/applicability broadened from concept selection to apply to major projects and new
technology and additionally it is recommended for smaller projects, modifications, and
changes in existing operations. This prompted the title change.
2. ISD is clarified to address elimination of a hazard as well as strengthening the robustness
of a layer of protection.
3. The original flowchart, modified slightly, continues to be the backbone of the document.
4. It is written to be more inclusive across all BP Operations.
5. Definitions have been revised to be consistent with industry definitions and other ETPs.
6. The ETP has been moved from Category 24 (Fire and Blast Protection) to category 48
(Processes and Procedures) to be in the same category with the other similar type Group
Defined ETPs. The title has also been amended.
These changes were so extensive that revisions have not been indicated in the margin as is normal
practice.

Copyright © 2008 BP International Ltd. All rights reserved.


This document and any data or information generated from its use are classified, as a
minimum, BP Internal. Distribution is intended for BP authorized recipients only. The
information contained in this document is subject to the terms and conditions of the
agreement or contract under which this document was supplied to the recipient's
organization. None of the information contained in this document shall be disclosed
outside the recipient's own organization, unless the terms of such agreement or contract
expressly allow, or unless disclosure is required by law.

In the event of a conflict between this document and a relevant law or regulation, the
relevant law or regulation shall be followed. If the document creates a higher obligation, it
shall be followed as long as this also achieves full compliance with the law or regulation.

Downloaded Date: 6/17/2008 11:15:42 PM


The latest update of this document is located in the BP ETP and Projects Library

Table of Contents
Foreword
1. Scope
2. Normative references
3. Terms and definitions
4. Symbols and abbreviations
5. Philosophy
5.1. Intent
5.2. Strategies
5.3. Capex versus Opex
6. Application
6.1. General
6.2. Major projects
6.3. New technology development
6.4. Facility modifications
6.5. Changes in existing operations
7. Inherently safer design flowchart
7.1. General
7.2. Set ISD goals
7.3. Identifying hazards
7.4. Brainstorming options
7.5. Initial reduction of options
7.6. Identify and understand specific hazards and risks of remaining options
7.7. Develop each remaining option for selection
7.8. Select or reject option
7.9. Develop selected option
7.10. Handover
Annex A (Informative) Example lists for use in ISD considerations
A.1. Personnel, activities, and equipment warranting specific attention in ISD activities, not all inclusive
A.2. Potential hazards, not all inclusive
A.3. Potential causes
A.4. Factors that impact incident severity and escalation, not all inclusive
A.5. Potential options for hazard elimination or severity reduction, not all inclusive
Annex B (Informative) Brainstorming considerations
B.1. Production targets: throughput and uptime
B.2. Scheduling: design and construction
B.3. Location and separation of hazards
B.4. Staffing, operating, and maintenance
B.5. Construction
B.6. Novel or untried technology
B.7. Processing
B.8. Production support structures for offshore upstream segment
B.9. Storage and export
Annex C (Informative) Examples of fewer hazards, fewer causes, reduced severity, fewer consequences
Bibliography

List of Figures

Figure 1 - ISD through facility lifecycle
Figure 2 - ISD flowchart

List of Tables

Table C.1 - Fewer hazards, including but not limited to:
Table C.2 - Fewer causes, including but not limited to:
Table C.3 - Reduced severity, including but not limited to:
Table C.4 - Fewer consequences, including but not limited to:
Table C.5 - More effective residual hazard management, including but not limited to:

1. Scope

This GP addresses:

a. Strategies of inherently safer design.
b. Application of these strategies in projects, new technology, facility modifications, and
changes in existing operations.
c. How hazard and risk studies support these strategies.
d. Planning and conducting reviews focused on inherently safer design.

2. Normative references

The following referenced documents may, to the extent specified in subsequent clauses and normative
annexes, be required for full compliance with this GP:

• For dated references, only the edition cited applies.
• For undated references, the latest edition of the referenced document (including any
amendments) applies.

BP
Unknown Number Selection of hazard evaluation and risk assessment techniques.
GDP-31-00-01 Assessment, prioritisation, and management of risk.
GP 48-01 HSSE Review of Projects (PHSSER).
GP 48-02 Hazard and Operability (HAZOP) Study.
GP 48-50 Major Accident Risk (MAR) Process.

Health and Safety Executive (HSE)
CHIP/CHIP3 Chemicals Hazard Information and Packaging for Supply Regulations 2002.

3. Terms and definitions

For the purposes of this GP, the following terms and definitions apply:

BP Operations
BP Strategic Performance Units, Business Units, projects, facilities, sites, and operations.

Cause
Event, situation, or condition that results or could result directly or indirectly in an accident or
incident.

Concept safety evaluation (CSE)
Preliminary assessment of major accident hazards, potential consequences, and likelihood of
occurrence used to identify key control and mitigation requirements for design.

Entity (BP entity or Operating entity)
Whilst these terms are not used in this GP they have a specific meaning in OMS. If this GP refers to
BP Operation it should be interpreted as BP Entity or Operating Entity when working to OMS.

Hazard
Condition or practice with the potential to cause harm to people, the environment, property, or BP’s
reputation.

HAZID
Technique of brainstorming used to identify potential hazards. HAZID studies are very broad in scope.
HAZID is sometimes called a preliminary hazard analysis.

HAZOP
Systematic, qualitative technique to identify and evaluate process hazards and potential operating
problems, using a series of guidewords to examine deviations from normal process conditions.

Layer of protection
Device, system, or action that is capable of preventing a postulated accident sequence from proceeding
to a defined, undesirable endpoint.

Layer of protection analysis (LOPA)
Method for evaluating the effectiveness of protection layers in reducing the frequency and/or severity
of hazardous events.

Lifecycle cost
Total cost of installation or asset, including capital expenditure, operating, maintenance, and
decommissioning costs.

Major Project
A project that is required to comply with requirements of MPCP (E&P) or Pcp (R&M)

Risk
A measure of loss/harm to people, the environment, compliance status, Group reputation, assets or
business performance in terms of the product of the probability of an event occurring and the
magnitude of its impact. Throughout this Practice the term “risk” is used to describe health, safety,
security, environmental, and operational (HSSE&O) undesired events.

Safeguard
Device, system, or action that would likely interrupt the chain of events following an initiating cause
or that would mitigate loss event impacts.

Safety instrumented function (SIF)
Safety function with specified integrity level that is necessary to achieve functional safety by putting
process to a safe state or maintaining it in a safe state under predefined conditions. SIF is implemented
using SIS.

Safety instrumented system (SIS)
Instrumented system used to implement one or more SIF. SIS is composed of sensors, logic solvers,
and final control elements. An emergency shutdown system (ESD) is a specific example of an SIS.

What if analysis
Scenario based hazard evaluation procedure using a brainstorming approach in which typically a team
that includes one or more persons familiar with the subject process asks questions or voices concerns
about what could go wrong, what consequences could ensue, and whether the existing safeguards are
adequate.

4. Symbols and abbreviations

For the purpose of this GP, the following symbols and abbreviations apply:

Capex Capital expenditures.

COSHH Control of substances hazardous to health.

CSE Concept safety evaluation.

CVP Capital value process.

EA Engineering authority.

ESD Emergency shutdown system.

FPSO Floating production storage and offloading.

HAZID Hazard identification study.

HAZOP Hazard and operability (study).

HP High pressure.

ISD Inherently safer design.

KO Knockout.

LNG Liquefied natural gas.

LOPA Layer of protection analysis.

MAR Major accident risk.

MOC Management of change.

MSDS Material safety data sheet.

OMS Operating management system.

Opex Operational expenditures.

PHSSER Project health, safety, security, and environmental reviews.

SIF Safety instrumented function.

SIS Safety instrumented system.

SPA Single point of accountability.

SPU Strategic performance unit.

TR Temporary refuge.

5. Philosophy

5.1. Intent
a. The intent of ISD, as discussed in this GP, is to:
1. “…Eliminate the hazard completely or reduce its magnitude sufficiently to eliminate
the need for elaborate safety systems and procedures. Furthermore, this hazard
elimination or reduction would be accomplished by means that were inherent in the
process and thus permanent and inseparable from it”. [1]
2. Go beyond elimination or reduction of a hazard. It also applies to layers of protection.
“In the broad sense, the strength of a layer of protection can be improved by features
that are permanent and inseparable from that layer”. [1]

Note 1 Inherently Safer Chemical Processes, American Institute of Chemical Engineers,
Center for Chemical Process Safety (CCPS), 1996.

b. The ISD focus on elimination or reduction of hazards also applies to environmental
hazards.

5.2. Strategies
Approaches to ISD have been grouped into four strategies.
a. Minimise - use smaller quantities of hazardous substances (also called intensification).
b. Substitute - replace a material with a less hazardous substance.
c. Moderate - use less hazardous conditions, a less hazardous form of a material, or facilities
that minimise the impact of a release of hazardous material or energy (also called
attenuation).
d. Simplify - design facilities that eliminate unnecessary complexity and make operating
errors less likely and that are forgiving of errors which are made (also called error
tolerance).

5.3. Capex versus Opex


The full lifecycle costs shall be considered in inherently safer design evaluations.

6. Application

6.1. General
a. Application of ISD should include:
1. Early setting of ISD goals/criteria and development of a plan.
2. Early hazard identification.
3. Continued focus on ISD strategies as conceptual choices are progressively made at
overall development concept, system, and component level.
4. Recognition of lifecycle impacts of alternatives if choices are being made.
5. Articulating ISD delivery status at each stage gate.
b. ISD strategies shall be applied in major project design and new technology development.
c. BP Operations EA shall develop an ISD policy for facility modifications and changes in
existing operations.

Figure 1 - ISD through facility lifecycle

[Figure: effectiveness in risk reduction of inherent safety, engineered safety, and procedural
safety across the Appraise, Select, Define, Execute, and Operate stages. Phase labels: Research
Phase, Engineering Phase, Operating Phase. Durations shown: ~ 4 years and 25+ years.
Milestones: Conception, Approval, Startup.]

6.2. Major projects

6.2.1. General
a. The project EA should apply ISD strategies during the project appraise stage.
b. The project EA shall endorse plans defining implementation of ISD strategies in the
concept selection and design project stages.
c. These plans shall be included in either CVP documentation related to project execution,
project hazard and risk management documentation, or standalone ISD plan.
d. The ISD strategies should be maintained through all project stages, although it is
recognised that the greatest influence is in the earlier stages.

6.2.2. Plan content


a. The plan identified in 6.2.1.c shall include:
1. Hazards during full lifecycle through initial concepts, site selection, design,
construction, commissioning, operation, later life, final decommissioning, and site
restoration.
2. Specific focus on identifying design concepts and potentially selecting concepts that
have the lowest inherent risks.
3. Setting of goals and criteria by which achievement may be assessed at each CVP gate.
4. Identification of a schedule of activities, resources, and deliverables for the systematic
identification and management of hazards and risks within the structure of CVP.
5. Input from the future operator, if available, on operation and maintenance philosophy.
b. Accountability for ISD tasks shall not be delegated to a design contractor.

6.2.3. Plan resources


a. Resource allocation in support of ISD strategies should consider the following:
1. Management time and commitment to support delivery of ISD during concept
selection phase.
2. Time in the schedule and team availability for project and asset team to:
a) Participate fully in the process of risk identification and evaluation.
b) Document the ISD process, decisions, and justifications.
c) Study lessons learned and set up action tracking.
d) Support PHSSER process as defined in GP 48-01.
e) Contract external specialist studies and support, if necessary.
b. Specific resources shall include:
1. Operations and maintenance input. If available, the future operator shall provide
experienced operations input.
2. Specialist support
a) Process safety engineering support should be provided to assist with hazard
identification and quantification processes.
b) Support should be allocated early in the project stages such that hazards may be
minimised through design of process, layout, structure, and equipment, rather
than retrospective analysis and management of hazards in design in the late
define stage.
3. Contractors are often integral part of design team and therefore should participate
fully in hazard identification and elimination process, especially during define stage.
4. Vendors. If major items of equipment are part of design concept, project team should
include potential vendors in effort to enhance ISD concepts.

6.3. New technology development


a. ISD strategies shall be applied to new technology development. Opportunities for ISD may
present themselves in the following:
1. Chemical selection.
2. Process selection.
3. Mechanical and materials selection and design.
b. Development of a new technology shall include a plan to implement ISD that is endorsed
by the project EA for projects or BP Operation EA for modifications.
c. Plan shall include identification of specific activities and resources. The complexity and
formality of the plan should be in line with the size and scope of the activity. It may be
simpler than that described for a major project.

6.4. Facility modifications


a. Future plant modifications should consider and implement strategies of ISD.
b. This should include conduct of studies to identify hazards and understand those hazards
and risks early in modification planning such that there is opportunity to eliminate or
reduce hazards.
c. While the size and complexity of a facility modification may not warrant a formal ISD
plan as described for major projects, the same concept should be applied at an appropriate
level of detail and formality for the modification. The BP Operations EA should endorse
the approach.

6.5. Changes in existing operations


Changes in existing operations provide opportunities to implement ISD strategies. Processes
and procedures supporting the following activities should include application of the following
ISD strategies:
a. MOCs.
b. Response to audit, hazard analysis, or other review recommendation.
c. Learning lessons from past incidents.
d. Employee awareness.
e. Day to day operations.
f. Isolation and decommissioning of redundant facility and equipment.

7. Inherently safer design flowchart

7.1. General
a. The flowchart in Figure 2 illustrates a stepwise process to implement ISD strategies in
projects, facility modifications, and changes in existing operations. Requirements and
recommendations for each step in the flowchart are set out in further detail in this clause.
b. Detail, complexity, and formality of each step should be commensurate with size and
complexity of the project, facility modification, or existing operation activity being
addressed.

Figure 2 - ISD flowchart

[Flowchart steps, in order:]

1. SET ISD GOALS
2. IDENTIFY HAZARDS
3. BRAINSTORM OPTIONS
4. INITIAL REDUCTION OF OPTIONS
• Reject options that clearly cannot meet the goals
5. IDENTIFY AND UNDERSTAND THE SPECIFIC HAZARDS AND RISKS OF REMAINING OPTIONS
6. DEVELOP EACH REMAINING OPTION FOR SELECTION
• Eliminate hazards
• Confirm that it will be practical to manage the residual hazards
7. SELECT/REJECT OPTION
• Meets goals?
• Meets economic criteria?
• Possible to manage residual risks with defined protection layers and an aim of continuous risk reduction?
Yes: DEVELOP SELECTED OPTION
No: iterate
Final No (if multiple iterations fail to deliver a suitable outcome): RECOMMEND DISCONTINUING DEVELOPMENT
8. DEVELOP SELECTED OPTION
• Meets goals
• Minimise risks from residual hazards
• Define minimum design standards/limits
• Conduct risk management activities

7.2. Set ISD goals


ISD goals shall be set.
a. For a project, goals shall be included in the plans to implement ISD strategies as endorsed
by the project EA.
b. For a facility modification on which ISD is applied, goals may be set for the specific
modification or for the facility in general and should be endorsed by the BP Operations EA.
c. For changes in existing operations on which ISD is applied, goals should be part of the
overall risk management framework and should be approved as part of MOC.

7.3. Identifying hazards


a. Hazards shall be identified initially through a hazard identification analysis, such as a
HAZID.
b. Some potential hazards are listed in Annex A.
c. The scope of this hazard identification analysis shall include:
1. Health and safety.
2. Environment.
d. Additionally, the scope may include:
1. Privilege to operate.
2. Equipment damage or business value lost.
e. In projects, the EA should determine whether there is sufficient information about hazards
and uncertainties to allow the project to proceed further into development. The EA may:
1. Relax concept development schedule to allow more time to identify an alternative
ISD option.
2. Delay start of concept development until more information is available.
f. If it is anticipated that hazards identified could present major accident risks that may be at
or above the MAR group reporting line as described in GP 48-50, risk assessment may be
warranted to understand the hazards and risks in greater detail.
g. Responsibility for resolution of each hazard or group of hazards identified should be
clearly assigned to members of the project design or asset teams.

7.4. Brainstorming options


a. Early brainstorming should consider a wide range of conventional and radical options,
including those that are expected to be inherently safer.
b. Early brainstorming should also challenge schedule and facility or facility performance
targets if they may be:
1. Adding to risks by precluding some options.
2. Adding levels of complexity, activity, or simultaneous operations.
c. Topics for consideration in brainstorming options should include those listed in Annex A.
d. The brainstorming process should be:
1. Organised and documented.
2. Conducted by an open minded, multidisciplinary team.
3. Include experts in alternative or challenging technologies.

4. Explicitly consider ISD strategies.

7.5. Initial reduction of options


a. The intent of this step is to reduce the options list developed in the brainstorming step to a
manageable size for further analysis.
b. This should be achieved by reviewing options in comparison to ISD goals and other
established project goals. Options may be eliminated for the following reasons:
1. Technological barriers cannot be overcome within the timescale of the project.
2. Risks from MAR studies identified to be priority level 1 or 2.
3. Options introduce one or more new hazards that are more severe than those being
addressed.
4. Rejection of the option by the endorser, as managed using the risk matrix and
endorsement levels in GDP 31-00-01, Appendices 1, 2, and 3.
5. Clearly uneconomic (not marginal).
6. Noncompliance with international or local legislation.
7. Rejection by project EA, supported by future operations representative, as available.
c. For simpler projects/modifications/changes using proven technology, the list of options
should be reduced to no more than two concepts, with at least one concept based on
inherently safer design strategies.
d. For complex developments with major technical challenges or significant risks, a number
of significantly different concepts should be taken forward for further development.

7.6. Identify and understand specific hazards and risks of remaining options
a. This hazard identification and risk management process shall build on initial hazards
identified and be improved as the details are understood.
b. This process of continued hazard identification should use established hazard identification
processes, such as HAZID, What If, or HAZOP. Requirements for selecting the
appropriate tool for the situation are provided in GP 48-02 and the Group Recommended
Operating Practice, Selection of Hazard Evaluation & Risk Assessment Techniques
[pending issue].
c. Hazard impact levels and likelihood shall be defined using GDP-31-00-01, Appendices 1,
2, and 3.
d. Risks should be assessed and compared using appropriate analysis tools, with analysis
scope focused on reduction of the identified hazards and risks.
e. Hazards and risks shall be managed through use of a hazard and risk register.

7.7. Develop each remaining option for selection


a. Development of options should be progressed in terms of greater engineering design
definition and a greater understanding of hazard impacts as this design definition is
developed.
b. The ISD strategies shall be applied to each option.
c. A hierarchical approach should be applied to risk reduction: elimination, prevention,
control, and mitigation of hazards (in order of preference from 1 to 4):
1. Elimination - completely remove hazard by choosing another concept (see Annex A).

2. Prevention - minimise likelihood and eliminate causes, if possible, to reduce
probability of other causes (e.g., minimising activities and thus chance of human
error) (see Annex A).
3. Control - minimise severity of event, thus minimising damage and likelihood of
escalation (see Annex A).
4. Mitigation - minimise exposure of personnel and critical equipment to effects of any
initiating events, such as fires, explosions, or toxic releases (see Annex A).
d. If particular hazards dominate overall risk or if risks from particular hazards are uncertain
(e.g., new technology), further focused hazard evaluation and risk assessment may be
warranted to better understand the risk and how to reduce it. Refer to the OMS Group
Recommended Operating Practice, Selection of Hazard Evaluation & Risk Assessment
Techniques.

7.8. Select or reject option


a. Option selection or rejection shall be a process undertaken by a specifically nominated
team.
1. In projects, project EA shall endorse the team composition.
2. For modifications in existing operations, the BP Operations EA should endorse team
composition.
3. For existing operations procedures that include application of ISD strategies,
select/reject step described in c. is not applicable.
b. Data available for review of each option should include:
1. Hazard identification studies.
2. Understanding of protective systems anticipated to manage risks.
3. Future risk reduction options, if available.
c. Option selection/rejection shall be based on consideration of the following:
1. Risk
a) The preference is for elimination of risks first, then the reduction of risks
through passive controls over the management of risks through provision of
additional layers of protection.
b) Residual risk level - The preference is for an option that poses lower risk as
evaluated using the risk matrix in GDP 31-00-01 Appendices 1, 2, and 3. Risks
considered should be individual scenarios associated with an option, with layers
of protection in place, using risk matrix in GDP 31-00-01 Appendices 1, 2, and
3. Plans to manage this risk should be endorsed by the appropriate management
level as defined in GDP 31-00-01, Appendix 4.
c) The MAR process as defined in GP 48-50.
2. Layers of protection
a) Analysis that layers of protection are adequate to manage risk.
b) Integrity of layers of protection - ability of asset to provide anticipated
functionality, reliability, and survivability of layers of protection.
d. Technical feasibility - technology should either be proven, or it should be practical to
develop and ensure adequacy within timescale of project.
e. Project goals - extent to which an option meets project goals.
f. Economic feasibility
1. Ability to provide the economic return required.
2. Both Capex and Opex.
3. Cost associated with testing and maintenance anticipated for layers of protection.
g. Selection/rejection conclusions should be one of the following:
1. An option is the clear choice.
2. Two or more options are attractive and further analysis of these options is
appropriate.
3. Economic criteria are such that all inherently safer options are excluded, in which
case these criteria should be challenged.
4. The project is not feasible - if multiple iterations through this ISD flowchart fail to
deliver a suitable outcome, it may be that none of the options can meet the criteria and
risk is not endorsed by level of management identified in GDP 31-00-01.
h. Justification of option selected and those rejected shall be documented including the
criteria considered in 7.8.c.

7.9. Develop selected option


a. The selected option should be further developed before it proceeds to next stage of design,
modification, or the next step in an operating procedure.
b. Further development may include design definition and further risk management.

7.10. Handover
a. The results of implementing the ISD strategies shall be documented and this
documentation shall be handed over to the SPA for the next project stage or appropriate
SPA in an operating asset.
b. Documentation shall include:
1. A description of process used to consider ISD and select the option.
2. Justification of the option selected and those rejected.
3. The hazard and risk register documenting residual hazards associated with the option
selected and the layers of protection provided to manage residual risks, including
anticipated survivability, functionality, and reliability specifications.
4. Assumptions about future design or operation.
5. Critical limitations or restrictions governing future activities.
6. Reference to supporting studies or documents.


Annex A
(Informative)
Example lists for use in ISD considerations

A.1. Personnel, activities, and equipment warranting specific attention in ISD activities, not all inclusive

E&P only Group


Locations of concentration of personnel
Accommodation. Control room.
Temporary refuge (fire, smoke, toxic). Office.
Escape routes and muster points.
Workshops.
Activities
Areas where escape to muster points may be more difficult Routine operational and maintenance activities, particularly
and exposed to effects. process areas.
Well completion. Online maintenance (routine and exceptional).
Turnaround.
Construction.
Major repair activities, such as removal of large equipment
items.
Equipment and structure
Risers. Process equipment, particularly containing high pressure
Wells. gas or large liquid inventory.
Well control equipment. Flare systems.
Flowlines on seabed. Fuel and chemical storage tanks.
Critical systems and equipment necessary for ensuring Gas bottle storage and other pressure vessels that may
buoyancy and stability. rupture catastrophically.
Critical systems and equipment necessary for ensuring SIS.
spar tensioning and location.
Mooring systems.
Primary structure supporting topsides.
Secondary structure supporting heavy loads, process
equipment, major hydrocarbon inventories, tall structures,
and safety systems.

A.2. Potential hazards, not all inclusive

E&P only Group


Relating to the site location
Marine hazards (e.g., water depth for offshore Extreme weather conditions (e.g., extreme temperature,
development). wind, humidity, rain, snow, ice, waves).
Logistics (helicopter, shipping hazards). Geological conditions for structural support.
Technological barriers and uncertain or new technology.
Relating to the structure or layout
Loss of buoyancy or stability. Structural failure or collapse.
Relating to the process or equipment
Reservoir and well fluid conditions (e.g., high pressure Hazardous material properties (that may lead to fire,
and temperature, corrosivity). explosive, toxic, and environmental impact scenarios).
Geology and seismic activity.


A.3. Potential causes

E&P only Group


Relating to the site location
Facility complexity.
Construction activities.
Local culture or competence.
Remote locations.
Political instability and terrorism.
Relating to the structure or layout
Heavy lifts.
Relating to the process or equipment
Shallow gas. High or low temperatures and pressures.
Geology and seismic activity. Deterioration due to external environmental conditions.
Need for storage or gas reinjection. Deterioration due to internal conditions (e.g., corrosion,
Drilling hazards. erosion).
Subsea hazards. New technology.
Riser hazards. Decommissioning.
Monitoring system failure (e.g., gas detection).
Equipment deviation due to temperature, expansion,
contraction, embrittlement, or strength loss.
Control system failure.
Mechanical failure (e.g., component, joint, or weld).
Equipment startup and shutdown.
Relating to operations and maintenance
Human error in operation.
Human error in maintenance.
Unauthorised disassembly or operation.
Incorrect assembly or reassembly.
Failure to monitor deterioration.
Fatigue.
Design error.


A.4. Factors that impact incident severity and escalation, not all inclusive

E&P only Group


Potential for and route to escalation that would require Location of initial failure and resultant effects.
evacuation, including: Hydrocarbon release rates, duration, and total release
Loss of topsides support. quantities.
Loss of well containment. Spread and accumulation of oil and liquid fuel releases.
Loss of riser containment. Kinetic energy and location of impacts (vehicles, ships).
Loss of well control during critical drilling activities. Potential energy and location of dropped objects.
Loss of integrity, buoyancy, stability, or tensioning Location and severity of explosion overpressures.
systems on floating installations. Location and severity of heat, flames resulting from
Exposure of helideck to effects of initial and escalating process, and other fires.
incident. Spread and density or toxicity of smoke from fires.
Exposure of evacuation routes, lifeboats, and evacuation Particular dangers and severity of access to hazardous
systems. areas (e.g., depths to which divers may be required to
Potential for impairment of accommodation. descend).
Height and weight of tall structures and areas onto which
they may collapse.
Loss of containment of major hydrocarbon or toxic
inventory (e.g., diesel fuel, separators, methanol, or
chemical storage).
Potential for impairment of temporary refuge, muster
areas, and control rooms.
Routes for progressive escalation.
Time during which escalation or impairment would occur.

A.5. Potential options for hazard elimination or severity reduction, not all
inclusive

E&P only Group


Arrangement of drilling facilities and pipe storage to avoid Minimisation of processing by exporting partially
lifts over top deck, process equipment, or processed or lower specification fluids.
accommodations. Fewer processing steps.
Location of high pressure gas equipment, particularly Use of permanently installed equipment to avoid heavy
compressors at elevated/naturally ventilated locations on lifts associated with transient facility.
top deck to avoid explosion arising from confined gas
release. Minimisation of potential for human error.
Minimisation of number of wells and well intervention Increased equipment and component reliability to
activity if installation is fully staffed and producing. minimise need for disassembly.
Use of inherently buoyant and stable floating structure. Inherent equipment resistance to external and internal
deterioration.
Natural weathervane behaviour of FPSO vessels to avoid
need for active heading systems. Inherent equipment strength to withstand unintentional
overload in normal operation.
Location of accommodation, TR, and control rooms
where not exposed to flames, smoke, or blast. Inherent equipment strength to withstand extreme and
accidental events.
Minimisation of heavy lifts involving hazardous
substances, such as fuel, chemicals, toxins, or Corrosion resistant materials.
pressurised containers. Reduced dependence on control systems.
Avoidance of location of processing and drains systems Minimisation of quantity of instruments on process
in enclosed areas, such as hull of floating installation. equipment.
Minimisation of activities requiring personnel on platform, Minimisation of equipment duplication, such as pumps
particularly in areas where personnel may be exposed to and compressors.
or trapped by incident effects. Avoidance of relief valves by designing equipment for
maximum anticipated pressure.
Fewer weak points (e.g., joints or stress concentrations).
Increased design tolerances to give greater equipment
longevity and longer periods between inspection
Downloaded Date: 6/17/2008 11:15:42 PM
The latest update of this document is located in the BP ETP and Projects Library
Page 19 of 27
5 June 2008 GP 48-04
Inherently Safer Design (ISD)

E&P only Group


maintenance and changeout.
Increased design tolerances to absorb process deviations
or overloads that may arise from routine operations.
Optimisation of design and operating philosophies to
minimise number and location of heavy or routine lifts
over hazardous equipment or manned areas.
Optimisation of design and operating philosophy to
minimise logistics requirements for installation.
Use of permanently installed equipment rather than
transient equipment.
Optimisation of design to minimise number of hazardous
activities and requirement to enter hazardous areas (e.g.,
diving, confined space entry, working at height, working
over the side).
Maximisation of ability of equipment to absorb process
deviations, thereby minimising dependence on
instrumented control systems and resultant shutdown
rate.
Avoidance of need for automatic depressurisation to
control hazards, with resultant hazards and hazardous
restart.
Minimisation of hydrocarbon release rates by limitation of
potential hole sizes, such as instrument impulse lines.
Minimisation of quantity of hydrocarbons that can be
released by reduction of vessel numbers, capacity, and
piping lengths and diameters.
Location of TR and control rooms where not exposed to
flames, smoke, or blast.
Minimisation of hydrocarbon release rates, avoiding high
pressure processing.
Minimisation of explosion overpressures by minimising
volume that gas can fill.
Maximising explosion vent areas.
Minimisation of explosion overpressures by minimising
distances to vent areas.
Minimising gas cloud size by maximising ventilation.
Minimising type and frequency of activities requiring
scaffolding in process areas.
Minimising explosion overpressures by optimising layout
of process equipment, piping, and support utilities.
Minimising elevation and weight of lifts.
Optimising patterns of routine and heavy lifts to avoid
hazardous equipment and critical weak points.
Arrangement of design such that maintenance activities
can be performed without accessing extreme height or
depth.
Design of equipment to minimise sources of ignition in
process and production areas.
Planning to avoid modifications or maintenance requiring
hot work.
Location of HP gas and gas liquids away from other
major flammable inventories, such as oil processing or
fuel storage.
Control of ignited liquid spills such that they do not impact
critical equipment or process.
Optimisation of layout to minimise routine and heavy lifts
(particularly drill pipe and casing) over process equipment
or other critical areas.
Location of large low pressure or atmospheric liquid
inventories at lower level or in spar to avoid exposure of
tanks, vessels, and structure to fire beneath.
Providing equipment and structure with sufficient inherent
strength to withstand effects of initial incident.


Annex B
(Informative)
Brainstorming considerations

B.1. Production targets: throughput and uptime

a. Production targets should be challenged if they stretch limits of equipment such that
repeated hazardous intervention or equipment duplication is required.
b. Small increase in production may have major effect on risks through increased complexity,
activity, and staffing and therefore may not be justified either in terms of risk or
economics.
c. Simple design with low staffing and moderate throughput may be better business option.

B.2. Scheduling: design and construction

a. Compressed design schedule will reduce opportunities to optimise design in both safety
and other aspects.
b. Condensed construction schedule will invariably lead to overlap of activities.
c. Project should consider options in which activities, such as design and construction or
construction and operation, do not occur simultaneously.
d. Simultaneous construction and operation will lead to increased risks.

B.3. Location and separation of hazards

Options should be considered that physically separate one hazard from another, such as
production from storage and personnel from effects of potential major accidents.

B.4. Staffing, operating, and maintenance

a. Facility that is normally staffed and has high occupancy of hazardous areas is by nature
less safe than unstaffed or minimally staffed one.
b. Options that do not require permanent personnel presence or minimise number of activities
and personnel should be considered.

B.5. Construction

a. Risks associated with transport of construction materials, large pieces of equipment, and
construction and assembly of equipment will vary considerably with different options.
b. Options that minimise number of heavy loads, heavy lifts, site assembly, and
commissioning should be actively considered.

B.6. Novel or untried technology

a. Novel technology should be considered if it might offer simpler, safer alternative.
b. It is possible to identify and evaluate hazards associated with novel technology and
particular techniques are available to do so.
c. New technology should be actively encouraged in search for inherently safer design.
d. Novel and new technology can actually introduce hazards that have not been considered
because they are not obvious and there is no history on which to rely.

B.7. Processing

Need for extremes of pressure and temperature compared with alternate process options or
extremes of product or byproduct quality should be challenged if they lead to more processing
or larger inventories of flammable or toxic substances.

B.8. Production support structures for offshore upstream segment

Full range of options for facility should be considered, including fixed, floating, subsea, and
variations.

B.9. Storage and export

a. Range of export options and routes should be considered.
b. Storage, if required, should preferably be in a benign location that is not exposed to
hazards.


Annex C
(Informative)
Examples of fewer hazards, fewer causes, reduced severity, fewer
consequences

Table C.1 - Fewer hazards, including but not limited to:

Fewer wells.
    How few wells might be possible with horizontal drilling?
    Is field beyond reach of existing infrastructure?
    What scope for subsea manifold commingling to reduce platform wellheads?

Fewer heavy lifts.
    Can topsides be single lift? Can it be floated over?
    Eliminate lifting of heavy objects by design, especially over operating facility.
    Maximise fixed lifting equipment.

Simpler construction, hookup, and decommissioning.
    What opportunities exist to simplify structural design?
    What opportunities exist to simplify construction methods?
    Minimise hours needed offshore to hook up and commission facilities.

Less rotating equipment.
    How much sparing is really needed if high quality equipment is used?
    Consider slight increase in downtime against reduced cost, weight, cabling, control,
    fire protection, structural loading, and maintenance.

Less hydrocarbon processing.
    What possibilities exist for:
        Fewer separators, scrubbers, compressors?
        Exporting wet oil/gas instead of dry?
        Minimising HP gas and avoiding HP in congested areas?

Less product storage.
    Eliminate/reduce onboard storage.

No hazardous chemicals.
    If chemical injected for reaction modification, corrosion control, or deoxygenation is
    toxic, consider substitution of less toxic chemical.
    If toxic substance is intermediate product, seek ways to eliminate it.

Less offshore hookup or commissioning.
    Minimise hours needed offshore to commission facilities as contribution to risk
    reduction.

Less maintenance for expected life.
    Take practical steps to eliminate maintenance that involves work in hazardous
    locations.
    Minimise rotating or reciprocating equipment (including sparing).
    Use nobler metals and nonmetals to avoid corrosion (see “Less corrosion” in
    Table C.2).
    Use protective finishes on structures and facility that will last for facility life.
    Adopt replace only policy (i.e., no facility repair).
    Use sealed nonrepairable equipment if possible (including instruments).

Less movement of personnel and materials.
    Design for minimum staff.
    Consider more automation but balance against increased automation maintenance.
    Less need for fabric maintenance and process simplification make big contribution.
    Minimise number of staff needed at every stage to reduce exposure to transport
    accidents.
    Limit site access for vehicles and install passive speed controls.
    Train forklift and crane drivers. Retrain and recertify regularly.
    Audit private aviation companies and use long term contracts to BP standards.

Fewer dangerous activities.
    Eliminate by design: diving, over side work, working at heights.

No simultaneous hazardous activities.
    Eliminate drilling while producing adjacent wells.
    Eliminate construction or modification while producing.


Table C.2 - Fewer causes, including but not limited to:

Less potential for human error.
    Design team should study accidents caused by human error and glean information
    about common causes from BP intranet.
    Minimise probability of wrong equipment selection or operation by good ergonomic
    design, including:
        Control panels or screens.
        Switching or motor starting panels.
        Numbering of spared equipment (accidents result from confusing similar
        numbers).
        Colour coding of pipes and other equipment.

Less corrosion.
    Choose nobler materials that eliminate need for active corrosion control,
    maintenance, or replacement, minimising both risk and Opex over life of facility.

No routine breaches of containment.
    See “Less corrosion”.

Less piping and joints.
    Less hydrocarbon processing (from Table C.1, “Less hydrocarbon processing”) will
    help.
    Eliminate main causes of leaks as derived from leak reduction project on intranet.
    Minimise flanges and unions.
    No screwed joints for hydrocarbon duty.
    Minimise dead legs and drain points.
    Minimise compression unions (none on flammable fluids, except instrument lines
    after restrictor and, especially, none on turbine fuel or oil lines).

Fewer instruments.
    Eliminate unnecessary instrumentation, especially monitoring and telemetry.
    Minimise use of intrusive instruments in favour of nonintrusive.

Less dependence on active protective devices.
    Make equipment strong enough to minimise need for active protection.
    Design to never use a human as protective element.

Less working in hazardous areas.
    No online:
        Painting.
        Live electrical work.
        Routine access by scaffolding.
    No:
        Manual sampling.
        Manual tank dipping.
        Manual chemical injection.

No breakdowns.
    Less rotating equipment (from Table C.1, “Less rotating equipment”) will help.
    Specify high quality equipment.
    Avoid reciprocating machines.

No weak points.
    Design to eliminate anything needing frequent critical inspection (e.g., expansion
    bellows).

Greater reserves of strength in structure and process equipment.
    Design for longer fatigue life. Most facilities go on well beyond their design life.
    Increase wall thickness (corrosion allowance) on pipework and pipelines.

No routine lifts over process equipment.
    Design for no lifts over process equipment (see Table C.1, “Fewer heavy lifts”).

No dropped objects.
    Eliminate or minimise need to take tools aloft.
    Consider non crane ways of moving heavy objects.

Less working in dangerous places.
    Eliminate or minimise by design:
        Work at heights (including flares).
        Vessel entry.
        Working below ground.
        Working down deep shafts or columns.
        Working on roofs, including tank roofs.
        Working over water.

No harm from tools, equipment, or machinery.
    By design, seek to standardise sizes and limit range of tools and equipment needed
    for maintenance.
    Avoid need to work on running machines.

No industrial illnesses.
    Ensure that design team understands carcinogenic nature of oil in long term contact
    with skin.
    Refer to COSHH, CHIP/CHIP3, and MSDS data.
    Refer to causes of stress.

Table C.3 - Reduced severity, including but not limited to:

Smaller process inventories.
    Reduce number and size of separators to minimum.
    Use advanced technology to reduce size of scrubbers and KO pots.
    Minimise length and diameter of piping to minimise inventory.

Lower process pressures.
    Design to process and export at lowest possible pressures.

No HP gas in congested areas.
    Minimise inventory of HP gas, minimise pressure, avoid congested areas to reduce
    escalation potential (also see Table C.1, “Less hydrocarbon processing”).

Fewer ignition sources.
    Eliminate or minimise:
        Hot exhausts.
        Direct fired equipment, including gas turbines and glycol regenerators.
        Nonflameproof electrical equipment, including switchgear.
        Naked flame, hot work during production.

Lowest explosion overpressures.
    Design to minimise release rates and volumes available by segregation of
    equipment by shutdown valves.
    Optimise layout and minimise congestion to lower explosion overpressures.
    Maximise natural ventilation.

Table C.4 - Fewer consequences, including but not limited to:

Unmanned facilities.
    Try for possible unmanned or not normally manned facility.
    Design for minimum staff but balance against cost and maintenance of automation.

No hazards near public.
    No third party should be within zone reachable by worst credible event.

No unnecessary presence in facilities.
    Design for minimum personnel and balance against increased maintenance cost of
    automation.
    Facilities may require more or less auxiliary control rooms, switch houses or
    substations, analyser houses, T-shacks.

No exposure of living and rest areas to effects of hazards.
    If personnel need to live on facility, consider how best to separate living quarters
    from worst credible event, preferably by distance rather than fire or explosion walls.

No exposure of critical equipment to effects of hazards (no escalation).
    Equipment should be designed such that worst credible event in one area cannot
    produce major failure in another.

No environmental impact.
    Consequence of worst credible event should be containable such that no
    environmental damage occurs.

No need to evacuate for worst credible event.
    Design such that worst credible event does not necessitate emergency evacuation
    of facility.

Table C.5 - More effective residual hazard management, including but not limited to:

Prevent rather than protect.
    Reduce probability of event, as this is more meaningful than trying to protect
    personnel from event.

Preferential use of passive systems.
    Maximise use of passive protective systems that have greater reliability than
    systems dependent on sensors to detect and controls to react.

No critical dependence on active systems.
    Avoid critical dependence on active systems with their propensity for failure.

No critical dependence on personnel.
    Avoid dependence on personnel to react in correct way under stress. Data suggests
    personnel will do so only 50% of the time.

No disabling of safety systems due to effects of hazards.
    Design such that no credible event will disable safety systems.

Bibliography

American Institute of Chemical Engineers (AIChE)


[1] CCPS, Inherently Safer Chemical Processes: A Life Cycle Approach.
