
Safety in the design of offshore platforms: Integrated safety versus safety as an add-on characteristic


Safety Science 45 (2007) 107–127

www.elsevier.com/locate/ssci


Urban Kjellén

Hydro Oil and Energy, N-0246 Oslo, Norway

Abstract

The Norwegian offshore industry has established considerable experience and know-how in preventing accidents through design. This paper analyses the principles used by this industry during the different phases of design from two different perspectives. The first is human centred and the focus is here on the design of work places to allow the operators at the sharp end to function in an optimal way to minimise human errors and mitigate disturbances. The second “energy barrier” perspective aims at providing technical safety functions on the platform that intervene in the accident path to minimise loss. Accident and incident statistics show that the barrier perspective has been implemented in design to prevent fires and explosions with considerable achievements, whereas its application in occupational accident prevention is more arbitrary. Design of fire and explosion barriers fits well with the current engineering skills and work-processes in investment projects. The implementation of a systematic human-centred design approach is of a more recent date. It has proved to be more demanding and the merits have been more difficult to demonstrate. The implications for the organisation and management of the design process are discussed.

© 2006 Elsevier Ltd. All rights reserved.

Keywords: Safety; Design process; Barriers; Human-centred design; Oil and gas industry

E-mail address: [email protected]

0925-7535/$ - see front matter © 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.ssci.2006.08.012


1. Introduction

1.1. Nature of the problem

Offshore oil and gas production involves risks of accidents with a major loss-potential. Large quantities of energy are handled in a small and often confined space that, if released, may cause considerable damage. Inside the process, a stream of oil, gas and water is contained under high pressure. A leak in the containment may result in fires and explosions with catastrophic effects. Accident statistics from the Norwegian offshore industry show that in spite of these conditions, fires and explosions are rare events. During 1990–2002 there were no fatalities on offshore oil and gas production installations due to such events (Norwegian Petroleum Directorate, 2003a).

Offshore oil and gas production also involves traditional hazards with the potential of severe occupational accidents. There are risks of dropped objects in heavy lifting and materials handling in connection with drilling, maintenance and transportation of consumables. Operators work at height or between heavy mobile objects in various drilling, inspection and maintenance operations. Adverse weather conditions may increase the probability of serious accidents further. The work to prevent traditional occupational accidents has not been equally successful. During 1990–2002, there were eight fatalities in such accidents on offshore production installations in Norway. This corresponds to a fatal accident rate (FAR) of 2,9 fatalities per 100 million hours of work. The oil and gas industry applies a combination of operational measures and measures in design to prevent and mitigate accidents. The focus of this paper is on the design aspects.

Oil and gas production started on the Norwegian continental shelf 30 years ago. In 2002, there were about 50 manned production installations in operation (Norwegian Petroleum Directorate, 2003a). The Norwegian offshore industry thus offers abundant experience of the management of safety in design. This industry is resourceful and considerable investments are put into the prevention of accidents through design. The Norwegian Petroleum Directorate plays a significant role in coaching the offshore industry, through their requirements that oil companies shall manage safety systematically in all stages of an installation’s life cycle. It is of interest to study the principles selected by the industry in designing for safety and how this is accomplished in the complicated work process during an offshore project. It is also of interest to study whether experience on accidents and incidents may reveal shortcomings in these work processes.

1.2. This paper

This paper is based on the author’s experience through participation in communities-of-practice involved in the management of safety in the design of offshore installations. It analyses the principles used in the prevention of accidents in design from two different perspectives: a human-centred design approach where safety is primarily part of the integral design and a barrier perspective with safety as an add-on characteristic. It further addresses the following questions:

• Is it possible to attain an optimum level of safety by combining the two different perspectives or are they conflicting?

• Is safety adequately accomplished by the ordinary design organisation or is support from dedicated safety experts necessary?

• What does this safety expert knowledge comprise and what is its contribution to design?

• Should safety experts be integrated in the design organisation or be organised as an extra, auditing and review function?

The paper focuses on prevention of all accidents, i.e. both accidents with major-loss potential and occupational accidents. These activities constitute an important part of the management of health, safety and environment (HSE), which are considered in an integrated way by the Norwegian offshore industry.

2. Normative model for the management of safety in design

2.1. Capital value process

Management of safety in design is an integrated part of the governance process used in capital investments by oil companies. Although each company has its own procedures for capital investments, the so-called capital value process (CVP) shown in Fig. 1 is representative. An investment project starts with a feasibility study and ends with project execution. All investment projects, whether small or large, green-field or brown-field, should in principle apply the same phase model. It clarifies the stepwise maturing of development plans and the necessary conditions for continuing with the project into the next phase.

CVP consists of three main processes: business idea development; investment studies (consisting of feasibility study, concept selection and preparation for execution); and investment project execution (including detailed engineering, procurement and construction of the facilities). A decision gate (DG) is a predefined event in a project, at which a decision maker (gatekeeper) makes a formal decision on whether to continue or discontinue the project. There are specified requirements to documentation of the decision basis at each decision gate. An independent team carries out a review of this documentation to assess the rationale and economic, technical and political uncertainties behind the solutions proposed by the project. The CVP model is normative in the sense that it rests on formal decision criteria. Funding of the next phase will not be granted unless the project has been able to demonstrate a sufficient level of maturity as required for the specific decision gate.

Fig. 1. Capital value process.

Different actors execute the work in the different phases. Oil companies carry out business development in-house. The focus in this phase is on understanding the geology of the field being studied and on estimates of oil and gas reserves. Technical and economical assessments of possible development scenarios are also made as well as a pre-entry screening of political, social and environmental conditions in the area. In the next three phases, a project organisation within the company carries out the work. Dependent on the complexity of the oil and gas reservoirs, the focus is gradually shifted from geology and the resource basis to field development and design of facilities. Contractors and vendors carry out detailed design, construction and installation work in the execution phase under supervision of a company project team. The hand-over of the responsibility for design from company to contractors and vendors when the project moves into the project execution phase is very critical, since the facilities must be adequately defined at this stage to avoid cost and schedule over-run or inferior quality. Finally, there is a hand-over of facilities from contractors and vendors to a company commissioning team that is responsible for dynamic testing of the facilities and acceptance for start-up of operations.

2.2. The design process

Although the capital value process is aimed at governing investment decisions, there is a design process embedded in it. Fig. 2 illustrates relations between the phases of the CVP and the design stages according to British Standard 7000:4 (BSI, 1996) on managing design in construction. An offshore installation is normally made up of a combination of well-known modules, systems and subsystems. The aim of design is to ensure that the oil company’s specifications and other requirements to the facilities are met. These are initially defined in the design basis for the feasibility study and then further developed in the course of the project in interaction with design. There are field-specific requirements due to water depth, environmental conditions, fluid characteristics, production capacities etc. There is also a set of general requirements, especially in the area of health, safety and environment.

Fig. 2. Comparison between the capital value process and the design stages according to British Standard 7000:4 on managing design in construction.

The design process for process plants, which is described briefly by Taylor in his contribution to this special issue, has many similarities to that for offshore platforms.

Safety is one of the items that are reviewed at each decision gate. In the investment studies, one aim is to reduce uncertainties regarding the feasibility of the selected solutions in meeting basic regulatory and company safety requirements. A second aim is to ensure that the cost estimates implement safety measures at a sufficient level of detail. At DG 4 in Fig. 1, i.e. before the start of project execution, the oil company has to demonstrate for the authorities that the selected solutions are viable from a safety point of view. A quantitative risk analysis (QRA) is a core document in this respect. It shows how the selected concept relates to the oil company’s criteria for tolerable risk of losses due to major accidents (NTS, 2001). Contractual documents must implement the authorities’ and oil company’s safety requirements. In project execution, contractors are normally responsible for design as well as procurement and construction, and the oil company’s project organisation has a supervisory role. The final acceptance (DG5) is based on a detailed inspection and testing of all areas and systems on the platform for compliance with prescriptive requirements as well as approved assumptions and measures coming out of the risk analyses performed during design.

2.3. Use of standards

The Norwegian offshore industry relies on standards in ensuring that safety is adequately handled in design. They are implemented in contracts and purchase orders and have cost and schedule implications for contractors and vendors responsible for design. Safety is thus one important aspect of the quality of the facilities delivered by them (ISO, 2000). The Norwegian offshore industry has developed a set of common so-called Norsok standards within different disciplines including health, safety and environment. Expert committees with members from oil companies, contractors and vendors write the standards. The draft standards go through a formal review and sanctioning process before they are published and used by the industry. The Norsok standard S-002 on working environment is one example (NTS, 1997). It is the core document used in workplace design from a human-centred perspective. This standard provides two types of design requirements (prescriptive and goal oriented) and additional requirements for analyses and verifications to be applied by the engineering organisation (process requirements). The process requirements reflect the responsibilities of contractors and vendors to be able to demonstrate at the design stage that their solutions meet the safety requirements of the standard (see Fig. 3). The analyses shall be integrated in the contractors’ and vendors’ quality management systems (ISO, 2000).

Fig. 3 shows some examples of prescriptive and goal-oriented requirements. The prescriptive requirements are usually expressed in such a way that it is straightforward for the designers of the relevant disciplines to implement them. Verification is a separate activity typically carried out by a safety engineer and is done by checking of drawings or in the field during construction. Implementation of goal-oriented requirements is a more elaborate and usually iterative process. First, the designers aim at a solution based on experience from similar designs in the past. Analyses and calculations must be carried out to check this solution and findings are fed back for modification until a satisfactory solution has been reached. This iterative process takes place in a dialogue between the designer and the safety expert, the latter being responsible for the interpretation of the requirements and for the analyses and calculations.

The Norsok Standard S-001 on Technical safety applies a similar philosophy for implementation of measures against major accidents in design (NTS, 2000). It focuses on the prevention of fires and explosions in particular. A QRA plays a major role in the design process, and here the aim is to analyse and verify that the oil company’s criteria for tolerable risk have been implemented (Kjellén, 1998).

2.4. Organising the project’s safety functions

The application of a structured phase model for the management of projects makes it possible to integrate safety in a controlled way. The project team must understand the key decisions affecting safety in each phase, in order to take the necessary actions to secure timely and adequate implementation of safety measures. The responsibility for implementing safety in design rests with the line organisation in the project. Normally, a project has dedicated safety personnel with specific roles and responsibilities. Fig. 4 shows a project organisation during the phase of preparation for execution. Similar project organisations are applied in the other phases.

There are two safety ‘boxes’ in the organisation chart. The HSE manager is responsible for follow-up of the whole HSE area from a systems perspective. In particular, the HSE manager is responsible for the identification and documentation of safety requirements in design, for the execution of certain safety analyses and studies like the QRA and for ensuring that safety is adequately taken care of in the interfaces between the major building blocks of the installation (platform, sub-sea wells and flow lines, pipelines). The HSE manager also has a review and audit function.

The ‘safety discipline lead’ is integrated in the design organization. Even if the design of man-machine interfaces and technical safety systems takes place in other disciplines such as process, layout, piping, structure, mechanical and instrument, it is the safety discipline lead who has the necessary expertise for interpretation of the safety requirements to such systems and stays in continuous contact with the other disciplines for clarification of detailed design issues. The safety discipline comprises expertise on safety systems, working environment and environmental care.

Fig. 3. Different processes to implement prescriptive and goal-oriented ergonomic requirements (adapted from Kjellén, 2000).

The safety personnel’s competence is a critical issue, because of the complexity of the work processes to implement safety requirements. An HSE manager is expected to apply a systems perspective on safety and the manager’s competence should preferably cover knowledge and experience about safety requirements and analysis methods, oil and gas processing technology, project management, contract work and quality management. These ideal competence requirements are very high and take one or more decades to develop. Insufficient competence may, for example, show up in an inability to schedule safety activities adequately in relationship to the project’s needs and a focus on a limited set of safety issues at the expense of the totality. In the safety discipline, technical safety engineers with responsibility for follow-up of barrier design need knowledge about safety requirements and methods as well as general system knowledge and knowledge about safety equipment. A community-in-practice has developed within the offshore industry with members that have spent a life-long career building competence on these issues.

The working environment engineering expertise, aimed at controlling occupational accidents and exposures, has developed during the last 15 years. It is not as coherent and stable as the technical safety engineering community-in-practice. The focus here has been on developing knowledge about ‘traditional’ working environment factors (physical working environment factors, prevention of muscle-skeletal disorders) and on the ability to follow up requirements in projects in a systematic way. Only recently have experts on information ergonomics and man-machine interface design entered this scene.

2.5. Operational feedback

The picture of the management of safety in design is not complete without touching on how operational feedback to the design organisation is secured. Fig. 5 shows an idealised model for how this feedback is accomplished.

The model depicts both the formal and informal communication channels. Of particular interest here are the experience carriers and the arenas for experience exchange. In the Norwegian offshore industry the different communities-of-practice within safety and working environment are responsible for the development of both company and Norsok standards in their respective area. There is a constant debate within each community-in-practice on the implication for the experience carriers of operational experiences.

Fig. 4. Typical project organisation during preparation for execution phase (simplified).

The arenas for experience exchange play another role. These are arenas where structured reviews and analysis of design solutions are carried out with participation from both project and operations personnel. QRA is here an exception. This is normally outsourced to a risk analysis consultant who applies generic data and engineering practice in the analysis. Experience shows that the arenas play an instrumental role in developing goal-oriented requirements into prescriptive requirements and specific design solutions, especially in the area of human-centred design. This has to do with the arenas being a meeting place for project engineers, ergonomics experts and subject-matter experts. They offer an opportunity for transference and integration of ergonomic knowledge and operational experiences and values into the design organisation.

3. Two perspectives on the prevention of accidents by design

This paper highlights two perspectives on the prevention of accidents. The first perspective is human-centred and acknowledges the fact that the operator at the sharp end is a significant contributor to safety. The focus is here on the support given by the design of workplaces in allowing operators to function in an optimal way with respect to safe operation and handling of disturbances. The second perspective on barriers acknowledges the fact that incidents may occur. The question is here how to design barriers that intervene in the accident path to prevent, obstruct, dilute or divert an uncontrolled energy flow before it causes harm.

Fig. 5. Idealised model for operational feedback to the design organisation. Reprinted from System safety – Challenges and pitfalls of intervention, Kjellén, U., Transfer of experience from the users to design to improve safety in offshore oil and gas production, p. 218, Fig. 11.5, Copyright (Kjellén, 2002), with permission from Elsevier.

Ideally, the two perspectives are complementary and even overlapping and may well co-exist in the design process. In practice, the two perspectives have to compete for the designers’ attention. In this competition, the most engineering-like perspective is likely to get the upper hand.

3.1. Human-centred design approach

The human-centred design approach has evolved from a combination of industrial engineering, socio-technical systems and systems analysis perspectives. It focuses on the correct allocation of functions to people and systems, defining what people and systems should do and optimising interfaces between people and systems (Singleton, 1974). This approach highlights the importance to safety of controlling production and preventing and recovering disturbances.

In a human-centred design, ergonomic requirements and guidelines are applied in designing and evaluating workplaces with the view to eliminating or minimizing the potential for human errors (ISO, 1999; ISO, 2001). Human-centred design requires safety experts with the ability to integrate knowledge from the engineering and psychological sciences and to communicate and get acceptance for this knowledge in an engineering environment. Experience shows that this is not a straightforward task (Kirwan, 2002).

Human-centred design aspects normally come in rather late in the capital value process in Fig. 1. Decisions at the conceptual stage (concept selection), such as the size of the platform and sub-sea development and location of platform modules will have a bearing on the operator task demand, but this aspect is not usually considered in a systematic way at this stage.

The ‘preparation for execution’ phase is critical for many aspects of safety. In this phase, layout and process are decided at a coarse level and functional requirements are translated into more specific design solutions for many aspects of significance to safety. This phase also offers a window of opportunity for operational feedback, since it is common to organise the project in an integrated team with participation from the oil company and a contractor. Human-centred design aspects are dealt with to a varying degree in this phase. Traditionally, there has been a focus on physical working environment factors, and aspects related to task demand and human information processing have been de-emphasised. This has to do with a general lack of competence both among safety experts and general management in these areas.

During project execution, contractors and suppliers of machinery and equipment will be responsible for the detailed ergonomic design solutions. Again, experience shows that the results vary depending on the pressure to focus on ergonomics from the oil company and the authorities and the availability of safety expertise.

3.1.1. Prescriptive requirements

Ergonomic analyses and verifications take place at different levels of sophistication in connection with workplace design. Prescriptive requirements, such as the minimum width and height of access ways and minimum and maximum vertical location of controls above work surface are relatively easy to communicate and implement. It is here a question of ensuring that the affected disciplines (primarily layout and piping) have the necessary design input and that the disciplines implement them in their typical design drawings. Multi-disciplinary design review teams play an important role in checking for nonconformities. 3D CAD and virtual reality software have proven to be very helpful in such reviews. Safety experts in the teams contribute with detailed knowledge about the requirements and operations personnel with assessments of the significance of deviations.

3.1.2. Goal-oriented requirements

As we have seen in Section 2 of this paper, goal-oriented requirements must be used in combination with analyses to check whether the requirements are met or not in design. It is possible to distinguish between four different classes of goal-oriented requirements. They differ with respect to the complexity of the necessary input to the analyses and the degree of subjective judgement used in the analyses. There are:

1. Quantitative goal-oriented requirements which are straightforward to verify through engineering calculations. They include design limits for the physical working environment such as maximum area noise and illumination levels, wind-chill factor etc. Although the analysis methods may be very sophisticated and the interaction with design very complex, the implementation of these requirements falls well within the traditional engineering realm.

2. Quantitative goal-oriented requirements whose verification requires operational input on work organisation and performance. A typical example is the requirement for maximum individual noise exposure (less than 83 dBA for a 12-h work day). It is here a question of assessing the time an individual operator spends in areas and operations with varying noise levels.

3. Quantitative goal-oriented requirements where analyses to demonstrate compliance require not only operational input but also involve a large degree of subjective judgement. An example is the acceptance criterion for individual risk exposure (typically less than one fatality per 1000 years at work). Analyses will in this case require operational input on manning and job assignments for different groups of operators and input on identified hazards (e.g. from accident records) and subjective assessments of associated probabilities and consequences of accidents.

4. Qualitative requirements for ergonomic conditions defined in general terms such as, ‘reduced danger of human errors’ or ‘quickly and simply receive necessary information’. Implementation should ideally be ensured through a work process, where safety experts use analytical tools in cooperation with engineers from other disciplines and subject-matter experts (operators).
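Requirement class 2 above depends on where an operator spends the shift, not only on area noise levels. The sketch below is an added example, not part of the original paper: it assumes the 83 dBA limit is read as the A-weighted equivalent continuous level over the 12-h shift (energy averaging), and the area names, levels and durations are constructed.

```python
import math

SHIFT_HOURS = 12.0   # 12-h work day, from the requirement quoted above
LIMIT_DBA = 83.0     # individual exposure limit quoted above

# Constructed profile for one operator: (area, level in dBA, hours spent).
PROFILE = [
    ("control room", 60.0, 6.0),
    ("process area", 85.0, 4.0),
    ("compressor module", 95.0, 1.0),
    ("workshop", 70.0, 1.0),
]


def _energy(level_dba):
    """Relative sound energy for a level in dB."""
    return 10.0 ** (level_dba / 10.0)


def _check(profile, shift_hours):
    """Reject profiles that do not account for the whole shift."""
    if any(h < 0 for _, _, h in profile):
        raise ValueError("negative duration in profile")
    total = sum(h for _, _, h in profile)
    if abs(total - shift_hours) > 1e-6:
        raise ValueError(f"profile covers {total} h, expected {shift_hours} h")


def shift_leq(profile, shift_hours=SHIFT_HOURS):
    """Energy-averaged level over the shift, in dBA."""
    _check(profile, shift_hours)
    dose = sum(h * _energy(level) for _, level, h in profile)
    return 10.0 * math.log10(dose / shift_hours)


def dose_shares(profile):
    """Fraction of the shift's total sound energy received in each area."""
    total = sum(h * _energy(level) for _, level, h in profile)
    return {area: h * _energy(level) / total for area, level, h in profile}


def max_hours_in_area(profile, loud, quiet, limit_dba=LIMIT_DBA,
                      shift_hours=SHIFT_HOURS):
    """Longest stay in `loud` that keeps the shift at or below the limit when
    time is traded one-for-one against `quiet` and all other areas are fixed.
    Returns None if the limit is exceeded even with zero time in `loud`."""
    _check(profile, shift_hours)
    by_area = {area: (level, h) for area, level, h in profile}
    loud_level, loud_h = by_area[loud]
    quiet_level, quiet_h = by_area[quiet]
    if loud_level <= quiet_level:
        raise ValueError("'loud' area must be noisier than 'quiet' area")
    pool = loud_h + quiet_h
    fixed = sum(h * _energy(level) for area, level, h in profile
                if area not in (loud, quiet))
    budget = shift_hours * _energy(limit_dba) - fixed - pool * _energy(quiet_level)
    if budget < 0:
        return None
    return min(pool, budget / (_energy(loud_level) - _energy(quiet_level)))


def rebalance(profile, loud, quiet, loud_hours):
    """Copy of the profile with `loud_hours` in `loud`, remainder in `quiet`."""
    pool = sum(h for area, _, h in profile if area in (loud, quiet))
    new_hours = {loud: loud_hours, quiet: pool - loud_hours}
    return [(area, level, new_hours.get(area, h)) for area, level, h in profile]


if __name__ == "__main__":
    leq = shift_leq(PROFILE)
    print(f"Shift exposure: {leq:.1f} dBA (limit {LIMIT_DBA} dBA)")
    for area, share in dose_shares(PROFILE).items():
        print(f"  {area}: {share:.1%} of dose")
    hours = max_hours_in_area(PROFILE, "compressor module", "control room")
    print(f"Max time in compressor module: {hours * 60:.0f} min")
```

In the constructed profile one hour in the loudest area supplies most of the dose, which is why area limits alone (class 1) do not settle compliance with the individual limit.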

In a situation where implementation of safety requirements in design has cost and schedule impacts, prescriptive requirements and quantitative and ‘uncomplicated’ goal-oriented requirements are more likely to survive the scrutiny of management. Deviations in design from safety requirements have either to be corrected or accepted by the client (Oil Company) through a process called nonconformity handling. The client will likely not accept deviations that are undisputable, as for deviations from prescriptive requirements and goal-oriented requirements of type 1 above (unless they are insignificant). It might be tempting for contractors and vendors, however, to dispute deviations from ‘softer’ goal-oriented requirements, rather than making the necessary changes. It may also be tempting for contractors and vendors to carry out the required analysis at a superficial level and conclude that design is acceptable as it is. Next time, the needs of such ‘unproductive’ analyses will be questioned.

Norsok S-002 reflects a combined strategy for dealing with these types of obstacles:

• Requirements for the application of defined analysis and verification methods. The aim is to ensure the use of a transparent work process in arriving at conclusions (process requirements). The standard lists a number of methods to be applied in design including job safety analysis, ergonomic job analysis, task analysis of normal and emergency operations and psychosocial analysis (Ingstad and Bodsberg, 1989; Kjellén et al., 2002).

• Requirements that the timing of the analyses shall be defined in the project’s HSE program based on the project schedule and the needs of timely input. The standard does not prescribe a specific design process but is based on the main phases of the capital value process.

• Ensuring participation in the analysis team by experts with adequate competence.

• Participation by subject-matter experts (operations personnel) in the design process and in the analyses. This participation by operations has four aims:

– to ensure operational feedback to the design organisation;

– to ensure that the values of the future users are made visible to the design organisation;

– to ensure ownership to the design solutions among the future users; and

– to meet regulatory requirements on employee participation.

3.1.3. Central control-room design

The central control room has a critical function on offshore platforms from a safety point of view. In 1999, the Norwegian Petroleum Directorate (NPD) launched a project to improve the application of ergonomics in the design of control rooms. Through a series of audits, oil companies and contractors were made aware of the need to perform systematic ergonomic analyses and verifications. The international standard ISO 11064 and a guideline developed for NPD were used as reference documents (ISO, 2001; Norwegian Petroleum Directorate, 2003b).

ISO 11064 defines an ergonomic design process for control centres. It specifies the steps in design that at a macro-level are congruent with those shown in Fig. 2. It also specifies ergonomic design activities and analyses and verifications to be carried out in each phase of design. The NPD guidelines are based on this standard. They are intended for use as a systematic tool for the auditing of the processes used in integrating human factors in design and operation of control rooms.

Although there have been no systematic evaluations of the activities that followed, experience showed that oil companies were able to meet the authority’s expectations. It seems that a combined strategy of pressure from the authorities and immediate successes through the involvement of the oil company’s operations personnel and the hiring of qualified ergonomic experts has broken down the oil industry’s traditional scepticism about a human-centred design approach. It remains to be demonstrated, however, that these newly achieved experiences from a human-centred design of control rooms will diffuse to the design of other areas of the platforms.


3.2. Design of barriers

3.2.1. The barrier concept

The “energy barrier” perspective on accident prevention is of long standing. It has recently come into renewed focus through the publications on the defence in depth philosophy by Rasmussen and Reason (Rasmussen, 1993; Reason, 1997) and recent publications by Hollnagel (2004). About 20 years earlier, Haddon offered a systematic way of defining so-called accident-prevention strategies. It is used here to analyse the barrier philosophies applied by the Norwegian offshore industry to prevent accidents. Haddon distinguished between ten different accident prevention strategies, five of which focused on the source of harmful energy (hazard), two on the separation of the hazard from the potential victim and three on the victim (Table 1). The barrier perspective is relevant to the prevention of both major accidents (e.g. due to fires and explosions) and occupational accidents.

There is no commonly accepted definition of barriers. A barrier is here defined as a set of interrelated human, technical and/or organisational measures that accomplish a barrier function with the ability to intervene in a sequence of hazardous events in order to eliminate or reduce loss. Haddon’s 10 strategies are used to define the generic barrier functions. There are passive and active barriers. A passive barrier is an embedded barrier in the hardware of a system and is not dependent on operational control to fulfil its function in case of an accident. An active barrier, on the other hand, needs to be activated in an accident either by human actions or by a technical control system (or a combination of these) to fulfil its function. A fire and explosion wall is a typical example of a passive barrier. A sprinkler system is an example of an active barrier that is initiated automatically or manually. Fire detection and initiation of the sprinkler are part of the barrier system necessary to fulfil the purpose of the barrier.

Table 1
Haddon’s ten strategies and examples of their use (Haddon, 1970; adapted from Kjellén, 2000). Columns two to four give examples of hazards and safety measures.

| Type of strategy according to Haddon | Rotating machinery (circular saw) | Toxic materials (oil vapour and mist from drilling mud in shale-shaker) | Motor vehicle |
|---|---|---|---|
| I. Prevent build up of energy | Eliminate use of circular saw by ordering pre-cut pieces of wood | Eliminate oil in mud by using water-based mud | Avoid car driving by using e.g. tele-conferencing instead of face-to-face meetings |
| II. Modify the qualities of the energy | Using alternative cutting technique (e.g. laser beam) | Use of low-toxicity oil | Not applicable |
| III. Limit the amount of energy | Limit rotational speed | Smaller evaporation area | Speed limits |
| IV. Prevent release of energy | Design of start button that prevents accidental start | Not applicable | ABS (anti-skid system) |
| V. Modify rate and spatial distribution of energy flow | Emergency stop | General room ventilation | Cars with shock absorbing zones, safety belt, airbag |
| VI. Separate energy from victim in time or space | Automatic sawing machine | Remote control of operation from a local control room | Separate lanes for meeting traffic |
| VII. Separate by barriers | Machine guarding | Air curtain | Cars with safety cage |
| VIII. Make the victim more resistant to energy flow | Eye protection | Respirators | Helmet |
| IX. Counter development of injury | First aid | Not applicable | First aid |
| X. Rehabilitation | Same for all | Same for all | Same for all |

The term barrier is here reserved for measures with a function that intervenes in the accident sequence and stops, dilutes or diverts the uncontrolled energy flow vis-à-vis the victim. This starts with an uncontrolled build up of energy or the loss-of-control of an energy flow or the victim’s movements in relation to an energy flow. It ends when the energy flow has stopped penetrating the victim. This is a more precise and restricted use of the term barrier than found elsewhere in the literature (Hollnagel, 2004). The Norwegian Petroleum Directorate uses the term barrier to describe any measure that reduces the probability of the development of errors and that limits loss (NPD, 2001). NPD’s definition is congruent with the use of the term in the bowtie model (Fig. 6). This describes barriers on the left-hand side of the bowtie as any control measures to prevent deviations that constitute circumstances for undesired events to occur, whilst limitation of loss refers to right-hand side barriers.

The limitations of barriers as preventive or mitigation measures are critical issues that have to be considered in design. It is a concern that such limitations may be invisible during normal operation but turn out to be critical in an accident scenario, when the barrier is challenged.

There are several reasons why barriers may not be in place when needed. Seen from a design perspective, barriers may simply not have been implemented in the first place because they are considered unfeasible. It may also turn out that barriers implemented by the designers are removed by the operations organisation because they obstruct work. Barriers designed into a system but needing activation or that may be deactivated are vulnerable to erroneous decisions by the operations organisation.

Fig. 6. Bowtie and barriers. Reprinted from Safety management – the challenge of change, J.P. Visser, Developments in HSE management in oil and gas exploration and production, p. 58, Fig. 10, Copyright (Visser, 1998), with permission from Elsevier.


Barriers may also fail, partly or totally. Latent design weaknesses will not show up during normal operation but may jeopardise the barrier function in a critical situation. Barriers are subject to decay in case of insufficient inspection/testing and maintenance and may also be put out of order during such operations (Reason, 1997). Robust design against accidental loads is also a concern. The load may be physical such as fire heat or blast pressure. Finally, barriers may fail due to delayed or erratic activation by an operator due to psychological stress.

3.2.2. Prevention of fires and explosions

The Norwegian offshore industry applies a defences-in-depth philosophy in preventing fires and explosions. Fig. 7 illustrates how the risk of losses is kept at an acceptable level through the implementation of eight layers of barriers. Ideally, they are independent, but this has turned out to be difficult to achieve in practice. The Norsok S-001 technical standard is the primary source for design requirements for the barriers involved.

The Norsok S-001 standard states a set of prescriptive and goal-oriented requirements to the different barriers and specifies the use of risk analysis similar to that shown in Fig. 7. The process shutdown system, for example, aims at preventing the process enclosure from being overloaded. It must be independent of systems used for normal operation and fail-safe (prescriptive requirements). Verifications to ensure compliance involve the use of a combination of engineering tools such as design reviews, simulations and risk analysis, primarily Hazop (hazard and operability analysis). Project management rarely questions results of a Hazop that demonstrate the needs of measures to prevent hydrocarbons escaping the process enclosure. A Hazop is, however, not a panacea for avoiding errors, since it is dependent on the participants’ experiences and imagination.

Fig. 7. Applying the principles of ‘defences in depth’ in preventing fires and explosions on an offshore installation. Copyright (2000) From Prevention of Accidents through Experience Feedback by U. Kjellén. Reproduced by permission of Routledge/Taylor & Francis Group, LCC.

The same principles apply to the design of other barriers. QRA plays a critical role in the rating or dimensioning of some of the barriers, and in particular the barriers of area separation, fire and blast walls and escape and evacuation (Norsok standard Z-013, see NTS, 2001). Oil companies have defined a set of risk acceptance criteria that are used as stop rules in designing such barriers. A blast wall, for example, must be able to endure blast pressures that may occur at a frequency of once in every 10000 years or more often.
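The blast-wall stop rule above can be worked through on an exceedance curve. The following Python sketch is an added illustration, not taken from the paper or from Norsok Z-013: the scenario names, frequencies and pressures are constructed, and reading the criterion as a frequency of reaching or exceeding a pressure over a set of discrete scenarios is an assumption.

```python
"""Dimensioning blast load from an exceedance curve (added illustration).

All scenario names, frequencies and pressures are constructed sample values;
they are not data from the paper or from any real QRA.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExplosionScenario:
    name: str
    frequency_per_year: float  # annual frequency of this explosion scenario
    peak_pressure_bar: float   # blast overpressure it puts on the wall


# Constructed QRA output for one blast wall (hypothetical values).
SCENARIOS = [
    ExplosionScenario("small leak, early ignition", 2e-3, 0.1),
    ExplosionScenario("medium leak, early ignition", 3e-4, 0.4),
    ExplosionScenario("medium leak, late ignition", 6e-5, 0.7),
    ExplosionScenario("large leak, early ignition", 5e-5, 1.1),
    ExplosionScenario("large leak, late ignition", 2e-5, 1.8),
]


def exceedance_curve(scenarios) -> List[Tuple[float, float]]:
    """Return (pressure, annual frequency of reaching at least that pressure),
    ordered from the highest pressure downwards."""
    curve: List[Tuple[float, float]] = []
    cumulative = 0.0
    ordered = sorted(scenarios, key=lambda s: s.peak_pressure_bar, reverse=True)
    for s in ordered:
        if s.frequency_per_year < 0:
            raise ValueError(f"negative frequency in scenario {s.name!r}")
        cumulative += s.frequency_per_year
        if curve and curve[-1][0] == s.peak_pressure_bar:
            # Scenarios with the same pressure share one point on the curve.
            curve[-1] = (s.peak_pressure_bar, cumulative)
        else:
            curve.append((s.peak_pressure_bar, cumulative))
    return curve


def dimensioning_pressure(scenarios,
                          criterion_per_year: float = 1e-4) -> Optional[float]:
    """Highest pressure that is reached or exceeded at least
    `criterion_per_year` times a year, i.e. the load the wall must endure.
    Returns None when no load is that frequent."""
    for pressure, frequency in exceedance_curve(scenarios):
        if frequency >= criterion_per_year:
            return pressure
    return None


def residual_frequency(scenarios, wall_capacity_bar: float) -> float:
    """Annual frequency of blasts stronger than the wall can endure."""
    return sum(s.frequency_per_year for s in scenarios
               if s.peak_pressure_bar > wall_capacity_bar)


def wall_is_acceptable(scenarios, wall_capacity_bar: float,
                       criterion_per_year: float = 1e-4) -> bool:
    """Stop rule: the design is accepted once the wall capacity covers the
    dimensioning pressure for the chosen acceptance criterion."""
    required = dimensioning_pressure(scenarios, criterion_per_year)
    return required is None or wall_capacity_bar >= required


if __name__ == "__main__":
    for pressure, frequency in exceedance_curve(SCENARIOS):
        print(f"{pressure:4.1f} bar reached or exceeded {frequency:.2e} per year")
    print("dimensioning pressure:", dimensioning_pressure(SCENARIOS), "bar")
    print("residual frequency at 0.7 bar:", residual_frequency(SCENARIOS, 0.7))
```

With these constructed numbers, a wall rated just above the dimensioning pressure still leaves a residual frequency of stronger blasts that lies below the criterion; the stop rule accepts that residual rather than eliminating it.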

The implementation of barriers to prevent fires and explosions is a systematic focus in all project phases. As early as the feasibility study phase, the project has to demonstrate that the concept alternatives considered are able to meet the oil companies’ risk acceptance criteria. This is done in so-called delta analyses, where the specific conditions for this project are evaluated against known risks for standard platform alternatives (Kjellén, 1998). In the concept selection phase, barriers that are determined by global conditions on the platform are evaluated. Such conditions include structural integrity against fires and explosions, separation of safe from hazardous platform areas and degree of enclosure and congestion of hazardous areas. The project is in this phase manned with safety experts with in-depth knowledge about such aspects.

In preparation for the execution phase, basic layout and process design are evaluated with respect to barrier integrity in the QRA, Hazops, etc. The project’s safety personnel specify prescriptive requirements for the safety barriers based on these analyses. This phase is also the time to consider intrinsic safety aspects such as working pressures and inventories of hydrocarbons in the process. Since there are no specified requirements covering these aspects, the extent to which they are the subject of attention is dependent on the qualifications and experiences of systems and safety engineering personnel.

Contractors and vendors detail barrier design in detail engineering and construction. Again, the oil industry has the necessary competence and resources to meet regulatory and company requirements in this work. The Norwegian offshore industry has developed a common understanding of how to design barriers to prevent fires and explosions. There exists a community-in-practice of engineers within oil companies and contractors with a shared understanding of how to implement regulatory and industry requirements in this area (Kjellén, 2001). Although each project experiences an ongoing debate on how to interpret specific requirements and results of risk analyses, the basic philosophy and its implications for design are not challenged.

By and large, safety engineers with a human-centred focus are not members of this community-in-practice, although the applicable safety standards recognise the need for qualified ergonomics input to design. The general philosophy is to make the technical barriers more robust by minimising or excluding the influence of the operators. The exception is of course escape and evacuation and to some extent process shutdown. There is, however, a trend towards an increased understanding of how human and organisational factors affect barrier reliability and integrity, for example, in connection with inspection, testing and maintenance. The so-called MTO (man-technology-organisation)-analysis has contributed to this development. This new insight has yet to manifest itself in design with one exception. Section 3.1.3 brought up an example of how attention has been focused on ergonomics in the design of a central control room. In this work, alarm filtering was a key subject. The integrity of manually activated barriers providing process and emergency shutdown is dependent on the operator’s ability to detect critical alarms and to understand the underlying causes.


3.2.3. Prevention of occupational accidents

Traditionally, there has been no systematic application of a barrier philosophy in the prevention of occupational accidents in the Norwegian offshore industry. This situation has changed during the last ten years mainly due to the European legislation in the areas of machinery safety and prevention of risks related to chemical agents (European Council, 1998/2001; European Council, 1998). The directives in question apply a combined strategy of inherent safety and safety through barriers. There are requirements to design solutions that eliminate or reduce the risk at the source or separate the hazard from the operators. Only residual risks are allowed to be mitigated through the use of personal protective equipment or other operational measures. The directives and associated European standards rely on a combination of prescriptive and goal-oriented requirements and requirements for the use of risk assessment for implementation. It has taken a long time for the requirements in this legislation to disseminate to the Norwegian offshore industry.

Machinery safety is here used to illustrate how the Norwegian offshore industry complies with the legislation. The Norsok standard S-005 represents the oil industry’s best practice in machinery safety design (NTS, 1999). Experience from accidents showed that the assignment of responsibilities for safety of assemblies of machinery is a critical issue. This relates to the fact that the complex systems on large, integrated offshore platforms consist of many individual machines. Vendors and module contractors had a tendency to ignore their responsibility for safety in the integrated solutions and limit themselves to their own equipment and not its interfaces. The standard prescribes a work process to identify limits of individual machines and assemblies of machinery in order to define responsibilities for the safety of them. This is done during the ‘preparation for execution’ stage (Fig. 1). The results are implemented in relevant contractual documents to define responsibilities for safety of machinery on the integrated platform. The standard also prescribes the use of job safety analysis and other risk analysis methods to identify and assess accident risks during detailed design. This makes barrier implementation dependent on the participants’ subjective judgements of the probability and consequences of accidents as well as on the quality of the acceptance criteria used in evaluating the results.

3.2.4. Statistics on barrier failures

Statistics on barrier failure give an indication of how well the oil industry has been able to implement safe design solutions. Table 2 below shows the result of so-called MTO-analysis of 18 incidents from one oil company during 1999–2000 that had been subject to in-depth investigations with respect to barrier failure (Rollenhagen et al., 2001).

Although the selection of incidents is not random, the trend is clear. The implemented barriers are by and large efficient in stopping the accident path for major accident hazards. Typically, in the case of gas leaks, ignition control functions effectively and the process is shut down. In occupational accident hazards, on the other hand, luck plays a significant role in avoiding severe injury, i.e. no person was at the wrong place at the wrong time. Implications are that major accidents are effectively prevented through the use of a combination of several independent barriers. International experience shows that major accidents may occur due to a unique combination of barrier failures. These involve latent errors in design, where barriers have eroded or been deactivated or the barriers have not been robust enough against accidental loads. Further improvements in the safety level may be achieved in design through a focus on the threats against barrier integrity.


The analysis shows that there is a shortage of barriers to prevent ordinary occupational accidents. The barriers are few and typically dependent on the operators at the sharp end to function effectively. There could be considerable improvement potential in implementing layers of independent barriers equal to that in the area of major accident prevention.

3.3. Safety and economy

Whereas a human centred design approach may be accomplished with marginal added capital expenditures, provided that it is implemented in a timely way, there are significant expenditures involved in implementing an adequate barrier philosophy in design. Passive protection such as safe distances and fire and blast walls will add to a platform’s size and weight. The costs are largely proportional to this addition and may be in the order of magnitude of 5% of the total topside cost. Active barrier systems involving fire and gas detectors, emergency shut down and pressure relief systems will also add to the capital expenditures. On top of this come the increased yearly operational expenditures and decreased revenues due to maintenance of barrier systems, training of personnel, spurious trips etc.

On the Norwegian continental shelf, the oil companies’ priorities regarding safety measures have largely been regulatory driven. There are regulations that require companies to implement a defence-in-depth philosophy consisting of multiple layers of barriers in accordance with Fig. 7 to prevent major accidents. The added costs will largely be covered by reduced taxes.

It is interesting to note that under another regulatory regime such as the one in the US Gulf of Mexico, where it is largely up to the operator to define the necessary level of protection and to pay for this through increased capital and operational expenditures, safety against major accidents is often based to a lesser degree on the implementation of barriers. Instead, operators may rely on the operations’ organisation to avoid disturbances that may escalate into major accidents.

Table 2
The role of barriers in disrupting the accident path

Columns: Type of event; Number of incidents; Accident path interrupted by barrier; No person in ‘hit area’ of energy flow; Injury

Major accident hazard
Gas leak 2 2
Oil leak 1 1
Ignited gas 1 1
Fire 3 3
Structural failure 1 1
Total 8 7 1

Occupational accident hazard
Falling object 7 7
Flying object 1 1
Uncontrolled movement of crane load 1 1
Fall to low level 1 1
Total 10 0 9 1


4. Discussion

4.1. The balance between the human centred and barrier perspectives

Statistics show that the implementation of safety as an add-on characteristic in offshore platform design (i.e. through the implementation of barriers) has been an avenue of success, especially in the field of fire and explosion prevention. Barrier design is specific and concrete and fits into the engineering work-processes used in projects. Systems optimisation through application of an integrated human-centred design has proved more difficult to achieve. This is due to the fact that many of the requirements for a human-centred design are goal-oriented and thus subject to analyses and evaluations during implementation. Their implementation also requires a rarely available understanding within the engineering organisation of the complex interactions between technical systems and human operators.

The strong position of the barrier perspective in the Norwegian offshore industry becomes obvious in those circumstances where there are conflicts between the design solutions preferred when applying this perspective and those preferred from a human-centred one. A much-discussed example is the (barrier perspective based) requirement to have open process areas with good natural ventilation to dilute leaking gas, with good explosion venting. The aim is here to reduce the risk of explosion; i.e. a rare but high-consequence event. Open process areas will also result in windy conditions at the workplaces in these areas and the human-centred requirement for a limited maximum wind-chill effect will frequently be exceeded. In such a conflict between design solutions preferred from a human-centred and barrier perspective respectively, the design organisation often chooses an open process area solution and it is transferred to the operations organisation to provide for temporary local protection of operators during maintenance. It has not been possible to quantify the effects of reduced wind-chill on barrier availability through improved operation and maintenance. In the absence of this type of argument, it has not been possible to tilt the decisions in favour of more human-centred design solutions.

The Norwegian offshore industry has experienced an authority-driven trend to put more emphasis on the human-centred design approach. Experience shows that it is possible to accomplish significant progress in this area, provided that there is adequate management support and access to the required expertise. Will it, as a consequence, be possible to reduce investments in barriers, provided that the production systems are more intrinsically safe and that the operators become better at operating faultlessly and correcting disturbances before they escalate? In contrast to what is found in other countries, the Norwegian offshore industry has been reluctant to try to make such optimisation. The QRA methods in current use will not be able to demonstrate that a human-centred design approach will contribute to a lower risk of major accidents. They are based on generic failure data with a too low resolution to make it possible to distinguish between designs with good human-factors solutions and those with inadequate solutions. Further, the authority climate in Norway will likely not tolerate a decrease in the built-in barrier integrity.

4.2. Needs of special expertise on safety in the design organisation

It goes without saying that the Norwegian offshore industry is dependent on special safety engineering expertise in its quest for safe design solutions. The Norwegian legislation is also clear that oil companies must be able to marshal their own safety expertise to be able to make independent evaluations of the safety of design. The need for good fire-and-explosion prevention has been central in the development of safety specialists. We now see that this emphasis on specialist knowledge has spread to other areas of safety. This does not mean that other project disciplines may be ignorant about safety requirements and methods. The safety related competence of engineers from such disciplines as process, instrument, layout, mechanical and structural design is instrumental in the accomplishment of a safe design. In a project setting, it is the safety expert’s task to maintain a multi-disciplinary safety perspective and to cooperate with the other disciplines in interpreting the safety requirements and in finding adequate design solutions across the disciplines. The responsibility to maintain a safety perspective in evaluating the total platform design also rests with the safety experts.

Experience shows that safety experts are needed not only because they maintain a safety perspective but also because they represent a unique combination of knowledge. For safety experts with a systems perspective (as opposed to safety engineers responsible, for example, for specific safety systems or implementation of prescriptive human-centred design requirements), the required expertise and knowledge ranges from basic science (physics, psychology, medicine, etc.) within their area of profession, to in-depth knowledge and experience of safety requirements, of analytical methods and tools and of production systems for oil and gas. Many safety experts use a life-long career in maintaining and developing their expertise, indicating the complexity and the challenging nature of the subject matter.

Systems safety experts involved in human-centred design need knowledge both from the technical and the human sciences. They have to be able to understand how technology and design shape the provisions for an optimal mental and physical work performance, for the ability to control one’s own work situation and for social relations at the workplace. Systems safety engineers involved in the design of barriers against fires and explosions need an understanding of the physics behind potential accident scenarios and need in-depth knowledge about requirements for individual barriers and systems of barriers. They also need knowledge about the methods of risk analysis used in barrier design. Recently, the community-in-practice of safety engineers has been challenged to improve their understanding of how barriers degrade or disintegrate during operations and that operational aspects such as inspection, testing and maintenance of barriers have to be taken into account in design.

Systems safety experts usually have a university degree. They have typically worked as a technical safety expert at an earlier stage of their career and have the necessary theoretical background and capabilities to be able to analyse complex issues. It is not common, however, to find systems safety experts that master both the human-centred and the barrier design perspectives.

The development of the different communities-of-practice of safety experts has been demand-driven. Changes in regulations and in the industrial standards on safety have defined requirements within new areas of safety and have, as a consequence, generated new positions in the project organisations and new labour-market opportunities. Newly graduated engineers, as well as experienced engineers, have filled these positions and have, within a few years, developed an in-depth knowledge and understanding of how to work with these new aspects of safety in projects. This also means that the communities-of-practice are vulnerable to shifting trends.


4.3. Organisation of the safety experts

The question of whether to integrate safety experts into the ordinary design organisation or to organise them in a separate safety function has to do with the role of this expertise, i.e. advisor or “police”. The answer is usually that both are needed, and this is indeed how offshore projects are organised with two separate safety positions in the organisation. The integrated safety engineering position is instrumental in the design of safety systems as well as in the implementation of systems safety in design. The HSE manager, on the other hand, has to lay down the philosophies and premises and ensure that all aspects of safety, health and environment are taken care of for the total development concept. QRA is here an important tool. He or she must maintain an independent position in relationship to the implementation of safety in design in order to take on the auditing and verification functions. This is a challenging position for a safety expert who is often recruited from the safety engineering ranks and is used to involvement in discussions on detailed design solutions of barriers.

Although the arenas for experience exchange on safety issues, i.e. the risk analysis and review teams, are not visible on a project’s organisational chart, they constitute an important ad-hoc part of a project’s organisation. The duty of these teams is to analyse and review design by providing a unique combination of knowledge and values. Experience shows that the teams are instrumental in pursuing goal-oriented safety design requirements that are not readily implemented through the ordinary engineering work processes.

5. Conclusions

To stay in business, oil companies in Norway have to master the production of oil and gas within a small and often confined space on offshore platforms. Industry has solved this task by investing in barriers to prevent process disturbances from escalation into major fires or explosions. These barriers come in addition to the minimum platform design required for production. Adequate barrier design has been achieved through the implementation of a combination of specific and goal-oriented requirements to design and the use of quantitative risk analysis as a design tool. As a result of about 35 years of investments in oil production in Norway, a specific community-in-practice of technical safety experts has evolved with in-depth knowledge about fire and explosion barriers.

At a later stage, a human-centred design approach developed in steps based on the same basic management principles used in the design of barriers. The first step involved the development and implementation of solutions to provide for an adequate physical working environment. Only recently has system optimisation, taking into account the whole range of human characteristics and limitations, become an issue. The authorities and the users (oil companies’ operations personnel) have played a vital role in coaching this development.

Acknowledgements

The author is grateful to Adam Balfour, Human Factors Solutions, Jan Pappas and Arne Tiltnes, Norsk Hydro, and Terje Salbo, Statoil, for comments on an earlier version of the paper.


References

BSI, 1996. British Standard 7000:4. Design management systems. Guide to managing design in construction. British Standard Institute, London.

European Council, 1998. The Protection of the Health and Safety of Workers from the Risks Related to Chemical Agents at Work. Council Directive 98/24/EC, Brussels.

European Council, 1998/2001. Machinery. Council Directives 98/37/EC, 98/79/EC and 2001/14/EC, Brussels.

Haddon, W., 1970. On the escape of tigers: An ecologic note. Technology Review 12 (7).

Hollnagel, E., 2004. Barriers and accident prevention. Ashgate Publishing Limited, Aldershot.

Ingstad, O., Bodsberg, L., 1989. CRIOP: A scenario-method for evaluation of the offshore control centre. SINTEF, Report No. STF75 A89028, Trondheim.

ISO, 1999. Human-centred design processes for interactive systems. International standard ISO 13407. International Organisation for Standardisation, Geneva.

ISO, 2000. Quality Management System Requirements. International standard EN ISO 9001:2000. International Organisation for Standardisation, Geneva.

ISO, 2001. Ergonomic design of control centres. International standard ISO 11064:1. International Organisation for Standardisation, Geneva.

Kirwan, B., 2002. Soft systems, hard lessons – strategies and tactical approaches for the integration of Human factors into industrial organisations. In: Wilpert, B., Fahlbruch, B. (Eds.), System Safety – Challenges and Pitfalls of Intervention. Pergamon, Amsterdam.

Kjellén, U., 1998. Adapting the application of risk analysis in offshore platform design to new framework conditions. Reliability Engineering and System Safety 60, 143–151.

Kjellén, U., 2000. Prevention of accidents through experience feedback. Taylor & Francis, London.

Kjellén, U., 2001. Development of Professional Networks and a Best Practice Database to Improve Knowledge Sharing and Learning in an Organization of Safety, Health and Environmental Engineers. Paper presented at the 19th International Workshop “New Technologies and Work”, Bad Homburg, Germany, May 31–June 2, 2001.

Kjellén, U., 2002. Transfer of operational experiences to the project organisation. In: Wilpert, B., Fahlbruch, B. (Eds.), System Safety – Challenges and Pitfalls of Intervention. Pergamon, Amsterdam.

Kjellén, U., Gillberg, M., Jeding, K., 2002. Demand-resource analysis, a method for assessment of the working environment at the planning stage. Paper presented at the SPE International conference on health, safety and environment in oil and gas exploration and production, Kuala Lumpur, Malaysia, 20–22 March 2002.

NPD, 2001. The Management Regulations (Styringsforskriften). Norwegian Petroleum Directorate, Stavanger.NPD, 2003a. Utvikling i risikonivå - norsk sokkel. Fase 3, hovedrapport 2002 (Development of the risk level on

the Norwegian Continental Shelf – Phase 3, Main report 2002). Norwegian Petroleum Directorate, Report no.ODS-03-07, Stavanger.

NPD, 2003b. Human Factors i kontrollrom (Human Factors in the Control Room). Norwegian Petroleum Direc-torate, Stavanger.

NTS, 1997. Working Environment. Norsk Teknisk Standardisering, Norsok standard S-002, Oslo.NTS, 1999. Machinery- working environment analyses and documentation. Norsk Teknisk Standardisering,

Norsok standard S-005, Oslo.NTS, 2000. Technical Safety. Norsk Teknisk Standardisering, Norsok standard S-001, Oslo.NTS, 2001. Risk and emergency preparedness analysis. Norsk Teknisk Standardisering, Norsok standard Z-013,

Oslo.Rasmussen, J., 1993. Learning from experience? How? Some research issues in industrial risk management. In:

Wilpert, B., Qvale, T. (Eds.), Reliability and Safety in Hazardous Work Systems. Lawrence Erlbaum Associ-ates, Hove, East Sussex.

Reason, J., 1997. Managing the Risks of Organizational Accidents. Ashgate, Hampshire.Rollenhagen, C., Evenéus, P., Eriksson, M., 2001. An Evaluation of 20 OVshore Events: Implications for Safety

Management. SwedPower, Stockholm.Singleton, T., 1974. Man-Machine Systems. Penguin, London.Visser, J.P., 1998. Developments in HSE management in oil and gas exploration and production. In: Hale, A.,

Baram, M. (Eds.), Safety Management – The Challenge of Change. Pergamon, Oxford.