DNV-OS-E402 Topside Facilities: Process Safety
DNV-OS-E402 covers hazardous area classification, HVAC pressurisation, gas detection thresholds, ESD levels
DNV-OS-E402 governs the design of topside facilities on offshore installations — the process, utility, and safety systems above the hull or jacket structure. It covers the layout principles, hazardous area classification, HVAC and pressurisation, fire and gas detection, and electrical system design that together protect personnel and asset integrity on FPSOs, semi-submersibles, jack-ups, and fixed platforms.
OS-E402 sits within the DNV offshore safety framework alongside DNV-OS-A101 (safety principles), DNV-OS-D101 (marine and machinery systems), and DNV-RP-A203 (risk management). The ALARP risk acceptance criteria established in OS-A101/RP-A203 drive the topside layout and hazardous area classification decisions governed by OS-E402.
1. Scope and Facility Types
DNV-OS-E402 applies to topside facilities on:
- Production platforms (fixed jacket, GBS, TLP, FPSO, FLNG, FSO)
- Drilling units (semi-submersible, jack-up, drillship) — the drilling-specific process equipment
- Accommodation vessels with process or utility facilities
- Offshore wind service vessels with significant electrical generation infrastructure
The standard covers topside systems including:
- Oil and gas processing train (separators, compressors, pumps, export metering)
- Utility systems (power generation, seawater lift, cooling water, instrument air)
- Safety systems (ESD, F&G detection, deluge, blowdown, emergency power)
- Accommodation and HVAC where integrated with process areas
- Flare and relief systems
2. Layout Principles and Area Separation
Topside layout is the most cost-effective risk-reduction measure available — separating ignition sources from hydrocarbon inventories before design is frozen is far cheaper than adding barriers after layout is fixed. DNV-OS-E402 requires the layout to be informed by the QRA (per DNV-RP-A203) at FEED stage.
Area Classification Zones
| Area | Characteristics | Design Requirement |
|---|---|---|
| Open process area | Naturally ventilated; hydrocarbon-containing equipment; potential leak sources | No ignition sources within specified exclusion distance from potential release points; F&G detectors zoned for open-area gas accumulation |
| Enclosed process module | Partially or fully enclosed; active HVAC forced ventilation required | HVAC supply ≥ 12 air changes/hour; continuous F&G monitoring; ESD-activated HVAC shutdown if gas detected |
| Safe area (non-hazardous) | Accommodation, control room, auxiliary equipment rooms — no routine hydrocarbon presence | Pressurised relative to process areas; supply air taken from safe location; fire/smoke detection in all rooms |
| Temporary refuge (TR) | Muster station providing protection for 1 hour post-major accident event | Blast-rated structure; self-contained atmosphere; communication and mustering systems; HVAC isolation on alarm |
Separation Distances
OS-E402 does not prescribe fixed separation distances (those are derived from the QRA gas dispersion and explosion analysis), but it requires that the layout demonstrate:
- The control room and TR are outside the 10⁻⁴ per year ignition probability contour for major HC releases
- Ignition sources (electrical equipment, hot surfaces, engines) are separated from flammable vent exits and pressure safety valve outlets by at least the dispersion distance for the worst credible release scenario
- At least two escape routes from each process deck to lifeboat stations, with routes on opposite sides of the facility
3. Hazardous Area Classification
Hazardous area classification identifies zones where flammable gas/vapour may be present and restricts the electrical and non-electrical equipment that can be installed there. DNV-OS-E402 references IEC 60079-10-1 (gas) and IEC 60079-10-2 (dust) for the classification methodology.
| Zone | Definition (IEC 60079-10-1) | Typical Offshore Locations |
|---|---|---|
| Zone 0 | Explosive atmosphere present continuously or for long periods | Interior of process vessels, tanks, piping above flash point fluid |
| Zone 1 | Explosive atmosphere likely to occur in normal operation | Within 1–3 m of flanges, pump seals, valve stems; enclosed process modules; compressor areas; within 3 m of wellheads |
| Zone 2 | Explosive atmosphere unlikely in normal operation; may occur in abnormal conditions | Beyond Zone 1 up to ~6 m of major equipment; below-deck spaces near HC equipment; transformer rooms with HC piping penetrations |
| Safe (non-hazardous) | No significant probability of explosive atmosphere | Accommodation, control room (pressurised), electrical room (pressurised), helideck (with exceptions) |
4. HVAC and Pressurisation Levels
HVAC on offshore topsides serves a dual purpose: thermal comfort for personnel, and maintaining safe (non-hazardous) conditions in enclosed areas. OS-E402 defines three pressurisation strategies:
| Strategy | Pressure differential | Air changes | Where used |
|---|---|---|---|
| Simple ventilation | No positive pressure — neutral or slight negative relative to exterior | ≥ 8 ACH for enclosed equipment rooms; ≥ 12 ACH for enclosed process modules | Enclosed process modules, battery rooms, non-pressurised aux rooms |
| Dilution ventilation | Slight positive pressure (typically 20–50 Pa above adjacent hazardous area) | ≥ 10 ACH; continuous monitoring of supply air quality | Motor control rooms, instrument rooms, control rooms in Zone 2 environment |
| Pressurised (safe) enclosure | Continuous positive pressure ≥ 50 Pa; alarm on pressure loss > 15 s | ≥ 10 ACH; air supply from safe location (≥ 6 m from any Zone 1 source) | Control rooms, accommodation modules, TR — all in Zone 1/2 environments |
HVAC Supply Air Intake Requirements
- Safe-area intakes must be located upwind of the process area, at a safe distance from flare stacks, vent outlets, and Zone 1 areas
- Two independent supply fans required for TR and control room (duty/standby); automatic changeover on primary fan failure
- HVAC system must be capable of automatic isolation (ESD activation) when gas detected in supply air
- CO₂/CO detectors required on accommodation supply air intakes where diesel engines exhaust is present
5. Fire and Gas Detection
Fire and gas detection on offshore topsides is a Safety Critical Element (SCE) per DNV-OS-A101 and is subject to barrier performance standards. OS-E402 provides the system design requirements:
Gas Detection Coverage
| Detector Type | Principle | Application | Key limitation |
|---|---|---|---|
| Point IR gas detector | Infrared absorption at hydrocarbon wavelength | Enclosed spaces, around major equipment — primary detector in enclosed process modules | Point measurement only; misses cloud if not in path |
| Open-path IR detector | Line-of-sight beam attenuation by gas cloud | Open process deck; wellhead areas; compressor halls — monitors horizontal cross-sections | Fails in rain/fog; requires clear line of sight |
| Catalytic bead (pellistor) | Catalytic oxidation of flammable gas | Confined spaces, enclosed areas — cheap, proven | Can be poisoned by silicones, sulphur compounds; fails in O₂-depleted atmosphere |
| Ultrasonic gas leak detector | Acoustic emission from high-pressure gas jets | High-pressure equipment in noisy environments; detects jet release before gas accumulates | Only detects pressurised releases; no sensitivity to low-velocity vapour emissions |
Detection Thresholds and Actions
- Low alarm (typically 20% LEL): alert to control room; increase ventilation; restrict hot work; investigate
- High alarm (typically 60% LEL): ESD Level 2 initiation — shut-in production, depressure if required, activate deluge in affected zone, isolate ignition sources
- Fire detection (smoke, heat, or flame): ESD Level 3 — full platform shutdown, evacuation alarm, activate fixed suppression
- Voting logic: 2-out-of-3 gas detector voting recommended for ESD to avoid spurious shutdown; 1-out-of-2 acceptable for non-critical zones
6. Electrical Equipment Selection (ATEX/IECEx)
All electrical equipment in classified areas must carry appropriate certification. DNV-OS-E402 requires compliance with IEC 60079 series; for equipment on the European market, ATEX Directive 2014/34/EU certification is also required.
| Zone | Required Equipment Category (ATEX/IECEx) | Common Protection Methods |
|---|---|---|
| Zone 0 | Category 1G (Group II, Temperature class T1–T6) | Ex ia (intrinsic safety level 'a'), Ex ma (encapsulation) |
| Zone 1 | Category 1G or 2G | Ex d (flameproof), Ex e (increased safety), Ex ib (intrinsic safety level 'b'), Ex p (pressurised), Ex n (non-sparking — Zone 2 only but widely used) |
| Zone 2 | Category 1G, 2G, or 3G | Ex nA (non-sparking), Ex nR (restricted breathing), Ex p, Ex e, Ex d |
Earthing and Bonding
- All metallic process equipment in classified areas shall be earthed and bonded to prevent electrostatic discharge — a potential ignition source in Zone 1/2
- Cathodic protection current interference with offshore earthing requires coordinated earthing design (typically isolated from the CP system)
- Intrinsically safe instrument loops require a separate earthing bar with isolation barrier verified by the system designer
7. Process Safety Systems
OS-E402 requires that process safety systems (ESD, high-integrity pressure protection systems, blowdown) be designed as safety instrumented systems (SIS) per IEC 61511, with SIL verification where required by the SIL assessment.
Emergency Shutdown (ESD) Levels
- ESD Level 0 (manual, total shutdown): from dedicated pushbuttons at muster stations; full shutdown of all production and utilities; activates all deluge and blowdown
- ESD Level 1 (process shutdown): shut-in of all wells and export; isolate production equipment from utility systems; flare routing; does not shut down power generation
- ESD Level 2 (area shutdown): isolate and depressurise the affected process module; maintain other modules in operation if safe
- ESD Level 3 (unit shutdown): individual equipment shutdown (e.g. single compressor); fault-tolerant, does not cascade
Blowdown and Depressurisation
Where a major HC inventory cannot be allowed to burn, rapid depressurisation via the blowdown valve to flare reduces the gas mass available for an explosion or prolonged fire. DNV-OS-E402 (and OS-A101) requires:
- Blowdown rate: reduce pressure from 100% SITP to 50% SITP in ≤ 15 minutes for most segments (major segments with large inventory may use ≤ 30 minutes)
- Minimum heat flux to structure assessed for fire duration after blowdown (passive fire protection dimensioning)
- All blowdown valves to be fail-open (spring-open) and ESD-activated
8. Common Pitfalls
- Classifying the control room as Zone 2 rather than safe area because it has instrument connections to process — a properly pressurised control room with safe-area air supply is a safe area; Zone 2 classification requires Ex-rated equipment unnecessarily and increases capital and maintenance cost
- Installing only point gas detectors in open process areas — point detectors have very limited coverage on open deck; open-path detectors across the likely gas cloud path are required for adequate coverage
- Voting logic 1-out-of-1 for ESD-Level-2 (area shutdown) activation — a single failed detector can trigger spurious platform shutdown; 2-out-of-3 voting for ESD-Level-2 reduces spurious trips without compromising safety response time
- Taking HVAC supply air from the leeward side of the process module — HVAC supply intakes must be on the safe side of the facility regardless of the prevailing wind direction; use a rose analysis covering all wind directions
- Designing HVAC systems without documenting the source of the safe-area classification for each intake — if a Zone 1 area expands during detailed design, the impact on HVAC safe-area intake locations must be re-evaluated; undocumented assumptions create gaps at HAZOP
- Treating the flare as always-safe to use for venting during emergency — flare tip failures or flare line liquid slugs can cause flashback or ground-level flame; verify flare hydraulics for emergency blowdown scenarios
- Involving the HVAC, F&G, and hazardous area teams in the HAZOP — most HVAC/F&G gaps are discovered in HAZOP when process deviations (e.g. high gas flow to atmosphere via PSV) are traced to their ignition-source consequences; having these specialists in the room catches interface gaps that multi-discipline coordination reviews miss
- Using the ATEX/IECEx equipment list as a living document during construction — re-issuing the classified equipment list at each design milestone (FEED → detailed design → construction) catches late-stage changes that place non-Ex equipment in classified areas
Query DNV-OS-E402 in Leide
Ask about hazardous area classification, HVAC pressurisation requirements, gas detector voting logic, ESD levels, or blowdown rates — Leide's AI has deep expertise in topside facility design requirements.
More from the Leide blog
- 30 April 2026Welcome to the Leide blog
Engineering articles on DNV, NORSOK, EN, and ISO standards — written for offshore and marine engineers.
- 15 April 2026Bolt Torque Calculator: K-Factor, VDI 2230, and Hydraulic Tensioning
Free bolt torque calculator with VDI 2230 systematic method, K-factor torque, hydraulic tensioning, ASME B16.5 flange presets, and gasket checks. 32 bolt sizes, 15 material grades.
- 15 April 2026Weld Sizing Calculator: Directional Method, Simplified Method, and Weld Group Analysis for Offshore Steel
Free weld sizing calculator for fillet, butt, and partial penetration welds. EN 1993-1-8 directional method, AWS D1.1 strength, weld group analysis, and electrode matching.