System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.

| Standard | Title |
|---|---|
| EN 13565-1 | — |
| EN 60079-29-1 | — |
| IEC 60268-16 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61511 | Functional safety — Safety instrumented systems for the process industry sector |
| ISO 7731 | — |
| NFPA 15 | — |

| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| LOPA | Layer of Protection Analysis |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |

```mermaid
flowchart TB
    n0["system<br>Offshore Oil Platform Safety System"]
    n1["actor<br>Platform Operators"]
    n2["actor<br>Process Control System (DCS)"]
    n3["actor<br>Shore Emergency Coordination Centre"]
    n4["actor<br>Regulatory Authority"]
    n5["actor<br>Wellhead / Process Equipment"]
    n0 -->|Alarms, PA/GA, Evacuation Status| n1
    n1 -->|Manual Override, Acknowledgement| n0
    n2 -->|Process Data, Trip Setpoints| n0
    n0 -->|Shutdown Commands, Valve States| n2
    n0 -->|Emergency Notifications, Status Reports| n3
    n4 -->|Safety Regulations, Audit Requirements| n0
    n5 -->|Process Variables, Well Status| n0
    n0 -->|ESD Commands, BOP Activation| n5
```

Offshore Oil Platform Safety System — Context

```mermaid
flowchart TB
    n0["system<br>Offshore Oil Platform Safety System"]
    n1["subsystem<br>Fire and Gas Detection System"]
    n2["subsystem<br>Emergency Shutdown System"]
    n3["subsystem<br>Process Safety System"]
    n4["subsystem<br>Fire Protection System"]
    n5["subsystem<br>Blowout Prevention System"]
    n6["subsystem<br>HVAC Safety System"]
    n7["subsystem<br>Public Address and General Alarm System"]
    n8["subsystem<br>Emergency Evacuation System"]
    n1 -->|Confirmed Hazard Alarms| n2
    n1 -->|Fire Confirmed Signal| n4
    n2 -->|Process Shutdown Trigger| n3
    n2 -->|HVAC Isolation Commands| n6
    n2 -->|Well Shutdown Command| n5
    n2 -->|Alarm Activation Signal| n7
    n7 -->|Muster and Abandon Commands| n8
    n3 -->|Trip Escalation| n2
```

Offshore Oil Platform Safety System — Decomposition

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The Offshore Oil Platform Safety System SHALL detect and respond to all credible major accident hazards — including hydrocarbon release, fire, toxic gas exposure, and well blowout — in sufficient time to prevent escalation to a platform-level emergency. Rationale: The duty holder has a legal obligation under the Safety Case Regulations to demonstrate that major accident hazard risks are reduced to ALARP. The safety system is the primary engineered barrier between a process upset and a catastrophic event. Without timely detection and response, minor releases escalate to fires, explosions, and potential loss of life. | Test | stakeholder, session-324 |
| STK-REQ-002 | The Offshore Oil Platform Safety System SHALL enable the safe evacuation of all personnel from the platform within the time-to-untenable-conditions established by the Safety Case quantified risk assessment. Rationale: Offshore Installation Managers and platform operators need confidence that in any credible emergency scenario, the safety system provides sufficient warning, communication, and evacuation support to get all personnel off the installation before conditions become unsurvivable. This is the overriding stakeholder concern — every other safety function exists to buy time for evacuation. | Demonstration | stakeholder, session-324 |
| STK-REQ-003 | The Offshore Oil Platform Safety System SHALL comply with IEC 61511 for safety instrumented systems and IEC 61508 for safety-related hardware and software, achieving the Safety Integrity Levels specified in the Safety Requirements Specification for each safety instrumented function. Rationale: The regulatory authority (HSE in UK, BSEE in US) requires formal demonstration that safety instrumented systems meet recognised functional safety standards. Non-compliance risks enforcement action including prohibition notices that halt production. IEC 61511 is the process-sector implementation of IEC 61508 and is the universally accepted basis for SIS design in oil and gas. | Inspection | stakeholder, session-324 |
| STK-REQ-004 | The Offshore Oil Platform Safety System SHALL achieve a spurious trip rate of no more than one per year per safety function on average, to prevent unnecessary production shutdowns while maintaining required safety integrity. Rationale: Platform operators and the duty holder need the safety system to be dependable in both directions: it must trip when needed (safety integrity) and not trip when not needed (availability). Each spurious platform shutdown costs approximately USD 1-5 million in lost production and restart costs. Excessive spurious trips also degrade operator confidence, increasing the risk of alarm overrides. The one-per-year target balances safety and operational economics per industry practice. | Analysis | stakeholder, session-324 |
| STK-REQ-005 | The Offshore Oil Platform Safety System SHALL support online proof testing and partial-stroke testing of safety instrumented functions without requiring process shutdown or degradation of the protected function below SIL 1. Rationale: Maintenance technicians on offshore platforms operate under severe logistical constraints — helicopter access, limited crew size, compressed maintenance windows during turnarounds. If proof testing requires a process shutdown, it either doesn't get done (degrading safety integrity over time) or requires costly production outages. Online testing capability is essential to maintain target SIL throughout the proof test interval. | Demonstration | stakeholder, session-324 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The Fire and Gas Detection System SHALL confirm a hydrocarbon gas release at or above 20% LEL within 10 seconds of gas reaching any detector in the affected zone, using 2ooN voting logic to eliminate single-detector false alarms. Rationale: The 10-second detection confirmation window derives from the overall escalation timeline analysis: a typical high-pressure gas release reaches flammable cloud dimensions within 30-60 seconds. Combined with the <1s ESD actuation requirement, a 10s detection window leaves approximately 20-50s margin before ignition probability becomes significant. The 20% LEL threshold is the industry-standard alarm setpoint per EN 60079-29-1, providing early warning before reaching the 60% LEL high-alarm trip threshold. | Test | system, detection, session-324 |
| SYS-REQ-002 | The Emergency Shutdown System SHALL actuate all designated final elements for an ESD Level 1 (total platform shutdown) within 1 second of receiving a confirmed hazard input, including closure of all ESD valves, isolation of ignition sources, and initiation of process depressurisation. Rationale: The 1-second actuation budget is allocated from the overall safety system response time target. Logic solver scan time (100ms) plus solenoid valve response (200ms) plus ESD valve stroke time (remaining budget) must fit within 1s. This is achievable with TMR logic solvers and spring-return fail-close actuators. Exceeding 1s delays isolation of the hydrocarbon source, allowing the flammable inventory to grow and increasing the probability and severity of ignition. | Test | system, esd, session-324 |
| SYS-REQ-003 | The Emergency Shutdown System SHALL achieve SIL 3 for all ESD Level 1 safety instrumented functions, with a probability of failure on demand (PFDavg) no greater than 1x10^-3 over a 12-month proof test interval. Rationale: SIL 3 allocation for ESD Level 1 functions derives from the LOPA (Layer of Protection Analysis) performed during the Safety Case. An ESD Level 1 failure leaves the platform with no automated means of isolating the entire hydrocarbon inventory during a confirmed major hazard. The 1x10^-3 PFDavg is the upper boundary of SIL 3 per IEC 61511 Table 4, and the 12-month proof test interval reflects the typical offshore maintenance cycle (annual turnaround). | Analysis | system, safety, session-324 |
| SYS-REQ-004 | The Public Address and General Alarm System SHALL deliver an audible alarm exceeding 65 dBA above ambient noise level in all occupied platform areas within 2 seconds of ESD activation, and provide intelligible voice announcements with a Speech Transmission Index of at least 0.5 in all muster areas. Rationale: The 2-second activation time ensures the PA/GA alert reaches personnel before the physical effects of the hazard (gas migration, radiant heat). The 65 dBA above ambient threshold is the minimum per ISO 7731 to ensure alarm audibility in process areas with ambient levels of 85-95 dBA. STI >= 0.5 (the 'fair' intelligibility threshold per IEC 60268-16) is necessary for personnel to understand verbal evacuation instructions above background noise — lower STI means personnel cannot distinguish muster commands from abandon commands. | Test | system, alarm, session-324 |
| SYS-REQ-005 | The Emergency Shutdown System SHALL achieve a mean time between spurious trips of at least 8760 hours (one year) for each ESD Level 1 safety function, demonstrated by SIL verification calculation using actual failure rate data. Rationale: Directly derived from the stakeholder one-per-year spurious trip target. The 8760-hour MTBST maps to this target for continuous-demand assessment. Achieving this with SIL 3 integrity requires careful architectural design — TMR voting (2oo3) in the logic solver, redundant sensors with voting, and diagnostic coverage to distinguish dangerous failures from safe failures. Without this target, the system would be over-conservative and economically unviable. | Analysis | system, availability, session-324 |
| SYS-REQ-006 | The Fire Protection System SHALL deliver a minimum water application rate of 10.2 L/min/m2 to the design fire area within 30 seconds of deluge valve activation, sustained for a minimum of 4 hours from the firewater storage reservoir without external water supply. Rationale: The 10.2 L/min/m2 rate derives from NFPA 15 / EN 13565-1 for hydrocarbon pool fire suppression on offshore platforms. The 30-second delivery time accounts for deluge valve opening (5s), ring main pressurisation (10s), and system charge time (15s). The 4-hour endurance derives from the worst-case fire scenario duration identified in the Quantitative Risk Assessment, accounting for the time to depressurise and isolate all hydrocarbon inventories plus a safety margin. | Test | system, fire-protection, session-324 |
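
As an added worked example (not code from the generated report or from the UHT project), the following Python script implements the 2ooN zone voting that SYS-REQ-001 relies on and the PFDavg / spurious-trip arithmetic behind the SIL 3 and 8760-hour MTBST targets in SYS-REQ-003 and SYS-REQ-005, then checks a few architectures against those targets. The closed-form formulas are the simplified IEC 61508-6 approximations (assumed: no common-cause term, no repair-time term in PFDavg); the per-channel failure rates, the 8-hour MTTR and the detector readings are constructed inputs, and the degrade-to-1oo1 behaviour on detector fault is an assumed design policy rather than anything the report specifies.

```python
"""Zone voting and SIL / spurious-trip arithmetic for the ESD targets.

Added worked example, not code from the UHT report. The closed-form PFDavg and
spurious-trip formulas are the simplified IEC 61508-6 approximations
(assumption: no common-cause factor, no repair-time term in PFDavg); all
failure-rate inputs and detector readings below are constructed.
"""

HOURS_PER_YEAR = 8760.0          # proof test interval used in SYS-REQ-003 / SYS-REQ-005
SIL3_PFD_LIMIT = 1e-3            # upper boundary of SIL 3, IEC 61511 Table 4
MTBST_TARGET_HOURS = 8760.0      # one spurious trip per year, SYS-REQ-005


def vote_2oon(readings_pct_lel, alarm_pct_lel=20.0, k=2):
    """Confirm a zone alarm only when at least k healthy detectors read >= setpoint.

    Returns (confirmed, degraded). A reading of None marks a detector that the
    diagnostics have flagged as failed; it is excluded from the vote. When fewer
    than k healthy detectors remain, the vote degrades to kooK (assumed policy)
    so the zone never silently loses protection, and `degraded` tells the
    operator that single-detector confirmation is now possible.
    """
    healthy = [r for r in readings_pct_lel if r is not None]
    if not healthy:
        return False, True                       # nothing to vote on: fault, no confirmation
    effective_k = min(k, len(healthy))
    confirmed = sum(1 for r in healthy if r >= alarm_pct_lel) >= effective_k
    return confirmed, effective_k < k


def pfd_avg(arch, lambda_du_per_hour, proof_test_hours):
    """Average probability of failure on demand for one voting architecture.

    lambda_du is the dangerous-undetected failure rate of a single channel.
    """
    x = lambda_du_per_hour * proof_test_hours    # expected DU failures per proof test interval
    return {
        "1oo1": x / 2,           # one channel, failure found only at the proof test
        "1oo2": x ** 2 / 3,      # both channels must fail dangerous
        "2oo2": x,               # either channel failing dangerous defeats the function
        "2oo3": x ** 2,          # any two of three failing dangerous
    }[arch]


def spurious_trip_rate(arch, lambda_s_per_hour, mttr_hours):
    """Rate (per hour) of safe failures that produce an unwanted trip."""
    ls = lambda_s_per_hour
    return {
        "1oo1": ls,
        "1oo2": 2 * ls,                        # either channel tripping trips the function
        "2oo2": 2 * ls ** 2 * mttr_hours,      # both must trip within one repair window
        "2oo3": 6 * ls ** 2 * mttr_hours,      # two of three within one repair window
    }[arch]


def sil_from_pfd(pfd):
    """Low-demand SIL band for a PFDavg value (IEC 61511 Table 4)."""
    bands = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
    for sil, lo, hi in bands:
        if lo <= pfd < hi:
            return sil
    return 0                                     # outside the tabulated bands


def check_esd_targets(arch, lambda_du, lambda_s,
                      proof_test_hours=HOURS_PER_YEAR, mttr_hours=8.0):
    """Evaluate one architecture against the SYS-REQ-003 and SYS-REQ-005 targets."""
    pfd = pfd_avg(arch, lambda_du, proof_test_hours)
    rate = spurious_trip_rate(arch, lambda_s, mttr_hours)
    mtbst = float("inf") if rate == 0 else 1.0 / rate
    return {
        "arch": arch,
        "pfd_avg": pfd,
        "sil": sil_from_pfd(pfd),
        "mtbst_hours": mtbst,
        "meets_sil3": pfd <= SIL3_PFD_LIMIT,
        "meets_mtbst": mtbst >= MTBST_TARGET_HOURS,
    }


if __name__ == "__main__":
    # Constructed per-channel rates: 2e-6/h dangerous undetected, 5e-6/h safe.
    for arch in ("1oo1", "1oo2", "2oo3"):
        r = check_esd_targets(arch, lambda_du=2e-6, lambda_s=5e-6)
        print(f"{arch}: PFDavg={r['pfd_avg']:.2e} SIL {r['sil']} "
              f"MTBST={r['mtbst_hours']:.1e} h  SIL3 ok={r['meets_sil3']} "
              f"MTBST ok={r['meets_mtbst']}")

    # Constructed zone readings in %LEL; None = detector flagged faulty.
    print(vote_2oon([25.0, 5.0, 30.0]))   # (True, False)  two detectors above 20% LEL
    print(vote_2oon([25.0, 5.0, 3.0]))    # (False, False) one detector alone cannot confirm
    print(vote_2oon([25.0, None, None]))  # (True, True)   degraded to 1oo1
```

With the constructed rates, 1oo1 satisfies the MTBST target but lands in SIL 2, while 2oo3 satisfies both, which is the point SYS-REQ-005 makes about needing TMR voting to hold integrity and availability at the same time. The degraded flag from `vote_2oon` is the kind of state an operator display or alarm-management review should surface, since a zone running 1oo1 has lost the false-alarm protection the 2ooN scheme was chosen for.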

| Entity | Hex Code | Description |
|---|---|---|
| Blowout Prevention System | DFF73859 | Well control safety system for an offshore oil production platform comprising subsea BOP stack (annular preventer, pipe rams, blind/shear rams), surface BOP controls, hydraulic accumulator unit (koomey unit), choke and kill manifold, and emergency disconnect system (EDS). Provides last line of defence against uncontrolled hydrocarbon release from the wellbore. Accumulator system must maintain sufficient stored energy to close all BOP functions plus one annular with no external power. Shear rams capable of cutting drill pipe and sealing the wellbore within 45 seconds. Interfaces with ESD system for automatic BOP closure on platform ESD Level 1. Compliant with API 53 and regional well control regulations. |
| Emergency Evacuation System | 50FD7A59 | Personnel evacuation and escape system for an offshore oil production platform comprising TEMPSC (totally enclosed motor propelled survival craft) with davit launch systems, secondary evacuation means (marine escape chutes, scramble nets, life rafts), escape route lighting (battery-backed photoluminescent and LED), muster area monitoring (electronic mustering via personnel-on-board tracking), and helicopter evacuation coordination. TEMPSC launch system must achieve full deployment within 10 minutes. Escape routes designed for maximum 800mm bottleneck with illumination maintained for minimum 3 hours post-power loss. Electronic mustering system tracks all personnel and provides real-time headcount to OIM (Offshore Installation Manager). Interfaces with PA/GA for muster and abandon commands. |
| Emergency Shutdown System | 51F77A59 | Safety Instrumented System implementing IEC 61511 SIL 3 safety functions for an offshore oil production platform. Executes hierarchical shutdown sequences (ESD Level 1: total platform shutdown; ESD Level 2: area isolation; ESD Level 3: unit/equipment isolation) based on confirmed hazard inputs from Fire and Gas Detection and process trip signals. Uses Triple Modular Redundant (TMR) logic solvers with <100ms scan time. Drives ESD valves (fail-safe-close), ignition source isolation, HVAC damper closure, and process depressurisation. Cause-and-effect matrix defines all input-output relationships. Must achieve <1 second from confirmed input to final element actuation for Level 1 shutdown. |
| Fire and Gas Detection System | 55F77A19 | Distributed network of hydrocarbon gas detectors (catalytic bead, infrared point, and open-path), flame detectors (UV/IR multi-spectrum), heat detectors (rate-of-rise and fixed-temperature), and smoke detectors deployed across an offshore oil production platform. Provides 2ooN voting logic per zone to minimise spurious trips while maintaining SIL 2 detection integrity. Covers process areas, wellhead deck, turret, and accommodation module. Outputs confirmed alarm signals to the Emergency Shutdown System within 3 seconds of hazard confirmation. Interfaces with F&G logic solver (typically TMR architecture) and diagnostic system for detector health monitoring. |
| Fire Protection System | 55F73A58 | Active fire suppression system for an offshore oil production platform comprising deluge water spray (process areas, wellhead), foam concentrate injection (helideck, storage tanks), CO2 flooding (enclosed electrical rooms, turbine enclosures), and dry chemical powder (small hazard areas). Firewater ring main pressurised by diesel-driven and electric firewater pumps with dedicated seawater intake. Deluge valve activation triggered by Fire and Gas Detection confirmed alarm or manual call points. Delivers minimum 10 L/min/m2 water application rate over protected areas. Includes passive fire protection monitoring (PFP integrity sensors on structural steel and vessel supports). Total firewater demand calculated per area-based worst-case fire scenario. |
| HVAC Safety System | 51F77A59 | Heating, ventilation, and air conditioning isolation and control system for emergency conditions on an offshore oil production platform. On confirmed gas detection or ESD activation, closes HVAC supply and return dampers to affected zones within 5 seconds, isolates air handling units, and activates pressurisation of safe refuge (temporary refuge/TR) to maintain positive pressure differential of minimum 50 Pa. Prevents migration of flammable or toxic gas into accommodation, control room, and electrical equipment rooms. Zone-based damper control linked to F&G detector zones via the ESD system. Includes smoke extraction for accommodation areas. Battery-backed damper actuators ensure fail-safe-close on power loss. |
| Offshore Oil Platform Safety System | 51F77A59 | Integrated safety instrumented system for an offshore oil and gas production platform (FPSO or fixed jacket). Comprises fire and gas detection, emergency shutdown (ESD), process shutdown (PSD), blowout prevention, fire suppression (deluge, foam, inert gas), HVAC isolation, emergency evacuation and escape systems, and safety-critical communications. Operates in harsh marine environment (North Sea or Gulf of Mexico class). Designed to IEC 61511 / IEC 61508 with SIL 2/3 safety functions. Interfaces with the process control system (DCS), platform management system, and shore-based emergency coordination centre. Must achieve <1s response time for ESD activation from confirmed hazard detection. Handles hydrocarbon release, fire, toxic gas, structural failure, and man-overboard scenarios. |
| Process Safety System | 55F77A59 | Safety Instrumented System providing SIL 1/2 safety instrumented functions for process parameter protection on an offshore oil production platform. Monitors process variables (pressure, temperature, level, flow) via dedicated safety transmitters and executes trip actions (close safety valves, activate pressure relief, stop pumps/compressors) when setpoints are exceeded. Separate from and independent of the Emergency Shutdown System — PSS handles process upsets before they escalate to ESD-level events. Uses 1oo2 or 2oo3 voting architectures depending on SIL level. Approximately 40-60 safety instrumented functions per platform. Proof test intervals typically 12-24 months. |
| Public Address and General Alarm System | 54FD7A18 | Integrated alarm and communication system for an offshore oil production platform providing audible and visual emergency notifications across all platform areas including open decks, process areas, accommodation, and helideck. General alarm activated automatically by ESD system or manually from control room and local alarm stations. Minimum 65 dBA above ambient noise in all areas (typically 110+ dBA in process areas). PA system provides intelligible voice announcements with Speech Transmission Index (STI) >= 0.5. Visual alarm beacons (xenon or LED) in high-noise areas. Interfaces with emergency response coordination for evacuation commands. Powered by dedicated UPS with minimum 30-minute battery backup. Zone-based alarm activation allows area-specific alerts. |

| Component | Belongs To |
|---|---|
| Fire and Gas Detection System | Offshore Oil Platform Safety System |
| Emergency Shutdown System | Offshore Oil Platform Safety System |
| Process Safety System | Offshore Oil Platform Safety System |
| Fire Protection System | Offshore Oil Platform Safety System |
| Blowout Prevention System | Offshore Oil Platform Safety System |
| HVAC Safety System | Offshore Oil Platform Safety System |
| Public Address and General Alarm System | Offshore Oil Platform Safety System |
| Emergency Evacuation System | Offshore Oil Platform Safety System |

| Source | Target | Type | Description |
|---|---|---|---|
| STK-REQ-004 | SYS-REQ-005 | derives | Spurious trip rate stakeholder need derives the ESD MTBST requirement |
| STK-REQ-003 | SYS-REQ-003 | derives | IEC 61511 compliance derives the SIL 3 PFDavg requirement for ESD Level 1 |
| STK-REQ-002 | SYS-REQ-004 | derives | Safe evacuation need derives the PA/GA alarm and intelligibility requirement |
| STK-REQ-001 | SYS-REQ-006 | derives | Hazard response need derives the firewater delivery requirement |
| STK-REQ-001 | SYS-REQ-002 | derives | Hazard response need derives the ESD Level 1 actuation time requirement |
| STK-REQ-001 | SYS-REQ-001 | derives | Hazard detection stakeholder need derives the F&G detection confirmation time requirement |

| Ref | Document | Requirement |
|---|---|---|
| STK-REQ-005 | stakeholder-requirements | The Offshore Oil Platform Safety System SHALL support online proof testing and partial-stroke testing of safety instrume... |