What is a DFU/DSHA?
A Defined Hazard and Accident Situation (DFSHA/DFU) is a specific and observable hazard or accident scenario identified by an operator. It is used as the basis for dimensioning emergency preparedness and designing the associated barrier strategy. Havtil’s English-language glossary defines DSHAs as “a collection of possible observable incidents which the companies must defend against in order to pursue prudent petroleum operations”. They include high-consequence incidents with major-accident potential, such as hydrocarbon leaks, well kicks and structural failure. The set also captures recurring operational events without major-accident potential, including falling objects, lifting incidents and man-overboard situations.
Two things matter about that definition:
- A DFU is observable. It is something that has happened, or that could plausibly happen, in real operations.
- A DFU is defined. It is named, scoped and counted. The same scenario is reported consistently across operators, enabling measurement of industry-wide trends.
DFU, MAH, top event, threat: how the terms relate
Process safety vocabulary has been shaped over several decades by multiple regulatory regimes, academic traditions and industry bodies. The mapping below reflects how the most common terms line up in the Norwegian regulatory framework. Readers from other traditions will recognise the same concepts under different labels.
- Hazard: A property of a system or situation that can cause harm. Examples include Crude oil under pressure,stored hydrocarbons in a process module or a drilling fluid column below hydrostatic balance. Hazards are intrinsic and they exist whether or not an event occurs.
- Top event: The moment control over a hazard is lost. In a bowtie diagram, the top event sits in the middle.
- Threat: A cause that can drive a hazard towards the top event. This can be corrosion. Operator error during a hot work permit or a passing vessel that loses navigational control. Threats sit on the left side of the bowtie.
- Consequence: What follows if the top event is not mitigated can be ignition leading to fire or explosion,personnel injury or anAcute pollution. Consequences sit on the right side of the bowtie.
- Major Accident Hazard (MAH): A subset of hazards whose realisation could cause multiple fatalities, severe environmental damage or significant asset loss. In RNNP, a storulykke (major accident) is defined as an event that, immediately or eventually, results in multiple serious injuries and/or fatalities, serious environmental harm and/or major economic loss.
- DFU / DSHA: The named scenario chosen as a reference point for emergency preparedness, performance standards and barrier strategy. A DFU may correspond to a top event in a bowtie, to a category of top events, or to an event family that an emergency preparedness assessment (EPA) dimension against.
How DFUs entered Norwegian petroleum safety
The DFU concept entered Norwegian petroleum regulation through the Beredskapsforskriften of 18 March 1992, one of thirteen thematic regulations issued that year by Oljedirektoratet and partner agencies in the wake of Alexander L. Kielland (1980), Bravo (1977) and Piper Alpha (1988). The regulation introduced emergency preparedness analysis as the basis for establishing emergency preparedness, specified three categories of DFU against which preparedness had to be dimensioned, and defined “beredskap” broadly as the technical, operational and organisational measures that prevent a hazard situation from developing into an accident or limit the harm if it does. The three-category split (dimensioning accident events from quantitative risk analysis, smaller-scale accidents, and situations of temporarily increased risk) and the broad barrier definition both remain in force today, although the 1992 thematic regulations themselves were superseded on 1 January 2002 by the integrated HMS regulations that Havtil now administers.
In Norwegian regulatory practice, every operator establishes its own DFU set through its risk analyses and Emergency Preparedness Analysis (EPA). That operator-specific set is what the facility’s emergency response is dimensioned against: fire team, evacuation capacity, oil-spill response, and area-based preparedness, and it must be kept live as the asset changes.
In 1999, building on that foundation, Havtil launched the Risikonivå i norsk petroleumsvirksomhet (RNNP) project. RNNP applies a fixed set of DFUs as the backbone for measuring how the risk on the Norwegian shelf evolves year by year. The most recent edition, RNNP 2025, published by Havtil in March 2026, reports on incidents and barrier performance across more than 50 production facilities and mobile units, drawing on tens of thousands of barrier tests, a workforce survey with over 6000 responses, and the full incident database since 1996. Many of these same DFUs recur in a similar form across operators’ own DFU sets.
The standard DFU set used in RNNP
RNNP works with a fixed catalogue of DFUs that has been refined since the project began in 1999. The current main report covers the following:
| DFU | Description | Category |
| DFU 1 | Non-ignited hydrocarbon leak in the process area | Major-accident |
| DFU 2 | Ignited hydrocarbon leak in the process area | Major-accident |
| DFU 3 | Well control incident (kick/loss of well control) | Major-accident |
| DFU 4 | Fires not initiated by hydrocarbon leaks | Major-accident |
| DFU 5 | Collision with vessel not related to field activity | Major-accident |
| DFU 6 | Drifting object on collision course | Major-accident |
| DFU 7 | Collision with field-related traffic | Major-accident |
| DFU 8 | Structural damage to the facility | Major-accident |
| DFU 9 | Leak from riser, pipeline or subsea production system | Major-accident |
| DFU 10 | Damage to riser, pipeline or subsea production system | Major-accident |
| DFU 11 | Evacuation (precautionary or emergency) | Emergency preparedness |
| DFU 13 | Man overboard | Personnel safety |
| DFU 14 | Occupational accidents (injuries and fatalities) | Personnel safety |
| DFU 16 | Total loss of electrical power | Operational |
| DFU 18 | Diving incident | Personnel safety |
| DFU 19 | H₂S-related incident | Process safety |
| DFU 20 | Crane and lifting operation incident | Personnel safety |
| DFU 21 | Falling object | Personnel safety |
Helicopter occurrences (historically DFU 12) are tracked separately in the RNNP helicopter chapter. DFU 17 is phased out.
The first ten DFUs in this list cover process-area hydrocarbon leaks, well control, fires, marine collisions, structural damage, and pipeline/riser/subsea events. These are the major accident hazards that dominate the storulykke (major accident) total indicator in RNNP. For each of those ten, the section below summarises the scenario and links to a starter bowtie in Presight OpenRisk that you can copy and adapt.
Bowties for the ten major-accident DFUs
Each DFU bowtie below sits in a public OpenRisk collection. You can open them, inspect the threats, consequences and barriers, and copy any of them into your own workspace to add plant-specific barrier elements, performance standards and metadata.
DFU 1 and DFU 2: Hydrocarbon leak in the process area
Click on the picture of Unignited Hydrocarbon Leakage, copy it and make it yours.
The classic process-safety top event. A loss of containment in the topside process system releases gas, oil or a two-phase mixture into a confined or congested area. DFU 1 covers non-ignited leaks; DFU 2 covers leaks that ignite, whether immediately or after a delay.
Typical threats: manual intervention errors during isolation or breaking containment; flange or valve leaks; degraded gaskets and seals; corrosion under insulation; impact from dropped objects. Typical preventive barriers: permit-to-work and isolation procedures, integrity inspection regimes, hot-work controls, leak-before-burst materials selection. Typical recovery barriers: gas and fire detection, emergency shutdown and blowdown, deluge, passive fire protection, and evacuation.
DFU 3: Well control incident
Click on picture to copy bowtie on Loss of well control and play around and make it yours.
The high-energy, high-inventory failure mode of the well system. A kick, an underground blowout, or a loss of primary or secondary well barriers during drilling, completion, intervention or permanent plug and abandonment (P&A). Macondo and the Bravo blowout sit in this DFU, and so does most of the well-related risk on the shelf at any given moment.
Typical threats: kick from underbalanced drilling, lost circulation, swabbing during tripping, tubing or casing leaks, annulus pressure build-up, degradation of the downhole safety valve. Typical preventive barriers: well design with two independent barriers, mud weight and well control procedures, BOP integrity, casing and cementing programmes. Typical recovery barriers: kill operations, BOP closure, relief well capability, evacuation and ignition-source control.
DFU 4: Fires not initiated by hydrocarbon leaks
Click on the picture of Fire in LQ picture, copy it and make it yours.
Fires originating from sources other than process-area hydrocarbon release: electrical fires, hot-work fires, machinery space fires, accommodation fires, and lubricating-oil fires on rotating equipment. The DFU exists because the consequences can still be severe, including escalation to hydrocarbon systems and smoke ingress to the temporary refuge, even when the initiating event is not a process leak.
Typical threats: electrical faults, hot work near combustibles, mechanical failures producing ignition sources, and accumulation of flammable liquids. Typical barriers: fire prevention design (compartmentation, drainage, ventilation), hot-work permit controls, fire detection by area, and fire and gas suppression systems.
DFU 5: Collision with a non-field-related vessel
Click on the picture of Collision with 3rd party vessel, copy it and make it yours.
A passing vessel, such as a cargo ship, fishing vessel or supply vessel transiting outside its plan, loses navigational control and enters the facility’s safety zone on a collision course. The DFU is unusual in that the initiating threat sits largely outside the operator’s control. The response chain is mostly about detection and intervention rather than prevention.
Typical threats: navigational error, equipment failure, loss of power on the passing vessel, weather-driven deviation. Typical barriers: traffic monitoring and vessel-traffic services, standby vessel intervention, evacuation procedures.
DFU 6: Drifting object on collision course
Click on the picture of Drifting Object on a collision Course, copy the bowtie and make it yours.
A vessel, container, barge or piece of equipment that has lost its means of propulsion or station-keeping drifts towards the facility. The DFU exists because the response time, intervention options and consequence profile differ from a vessel under power.
DFU 7: Collision with field-related traffic
Click on collision with field related traffic bowtie, copy it and make it yours
Field-related traffic, including supply vessels, standby vessels, intervention vessels and shuttle tankers, operates close to the facility by design. DFU 7 captures collisions during routine field operations rather than transits by unrelated vessels. Tanker-loading operations are particularly significant given the energy involved.
Typical threats: dynamic positioning failure, manoeuvring error, weather-related loss of control, communication failure. Typical barriers: vessel competency requirements, DP redundancy and proving, weather criteria, exclusion zones during critical operations.
DFU 8: Structural damage
Click on the structural damage bowtie, copy it and make it yours.
Damage to the load-bearing structure of fixed or floating facilities, including mooring failures, ballasting and stability problems, position-keeping issues on mobile units, and damage to closure devices such as watertight doors. Alexander L. Kielland (1980) sits in this DFU, and so does most of the ageing-asset risk on the shelf.
Typical threats: fatigue, corrosion, design-load exceedance, dropped object on structure, anchor-line failure, ballast-system fault. Typical barriers: structural integrity management, in-service inspection, mooring monitoring, ballast control redundancy.
DFU 9 and DFU 10: Leaks from and damage to risers, pipelines and subsea production systems
The subsea and pipeline DFUs sit between the topsides process and the reservoir. They differ from DFU 1/2 in that response options are limited (no manual access, no direct deluge), the inventories involved can be vast, and the environmental consequence profile often dominates the safety consequence.
Typical threats: corrosion (internal and external), trawl-board impact, anchor drag, manufacturing defect, fatigue at riser hang-off, vibration-induced fatigue, freezing or hydrate plug. Typical barriers: cathodic protection, in-line inspection, riser monitoring, ESDV at platform riser base, leak detection by mass balance or acoustic methods.
From DFU to Barrier Monitoring
Click on the Leakage from riser bowtie, copy it and make it yours.
Click on the bowtie on damage to riser and pipeline, copy it and make it yours.
Defining a set of bowties is the start of controlling your MAH’s. It helps to scope the risk management system. The next step is to connect measures and, if applicable, escalation factors to each barrier. In this way, barriers can be operationalised.
In the Norwegian regulatory framework, barrier elements are usually defined in one of three categories. 1) Technical elements (BOP, Gas Detectors, etc.), 2) Operational elements (procedures, competency, Permit to Work, ect) and 3) Organisational elements (Manning level, meeting cadence, escalation routes, ect). The Framework Regulations explicitly require that more than one barrier is provided where needed, that barriers are sufficiently independent, and that the operator publish a barrier strategy and barrier performance standards that make the barrier function auditable. The ‘’barrier function’’ (task or role of a barrier) is only realised when the three elements work in concert. For example, a pressure sensor (Technical) is only effective if the driller (Organisational/Competence) takes the correct action (Operational).
How Presight Barrier Management can help
With Presight Barrier Management, all these elements can be tracked continuously in a single view. Decision-makers (the OIM, the HSE manager, the operations supervisor, the rig manager during take-over) can see whether the barriers that should be defending each DFU are actually in the state the design assumed.
Click here to book a demo with of Presight Barrier Management to learn more.
About the Authors
Jouke Gastra
Rune Undheim
Rune Undheim is a Risk and Barrier Management Consultant at Presight Solutions. He has a master’s degree in Risk Analysis from the University of Stavanger, and he has a strong interest in contemporary risk science, Major Accident Hazards and Barrier Management.
References
Havtil. Terms and expressions. Available at: https://www.havtil.no/en/explore-technical-subjects2/terms-and-expressions/
Havtil. Management Regulations, Section 20: Registration, review and investigation of hazard and accident situations. Available at: https://www.havtil.no/en/regulations/all-acts/the-management-regulations3/VI/20/
Havtil. Activities Regulations, Section 77: Handling hazard and accident situations.
Vinnem, J. E. Definerte fare- og ulykkessituasjoner. Store norske leksikon. Available at: https://snl.no/definerte_fare-_og_ulykkessituasjoner
de Ruijter, A., & Guldenmund, F. (2016). The bowtie method: A review. Safety Science, 88, 211–218.
Larouzee, J., & Le Coze, J.-C. (2020). Good and bad reasons: The Swiss cheese model and its critics. Safety Science, 126, 104660.
Offshore Norge Guideline 135. Classification of well control incidents.
Offshore Norge Guideline 117. Recommended guidelines for well integrity.
