Most threats to safety from production involve the release of hydrocarbons; therefore, the analysis and design of a production-facility safety system should focus on preventing such releases, stopping the flow of hydrocarbons to a leak if it occurs, and minimizing the effects of hydrocarbons should they be released. Ideally, hydrocarbon releases should never occur. Every process component is protected with two levels of protection: primary and secondary. The reason for two levels of protection is that if the first level fails to function properly, a secondary level of protection is available. If hydrocarbon releases occur (and, in spite of our best efforts, they sometimes do), inflow to the release site must be shut off as soon as possible. The problem should not be exacerbated with the continued release of additional hydrocarbons. Protective shut-in action is achieved by both the surface safety system (SSS) and the emergency support system (ESS). Shut-in systems are discussed in more detail in Sec. When hydrocarbons are released, their effects should be minimized as much as possible. This can be accomplished through the use of ignition-prevention measures and ESSs (i.e., the liquid-containment system). If oil spills from a process component, a release of hydrocarbons has occurred. A spill is never good, but component skids and deck drains (if offshore) minimize the effect of a bad situation when the spill would otherwise go into a freshwater stream or offshore waters. A hazard tree identifies potential hazards, determines the conditions necessary for a hazard to exist, determines sources that could create this condition, and breaks the chain leading to the hazard by eliminating the conditions and sources. Because complete elimination is normally not possible, the goal is to reduce the likelihood of occurrence.