Asset integrity – the key to managing major incident risks

7/29/2019 Asset integrity the key to managing major incident risks

1/20

Asset integrity the key to managing major incident risks

Report No. 415

December 2008

I n t e r n a t i o n a l A s s o c i a t i o n o O i l & G a s P r o d u c e r s


2/20

2008 OGP

OGPs Managing Major IncidentRisks Task Force has developed thisguide to help organisations reducemajor incident risks by ocusing onasset integrity management. It may beapplied to new and existing assets atevery liecycle stage. The inormationpresented within it is derived romgood practices in mature operatingareas where operators are requiredto provide structured evidence osound risk management practices.

Although this guide may be usedby anyone who contributes to themanagement o asset integrity, itis particularly targeted at seniormanagers, including those rom anon-technical background, who leadoperating organisations. Use o theincluded question set(Appendix)can help assure that major incidentrisks are suitably controlled at alltimes or all upstream hydrocarbonoperations. This document alsoincludes reerences or those who

require more in-depth understand-ing o asset integrity management.

Purpose andtarget audience

2

Disclaimer

Whilst every eort has been made to ensure the accuracy o the inormation contained in this publication, neitherthe OGP nor any o its members past present or uture warrants its accuracy or will, regardless o its or their negli-gence, assume liability or any oreseeable or unoreseeable use made thereo, which liability is hereby excluded.Consequently, such use is at the recipients own risk on the basis that any use by the recipient constitutes agree-ment to the terms o this disclaimer. The recipient is obliged to inorm any subsequent recipient o such terms.

This document may provide guidance supplemental to the requirements o local legislation. Nothing herein, however,is intended to replace, amend, supersede or otherwise depart rom such requirements. In the event o any conictor contradiction between the provisions o this document and local legislation, applicable laws shall prevail.

Copyright notice

The contents o these pages are The International Association o Oil and Gas Producers. Permission is given

to reproduce this report in whole or in part provided (i) that the copyright o OGP and (ii) the source are ac-knowledged. All other rights are reserved. Any other use requires the prior written permission o the OGP.

These Terms and Conditions shall be governed by and construed in accordance with the laws o England and Wales.Disputes arising here rom shall be exclusively subject to the jurisdiction o the courts o England and Wales.


3/20

2008 OGP

E&P organisations need to managea complex portolio o risks. Theserange rom minor events to majorincidents that may involve seriouspersonnel injuries, signicant envi-ronmental damage or substantialnancial impact. Globally, the E&Pindustry has been relatively success-ul in managing major incident risk.Nevertheless, the challenge remains toreduce the likelihood o such events.

Over the past two decades, thedevelopment and implementation

o structured Health, Saety andEnvironmental Management Systems(HSE-MS) have provided a rameworkwithin which all hazards and the risksthey pose can be identied, assessedand managed. The substantialimprovements the industry has seen inLost Time Injury Frequency (LTIF) andTotal Recordable Incident Rates (TRIR)over this period (seeFigure 1) are,in part, testament to the benets oa systematic approach to risk man-agement where there are close links

between hazards and consequences.

In contrast to occupational injuries,large losses are typically the result othe ailure o multiple saety barri-ers, oten within complex scenarios.These are dicult to identiy using

a simple experience-based hazardidentication and risk assessmentprocess. Good occupational healthand saety perormance o an assetdoes not guarantee good majorincident prevention. A commoncontinual improvement managementsystem may be used, but additionaltechnical skills and competences areneeded to manage major incidentrisks. It is important to understand thatthe application o suitable equipmenttechnical standards, though vital,

is not a sucient requirement orthe prevention o major incidents.Well-managed organisationalpractices and individual competencesare also necessary to ensure theselected barriers remain eective.

This guide summarises ways tomanage major incident risk throughoutthe liecycle o E&P operations. It out-lines processes and tools that explicitlyaddress such risks within an overallHSE-MS or corporate risk manage-ment system. It also includes exampleso risk management process ailuresthat could lead to a major incident.

Being able to work with an inher-ently hazardous product in a saeand environmentally responsiblemanner is critical to the success o

any E&P organisation. Major incidentscan have severe consequences orpeople, the environment, assets and

company reputation. Although therisks o major incidents can never bereduced to zero, a systematic risk-management process as outlined inthis guide can signicantly reducetheir likelihood and limit their eects.

1 Introduction

0

1

2

3

4Overall

Contractor

Company

20072006200520042003200220012000199919980

2

4

6

8

10

12Overall

Contractor

Company

2007200620052004200320022001200019991998

LTIF company & contractorsper million hours worked

TRIR company & contrac torsper million hours worked

3

Figure 1 data from OGP Report Saety perormance indicators 2007 data1

Asset integrityWithin this guide, asset integrityis related to the prevention omajor incidents. It is anoutcome o good design,construction and operatingpractices. It is achieved when

acilities are structurally andmechanically sound andperorm the processes andproduce the products or whichthey were designed.

The emphasis in this guide is onpreventing unplanned hydrocarbonreleases that may, either directly or

via escalation, result in a majorincident. Structural ailure or marineevents may also be initiating causesthat escalate to become a majorincident. This guide applies to suchevents, but there may be additionalconsiderations not covered here.

Broader aspects o asset integrityrelated to the prevention oenvironmental or commercial lossesare not addressed. However, subjectto appropriate prioritisation, thesame tools can be applied or theserisks.

Definition


4/20

2008 OGP4

3R

iskassessment

Risk identification

1

Establishingthe context

Risk analysis

Risk evaluation

2

Communicationand

consultation

5

Monitoringand

review

This underpins the overall riskmanagement process, should

occur throughout the cycle andbe two-way, as shown by the

arrows

4

Risktreatment

Monitoring at every stage,feeding back to improvements

based on increasedunderstanding

Review of the entire process atintervals to ensure it continues

to be effective

Figure 2 based on ISO 31000 (draft)2

The outline process in Figure 2 isbased on a standard continualimprovement cycle: Plan, Do,Check, Act (PDCA). Minorvariations rom this processand terminology may be used inother management system documentsor standards. The ve steps shownshould preerably be part o thedesign process, but they may alsobe applied to existing assets, and becontinued throughout their liecycle.

Major incidentAn unplanned event withesclation potential or multipleatalities and/or seriousdamage, possibly beyond theasset itsel. Typically these arehazardous releases, but alsoinclude major structural ailureor loss o stability that could putthe whole asset at risk.

Definition

2 Asset integrityrisk managementprocess


5/20

2008 OGP 5

Establishing the context

What drives us?

Aspects include:

External context actors outsidethe organisation such as:

applicable legislation, codesand standards (includingthe terminology used)

key stakeholders such aspartners, regulators, localcommunities, NGOs, majorcontractors and suppliers

Some applicable regulations orstandards may speciy standardsaeguards and thus limit risk treatmentoptimisation as described in step 4.

Internal context actorsinside the organisation and,or this guide, only thosehazards that could result ina major incident such as:

corporate risk manage-ment standards, theirprocesses and targets

governance systems includ-ing internal organisation &delegation o responsibilities

internal capabilities includ-ing persons who operate,maintain and manageactivities at the acility

Communication & consultation

Who else should be involved?

The types, requencies, style andcontent o communications should bedetermined by the internal and exter-nal standards, documents, stakeholdergroups, etc. identied in step 1.

Risk assessmentWhat can happen? (A process carried out inthree sub-steps Figure 2)

Risk identifcation (may also betermed Hazard identifcation)

Identies potential harm topeople, the environment andassets. Unless applicable majorincident risks are identied,steps cannot be taken toeliminate or control them.

Risk analysis

This stage involves realistic anddetailed consequence assess-ments. An example would beto estimate how much gas orliquid might be released in theevent? Or by what mechanisms

could an initial small releaseescalate to aect people andother equipment? Risk Assess-ment Data can be used toestimate event requency3.

Risk evaluation

It is very important to determinewhat risks are acceptable. Fora new design, a wide rangeo risk reduction (treatment)options exist; or existingassets, the scope may belimited. Options generally

include elimination, preven-tion, control, mitigation andrecovery. Elimination is thebest way to deal with hazardsbut is not always possible.For hazards that cannot beeliminated, other treatmentsshould be considered and themost cost-eective combinationselected (see step 4 below).

Risk treatment

What do we do?

Risk treatment involves consideringall the easible options and decid-ing on the optimal combination tominimise the residual risk so ar asis reasonably practicable. This steplies at the heart o the overall assetintegrity management process.Successul risk treatment includesensuring the selected barriers areactually in place, not just on paper.

Engineered saeguards are typi-cally more reliable than procedural

ones (see Barriers). Likewise, passivesystems such as use o open space,gravity drainage and natural ventila-tion are typically more reliable thansystems requiring activation such asrewater, oam, emergency teams,emergency isolation valves and blowdown. But no saeguards are inal-lible. Thereore, a combination o bothactive and passive systems is typicallyused to minimise the consequences ointegrity loss and expedite recovery.Some risk treatment options may notbe possible or an existing asset (e.g.increasing open spaces); others mayinvolve major modications, requir-ing appropriate evaluation o the riskreduction benets relative to the costs.

Monitoring and review

What could we do better?What can we learn, rom ourselves androm others?

As an asset is designed, constructed,operated, maintained and modied,the understanding o associatedrisks and good practices or itstreatment will improve. This allowsbetter risk management. It is alsoimportant to review periodically theapproach taken or asset integrity

risk management; ensuring that newknowledge is considered, changesare understood and the selectedbarriers continue to be cost-eective.

This review step is also importantor newly acquired mature assets,or those being systematically risk-assessed or the rst time. Someo the original design philosophyor key maintenance records maynot be available and the use oadditional barriers may be prudentuntil integrity monitoring provides

sucient experience or knowledgeo the asset to make inormed riskmanagement decisions. Changesin key operating parameters (pres-sure, temperature, composition, etc)should also trigger an overall reviewo asset integrity risk management.


6/20

2008 OGP

Hazardousevent

Threats Consequences

Controls/barriers Event

H

a

z

a

r

d

Consequences

6

3 Barriers

BarrierA unctional grouping osaeguards and controlsselected to prevent therealisation o a hazard.

Each barrier typically includesa mix o: plant (equipment),process (documented andcustom and practice) andpeople (personal skills and theirapplication). The selectedcombination o these ensuresthe barrier is suitable, sufcientand available to deliver itsexpected risk reduction.

DefinitionBarriers are the unctional groupingso saeguards and controls in place to

prevent the occurrence o a signicantincident. A good way to understandbarriers is a model that likens themto multiple slices o Swiss cheese,stacked together side-by-side. Eachbarrier is represented as one cheeseslice. The holes in the slice representweaknesses in parts o that barrier.Incidents occur when one or moreholes in each o the slices momentar-ily align, permitting a trajectory o

accident opportunity so that a hazardpasses through several barriers,

leading to an incident. The sever-ity o the incident depends on howmany barriers (cheese slices) haveholes that line up at the same time.

The Swiss cheese model covers bothactive ailures and latent ailures.Active ailures are unsae acts orequipment ailures directly linked to aninitial hazardous event. Latent ailuresare contributory actors in the systemthat may have been present and notcorrected or some time (days, weeks,months or in some cases, years) until

they nally contributed to the incident.

Figure 3 Application of the Swiss cheese model4,5

As shown in Figure 3, the Swisscheese model asserts that no barrieris ever 100% eective because holesare always present, even though eachmay be temporary. The aim shouldbe to identiy holes and then makethem as small and as short-lived as

possible, recognising that they arecontinually changing (equipment

deterioration, temporary saeguardbypasses, operational changes, main-tenance lapses, personal and teamcompetences, etc). Hence, multiplebarriers are used to manage the risk omajor incidents, thereby reducing thechance that all o the holes line up

and the worst-case event is realised.

An alternative way to visualiseand determine the need or barri-ers is to use the Bow Tie model(Figure 4). This indicates how bar-riers can both reduce the threatsrom a hazard and limit conse-quences i the hazard is realised.

Figure 4 Bow Tie model


7/20

2008 OGP 7

Typical equipment barriersFor E&P assets, integrity bar-riers can be considered inthe ollowing categories:

Prevention primary contain-ment, process control, primaryand secondary structure.

Detection control room alarms,re/gas/leak detection.

Control and mitigation equip-ment orientation and spacing,

secondary containment anddrainage, blow-down systems,re-protection and suppression.

Emergency response localalarms, escape and evacuation,emergency communications,emergency power.

With this approach, the number obarriers (hardware or managementsystem) or an asset can be held at alogical and manageable level (usuallyless than 20). In contrast, a listing oindividual critical equipment itemscould number thousands and makesystematic management dicult.

A detailed description is needed othe operational perormance require-ments or the whole barrier to meetthe intended risk reduction. Hence,step 4 in Figure 2 risk treatment has two levels o increasing detail:

dene barriers at a system level1.

dene high level perormance2.requirements or each barrier

dene the required perorm-3.ance standards in detail including those or constitu-ent parts as appropriate.

Within each barrier, individualequipment items may be suitablyitemised and prioritised or criti-cality using risk criteria.

Perormance standardA measurable statement,expressed in qualitative orquantitative terms, o theperormance required o asystem, item o equipment,person, or procedure, and thatis relied upon as the basis ormanaging a hazard.

Definition

Perormance standards orbarriers

Perormance standards or barriersare typically described in terms ounctionality, availability, reliabilityand survivability. Perormancestandards thus determine equipmentdesign specications (original suit-ability) and also set requirements ormaintenance and testing throughoutthe assets liecycle (ongoing suitabil-

ity). It is helpul to consider a range opossible perormance standards oreach component typically based onrecognised design standards andthen optimise the overall barrier togive the most cost-eective risk reduc-tion. Such barrier optimisation needsinput rom designers, operations andoten risk assess-ment specialiststo ensure that allrelevant actorsare considered.

There can alsobe perormancestandard optimi-sation betweenbarriers.

Once perormance standards aredened, assurance processes shouldbe put in place to conrm that barriersremain t or purpose. Typically, thiswill require initial equipment type-testing and/or barrier commissioningperormance tests; operational controlsand limits; maintenance, inspection

and testing plans; perormancerecords or both individual equipmentitems and the overall barriers; auditand review. Perormance standardsmay be changed over a acilitysliecycle to refect changes in operat-ing parameters or a need to improveinspection and leak detection iprocess equipment deteriorates.

Emergency responseAs noted above, one or more o thedened barriers should be emer-gency response: an optimised mix ohardware, procedures and person-nel, with associated perormancestandards. However, as asset integrityimproves, the justication or exten-sive emergency response (mitigationand recovery barriers) may reduce.Consequently, it can be challengingto convince designers and operators

working hard to ensure asset integ-rity that they should also plan andimplement robust emergency responsebarriers in case integrity is lost.

The major incident scenarios orwhich the emergency responsebarriers should be designed will bethose identied in step 3 o the riskassessment process. This assumes ullor partial ailure o the preceding bar-riers, as appropriate. Similar scenariosand barrier ailures may be used asa basis or operational training andassessment o the acility emergencyresponse procedures and people,including both ront-line personneland those responsible or managerialresponse. Such training reinorcesunderstanding o the purpose o majorincident barriers and helps to ensurethat suitable, timely actions are takeni their perormance degrades.

A aster blow-downtime may reduce there protectionrequirements, butmay also result inadditional pipework,cooling or increasedfare radiation.

ex

ample


8/20

2008 OGP8

4 Integrity throughoutthe asset lifecycle

Concept selectionOptimising early design choices canpositively infuence asset integrity costand eectiveness throughout the lie oa acility. However, optimisation alsotakes time and resources. Thereoreit requires organisational leadershipthat recognises and balances assetintegrity and ull liecycle costs againsta design with the cheapest capitalcost or shortest construction time.

Some design concepts are inherentlymore reliable than others.Identiy-ing key hazards and the barriersneeded to control them will alsohelp avoid concepts with hard-to-manage asset integrity issues. Conceptdesign decisions may also determineother operations and maintenanceactivities which have their ownimpacts on asset integrity risks.

Perormance standards or the mainasset integrity barriers should beset during this stage to ensure aircomparison o options. It is easyto underestimate the true cost outure operations and maintenance.Doing so results in under-investment

in asset integrity capital equipment.Ater concept selection, there is lessavailable fexibility or eliminatinghazards, reducing risk or simpliy-ing asset integrity management.

Asset denitionAs asset design is developed, thebarriers or maintaining asset integ-rity should be worked in parallel.Overall perormance standards orthe main barriers should already bedened, so perormance standardsor systems and sub-systems shouldbe ready to be determined. Thisensures that equipment specica-tions take account o maintenanceneeds and operational capacities.

Barrier maintenance, inspectionand testing requirements, includ-ing estimates o the associatedsystem downtimes, are a designdeliverable at this stage. It is alsoimportant to ensure the selecteddesign is suitable or the ultimatedecommissioning requirements.

At this stage a catalogue o appli-cable codes and standards shouldbe compiled, with particular reer-

ence to those required to assure thebarriers. This catalogue reducesthe potential or misunderstandingsor disputes about required barriersand perormance standards duringlater stages. Also, by identiyingand applying appropriate codesand standards, an initial estimate oresidual risk can be made throughcomparison with a similar plant.

Detailed designBy this point, most key assetintegrity decisions have been made.However, poor detailed design cansignicantly reduce asset integrityby making planned barriers ineec-tive. Full documentation is needed todescribe the asset design, operatingand maintenance strategies, and themajor hazards management philoso-phy. Maintenance, inspection andtesting routines should be developed

or all barriers. Risk assessmentsshould demonstrate that hazards andrisks are appropriately managedthrough equipment specications(plant), procedures and delegatedresponsibilities (process), and compe-tent personnel (people). Operabilityreviews and amiliarisation by main-tenance and operations personnelshould commence during this stage,and continue through the constructionstage. At the completion o this stageall asset integrity barriers should

be ully dened and documented.

Construction and

commissioning

It is critical to ensure thatany necessary changesmade to the design aresuitably managed andauthorised so as to maintainasset integrity standards.

All required operating,maintenance and testingprocedures should benalised beore com-missioning begins, andcompetent personnelshould be recruited and trained.This ensures that, as ar as pos-sible, the procedures and peopleelements o major incident barriersare ully unctional when the plantelements are rst operated. Systemcommissioning tests may be needed

to veriy the unctional perormanceelements o some barriers, eg blow-down systems, isolation valves.

Corrosion resistant pipework ully rated ormaximum pressure is less likely to ail due tooverpressure or corrosion than pipework that

relies on instrumented pressure protection andthe addition o corrosion inhibitors to maintainintegrity, but there may be higher costs andnew problems.e

xam

ple

It is unreasonable to expect 96% uptime i keyequipment requires 15 days annual inspectiondowntime, as there is then no contingency orany other downtime, planned or unplanned.

example

Must just the asset be totally recyclable, ormust all land or seabed contamination also beremoved?

eg

Selecting a diesel-powered main generatorrather than an external electric supply requiresconsideration o:

Main generator system maintenance andbackup

Local diesel storage acilities, and increasedre protection in case o loss o storage

integrityDiesel-supply operations, with associatedtransport and transer spillage risks

e

xample


9/20

2008 OGP 9

Operation,modication

and maintenance

All the asset integrity barriers denedin the earlier stages should be imple-mented and maintained. All subsequentchanges to asset design, operating limitsor maintenance requencies should besubject to change control and review bya competent technical authority. This isalso the time or operating limits to comeinto play, including control o systemover-rides. Barrier perormance shouldbe tested regularly and any decienciesappropriately addressed. To the extentthat the earlier concept selection stageeliminated or reduced hazards, the needor ongoing intervention, maintenance andtesting tasks can be greatly reduced. Thiscan be particularly important with higherhazard materials and operating condi-tions, eg HPHT reservoirs, high H

2S levels.

Operations and maintenance manag-

ers should have the competence tounderstand and communicate majorincident hazards and to describehow the equipment and proceduresare designed to provide suitable andreliable asset integrity barriers, includ-ing recovery rom minor deviations.

With operating conditions changingover time, an initial design premise mayno longer be valid. All such changespotentially aect operating limits andso should be covered by the changecontrol process. Codes and standards

may also change within the liecycle othe acilities. The original design shouldbe reviewed against such changes tosee i modications are required byregulation or justied or reductiono new or newly understood risks.

AcquisitionWhen considering asset acquisition, at whatever liecycle stage, theavailability o essential asset integrity inormation should be checkedas part o the due diligence process. The costs o replacing anymissing inormation should be included in the overall acquisitioncosts. Examples would be: design perormance standards or themajor barriers required to understand whether inspection and testingactions assure operating asset integrity, or detailed design inorma-tion needed to dene the scope o uture decommissioning methodsand costs. The same considerations apply or any mature asset where

inormation about major incident risks and barriers is incomplete.

Decommissioning,

dismantling and removal

Asset integrity can be a signicantactor at this stage. As selectedequipment is shut down or dismantled,the normal barriers or protectingthe acility may be compromisedor eliminated, such as escape orevacuation routes. In addition, theneed to ensure removal o all process

materials and other hazardoussubstances rom both equipment

and the aected site may be asignicant concern to regulators

or decommissioning personnel.Environmental impacts mayalso occur at lower quanti-ties or concentrations thanwould be meaningul ora purely saety incident.Preventive asset integ-rity barriers that haveremained ully eective

and documented can beextremely benecial atthis stage o the liecycle.

A reservoir may produce solids (sand orproppant), water or unexpected hazardoussubstances (H

2S, mercury, CO

2, etc)

eg


10/20

2008 OGP10

There is a separate OGP guideon human actors6, but it is worthhighlighting those aspects that arerelevant to major incidents. Aterall, human error is a key actor inmost major incidents, so reduc-ing the potential or errors is anessential part o asset integrity.

Without proper consideration o thehuman component, even the mostsophisticated acilities are susceptibleto loss o integrity caused by incorrectoperations, unsuitable maintenance

or de-motivated people. Designingacilities, work processes and tasksto properly address human actorscan contribute signicantly to theoverall reliability and integrity o theasset, including the ability to manuallyinitiate recovery i other barriers ail.

Equipment design and controlslayout

Arrange equipment or easy

access and maintenanceEasy manual activation withcontrols labeled or conguredto make correct action obvious

Standard congurations and/or colour schemes to rein-orce consistent operation.

5 Human factors

Human actorsAll the interactions oindividuals with each other, with

acilities and equipment, andwith the management systemsused in their workingenvironment.D

efin

ition

Displays and alarmsshould have the ollowing characteristics:

Provide sucient inormation toconrm the status o the operationand the eects o control actions.

Alert personnel to abnormalor emergency conditions thatrequire a specic response.

Ensure alarms are not acti-vated by routine operations orwhen changes do not require

a response. High volumes oinsignicant alarms may maskmore serious events and producea culture o automated acknowl-edgement by operators withoutproper assessment o the situation.

Work practices andprocedures

should be similar to those or preventing oc-cupational incidents, including:

Clear roles and responsibilities,understood by all parties.

Applicable work prac-tices that take account oall relevant hazardsand are applied

consistently.Clear proce-dures that allowusers to identiy therequired steps, complete them inthe proper order and under-stand what to do i abnormal orunexpected conditions arise.

Pre-Task reviews should beundertaken to identiy all threatsto people and plant, their currentcontrols and what more might bedone. Existing approaches exist

in many companies looking at theoccupational threats and are vari-ously called Job Saety Analyses,Personal Risk Assessments orTask Risk Assessments. However,these need to be reviewed toensure they also cover threats tothe plant capable o leading tomajor accidents, diminishing theability o the plant to control amajor accident or reducing theability o personnel to escapein an emergency situation.

Tasks on or near energised oroperating systems shouldconsider loss o processcontainment or structuralintegrity and how task activitiesmight either initiate such a loss,

or contribute to its escalation,and personnel involved shouldbe competent to do this.

ex

ample


11/20

2008 OGP 11

Work management andauthorisation

roles should be defned.

For tasks that could impactthe acility or other workers, apermit-to-work system should bein place to agree, communicateand manage the necessarycontrols, task authorisation andhandover o responsibilities.

Permit systems should provideclear denitions and consist-ent application o the isolationand integrity testing minimumstandards required or live worktasks on the various process fuidsand pressure systems present.

In complex acilities it may bebenecial to use sotware-basedsystems to provide automatic andconsistent guidance on suitabletask precautions, including systemisolations, de-isolations and

integrity tests. Such tools maybe reerred to as an IntegratedSae System o Work (ISSOW).

Task design and individual orteam workload

Worker atigue and overload arekey causes o human error. Tasks thatexceed workers capabilities, or whosescope, duration or pace result in

atigue, can lead to a decline in workquality, omissions, or aulty decision-making. Any o these can contributeto loss o integrity. Thereore:

Tasks should be designed inconsistence with the knowledge,skills, and physical capabili-ties o the person or team.

Work scope and responsi-bilities or each role should avoidoverload. In upset or emergencysituations particularly, thesimultaneous actions or responsesrequired rom a person or teammust be within their capability orthe event will escalate, possiblyleading to a major incident.

Work schedules should addressthe need or periodic rest to avoidboth short-term and longer-termeects o atigue, leading toerrors and incidents. This appliesto routine work schedules andhigh workload periods such asacility commissioning or turna-

rounds. Task schedules shouldtake account o any physicalconditions that increase atigueand error rates such as restrictedaccess, temperature or humidityextremes, or a noisy, damp orcontaminated work environment.

Process saety culture

A culture that successully managesoccupational saety and healthrisks may still ail to deal with

major incident risks indeed, anineective process saety culturemay be a common hole in multipleasset integrity barriers, leading toa major incident. Consequently:

Leaders should encourageinput rom workers and provideadequate eedback or simpliy-ing or improving the perormance,reliability and availability oasset integrity barriers.

Saety culture assessment anddevelopment tools7 should beadapted and applied to the keymajor incident managementelements outlined in this guide.


12/20

2008 OGP12

6 Competences

Competences or a position orteam are analogous to the perorm-ance standards developed or ahardware system. This section con-centrates on competences requiredto manage major incident risks.

Relevant competences are clearlyrequired by construction, opera-tions and maintenance techniciansworking directly on an asset. Suitablecompetences are also required bytechnical authorities, supervisorsand managers. Regulators and

other independent bodies who haveoversight o major hazard assetsalso need suitable competences.This category includes insurers andmanagement system auditors.

From the earliest stages o assetdesign to nal shut down and disman-tling, competent people can make thedierence between fawless perorm-ance and major incidents. A requentnding o major incident investigationsis that though individuals involved

had the necessary knowledge andskills, they were discouraged by thelocal culture rom applying those skillsto break the chain o escalation.

Competence or each role shouldbe managed as ollows:

Identiying the requiredcompetences.

Providing relevant training(knowledge and skills).

Assuring or veriying thesecompetences (ability to apply

knowledge and skills).Rereshing competencesas appropriate.

Identiy the requiredcompetences

Dene the key tasks or each role(job position) associated withassuring major incident barriers.

For each role, determine therange o skills, knowledge andpersonal attributes (compe-tence elements) to successullyexecute these tasks. Thesecompetences apply whether the

person in the position is a directemployee or a contractor.

Determine the required level oprociency or successul perorm-ance o each competence elementwithin the role. Consider eachrole separately, as the requiredprociency levels may varywidely. Prociency levels may beexpressed as ormal qualica-tions, or as internally-denedgeneric descriptors such as begin-ner, competent, expert or master.

Identiy which competences areprerequisites or lling the role,and which can then be assessedater an initial period in the role.This is especially important ordeputies, stand-ins, and othernon-regular workers in that role.

Provide relevant training

Some training may be apre-entry requirement, eg arecognised apprenticeshipor a university degree.

Internal training may includeclassroom instruction, practi-cal sessions or exercises,and eld experience underthe direction o a mentor.

Additional on-the-job experiencemay be specied to achievethe required level o amiliarityand prociency in the identiedcompetence, eg minimum ve-years operations experience.


13/20

2008 OGP 13

CompetenceA persons ability to accuratelyand reliably meet theperormance requirements or adefned role.

Competence includes the skillsand knowledge necessary toperorm the required taskssuccessully, the ability torecognise personal limits and soseek physical help or input romothers when appropriate, andthe conscientious application oskills and knowledge every timethey are used.

Competence thus includes abehavioural element, ie abilityto apply personal skills andknowledge in typical workplacesituations.

DefinitionAssure or veriy competences

The most eective verication ocompetence includes a combina-tion o written or verbal testingo basic concepts and a dem-onstration o applicable skills.

Assessors o competence testsand demonstrations shouldthemselves be competent tocarry out the assessment.

Documentation o assessed

competence elements is animportant component inmanaging a competence assur-ance process. For technicalproessionals, maintenance opersonal Continuing ProessionalDevelopment (CPD) records andcertication by an accreditedorganisation is one way to veriycompetence in the required skillareas. Other ways to documentindividual qualications andcompetences include an internal

database or saety passports. Typical competencesThe ollowing are examples o generic roles with compe-tence requirements or ensuring asset integrity:

Technician

Understands current operatinglimits; responds appropriately tooperational alarms; understandstasks required to successully operateor veriy a barrier, including taskhazards and controls; accuratelyinstalls and removes temporaryinhibits; identies and records testresults, including any deects; seeksassistance or critical deects.

Technical authority

Develops and denes suitablebarrier or equipment perormancestandards; accurately interpretsrelevant codes and standards;advises on test methods andprocedures; risk assesses perorm-

ance standard variations andtest results; or deective barriers,advises whether eective alternatetemporary controls are possible.

Asset supervisor

Ensures operations are withincurrently dened envelope;authorises barrier tests, temporaryinhibitions, etc. based on overallrisk assessment; monitors barrierperormance and ceases opera-tions immediately i barriers areunacceptably degraded; consultstechnical authority about actualor potential barrier deciencies.

Asset manager/leader

Provides leadership to demonstratethe value o eective barriers(example by using the QuestionSet); ensures suitable budget andcompetent resources are available tooperate, monitor, test and manage

barriers; monitors major incidentleading and lagging indicators;acts on relevant audit ndings.

Reresh competencesPeriodically review whichcompetences and associatedprociency levels are requiredor each role, as the requirementsmay change due to changes intechnology, acility size, reorgani-sation, or identied deciencies.

Periodically re-veriy personalcompetences to assure there hasbeen no erosion, particularlyin areas not regularly used, eg

emergency response. Rereshertraining at set intervals althoughwidely practiced is oten anineective use o resources andis not a substitute or competencere-assessment when required.


14/20

2008 OGP14

7 Monitoringand review

Monitoring and reviewing assetintegrity perormance (Check, Act) isas important as developing and imple-menting integrity plans and systems(Plan, Do). Integrity monitoring shouldbe act-based, rather than opinion-based, and may include the ollowing:

Key Perormance Indicators (KPIs).

Barrier perormancestandard verication.

Audit ndings.

Incident and accident

investigations.Benchmarking and lessonslearned rom external events.

Key Perormance Indicators(KPIs)

KPIs can be used to evaluate assetintegrity perormance againststated goals. Because major loss-o-integrity events are relativelyrare, it is important to record and

monitor even minor incidents. TheKPIs which record actual integrityailures are typically called laggingindicators. By contrast leadingindicators can be used to assessthe health o the saeguards andcontrols which make up the barriers.

Facility level KPIsThere is no universal set o KPIs thatapplies to all major hazard acili-ties rather the KPIs selected shouldbe aligned with the risk-managementprocess or the acility, and thesespecic KPIs may then be used toaid the management o the ve stepsoutlined above (see asset integritymanagement process). In addition,the leading and lagging indicatorsselected should cover all three aspects

o incident prevention plant, processand people. The major hazardsregulator in the UK, the Health andSaety Executive(HSE), has produceda guidance document DevelopingProcess Saety Indicators8 outlining amethod that may be used to developsuitable KPIs or an operating site. Themethod advocated by HSE is similarto that dened in this document, ie:

Immediate causes o a signicant1.release are identied (wear,corrosion, overlling, impactdamage, over/under pressurisa-tion, operations error, etc.).

Various Risk control systems are2.identied or each hazard typi-cally each system will contributeto risk reduction or more thanone type o incident scenario.

Each Risk control system (3. eginspection/maintenance; stacompetence see table opposite)is analysed to dene suitablesite-specic lagging and leading

KPI. These KPIs should be specicto the actual opera-

tions carried outat the acility.

The typicalhigh-level risk

control system listed in the tableopposite is likely to be relevantor many major hazard acilities.Example KPIs are also summarisedin the table but should be urthercustomised or a specic acility.

The Center or Chemical ProcessSaety (CCPS) document Processsaety leading and lagging metrics9denes lagging KPIs which may beused to assign a severity rating toa hazardous release. These ratingscan then be used in conjunction with

worker exposure hours to calculatestandard lagging process saetymetrics, or perormance comparisonsbetween acilities and organisations.A lower level o lagging KPI oracilities is also suggested based ona process saety near miss report-ing system, with examples o thetypes o event to be considered.

This CCPS publication alsoidenties possible leading KPIsor the ollowing areas:

Maintenance o mechani-

cal integrity

Action items ollow-up

Management o change

Process saety training andcompetence, including assurance.

The CCPS book Guidelines orRisk Based Process Saety10 pro-vides urther advice on settingsuitable KPIs, including a our-levelrating system or assessing howdependable KPIs are or improv-

ing organisational perormance.The Norwegian Petroleum SaetyAuthority (PSA) has also led work inthe area. Their Trends in risk levelproject monitors the risk level devel-opment using various methods suchas incident indicators, barrier data,interviews with key inormants, workseminars, eld work and a major ques-tionnaire survey every other year. Theresults are presented in annual reports.


15/20

2008 OGP 15

Generic barriers and example KPIs

(Based on table 5 rom the UK HSE guidance document: Developing process saety indicators)

Risk control system Example lagging KPI Example leading KPI

Inspection/maintenance Number o loss-o-containment incidents

% o saety-critical plant/ equipment that perorms tospecifcation when tested

% maintenance plan completed on time.No. o processleaks identifed during operation or during downtime

Sta competence

Number o loss-o-containment incidentsplant trips, equipment damage, etc. linkedto insufcient understanding, knowledgeor experience o correct actions

% personnel meeting local assessed competence criteria(inc Supr/Mgr)

Average period required to become ully competent aterappointment to a new position

Operational proceduresNumber o operational errors due toincorrect/unclear procedures

% o procedures reviewed and updated versus plan

Instrumentation and alarmsNumber o incidents linked to ailure oinstrumentation or alarms

% unction tests o alarms/trips completed on schedule

Plant change managementNumber o incidents linked to ailure oMOC

% plant changes suitably risk assessed and approvedbeore installation

Average time taken to ully implement a change onceapproved

Permit to work (PTW)Number o incidents where errors in PTWprocess are identifed as a contributorycause

% PTWs sampled where all hazards were identifed and allsuitable controls were specifed

% PTWs sampled where all controls listed were ully inplace at worksite

Plant designNumber o incidents where errors in plantdesign are identifed as a contributorycause

No. o post-startup modifcations required by Operations

No o deviations rom applicable codes and standards

% saety-critical equipment/systems ully in compliancewith current design codes

Emergency arrangementsNumber o emergency response elementsthat are NOT ully unctional whenactivated in a real emergency

% o persons sampled who have participated in anemergency exercise in past X months

% ESD valves and process trips tested, using a scheduledefned in a relevant standard or the acility saety case

Perormance standard

verifcationWhere possible, testing, recordingand veriying actual barrier perorm-ance, reliability, and availabilityshould be carried out at intervalsthroughout the assets operating lie.Direct operational testing is preerred,but some barriers may have to beveried largely by suitable modellingat the design stage (eg structural) orby type testing (eg re protection),as unctional operational testing

is not practical. In such cases it istypical to require periodic inspec-tion o physical condition to checkor evidence o degradation.

Operational unctional testing should

be realistic, objective and resultsshould be properly recorded, soas to demonstrate reliability overtime. In some regulatory regimes,independent verication o criticalbarriers is mandatory. Wherebarriers are tested routinely assub-units (eg individual detec-tors, isolation valves,

process trips, deluges, emergency

lights) some overall system perorm-ance testing should also be required.


16/20

2008 OGP16

Audit fndingsAudits should be an inte-gral part o the system ormanaging major incident barri-ers. The purpose o audits is to:

Determine whether the asset integ-rity management system elementsare in place and perormingeectively relative to companyobjectives and applicable regula-tory or technical standards.

Identiy areas or improvement

o asset integrity management.Improvements may include betterresults or improved eciency(same results using less resource).

The risk prole o the asset shoulddetermine the type and requencyo integrity audit. Audits may besel-assessments conducted bypersonnel rom within the organisa-tion, or external audits conducted byresources outside the audited organi-sation. Audit scope should be the

overall operation o the asset integritymanagement system and its integra-tion into line activities. The scope mayspecically address the ollowing:

Policy, organisation anddocumentation

Risk evaluation and managementPlanning and resourcing

Implementation and monitoring.

Asset integrity audits require adequateand knowledgeable resources usingobjective protocols. Auditors shouldidentiy sound practices where nochange is needed, opportunitiesor improvement, and any seriousnon-conormances. Auditors maysuggest solutions to identied prob-lems, or they may simply note the

nature o the problems and allowmanagement to devise and imple-ment appropriate solutions. In eithercase, the recommendations shouldbe ollowed-up in the next auditcycle, to ensure identied issues havebeen addressed appropriately.

Lack o comment about assetintegrity issues during generalacility inspections by regulators,insurers, etc. should not be taken asevidence that asset integrity man-agement is satisactory. However,

the results o any targeted inspec-tions by external bodies may beincluded in the evidence submit-ted or management review.

Management reviewAsset management should regularlyconsider evidence rom each o theactivities outlined above and shouldalso look at the practices o industryleaders or possible improvementopportunities in asset integrity. Lessonslearned rom incidents and nearmisses within the company and in theoperations o others may also highlightpossible improvements. Case studies,such as those reerenced in the next

section, can provide valuable reallie input to compare with existinginternal strategies and practices.

Based on these data, managers canset suitable objectives or the nextimprovement cycle. Resources devotedto asset integrity monitoring and toimprovements should be risk-based,iebased on the current acility-widerisk reduction benets provided byassured barrier perormance andthe opportunities or improvement.


17/20

2008 OGP 17

GeneralCCPS. Guidelines or Risk Based Process Saety, Center or Chemical Process Saety.WileyBlackwell. 2007. ISBN 978-0470165690.

IntroductionOGP. Guidelines or the development and applications o health, saety and environmental management systems.Report No 210. The International Association o Oil & Gas Producers, London, UK. 1994.

Asset Integrity Management ProcessISO 17776: 2000. Petroleum and natural gas industries oshore production installa-tions guidelines on tools and techniques or hazard identifcation and risk assessment.

ISO 13702: 1999. Petroleum and natural gas industries control and mitigation o fres andexplosions on oshore production installations requirements and guidelines.

OECD. Guidance on Saety Perormance Indicators. Organization or Economic Co-operation and Development (OECD). 2003. ISBN 978-9264019102.

BarriersHSE. Guidance on risk assessment or oshore installations. Health & Saety Execu-tive, Aberdeen, UK. Oshore Installation Sheet 3/2006.

CompetenceWaterall, Kevin; Young, Clyde; and Al-Anazi, Khala S. Health, Saety, Security, and Environmen-tal Competence Finds a Level Playing Field in the Industry. Paper SPE 98516 presented at the SPE

International Health, Saety, and Environment Conerence, Abu Dhabi, 24 April 2006.

Case studiesCCPS. Incidents That Defne Process Saety. WileyBlackwell. 2008. ISBN 978-0470122044

References

Bibliography

OGP.1. Saety perormance indicators 2007 data. Report No 409. 2008.The International Association o Oil & Gas Producers, London, UK.

ISO/DIS 31000.2. Risk management principles and guidelines on implementation.

OGP.3. Risk Assessment Data Directory(to be published in 2009).The International Association o Oil & Gas Producers, London, UK.

James Reason.4. Human Error. Cambridge University Press. 1990. ISBN 978-0521314190.

James Reason.5. Managing the risks o organizational accidents. Ashgate. 1997. ISBN 978-1840141047.

OGP. Website:6. Human Factors area. http://info.ogp.org.uk/hf

OGP.7. Human Factors a means o improving HSE perormance. Report No 368.The International Association o Oil & Gas Producers, London, UK. 2005.

Developing Process Saety Indicators; A step-by-step guide or chemical and major8.

hazard industries. HSE Books, re. HSG254. 2006. ISBN 978-0717661800CCPS.9. Process Saety: Leading and Lagging Metrics. Center or Chemical Process Saety, New York, USA. 2008.

CCPS.10. Guidelines or Risk Based Process Saety. WileyBlackwell. 2007. ISBN 978-0470165690


18/20

2008 OGP

AssetFacilities and associated inra-structure, e.g. structures, wells,pipelines, reservoirs, accom-modation & support services.

Asset integrityThe prevention o major incidents (seeexpanded denition on page 3).

AvailabilityThe ability, measured in terms o

uptime percentage, o a system toperorm its required unction.

BarrierA unctional grouping o saeguardsand controls selected to preventthe realisation o a hazard.

CompetenceA persons ability to meet accu-rately and reliably the perormancerequirements or a dened role.

Controlsee also Barrier. Used specicallyor a barrier which mitigates theconsequences o an initial event.

Glossary

EscalationThe process by which initial &sometimes small events triggerurther sometimes larger events.

FunctionalityWhat a device or systemis designed to do.

Human actorsAll the interactions o indi-viduals with each other, with

acilities and equipment, and withthe management systems usedin their working environment.

KPIKey Perormance Indicator, mayalso be called metrics. See Re-erences or detailed denitionand asset integrity examples.

Major incidentAn unplanned event with esclation

potential or multi-atalities and/orserious damage, possibly beyond theasset itsel. Typically these are hazard-ous releases, but also include majorstructural ailure or loss o stabilitythat could put the whole asset at risk.

MitigationA barrier whose role is to limitconsequences, generally by limit-ing escalation, but which doesnot prevent the initial event.

Perormance standardA measurable statement, expressedin qualitative or quantitative terms,o the perormance required o asystem, item o equipment, person orprocedure, and that is relied upon asthe basis or managing a hazard.

RecoverySae and timely resumption o normaloperations ater an incident.

ReliabilityProportion o occasions abarrier or equipment item willunction as designed (%).

Residual riskRisk that remains when abarrier, or combination o bar-riers, operates as intended.

Risk treatmentsee Barrier.

SurvivabilityProtection required by a barrier orequipment item to ensure continuedoperation during a major incident.

18


19/20

2008 OGP 19


20/20

Documents

Asset integrity – the key to managing major incident risks