ogp asset integrity- the key to managing major incident risks

7/26/2019 OGP Asset Integrity- The Key to Managing Major Incident Risks

1/20

Asset integrity the key to managing major incident risks

Report No. 415

December 2008

I n t e r n a t i o n a l A s s o c i a t i o n o f O i l & G a s P r o d u c e r s


2/20

OGP

OGPs Managing Major IncidentRisks Task Force has developed thisguide to help organisations reducemajor incident risks by focusing onasset integrity management. It may beapplied to new and existing assets atevery lifecycle stage. The informationpresented within it is derived fromgood practices in mature operatingareas where operators are requiredto provide structured evidence ofsound risk management practices.

Although this guide may be usedby anyone who contributes to themanagement of asset integrity, itis particularly targeted at seniormanagers, including those from anon-technical background, who leadoperating organisations. Use of theincluded question set(Appendix)can help assure that major incidentrisks are suitably controlled at alltimes for all upstream hydrocarbonoperations. This document alsoincludes references for those who

require more in-depth understand-ing of asset integrity management.

Purpose andtarget audience

2

Disclaimer

Whilst every effort has been made to ensure the accuracy of the information contained in this publication, neitherthe OGP nor any of its members past present or future warrants its accuracy or will, regardless of its or their negli-gence, assume liability for any foreseeable or unforeseeable use made thereof, which liability is hereby excluded.Consequently, such use is at the recipients own risk on the basis that any use by the recipient constitutes agree-ment to the terms of this disclaimer. The recipient is obliged to inform any subsequent recipient of such terms.

This document may provide guidance supplemental to the requirements of local legislation. Nothing herein, however,is intended to replace, amend, supersede or otherwise depart from such requirements. In the event of any conflictor contradiction between the provisions of this document and local legislation, applicable laws shall prevail.

Copyright notice

The contents of these pages are The International Association of Oil and Gas Producers. Permission is given

to reproduce this report in whole or in part provided (i) that the copyright of OGP and (ii) the source are ac-knowledged. All other rights are reserved. Any other use requires the prior written permission of the OGP.

These Terms and Conditions shall be governed by and construed in accordance with the laws of England and Wales.Disputes arising here from shall be exclusively subject to the jurisdiction of the courts of England and Wales.


3/20

OGP

E&P organisations need to managea complex portfolio of risks. Theserange from minor events to majorincidents that may involve seriouspersonnel injuries, significant envi-ronmental damage or substantialfinancial impact. Globally, the E&Pindustry has been relatively success-ful in managing major incident risk.Nevertheless, the challenge remains toreduce the likelihood of such events.

Over the past two decades, thedevelopment and implementation

of structured Health, Safety andEnvironmental Management Systems(HSE-MS) have provided a frameworkwithin which all hazards and the risksthey pose can be identified, assessedand managed. The substantialimprovements the industry has seen inLost Time Injury Frequency (LTIF) andTotal Recordable Incident Rates (TRIR)over this period (seeFigure 1) are,in part, testament to the benefits ofa systematic approach to risk man-agement where there are close links

between hazards and consequences.

In contrast to occupational injuries,large losses are typically the result ofthe failure of multiple safety barri-ers, often within complex scenarios.These are difficult to identify using

a simple experience-based hazardidentification and risk assessmentprocess. Good occupational healthand safety performance of an assetdoes not guarantee good majorincident prevention. A commoncontinual improvement managementsystem may be used, but additionaltechnical skills and competences areneeded to manage major incidentrisks. It is important to understand thatthe application of suitable equipmenttechnical standards, though vital,

is not a sufficient requirement forthe prevention of major incidents.Well-managed organisationalpractices and individual competencesare also necessary to ensure theselected barriers remain effective.

This guide summarises ways tomanage major incident risk throughoutthe lifecycle of E&P operations. It out-lines processes and tools that explicitlyaddress such risks within an overallHSE-MS or corporate risk manage-ment system. It also includes examplesof risk management process failuresthat could lead to a major incident.

Being able to work with an inher-ently hazardous product in a safeand environmentally responsiblemanner is critical to the success of

any E&P organisation. Major incidentscan have severe consequences forpeople, the environment, assets and

company reputation. Although therisks of major incidents can never bereduced to zero, a systematic risk-management process as outlined inthis guide can significantly reducetheir likelihood and limit their effects.

1 Introduction

0

1

2

3

4Overall

Contractor

Company

2007200620052004200320022001200019991998 0

2

4

6

8

10

12Overall

Contractor

Company

2007200620052004200320022001200019991998

LTIF company & contractorsper million hours worked

TRIR company & contrac torsper million hours worked

3

Figure 1 data from OGP Report Safety performance indicators 2007 data1

Asset integrityWithin this guide, asset integrityis related to the prevention ofmajor incidents. It is anoutcome of good design,construction and operatingpractices. It is achieved when

facilities are structurally andmechanically sound andperform the processes andproduce the products for whichthey were designed.

The emphasis in this guide is onpreventing unplanned hydrocarbonreleases that may, either directly or

via escalation, result in a majorincident. Structural failure or marineevents may also be initiating causesthat escalate to become a majorincident. This guide applies to suchevents, but there may be additionalconsiderations not covered here.

Broader aspects of asset integrityrelated to the prevention ofenvironmental or commercial lossesare not addressed. However, subjectto appropriate prioritisation, thesame tools can be applied for theserisks.

DEFINITION


4/20

OGP4

3R

iskassessment

Risk identification

1

Establishingthe context

Risk analysis

Risk evaluation

2

Communicationand

consultation

5

Monitoringand

review

This underpins the overall riskmanagement process, should

occur throughout the cycle andbe two-way, as shown by the

arrows

4

Risktreatment

Monitoring at every stage,feeding back to improvements

based on increasedunderstanding

Review of the entire process atintervals to ensure it continues

to be effective

Figure 2 based on ISO 31000 (draft)2

The outline process in Figure 2 isbased on a standard continualimprovement cycle: Plan, Do,Check, Act (PDCA). Minorvariations from this processand terminology may be used inother management system documentsor standards. The five steps shownshould preferably be part of thedesign process, but they may alsobe applied to existing assets, and becontinued throughout their lifecycle.

Major incidentAn unplanned event withesclation potential for multiplefatalities and/or seriousdamage, possibly beyond theasset itself. Typically these arehazardous releases, but alsoinclude major structural failureor loss of stability that could putthe whole asset at risk.

DEFINITION

2 Asset integrityrisk managementprocess


5/20

OGP 5

Establishing the context

What drives us?

Aspects include:

External context factors outsidethe organisation such as:

applicable legislation, codesand standards (includingthe terminology used)

key stakeholders such aspartners, regulators, localcommunities, NGOs, majorcontractors and suppliers

Some applicable regulations orstandards may specify standardsafeguards and thus limit risk treatmentoptimisation as described in step 4.

Internal context factorsinside the organisation and,for this guide, only thosehazards that could result ina major incident such as:

corporate risk manage-ment standards, theirprocesses and targets

governance systems includ-ing internal organisation &delegation of responsibilities

internal capabilities includ-ing persons who operate,maintain and manageactivities at the facility

Communication & consultation

Who else should be involved?

The types, frequencies, style andcontent of communications should bedetermined by the internal and exter-nal standards, documents, stakeholdergroups, etc. identified in step 1.

Risk assessmentWhat can happen? (A process carried out inthree sub-steps Figure 2)

Risk identification (may also betermed Hazard identification)

Identifies potential harm topeople, the environment andassets. Unless applicable majorincident risks are identified,steps cannot be taken toeliminate or control them.

Risk analysis

This stage involves realistic anddetailed consequence assess-ments. An example would beto estimate how much gas orliquid might be released in theevent? Or by what mechanisms

could an initial small releaseescalate to affect people andother equipment? Risk Assess-ment Data can be used toestimate event frequency3.

Risk evaluation

It is very important to determinewhat risks are acceptable. Fora new design, a wide rangeof risk reduction (treatment)options exist; for existingassets, the scope may belimited. Options generally

include elimination, preven-tion, control, mitigation andrecovery. Elimination is thebest way to deal with hazardsbut is not always possible.For hazards that cannot beeliminated, other treatmentsshould be considered and themost cost-effective combinationselected (see step 4 below).

Risk treatment

What do we do?

Risk treatment involves consideringall the feasible options and decid-ing on the optimal combination tominimise the residual risk so far asis reasonably practicable. This steplies at the heart of the overall assetintegrity management process.Successful risk treatment includesensuring the selected barriers areactually in place, not just on paper.

Engineered safeguards are typi-cally more reliable than procedural

ones (see Barriers). Likewise, passivesystems such as use of open space,gravity drainage and natural ventila-tion are typically more reliable thansystems requiring activation such asfirewater, foam, emergency teams,emergency isolation valves and blowdown. But no safeguards are infal-lible. Therefore, a combination of bothactive and passive systems is typicallyused to minimise the consequences ofintegrity loss and expedite recovery.Some risk treatment options may notbe possible for an existing asset (e.g.increasing open spaces); others mayinvolve major modifications, requir-ing appropriate evaluation of the riskreduction benefits relative to the costs.

Monitoring and review

What could we do better?What can we learn, from ourselves andfrom others?

As an asset is designed, constructed,operated, maintained and modified,the understanding of associatedrisks and good practices for itstreatment will improve. This allowsbetter risk management. It is alsoimportant to review periodically theapproach taken for asset integrity

risk management; ensuring that newknowledge is considered, changesare understood and the selectedbarriers continue to be cost-effective.

This review step is also importantfor newly acquired mature assets,or those being systematically risk-assessed for the first time. Someof the original design philosophyor key maintenance records maynot be available and the use ofadditional barriers may be prudentuntil integrity monitoring provides

sufficient experience or knowledgeof the asset to make informed riskmanagement decisions. Changesin key operating parameters (pres-sure, temperature, composition, etc)should also trigger an overall reviewof asset integrity risk management.


6/20

OGP

Hazardousevent

Threats Consequences

Controls/barriers Event

H

a

z

a

r

d

Consequences

6

3 Barriers

BarrierA functional grouping ofsafeguards and controlsselected to prevent therealisation of a hazard.

Each barrier typically includesa mix of: plant (equipment),process (documented andcustom and practice) andpeople (personal skills and theirapplication). The selectedcombination of these ensuresthe barrier is suitable, sufficientand available to deliver itsexpected risk reduction.

DEFINITIONBarriers are the functional groupingsof safeguards and controls in place to

prevent the occurrence of a significantincident. A good way to understandbarriers is a model that likens themto multiple slices of Swiss cheese,stacked together side-by-side. Eachbarrier is represented as one cheeseslice. The holes in the slice representweaknesses in parts of that barrier.Incidents occur when one or moreholes in each of the slices momentar-ily align, permitting a trajectory of

accident opportunity so that a hazardpasses through several barriers,

leading to an incident. The sever-ity of the incident depends on howmany barriers (cheese slices) haveholes that line up at the same time.

The Swiss cheese model covers bothactive failures and latent failures.Active failures are unsafe acts orequipment failures directly linked to aninitial hazardous event. Latent failuresare contributory factors in the systemthat may have been present and notcorrected for some time (days, weeks,months or in some cases, years) until

they finally contributed to the incident.

Figure 3 Application of the Swiss cheese model4,5

As shown in Figure 3, the Swisscheese model asserts that no barrieris ever 100% effective because holesare always present, even though eachmay be temporary. The aim shouldbe to identify holes and then makethem as small and as short-lived as

possible, recognising that they arecontinually changing (equipment

deterioration, temporary safeguardbypasses, operational changes, main-tenance lapses, personal and teamcompetences, etc). Hence, multiplebarriers are used to manage the risk ofmajor incidents, thereby reducing thechance that all of the holes line up

and the worst-case event is realised.

An alternative way to visualiseand determine the need for barri-ers is to use the Bow Tie model(Figure 4). This indicates how bar-riers can both reduce the threatsfrom a hazard and limit conse-quences if the hazard is realised.

Figure 4 Bow Tie model


7/20

OGP 7

Typical equipment barriersFor E&P assets, integrity bar-riers can be considered inthe following categories:

Prevention primary contain-ment, process control, primaryand secondary structure.

Detection control room alarms,fire/gas/leak detection.

Control and mitigation equip-ment orientation and spacing,

secondary containment anddrainage, blow-down systems,fire-protection and suppression.

Emergency response localalarms, escape and evacuation,emergency communications,emergency power.

With this approach, the number ofbarriers (hardware or managementsystem) for an asset can be held at alogical and manageable level (usuallyless than 20). In contrast, a listing ofindividual critical equipment itemscould number thousands and makesystematic management difficult.

A detailed description is needed ofthe operational performance require-ments for the whole barrier to meetthe intended risk reduction. Hence,step 4 in Figure 2 risk treatment has two levels of increasing detail:

define barriers at a system level1.

define high level performance2.requirements for each barrier

define the required perform-3.ance standards in detail including those for constitu-ent parts as appropriate.

Within each barrier, individualequipment items may be suitablyitemised and prioritised for criti-cality using risk criteria.

Performance standardA measurable statement,expressed in qualitative orquantitative terms, of theperformance required of asystem, item of equipment,person, or procedure, and thatis relied upon as the basis formanaging a hazard.

DEFINITION

Performance standards forbarriers

Performance standards for barriersare typically described in terms offunctionality, availability, reliabilityand survivability. Performancestandards thus determine equipmentdesign specifications (original suit-ability) and also set requirements formaintenance and testing throughoutthe assets lifecycle (ongoing suitabil-

ity). It is helpful to consider a range ofpossible performance standards foreach component typically based onrecognised design standards andthen optimise the overall barrier togive the most cost-effective risk reduc-tion. Such barrier optimisation needsinput from designers, operations andoften risk assess-ment specialiststo ensure that allrelevant factorsare considered.

There can alsobe performancestandard optimi-sation betweenbarriers.

Once performance standards aredefined, assurance processes shouldbe put in place to confirm that barriersremain fit for purpose. Typically, thiswill require initial equipment type-testing and/or barrier commissioningperformance tests; operational controlsand limits; maintenance, inspection

and testing plans; performancerecords for both individual equipmentitems and the overall barriers; auditand review. Performance standardsmay be changed over a facilityslifecycle to reflect changes in operat-ing parameters or a need to improveinspection and leak detection ifprocess equipment deteriorates.

Emergency responseAs noted above, one or more of thedefined barriers should be emer-gency response: an optimised mix ofhardware, procedures and person-nel, with associated performancestandards. However, as asset integrityimproves, the justification for exten-sive emergency response (mitigationand recovery barriers) may reduce.Consequently, it can be challengingto convince designers and operators

working hard to ensure asset integ-rity that they should also plan andimplement robust emergency responsebarriers in case integrity is lost.

The major incident scenarios forwhich the emergency responsebarriers should be designed will bethose identified in step 3 of the riskassessment process. This assumes fullor partial failure of the preceding bar-riers, as appropriate. Similar scenariosand barrier failures may be used asa basis for operational training andassessment of the facility emergencyresponse procedures and people,including both front-line personneland those responsible for managerialresponse. Such training reinforcesunderstanding of the purpose of majorincident barriers and helps to ensurethat suitable, timely actions are takenif their performance degrades.

A faster blow- downtime may reduce the

fire protec tionrequirements, butmay also result inadditional pipework,cooling or increased

flare radiat ion.

EX

AMPLE


8/20

OGP8

4 Integrity throughoutthe asset lifecycle

Concept selectionOptimising early design choices canpositively influence asset integrity costand effectiveness throughout the life ofa facility. However, optimisation alsotakes time and resources. Thereforeit requires organisational leadershipthat recognises and balances assetintegrity and full lifecycle costs againsta design with the cheapest capitalcost or shortest construction time.

Some design concepts are inherentlymore reliable than others.Identify-ing key hazards and the barriersneeded to control them will alsohelp avoid concepts with hard-to-manage asset integrity issues. Conceptdesign decisions may also determineother operations and maintenanceactivities which have their ownimpacts on asset integrity risks.

Performance standards for the mainasset integrity barriers should beset during this stage to ensure faircomparison of options. It is easyto underestimate the true cost offuture operations and maintenance.Doing so results in under-investment

in asset integrity capital equipment.After concept selection, there is lessavailable flexibility for eliminatinghazards, reducing risk or simplify-ing asset integrity management.

Asset definitionAs asset design is developed, thebarriers for maintaining asset integ-rity should be worked in parallel.Overall performance standards forthe main barriers should already bedefined, so performance standardsfor systems and sub-systems shouldbe ready to be determined. Thisensures that equipment specifica-tions take account of maintenanceneeds and operational capacities.

Barrier maintenance, inspectionand testing requirements, includ-ing estimates of the associatedsystem downtimes, are a designdeliverable at this stage. It is alsoimportant to ensure the selecteddesign is suitable for the ultimatedecommissioning requirements.

At this stage a catalogue of appli-cable codes and standards shouldbe compiled, with particular refer-

ence to those required to assure thebarriers. This catalogue reducesthe potential for misunderstandingsor disputes about required barriersand performance standards duringlater stages. Also, by identifyingand applying appropriate codesand standards, an initial estimate ofresidual risk can be made throughcomparison with a similar plant.

Detailed designBy this point, most key assetintegrity decisions have been made.However, poor detailed design cansignificantly reduce asset integrityby making planned barriers ineffec-tive. Full documentation is needed todescribe the asset design, operatingand maintenance strategies, and themajor hazards management philoso-phy. Maintenance, inspection andtesting routines should be developed

for all barriers. Risk assessmentsshould demonstrate that hazards andrisks are appropriately managedthrough equipment specifications(plant), procedures and delegatedresponsibilities (process), and compe-tent personnel (people). Operabilityreviews and familiarisation by main-tenance and operations personnelshould commence during this stage,and continue through the constructionstage. At the completion of this stageall asset integrity barriers should

be fully defined and documented.

Construction and

commissioning

It is critical to ensure thatany necessary changesmade to the design aresuitably managed andauthorised so as to maintainasset integrity standards.

All required operating,maintenance and testingprocedures should befinalised before com-missioning begins, andcompetent personnelshould be recruited and trained.This ensures that, as far as pos-sible, the procedures and peopleelements of major incident barriersare fully functional when the plantelements are first operated. Systemcommissioning tests may be needed

to verify the functional performanceelements of some barriers, egblow-down systems, isolation valves.

Corrosion resistant pipework fully rated formaximum pressure is less likely to fail due tooverpressure or corrosion than pipework that

relies on instrumented pressure protection andthe addition of corrosion inhibitors to maintainintegrity, but there may be higher costs andnew problems.E

XAM

PLE

It is unreasonable to expect 96% uptime if keyequipment requires 15 days annual inspectiondowntime, as there is then no contingency forany other downtime, planned or unplanned.

EXAMPLE

Must just the asset be totally recyclable, ormust all land or seabed contamination also beremoved?

EG

Selecting a diesel-powered main generatorrather than an external electric supply requiresconsideration of:

Main generator system maintenance andbackup

Local diesel storage facilities, and increasedfire protect ion in case of loss of storage

integrityDiesel-supply operations, with associatedtransport and transfer spillage risks

E

XAMPLE


9/20

OGP 9

Operation,modification

and maintenance

All the asset integrity barriers definedin the earlier stages should be imple-mented and maintained. All subsequentchanges to asset design, operating limitsor maintenance frequencies should besubject to change control and review bya competent technical authority. This isalso the time for operating limits to comeinto play, including control of systemover-rides. Barrier performance shouldbe tested regularly and any deficienciesappropriately addressed. To the extentthat the earlier concept selection stageeliminated or reduced hazards, the needfor ongoing intervention, maintenance andtesting tasks can be greatly reduced. Thiscan be particularly important with higherhazard materials and operating condi-tions, egHPHT reservoirs, high H

2S levels.

Operations and maintenance manag-

ers should have the competence tounderstand and communicate majorincident hazards and to describehow the equipment and proceduresare designed to provide suitable andreliable asset integrity barriers, includ-ing recovery from minor deviations.

With operating conditions changingover time, an initial design premise mayno longer be valid. All such changespotentially affect operating limits andso should be covered by the changecontrol process. Codes and standards

may also change within the lifecycle ofthe facilities. The original design shouldbe reviewed against such changes tosee if modifications are required byregulation or justified for reductionof new or newly understood risks.

AcquisitionWhen considering asset acquisition, at whatever lifecycle stage, theavailability of essential asset integrity information should be checkedas part of the due diligence process. The costs of replacing anymissing information should be included in the overall acquisitioncosts. Examples would be: design performance standards for themajor barriers required to understand whether inspection and testingactions assure operating asset integrity, or detailed design informa-tion needed to define the scope of future decommissioning methodsand costs. The same considerations apply for any mature asset where

information about major incident risks and barriers is incomplete.

Decommissioning,

dismantling and removal

Asset integrity can be a significantfactor at this stage. As selectedequipment is shut down or dismantled,the normal barriers for protectingthe facility may be compromisedor eliminated, such as escape orevacuation routes. In addition, theneed to ensure removal of all process

materials and other hazardoussubstances from both equipment

and the affected site may be asignificant concern to regulators

or decommissioning personnel.Environmental impacts mayalso occur at lower quanti-ties or concentrations thanwould be meaningful fora purely safety incident.Preventive asset integ-rity barriers that haveremained fully effective

and documented can beextremely beneficial atthis stage of the lifecycle.

A reservoi r may produce soli ds (sand orproppant), water or unexpected hazardoussubstances (H

2S, mercury, CO

2, etc)

EG


10/20

OGP10

There is a separate OGP guideon human factors6, but it is worthhighlighting those aspects that arerelevant to major incidents. Afterall, human error is a key factor inmost major incidents, so reduc-ing the potential for errors is anessential part of asset integrity.

Without proper consideration of thehuman component, even the mostsophisticated facilities are susceptibleto loss of integrity caused by incorrectoperations, unsuitable maintenance

or de-motivated people. Designingfacilities, work processes and tasksto properly address human factorscan contribute significantly to theoverall reliability and integrity of theasset, including the ability to manuallyinitiate recovery if other barriers fail.

Equipment design and controlslayout

Arrange equipment for easy

access and maintenanceEasy manual activation withcontrols labeled or configuredto make correct action obvious

Standard configurations and/or colour schemes to rein-force consistent operation.

5 Human factors

Human factorsAll the interactions ofindividuals with each other, with

facilities and equipment, andwith the management systemsused in their workingenvironment.D

EFIN

ITION

Displays and alarmsshould have the following characteristics:

Provide sufficient information toconfirm the status of the operationand the effects of control actions.

Alert personnel to abnormalor emergency conditions thatrequire a specific response.

Ensure alarms are not acti-vated by routine operations orwhen changes do not require

a response. High volumes ofinsignificant alarms may maskmore serious events and producea culture of automated acknowl-edgement by operators withoutproper assessment of the situation.

Work practices andprocedures

should be similar to those for preventing oc-cupational incidents, including:

Clear roles and responsibilities,understood by all parties.

Applicable work prac-tices that take account ofall relevant hazardsand are applied

consistently.Clear proce-dures that allowusers to identify therequired steps, complete them inthe proper order and under-stand what to do if abnormal orunexpected conditions arise.

Pre-Task reviews should beundertaken to identify all threatsto people and plant, their currentcontrols and what more might bedone. Existing approaches exist

in many companies looking at theoccupational threats and are vari-ously called Job Safety Analyses,Personal Risk Assessments orTask Risk Assessments. However,these need to be reviewed toensure they also cover threats tothe plant capable of leading tomajor accidents, diminishing theability of the plant to control amajor accident or reducing theability of personnel to escapein an emergency situation.

Tasks on or near energised oroperating systems shouldconsider loss of processcontainment or structuralintegrity and how task activitiesmight either initiate such a loss,

or contribute to its escalation,and personnel involved shouldbe competent to do this.

EX

AMPLE


11/20

OGP 11

Work management andauthorisation

roles should be defined.

For tasks that could impactthe facility or other workers, apermit-to-work system should bein place to agree, communicateand manage the necessarycontrols, task authorisation andhandover of responsibilities.

Permit systems should provideclear definitions and consist-ent application of the isolationand integrity testing minimumstandards required for live worktasks on the various process fluidsand pressure systems present.

In complex facilities it may bebeneficial to use software-basedsystems to provide automatic andconsistent guidance on suitabletask precautions, including systemisolations, de-isolations and

integrity tests. Such tools maybe referred to as an IntegratedSafe System of Work (ISSOW).

Task design and individual orteam workload

Worker fatigue and overload arekey causes of human error. Tasks thatexceed workers capabilities, or whosescope, duration or pace result in

fatigue, can lead to a decline in workquality, omissions, or faulty decision-making. Any of these can contributeto loss of integrity. Therefore:

Tasks should be designed inconsistence with the knowledge,skills, and physical capabili-ties of the person or team.

Work scope and responsi-bilities for each role should avoidoverload. In upset or emergencysituations particularly, thesimultaneous actions or responsesrequired from a person or teammust be within their capability orthe event will escalate, possiblyleading to a major incident.

Work schedules should addressthe need for periodic rest to avoidboth short-term and longer-termeffects of fatigue, leading toerrors and incidents. This appliesto routine work schedules andhigh workload periods such asfacility commissioning or turna-

rounds. Task schedules shouldtake account of any physicalconditions that increase fatigueand error rates such as restrictedaccess, temperature or humidityextremes, or a noisy, damp orcontaminated work environment.

Process safety culture

A culture that successfully managesoccupational safety and healthrisks may still fail to deal with

major incident risks indeed, anineffective process safety culturemay be a common hole in multipleasset integrity barriers, leading toa major incident. Consequently:

Leaders should encourageinput from workers and provideadequate feedback for simplify-ing or improving the performance,reliability and availability ofasset integrity barriers.

Safety culture assessment anddevelopment tools7should beadapted and applied to the keymajor incident managementelements outlined in this guide.


12/20

OGP12

6 Competences

Competences for a position orteam are analogous to the perform-ance standards developed for ahardware system. This section con-centrates on competences requiredto manage major incident risks.

Relevant competences are clearlyrequired by construction, opera-tions and maintenance techniciansworking directly on an asset. Suitablecompetences are also required bytechnical authorities, supervisorsand managers. Regulators and

other independent bodies who haveoversight of major hazard assetsalso need suitable competences.This category includes insurers andmanagement system auditors.

From the earliest stages of assetdesign to final shut down and disman-tling, competent people can make thedifference between flawless perform-ance and major incidents. A frequentfinding of major incident investigationsis that though individuals involved

had the necessary knowledge andskills, they were discouraged by thelocal culture from applying those skillsto break the chain of escalation.

Competence for each role shouldbe managed as follows:

Identifying the requiredcompetences.

Providing relevant training(knowledge and skills).

Assuring or verifying thesecompetences (ability to apply

knowledge and skills).Refreshing competencesas appropriate.

Identify the requiredcompetences

Define the key tasks for each role(job position) associated withassuring major incident barriers.

For each role, determine therange of skills, knowledge andpersonal attributes (compe-tence elements) to successfullyexecute these tasks. Thesecompetences apply whether the

person in the position is a directemployee or a contractor.

Determine the required level ofproficiency for successful perform-ance of each competence elementwithin the role. Consider eachrole separately, as the requiredproficiency levels may varywidely. Proficiency levels may beexpressed as formal qualifica-tions, or as internally-definedgeneric descriptors such as begin-ner, competent, expert or master.

Identify which competences areprerequisites for filling the role,and which can then be assessedafter an initial period in the role.This is especially important fordeputies, stand-ins, and othernon-regular workers in that role.

Provide relevant training

Some training may be apre-entry requirement, egarecognised apprenticeshipor a university degree.

Internal training may includeclassroom instruction, practi-cal sessions or exercises,and field experience underthe direction of a mentor.

Additional on-the-job experiencemay be specified to achievethe required level of familiarityand proficiency in the identifiedcompetence, egminimum five-years operations experience.


13/20

OGP 13

CompetenceA persons ability to accuratelyand reliably meet theperformance requirements for adefined role.

Competence includes the skillsand knowledge necessary toperform the required taskssuccessfully, the ability torecognise personal limits and soseek physical help or input fromothers when appropriate, andthe conscientious application ofskills and knowledge every timethey are used.

Competence thus includes abehavioural element, ie abilityto apply personal skills andknowledge in typical workplacesituations.

DEFINITIONAssure or verify competences

The most effective verification ofcompetence includes a combina-tion of written or verbal testingof basic concepts and a dem-onstration of applicable skills.

Assessors of competence testsand demonstrations shouldthemselves be competent tocarry out the assessment.

Documentation of assessed

competence elements is animportant component inmanaging a competence assur-ance process. For technicalprofessionals, maintenance ofpersonal Continuing ProfessionalDevelopment (CPD) records andcertification by an accreditedorganisation is one way to verifycompetence in the required skillareas. Other ways to documentindividual qualifications andcompetences include an internal

database or safety passports. Typical competencesThe following are examples of generic roles with compe-tence requirements for ensuring asset integrity:

Technician

Understands current operatinglimits; responds appropriately tooperational alarms; understandstasks required to successfully operateor verify a barrier, including taskhazards and controls; accuratelyinstalls and removes temporaryinhibits; identifies and records testresults, including any defects; seeksassistance for critical defects.

Technical authority

Develops and defines suitablebarrier or equipment performancestandards; accurately interpretsrelevant codes and standards;advises on test methods andprocedures; risk assesses perform-

ance standard variations andtest results; for defective barriers,advises whether effective alternatetemporary controls are possible.

Asset supervisor

Ensures operations are withincurrently defined envelope;authorises barrier tests, temporaryinhibitions, etc. based on overallrisk assessment; monitors barrierperformance and ceases opera-tions immediately if barriers areunacceptably degraded; consultstechnical authority about actualor potential barrier deficiencies.

Asset manager/leader

Provides leadership to demonstratethe value of effective barriers(example by using the QuestionSet); ensures suitable budget andcompetent resources are available tooperate, monitor, test and manage

barriers; monitors major incidentleading and lagging indicators;acts on relevant audit findings.

Refresh competencesPeriodically review whichcompetences and associatedproficiency levels are requiredfor each role, as the requirementsmay change due to changes intechnology, facility size, reorgani-sation, or identified deficiencies.

Periodically re-verify personalcompetences to assure there hasbeen no erosion, particularlyin areas not regularly used, eg

emergency response. Refreshertraining at set intervals althoughwidely practiced is often anineffective use of resources andis not a substitute for competencere-assessment when required.


14/20

OGP14

7 Monitoringand review

Monitoring and reviewing assetintegrity performance (Check, Act) isas important as developing and imple-menting integrity plans and systems(Plan, Do). Integrity monitoring shouldbe fact-based, rather than opinion-based, and may include the following:

Key Performance Indicators (KPIs).

Barrier performancestandard verification.

Audit findings.

Incident and accident

investigations.Benchmarking and lessonslearned from external events.

Key Performance Indicators(KPIs)

KPIs can be used to evaluate assetintegrity performance againststated goals. Because major loss-of-integrity events are relativelyrare, it is important to record and

monitor even minor incidents. TheKPIs which record actual integrityfailures are typically called laggingindicators. By contrast leadingindicators can be used to assessthe health of the safeguards andcontrols which make up the barriers.

Facility level KPIsThere is no universal set of KPIs thatapplies to all major hazard facili-ties rather the KPIs selected shouldbe aligned with the risk-managementprocess for the facility, and thesespecific KPIs may then be used toaid the management of the five stepsoutlined above (see asset integritymanagement process). In addition,the leading and lagging indicatorsselected should cover all three aspects

of incident prevention plant, processand people. The major hazardsregulator in the UK, the Health andSafety Executive(HSE), has produceda guidance document DevelopingProcess Safety Indicators8outlining amethod that may be used to developsuitable KPIs for an operating site. Themethod advocated by HSE is similarto that defined in this document, ie:

Immediate causes of a significant1.release are identified (wear,corrosion, overfilling, impactdamage, over/under pressurisa-tion, operations error, etc.).

Various Risk control systems are2.identified for each hazard typi-cally each system will contributeto risk reduction for more thanone type of incident scenario.

Each Risk control system (3. eginspection/maintenance; staffcompetence see table opposite)is analysed to define suitablesite-specific lagging and leading

KPI. These KPIs should be specificto the actual opera-

tions carried outat the facility.

The typicalhigh-level risk

control system listed in the tableopposite is likely to be relevantfor many major hazard facilities.Example KPIs are also summarisedin the table but should be furthercustomised for a specific facility.

The Center for Chemical ProcessSafety (CCPS) document Processsafety leading and lagging metrics9defines lagging KPIs which may beused to assign a severity rating toa hazardous release. These ratingscan then be used in conjunction with

worker exposure hours to calculatestandard lagging process safetymetrics, for performance comparisonsbetween facilities and organisations.A lower level of lagging KPI forfacilities is also suggested based ona process safety near miss report-ing system, with examples of thetypes of event to be considered.

This CCPS publication alsoidentifies possible leading KPIsfor the following areas:

Maintenance of mechani-

cal integrity

Action items follow-up

Management of change

Process safety training andcompetence, including assurance.

The CCPS book Guidelines forRisk Based Process Safety10 pro-vides further advice on settingsuitable KPIs, including a four-levelrating system for assessing howdependable KPIs are for improv-

ing organisational performance.The Norwegian Petroleum SafetyAuthority (PSA) has also led work inthe area. Their Trends in risk levelproject monitors the risk level devel-opment using various methods suchas incident indicators, barrier data,interviews with key informants, workseminars, field work and a major ques-tionnaire survey every other year. Theresults are presented in annual reports.


15/20

OGP 15

Generic barriers and example KPIs

(Based on table 5 from the UK HSE guidance document: Developing process safety indicators)

Risk control system Example lagging KPI Example leading KPI

Inspection/maintenance Number of loss-of-containment incidents

% of safety-critical plant/ equipment that performs tospecification when tested

% maintenance plan completed on time.No. of processleaks identified during operation or during downtime

Staff competence

Number of loss-of-containment incidentsplant trips, equipment damage, etc. linkedto insufficient understanding, knowledgeor experience of correct actions

% personnel meeting local assessed competence criteria(inc Supr/Mgr)

Average period required to become fully competent afterappointment to a new position

Operational proceduresNumber of operational errors due toincorrect/unclear procedures

% of procedures reviewed and updated versus plan

Instrumentation and alarmsNumber of incidents linked to failure ofinstrumentation or alarms

% function tests of alarms/trips completed on schedule

Plant change managementNumber of incidents linked to failure ofMOC

% plant changes suitably risk assessed and approvedbefore installation

Average time taken to fully implement a change onceapproved

Permit to work (PTW)Number of incidents where errors in PTWprocess are identified as a contributorycause

% PTWs sampled where all hazards were identified and allsuitable controls were specified

% PTWs sampled where all controls listed were fully inplace at worksite

Plant designNumber of incidents where errors in plantdesign are identified as a contributorycause

No. of post-startup modifications required by Operations

No of deviations from applicable codes and standards

% safety-critical equipment/systems fully in compliancewith current design codes

Emergency arrangementsNumber of emergency response elementsthat are NOT fully functional whenactivated in a real emergency

% of persons sampled who have participated in anemergency exercise in past X months

% ESD valves and process trips tested, using a scheduledefined in a relevant standard or the facility safety case

Performance standard

verificationWhere possible, testing, recordingand verifying actual barrier perform-ance, reliability, and availabilityshould be carried out at intervalsthroughout the assets operating life.Direct operational testing is preferred,but some barriers may have to beverified largely by suitable modellingat the design stage (eg structural) orby type testing (eg fire protection),as functional operational testing

is not practical. In such cases it istypical to require periodic inspec-tion of physical condition to checkfor evidence of degradation.

Operational functional testing should

be realistic, objective and resultsshould be properly recorded, soas to demonstrate reliability overtime. In some regulatory regimes,independent verification of criticalbarriers is mandatory. Wherebarriers are tested routinely assub-units (eg individual detec-tors, isolation valves,

process trips, deluges, emergency

lights) some overall system perform-ance testing should also be required.


16/20

OGP16

Audit findingsAudits should be an inte-gral part of the system formanaging major incident barri-ers. The purpose of audits is to:

Determine whether the asset integ-rity management system elementsare in place and performingeffectively relative to companyobjectives and applicable regula-tory or technical standards.

Identify areas for improvement

of asset integrity management.Improvements may include betterresults or improved efficiency(same results using less resource).

The risk profile of the asset shoulddetermine the type and frequencyof integrity audit. Audits may beself-assessments conducted bypersonnel from within the organisa-tion, or external audits conducted byresources outside the audited organi-sation. Audit scope should be the

overall operation of the asset integritymanagement system and its integra-tion into line activities. The scope mayspecifically address the following:

Policy, organisation anddocumentation

Risk evaluation and managementPlanning and resourcing

Implementation and monitoring.

Asset integrity audits require adequateand knowledgeable resources usingobjective protocols. Auditors shouldidentify sound practices where nochange is needed, opportunitiesfor improvement, and any seriousnon-conformances. Auditors maysuggest solutions to identified prob-lems, or they may simply note the

nature of the problems and allowmanagement to devise and imple-ment appropriate solutions. In eithercase, the recommendations shouldbe followed-up in the next auditcycle, to ensure identified issues havebeen addressed appropriately.

Lack of comment about assetintegrity issues during generalfacility inspections by regulators,insurers, etc. should not be taken asevidence that asset integrity man-agement is satisfactory. However,

the results of any targeted inspec-tions by external bodies may beincluded in the evidence submit-ted for management review.

Management reviewAsset management should regularlyconsider evidence from each of theactivities outlined above and shouldalso look at the practices of industryleaders for possible improvementopportunities in asset integrity. Lessonslearned from incidents and nearmisses within the company and in theoperations of others may also highlightpossible improvements. Case studies,such as those referenced in the next

section, can provide valuable reallife input to compare with existinginternal strategies and practices.

Based on these data, managers canset suitable objectives for the nextimprovement cycle. Resources devotedto asset integrity monitoring and toimprovements should be risk-based,iebased on the current facility-widerisk reduction benefits provided byassured barrier performance andthe opportunities for improvement.


17/20

OGP 17

GeneralCCPS. Guidelines for Risk Based Process Safety, Center for Chemical Process Safety.WileyBlackwell. 2007. ISBN 978-0470165690.

IntroductionOGP. Guidelines for the development and applications of health, safety and environmental management systems.Report No210. The International Association of Oil & Gas Producers, London, UK. 1994.

Asset Integrity Management ProcessISO 17776: 2000. Petroleum and natural gas industries offshore production installa-tions guidelines on tools and techniques for hazard identification and risk assessment.

ISO 13702: 1999. Petroleum and natural gas industries control and mitigation of fires andexplosions on offshore production installations requirements and guidelines.

OECD. Guidance on Safety Performance Indicators.Organization for Economic Co-operation and Development (OECD). 2003. ISBN 978-9264019102.

BarriersHSE. Guidance on risk assessment for offshore installations. Health & Safety Execu-tive, Aberdeen, UK. Offshore Installation Sheet 3/2006.

CompetenceWaterfall, Kevin; Young, Clyde; and Al-Anazi, Khalaf S. Health, Safety, Security, and Environmen-tal Competence Finds a Level Playing Field in the Industry. Paper SPE 98516 presented at the SPE

International Health, Safety, and Environment Conference, Abu Dhabi, 24 April 2006.

Case studiesCCPS. Incidents That Define Process Safety. WileyBlackwell. 2008. ISBN 978-0470122044

References

Bibliography

OGP.1. Safety performance indicators 2007 data.Report No409. 2008.The International Association of Oil & Gas Producers, London, UK.

ISO/DIS 31000.2. Risk management principles and guidelines on implementation.

OGP.3. Risk Assessment Data Directory(to be published in 2009).The International Association of Oil & Gas Producers, London, UK.

James Reason.4. Human Error. Cambridge University Press. 1990. ISBN 978-0521314190.

James Reason.5. Managing the risks of organizational accidents. Ashgate. 1997. ISBN 978-1840141047.

OGP. Website:6. Human Factorsarea. http://info.ogp.org.uk/hf

OGP.7. Human Factors a means of improving HSE performance.Report No368.The International Association of Oil & Gas Producers, London, UK. 2005.

Developing Process Safety Indicators; A step-by-step guide for chemical and major8.

hazard industries. HSE Books, ref. HSG254. 2006. ISBN 978-0717661800CCPS.9. Process Safety: Leading and Lagging Metrics. Center for Chemical Process Safety, New York, USA. 2008.

CCPS.10. Guidelines for Risk Based Process Safety. WileyBlackwell. 2007. ISBN 978-0470165690


18/20

OGP

AssetFacilities and associated infra-structure, e.g. structures, wells,pipelines, reservoirs, accom-modation & support services.

Asset integrityThe prevention of major incidents (seeexpanded definition on page 3).

AvailabilityThe ability, measured in terms of

uptime percentage, of a system toperform its required function.

BarrierA functional grouping of safeguardsand controls selected to preventthe realisation of a hazard.

CompetenceA persons ability to meet accu-rately and reliably the performancerequirements for a defined role.

Controlsee also Barrier. Used specificallyfor a barrier which mitigates theconsequences of an initial event.

Glossary

EscalationThe process by which initial &sometimes small events triggerfurther sometimes larger events.

FunctionalityWhat a device or systemis designed to do.

Human factorsAll the interactions of indi-viduals with each other, with

facilities and equipment, and withthe management systems usedin their working environment.

KPIKey Performance Indicator, mayalso be called metrics. See Ref-erencesfor detailed definitionand asset integrity examples.

Major incidentAn unplanned event with esclation

potential for multi-fatalities and/orserious damage, possibly beyond theasset itself. Typically these are hazard-ous releases, but also include majorstructural failure or loss of stabilitythat could put the whole asset at risk.

MitigationA barrier whose role is to limitconsequences, generally by limit-ing escalation, but which doesnot prevent the initial event.

Performance standardA measurable statement, expressedin qualitative or quantitative terms,of the performance required of asystem, item of equipment, person orprocedure, and that is relied upon asthe basis for managing a hazard.

RecoverySafe and timely resumption of normaloperations after an incident.

ReliabilityProportion of occasions abarrier or equipment item willfunction as designed (%).

Residual riskRisk that remains when abarrier, or combination of bar-riers, operates as intended.

Risk treatmentsee Barrier.

SurvivabilityProtection required by a barrier orequipment item to ensure continuedoperation during a major incident.

18


19/20

OGP 19


20/20

ogp asset integrity- the key to managing major incident risks

Documents