International Oil and Gas Operational Safety: A Guide To

A guide to
International Oil and Gas Operational Safety
Printed under licence no. PA916

RMS Publishing Limited
Victoria House, Lower High Street, Stourbridge, DY8 1TA
© RMS Publishing Limited

First Edition February 2013.
First Edition (Reprint) July 2013.
Second Edition March 2017.
All rights reserved. No part of this publication may be stored in a retrieval system, reproduced, or transmitted in any form or by any
means, electronic, mechanical, photocopying or recording except as specified under the terms of the RMS Publications Print Licence
Agreement made between ACT, RMS Publishing’s distributor, and the Course Provider.
This book may not be lent, resold, hired out or otherwise disposed of by way of trade in any form or binding or cover other than that in
which it is published, without the prior consent of the Publishers.
Whilst every effort is made to ensure the completeness and accuracy of the information contained herein, RMS can bear no liability for
any omission or error.
Crown Copyright material is reproduced with the permission of the Controller of HMSO and the Queen’s Printer for Scotland.
ISBN-13: 978-1-906674-67-0

Contents
Preface v
Figure list vii
List of abbreviations ix
Glossary x
Unit IOG1 - Management of international oil and gas operational safety
1 Health, safety and environmental management in context 01
1.1 - Learning from incidents 03
1.2 - Hazards inherent in oil and gas 10
1.3 - Risk management techniques used in the oil and gas industries 16
1.4 - An organisation’s documented evidence to provide a convincing and valid argument 24
that a system is adequately safe
Exam practice 26
2 Hydrocarbon process safety 1 27
2.1 - Contractor management 29
2.2 - Process safety management (PSM) 30
2.3 - Role and purpose of a permit-to-work system 35
2.4 - Key principles of safe shift handover 40
2.5 - Plant operations and maintenance 42
2.6 - Start up and shut down 48
Exam practice 51
3 Hydrocarbon process safety 2 53
3.1 - Failure modes 55
3.2 - Other types of failures 58
3.3 - Safety critical equipment controls 61
3.4 - Safe containment of hydrocarbons 66
3.5 - Fire hazards, risks and controls 75
3.6 - Furnace and boiler operations 79
Exam practice 81
4 Fire protection and emergency response 83
4.1 - Fire and explosion risk in the oil and gas industries 85
4.2 - Emergency response 92
Exam practice 97
5 Logistics and transport operations 99
5.1 - Marine transport 101
5.2 - Land transport 109
Exam practice 113
Assessment 115
Index 125

Preface
Publication users
This essential health and safety guide provides an excellent reference for all those from all around
the world who work in Oil and Gas and the connected industries. Oil and Gas is a hazardous
industry. Managers, supervisors, offshore and onshore workers need specialist skills and know-how
to fulfil their health and safety responsibilities.
It focuses on hydrocarbon process safety, so that candidates can effectively discharge workplace
health and safety responsibilities both onshore and offshore throughout the world. It also highlights
the importance of process safety management.
The guide is an excellent study book and source of information for those undergoing the NEBOSH
International Technical Certificate in Oil and Gas Operational Safety learning programme.
Scope and contents

Scope
Topics covered by the guide include:
 Hazards inherent in the extraction, storage and processing of raw materials and products.
 Hydrocarbon process safety.
 Fire protection and emergency response.
 Logistics and transport operations.
The publication contains an emphasis on practical solutions to workplace health and safety issues.
Full colour photographs, tables and sample documents are provided to enable an understanding of
how these risks can be managed.
International standards
The Essential Health and Safety Guide to International Oil and Gas Operational Safety refers to
international conventions, recommendations, codes, guidance and standards in context with the
topics covered. Examples of how the topics relate to health and safety globally support the
information provided.
Syllabus
Though the publication will suit all those interested in the topic in general and studying for other
qualifications, it has been structured to reflect the order and content of the NEBOSH International
Technical Certificate in Oil and Gas Operational Safety syllabus in particular. In this way, the student
studying for this award can be confident that the Essential Health and Safety Guide reflects the
themes of the syllabus and forms an excellent Study Book for that purpose. Each element of the
Essential Health and Safety Guide has an overview that sets out the learning outcomes of the
element, the content and any connected sources of reference.
Assessment
In order that users may check their understanding of the topic expressed in the Essential Health and
Safety Guide to International Technical Certificate in Oil and Gas Operational Safety and in particular
the syllabus for the NEBOSH International Technical Certificate in Oil and Gas Operational Safety
award, a number of exam style questions and answers have been included.
Photographs and schematics

We have taken particular care to support the text with a significant number of full colour photographs
and schematics. They are illustrative of both good and bad working practices and should always be
considered in context with supporting text. Readers will find this a useful aid when trying to relate
their background and experience to the health and safety issues being considered.
v
Where photographs, diagrams and text extracts are known to be drawn from other publications, a
clear source reference is shown and RMS Publishing (RMS) wish to emphasise that reproduction of
such items within the Essential Health and Safety Guide is for educational purposes only and the
original copyright has not been infringed. Reference to these other sources will assist the reader in
establishing an understanding of the connected resources available related to health and safety
internationally.
Production of the publication

Managing Editor
Barrie Newell, Former Director ACT, FCIM; Lead Auditor OHAS 18001, former member of the
NEBOSH Diploma Panel, current member of the NEBOSH Certificate Panel, former senior manager
in the chemical industry with over 20 years’ experience in the management of high risk facilities
processing highly flammable and toxic chemicals, including HAZOP implementation. Implemented
waste management systems including, waste reduction, recycling, reuse, incineration, including
energy recovery and disposal to land fill.
Acknowledgements
RMS Publishing Ltd wishes to acknowledge the following contributors and thank them for their
assistance in the preparation of the International Oil and Gas Operational Safety publication:
Keith Walters, CFIOSH; current NEBOSH examiner for the International Technical Oil and Gas
Certificate with more than 30 years of experience of operational, environmental and health and safety
management within the petrochemical industry.
Julie Skett, senior project development and co-ordinator. Nick Attwood and Kris James layout and
formatting.
Publications available from RMS:
Publication Edition ISBN

A Study Book for the NEBOSH National General Certificate in Eighth 978-1-906674-44-1
Occupational Health and Safety
A Study Book for the NEBOSH Certificate in Fire Safety and Fifth 978-1-906674-32-8
Risk Management
The Management of Construction Health and Safety Risk Fourth 978-1-906674-37-3
The Management of Environmental Risks in the Workplace Third 978-1-906674-24-3
The Management of Health and Well-being in the Workplace First 978-1-906674-14-4
A Guide to International Oil and Gas Operational Safety First 978-1-906674-19-9
A Guide to International Health and Safety at Work Fifth 978-1-906674-47-2
Study Books for the NEBOSH National Diploma in Occupational Health and Safety:
 (Unit A) Managing health and safety Sixth 978-1-906674-55-7
 (Unit B) Hazardous substances/agents Sixth 978-1-906674-56-4
 (Unit C) Workplace and work equipment safety Sixth 978-1-906674-57-1
Study Books for the NEBOSH International Diploma in Occupational Health and Safety:
 (Unit IA) Managing health and safety Fourth 978-1-906674-52-6
 (Unit IB) Hazardous substances/agents Fourth 978-1-906674-53-3
 (Unit IC) Workplace and work equipment safety Fourth 978-1-906674-54-0
Controlling Skin Exposure (BOHS) First 978-1-906674-00-7
vi
Figure List (including tables and quotes)
Figure Ref Title and Source Page No.
UNIT IOG1 - MANAGEMENT OF INTERNATIONAL OIL AND GAS OPERATIONAL SAFETY
Element 1
1-1 Accident ratio study. Source: Frank Bird - ILCI. 03
1-2 Accident causation domino. Source: Frank Bird - ILCI. 03
1-3 Causes of accidents. Source: HSE. 06
1-4 Learning from accidents. Source: Kletz. 06
1-5 What is LEL and UEL. Source: RKI Instruments. 11
1-6 Flammable/explosive limits gases/vapours. Source: RMS/Multiple. 11
1-7 Typical drill-mud setup system. Source: Howstuffworks. 15
1-8 Main stages in the process of risk management. Source: University of Queensland. 18
1-9 5 x 5 matrix. Source: www.howishow.eu. 18
1-10 FMEA technique. Source: FMEA info centre. 21
1-11 Bow-tie barrier diagram. Source: Blacktip project. 22
Element 2
2-1 Removal of LOTO. Source: www.roughneckcity.com. 37
2-2 Locking out equipment. Source: www.roughneckcity.com. 38
2-3 Spades and spectacled plates. Source: HSE HEG 2563. 38
2-4 Pipe line plug. Source: HSE HEG 2563. 39
2-5 Pipe line freezing. Source: HSE HEG 2563. 40
2-6 Swiss cheese model. Source: The Bly Report. 43
2-7 Plant ageing. Source: HSE - Plant ageing research report RR509. 45
2-8 The Lucas Gusher at Spindletop, Texas (1901). Source: The Paleontological Research Institution. 49
2-9 A large gas hydrate plug formed in a subsea hydrocarbon pipeline. Source: Petrobras (Brazil). 50
2-10 Dehydration system. Source: http://www.hse.gov.uk/comah/sragtech/techmeasoperatio.htm. 50
Element 3
3-1 Tension. Source: RMS. 55
3-2 Compression. Source: RMS. 55
3-3 Shear stress. Source: Ambiguous. 55
3-4 A tensile test-piece. Source: Ambiguous. 56
3-5 Example of stress corrosion cracking. Source: Ambiguous. 56
3-6 Tensile stress and brittle failure. Source: Ambiguous. 57
3-7 Types of welding defects. Source: esab.com. 58
3-8 Emergency shut down valve. Source: Wikimedia. 61
3-9 Steam assisted elevated flare system. Source: KLM Technology Group. 63
3-10 Typical ground system. Source: KLM Technology Group. 63
3-11 Oil separator. Source: www.psinternational.com/models.htm. 64
3-12 Gravimetric API separator. Source: BT Techno Services. 65
3-13 A typical parallel plate separator. Source: BT Techno Services. 65
3-14 Pressure/vacuum relief valve. Source: Elmac Technologies. 66
3-15 Rim seal. Source: Ambiguous. 67
3-16 Floating roof tank. Source: e Notes. 67
3-17 Fixed roof tank. Source: Metrology Centre. 68
3-18 Concrete bund. Source: Safeguard Europe Ltd. 69
3-19 Brick bund. Source: Safeguard Europe Ltd. 69
3-20 LPG storage. Source: tradeKorea.com. 70
3-21 LPG storage. Source: HSE. 70
3-22 Pipeline to be buried in the ground. Source: HSE. 73
3-23 Smart PIG. Source: Paint Square. 74
3-24 PIG launcher/receiver. Source: Pigging Products and Services Association. 74
3-25 Heavy lift vessel. Source: EMAS.com. 75
3-26 Fire triangle. Source: RMS. 76
3-27 Temperature class or ignition temperature. Source: RMS. 79
3-28 Boiler layout. Source: NTPC 6 weeks project report. 79
3-29 Simple industrial furnace. Source: http://maps.thefullwiki.org/Furnace. 80
Element 4
4-1 Infrared point gas detector. Source: J.Hind. 85
4-2 Catalytic gas detector. Source: J.Hind. 86
4-3 Toxic gas detector. Source: J.Hind. 86
4-4 Point leak detector. Source: J.Hind. 86
4-5 Example of point smoke detector. Source: J.Hind. 87
4-6 Rate compensated heat detector. Source: J.Hind. 87
4-7 Fire resistant rated wall with fire door. Source: Wikipedia. 88
4-8 Fire protection enclosure around ESD actuator. Source: IREX Contracting Group. 88
4-9 Sprayed coating on steel beam. Source: DCI Flooring. 89
4-10 Sublimation coating on LPG vessel. Source: Donelli. 89
4-11 Fire monitor converted for foam use. Source: Williams Fire and Hazard Control. 90
4-12 Foam monitor: may be used to protect tanks or jetties. Source: Narfoam Kar Company. 90
4-13 Sprinkler head with frangible bulb. Source: J.Hind. 90
Printed under licence no. PA916 vii

4-14 Deluge water spray system. Source: J.Hind. 90
4-15 Water mist sprinkler head. Source: J.Hind. 91
4-16 Foam protection on floating roof tank. Source: Indiamart. 91
4-17 Fixed foam chamber: generally for use on fixed roof or covered floating roof tanks. Source: Narfoam Kar 92
Company.
4-18 LPG storage sphere fire protection. Source: Imgur. 92
4-19 Helideck fire protection. Source: Blaze Manufacturing Solutions Ltd. 92
4-20 Lifeboat in cavite. Source: Safety first. 94
4-21 Free fall lifeboat. Source: Safety first. 94
4-22 Free fall lifeboat interior. Source: Safety first. 94
4-23 Skyscape - entering the next cell. Source: Safety first. 95
4-24 Skyscape - next person get ready. Source: Safety first. 95
Element 5
5-1 LNG carrier. Source: Wikipedia. 101
5-2 Melkoya LNG Plant with LNG Carrier Arctic Princess. Source: Statoil Hydro. 101
5-3 SS Northwest Seaeagle - liquid natural gas carrier. Source: www.ipahl.com/nauticus. 102
5-4 FPSO Ship. Source: Marine Insight. 102
5-5 Knock Nevis floating storage unit. Source: Wikipedia. 102
5-6 Supply vessel. Source: Fearnley Offshore Supply. 103
5-7 Platform supply vessel. Source: www.aker-yard.com. 103
5-8 Typical offshore drilling process. Source: Ambiguous. 103
5-9 Drilling barge. Source: I. Castaneda, University of Minnesota. 104
5-10 Jack-up rig. Source: Drilling Contractor. 104
5-11 Submersible rig. Source: Friede & Goldman. 104
5-12 Semi-submersible rig. Source: Husky. 104
5-13 Drilling ship. Source: www.maritime-connector.com. 105
5-14 North Sea production platform. Source: Ambiguous. 105
5-15 Offshore drilling platforms. Source: MMS. 105
5-16 Subsea system. Source: INPEX. 106
5-17 Crane vessel on offshore construction. Source: Intership Ltd. 106
5-18 Supertanker AbQaiq during loading. Source www.wermac.org.uk. 107
5-19 Transfer basket. Source: touchoilandgas.com. 108
5-20 Transfer from supply vessel. Source: marinelink.com. 108
5-21 Column type gangway. Source: Ambiguous. 108
5-22 Personnel basket. Source: Ambiguous. 108
5-23 Personal protective clothing. 109
Sourced and adapted from: http://www.imh.mug.edu.pl/attachment/attachment/5257/R10.pdf.
5-24 Classes of dangerous goods. Source: ADR. 110
5-25 Dangerous Goods Note. Source: NCEC. 110
5-26 GB registered vehicle on GB domestic journey. Source: HSE. 111
viii Printed under licence no. PA916

List of abbreviations
LEGISLATION
CDGUTPER Carriage of Dangerous Goods and Use of Transportable Pressure Equipment Regulations 2009
COMAH Control of Major Accident Hazards Regulations 2015
DSEAR Dangerous Substances and Explosive Atmosphere Regulations 2002
OHSA Occupational Health and Safety Act 1985
OSCR Offshore Installations (Safety Case) Regulations 2005
RCSVR Controlled Waste (Registration of Carriers and Seizure of Vehicles) Regulations 1991
RSCR Railways (Safety Case) Regulations 2000
WEWR Waste (England and Wales) Regulations 2011
GENERAL
ADR Accord européen relatif au transport international des marchandises dangereuses par route
ALARP As Low As Reasonably Practicable
API Accident Prevention Institute
BLEVEs Boiling Liquid Expanding Vapour Cloud Explosions
BOP Blow-out Preventer
BSI British Standards Institute
COMAH Control of Major Accident Hazards
CT Computed Tomography
CVCEs Confined Vapour Cloud Explosions
DB Derrick Barge
DCS Distributed Control System
DLB Derrick / Lay Barge
DSV Deep Sea Diving Operations
EAC Emergency Action Code
ECC Emergency Control Centre
ESDs Emergency Shutdown Devices
ERP Emergency Response Plan
FMEA Failure Mode and Effects Analysis
FMECA Failure Modes, Effects and Criticality Analysis
FPSO Floating Production, Storage and Offloading Vessel
FSO Floating Storage and Offloading Vessel
HAZID Hazard Identification
HAZOP Hazard and Operability
HCR Hydrocarbon Release
HIPPS High Integrity Protection System
HLV Heavy Lifting Vessel
HSE Health and Safety Executive
HTF Heating Fluid
HVAC Heating Ventilation and Air Conditioning
ICI Imperial Chemicals Industries
ILCI International Loss Control Institute
IR Infrared
ISO International Standard for Organisation
LEL Lower Exposure Limit
LFL Lower Flammable Limit
LNG Liquefied Natural Gas
LOTO Lock out, Tag out
LPG Liquefied Petroleum Gas
LSA Low Specific Activity
MAHs Major Accident Hazards
MER Medical Emergency Response
MOC Management of Change
MPI Magnetic Particle Inspection
MSDS Material Safety Data Sheet
NCDs Non-condensables
NDT Non-destructive Testing
NORM Naturally Occurring Radioactive Material
OIM Offshore Installation Manager
OGP Oil and Gas Producers Association
OSVs Offshore Supply / Support Vessel
P&IDs Piping and Instrumentation Diagrams
PFDs Process Flow Diagrams
PFP Passive Fire Protection
PHA Process Hazards Analysis
PIGS Pipeline Inspection Gauges
PLBG Pipelay Barge
Printed under licence no. PA916 ix

PLC Programmable Logic Controller
PPE Personal Protective Equipment
PRV Pressure / Vacuum Valves
PSI Process Safety Information
PSM Process Safety Management
PSSR Pre-startup Safety Review
PTW Permit-to-work
QRA Quantified Risk Assessment
RBI Risk Based Inspection
RCM Reliability Centred Maintenance
RID International Carriage of Dangerous Goods by Rail
RTU Remote Terminal Units
SBT Small Bore Tubing System
SCADA Supervisory Control and Data Acquisition
SCC Stress Corrosion Cracking
SCEs Safety-Critical Elements
SDOF Single Degree of Freedom
SIL Safety Integrity Level
SIMOPS Simultaneous Operations
SIS Safety Instrument System
SRB Sulphate Reducing Bacteria
TR Temporary Refuge
UCVEs Unconfined Vapour Cloud Explosions
UFL Upper Flammable Limit
UV Ultra-violet
VCF Vapour Cloud Fire
Glossary
Blow-out preventers (BOPs): High pressure wellhead valves, designed to shut off the uncontrolled flow of
hydrocarbons.
Flammable: Capable of burning with a flame.
Flammable range: The concentration of flammable vapour in air falling between the upper and lower
explosion limits.
Hazardous area: An area where flammable or explosive gas (or vapour-air mixtures) are, or may be
expected to be, present in quantities that require special precautions to be taken against the risk of ignition.
Hydrocarbon: A compound containing only the elements hydrogen and carbon. May exist as a solid, a
liquid or a gas. The term is mainly used in a catch-all sense for oil, gas and condensate.
Liquefied natural gas (LNG): Oilfield or naturally occurring gas, chiefly methane, liquefied for
transportation.
Liquefied petroleum gas (LPG): Light hydrocarbon material, gaseous at atmospheric temperature and
pressure, held in the liquid state by pressure to facilitate storage, transport and handling. Commercial
liquefied gas consists essentially of either propane or butane, or mixtures thereof.
Lower explosion limit (LEL): The minimum concentration of vapour in air below which the propagation of
flame will not occur in the presence of an ignition source. Also referred to as the lower flammable limit or
the lower explosive limit.
Petroleum: A generic name for hydrocarbons, including crude oil, natural gas liquids, natural gas and their
products.
Separation: The process of separating liquid and gas hydrocarbons and water. This is typically
accomplished in a pressure vessel at the surface, but newer technologies allow separation to occur in the
wellbore under certain conditions.
Shutdown: A production hiatus during which the platform ceases to produce while essential maintenance
work is undertaken.
Upper explosion limit (UEL): The maximum concentration of vapour in air above which the propagation
of flame will not occur in the presence of an ignition source. Also referred to as the upper flammable limit or
the upper explosive limit.
Vapour: The gaseous phase released by evaporation from a substance that is a liquid at normal
temperatures and pressures.
Zone: The classified part of a hazardous area, representing the probability of a flammable vapour (or gas)
and air mixtures being present.
x Printed under licence no. PA916

Element
1
Health, safety and environmental management in
context
Learning outcomes
On completion of this element, candidates should be able to demonstrate understanding of the content through
the application of knowledge to familiar and unfamiliar situations. In particular they should be able to:
1.1 Explain the purpose of and procedures for investigating incidents and how the lessons learnt can be
used to improve health and safety in the oil and gas industries.
1.2 Explain the hazards inherent in oil and gas arising from the extraction, storage, and processing of raw
materials and products.
1.3 Outline the risk management techniques used in the oil and gas industries.
1.4 Explain the purpose and content of an organisation’s documented evidence to provide a convincing and
valid argument that a system is adequately safe in the oil and gas industries.
Content
1.1 - Learning from incidents...................................................................................................................................3
Accident/incident causation and investigation ........................................................................................................3
Basic incident investigation process .......................................................................................................................4
Importance of learning lessons from major incidents .............................................................................................6
1.2 - Hazards inherent in oil and gas ....................................................................................................................10
Terminology ..........................................................................................................................................................10
Flammable limits ...................................................................................................................................................11
Properties and hazards of gases ..........................................................................................................................12
Properties, hazards and control measures of associated products ......................................................................14
1.3 - Risk management techniques used in the oil and gas industries .................................................................16
The purposes and uses of risk assessment..........................................................................................................16
The risk management process ..............................................................................................................................17
Application of risk management to process safety ...............................................................................................20
The concept of hazard realisation .........................................................................................................................21
Risk control barrier models ...................................................................................................................................22
Uses of modelling..................................................................................................................................................23
1.4 - An organisation’s documented evidence to provide a convincing and valid argument that a system is
adequately safe .....................................................................................................................................................24
Examples of documented evidence and where it is used .....................................................................................24
The purpose of documented evidence..................................................................................................................24
The content of safety cases and safety reports ....................................................................................................24
Exam practice .......................................................................................................................................................26
Printed under licence no. PA916 1

UNIT IOG1 - ELEMENT 1 - HEALTH, SAFETY AND ENVIRONMENTAL MANAGEMENT IN CONTEXT
Sources of reference
Reference information provided, in particular web links, was correct at time of publication, but may have changed.
The Process Safety Leadership Group final report on Safety and Environmental Standards for Fuel Storage
Sites http://www.hse.gov.uk/comah/buncefield/fuel-storage-sites.pdf
U.S. Chemical Safety and Hazard Investigation Board Final Investigation Report No. 2005-01-I-TX March 2007
(Texas City March 23, 2005) at: http://www.csb.gov/completed_investigations/docs/CSBFinalReportBP.pdf
The Report of the BP U.S. refineries independent safety review panel (January 2007) at:
http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/SP/STAGING/local_assets/assets/pdfs/
Baker_panel_report.pdf
The Buncefield Incident 11 December 2005 The final report of the Major Incident Investigation Board
http://www.buncefieldinvestigation.gov.uk/reports/index.htm#final
The Australian Government report into the Longford Disaster
ISO 17776 Petroleum and natural gas industries, Offshore production installations, Guidance on tools and
techniques for hazard identification and risk assessment
The Offshore Installations (Safety Case) Regulations (OSCR) 2005
Preparing safety reports: Control of Major Accidents Hazards Regulations (COMAH) 1999. (HSE) HSG190
The Public Enquiry into the Piper Alpha Disaster, Cullen, The Honourable Lord, The Stationery Office, 1990
ISBN: 978-0-10-113102-5 or
Kletz, T.A., Learning from Accidents, 3rd edition, 2001, Chapter 17. Gulf, ISBN: 978-0-7506-4883-7
Kletz, T A: What Went Wrong? Case Histories of Process Plant Disasters (1998) Gulf, ISBN: 978-0-88415-920-
9
Kletz, T A: Still Going Wrong: Case Histories of Process Plant Disasters and How They Could Have Been
Avoided (2003) Gulf, ISBN: 978-0-7506-7709-7
Incidents that Define Process Safety John Wiley and Sons, ISBN: 978-0-470-12204-4
Step Change in Safety at: http://stepchangeinsafety.net
Energy institute guidance on investigating and analysing human and organisational factors aspects of incidents
and accidents (May 2008, ISBN: 978-0-852-9352-1) http://www2.energyinstpubs.org.uk/pdfs/817.pdf
Additional to the syllabus:
Investigating Accidents and Incidents (www.hse.gov.uk/pubns/books/hsg245.htm)
Guide for the management of NORM in the oil and gas industry. OGP report No412: September 2008
HSE Information sheet OIS No3/2006: Guidance on Risk Assessment for Offshore Installations
HSE: ‘ALARP at a Glance’
Improving Inherent Safety: OTH 96 521: (Prepared by AEA Technology and Loughborough Consultants for the
HSE)
HSE Offshore Information sheet No2/2009: Hydrocarbon Releases (HCRs) Offshore
The HAZOP (Hazard Operability) Method (Acutech Process Risk Management)
(http://www.acusafe.com/Hazard_Analysis/HAZOP_Technique.pdf)
HAZID: Hazard Identification: Chemical Engineering Processing. (http://chemeng-
processing.blogspot.co.uk/2009/04/hazid-hazard-identification.html)
Thermal Radiation from Large pool Fires (National Institute of Standards and Technology: NISTIR 6546)
The above web links along with additional sources of reference, which are additional to the NEBOSH syllabus, are provided
on the RMS Publishing website for ease of use - www.rmspublishing.co.uk.
2 Printed under licence no. PA916 © RMS

HEALTH, SAFETY AND ENVIRONMENTAL MANAGEMENT IN CONTEXT - ELEMENT 1 - UNIT IOG1
1.1 - Learning from incidents

Accident/incident causation and investigation
TYPES OF INCIDENT
Accident/incident:
An unplanned, uncontrolled event that results in injury, ill health, damage to plant or equipment, or some other
loss.
Near miss:
An unplanned, uncontrolled event that had the potential to cause injury, ill health, damage to plant or
equipment, or some other loss.
Dangerous occurrence:
A specified event that has to be reported to the relevant authority (for example, major release of a flammable
substance).
ACCIDENT AND INCIDENT CAUSATION
Some years ago a study of 1,750,000 accidents in 21 industry sectors, led by Frank Bird, showed that there is a
fixed ratio between losses of different severity (and accidents where no loss occurred, i.e. near misses). This
can be demonstrated with a pyramid model:
Figure 1-1: Accident ratio study. Source: Frank Bird - ILCI.

The model illustrates that if limited interest is taken in the full range of events that occur, such that only those
resulting in injury are considered, many opportunities to learn about what goes wrong are being missed. If near
misses are also studied they can provide more opportunities to learn and possibly prevent some of the events
that result in injury. The Bird model includes property damage in addition to near misses and, if measured,
analysed and acted on, this will help to prevent the injury events. The model helps to convince people of the
value of reporting a wide range of events and show that there are usually more near misses than injury events,
which provide more opportunities to learn and improve health and safety.
THE DOMINO THEORY
HW Heinrich, an American safety engineer, proposed one of the first coherent theories of accident/incident
causation in the mid-1920s. He suggested that accidents/incidents were not ‘acts of God’ but were caused by
the failures of people. His domino theory suggested that the series of events which led to an injury or some
other loss were a succession of events which followed a logical pattern. Further research by Frank Bird of the
International Loss Control Institute (ILCI) into accident/incident causation led them to put forward a modified
domino theory.
Figure 1-2: Accident causation domino. Source: Frank Bird - ILCI.
© RMS Printed under licence no. PA916 3

Bird’s modified theory stated that lack of management control (leading to root causes) was a key factor in the
accident/incident chain. Therefore when investigating accidents or incidents, it is not only important to identify
and address the immediate causes (unsafe acts and conditions) but also the root causes (management system
failures). It is only by addressing these root causes that enable us to prevent future similar incidents in the
future.
It is particularly important, in complex major accident/incident investigations, to identify all causes. Such
accidents normally have several immediate causes, and these immediate causes will have one or more root
causes. This is normally referred to as the Multi Causation Theory.
Basic incident investigation process
WHICH INCIDENTS SHOULD BE INVESTIGATED?
Ideally, all incidents should be investigated. The main reason for this is that without an investigation and
corrective action, the incident may re-occur. If we investigate and determine the causes, we can take the
necessary steps to prevent a recurrence.
Near-miss (non-injury) events offer us a free opportunity to correct a situation that may, next time, result in a
serious, perhaps fatal, injury. The difference between a near miss and an accident is often just ‘luck’. Each
near miss should, therefore, be regarded as a ‘free learning opportunity’.
The HSE (HSG 245: Investigating accidents and incidents) offers guidance on the basic accident investigation
process. It recommends a four step approach:
Step 1: Gather the information.
Step 2: Analyse the information. Determine the immediate and root causes.
Step 3: Identify suitable risk control measures.
Step 4: Develop an action plan, and implement.
However, before the investigation can start, there are some basic actions that must be taken:
Make the area safe - ensure that action is taken to render the area safe (for example, extinguish a fire; isolate
a gas leak).
Treat any casualties - ensure that first aid treatment is given to any injured persons.
Once these actions have been taken, a decision needs to be made regarding the type and level of investigation
to be undertaken. In determining the level of investigation you must consider the worst potential consequences
of the incident, not the actual outcome (for example, a scaffold collapse may not have caused any injuries, but
had the potential to cause major or fatal injuries). A risk matrix is sometimes used for this purpose.
There are broadly two types of investigation:
 A simple investigation (where there was no potential for serious outcome) undertaken by the relevant line
supervisor, which will look into the circumstances of the event and try to learn any lessons in order to
prevent future occurrences.
 A more detailed investigation (where there was actual, or potential for, serious outcome) which will involve a
team-based investigation, involving line supervisors or line managers, health and safety advisers and
employee representatives, and will look for the immediate and root causes.
Step 1: Gathering the information
 Find out what happened and what conditions and actions influenced the adverse event. Begin straight
away or as soon as possible.
 It is important to capture information as soon as possible. This stops it being corrupted (for example, items
moved, guards replaced etc.)
 If necessary, work must stop and the accident scene secured. Collect information from the scene by
means of:
 Photographs, videos.
 Sketches.
 Measurements.
 Written descriptions (for example, lighting, weather, ground conditions).
 Physical evidence.
 Talk to everyone who was close by when the incident happened, especially those who saw what happened
or know anything about the conditions that led to it.
 The amount of time and effort spent on information gathering should be proportionate to the level of
investigation.
 This information can be recorded initially in note form, with a formal report being completed later. These
notes should be kept at least until the investigation is complete.
 Relevant sources of information include:
 Witness statements.
 Risk assessments.

 Permits to work.
 Safe systems of work (for example, operating procedures).
 Maintenance records.
 Training records.
 Medical records.
 Photographs, CCTV.
 Computer print outs.
 Log book entries.
Step 2: Analysing the information
An analysis involves examining all the facts, determining what happened and why. All the detailed information
gathered should be assembled and examined to identify what information is relevant and what information is
missing. The information gathering and analysis are actually carried out side by side.
The analysis should be conducted with employee or trade union health and safety representatives and other
experts or specialists, as appropriate. This team approach can often be highly productive in enabling all the
relevant causal factors to emerge.
It is only by identifying all causes, and the root causes in particular, that you can learn from past failures and
prevent future repetitions.
There are many methods of analysing the information gathered in an investigation to find the immediate and
root causes and it is for you to choose whichever method suits you best.
Immediate causes are the unsafe acts and conditions that occurred at the time and place of the accident. For
example, an employee falls from an insecure ladder. Immediate cause - the insecure ladder (unsafe condition)
and the employee working from the insecure ladder (unsafe act).
Root causes are management system failures. In the above example, failure to train the employee may have
been one of the root causes. Other examples of root causes include:
 Inadequate maintenance.
 Inadequate risk assessments and systems of work.
 Inadequate supervision/management.
 Poor job design, layout.
 Failure to provide adequate PPE.
 Inadequate monitoring.
 Excessive work demands.
Step 3: Identifying suitable risk control measures
The analysis will have identified a number of risk control measures that either failed or that could have
interrupted the chain of events leading to the accident/incident, if they had been in place. A list of all the
alternative measures to prevent this, or similar, adverse events should be compiled.
Some of these measures will be more difficult to implement than others (for example, root causes, which reflect
management system failures), but this must not influence their listing as possible risk control measures. The
time to consider these limitations is later when choosing and prioritising which measures to implement.
Evaluate each of the possible risk control measures on the basis of their ability to prevent recurrences and
whether or not they can be successfully implemented.
Step 4: The action plan and its implementation
At this stage in the investigation, personnel who have the authority to make decisions and act on the
recommendations of the investigation team should be involved.
An action plan for the implementation of additional or improved risk control measures is the desired outcome of
a thorough investigation. The action plan should have SMART objectives, i.e. specific, measurable, agreed,
and realistic, with timescales.
Risk control measures will be implemented according to priority. In deciding your priorities you should be
guided by the magnitude of the risk. Consider: ‘What is essential to securing the health and safety of the
workforce today?’ What cannot be left until another day? How high is the risk to employees if this risk control
measure is not implemented immediately? If the risk is high, then action must be taken immediately.
Risk control improvements will, no doubt, be subject to financial constraints, but failing to put in place measures
to control serious and imminent risks is totally unacceptable. The duty is to reduce the risks to an acceptable
level, or stop the work. For those risks that are not high and immediate, the risk control measures should be
put into an action plan in order of priority. Each risk control measure should be assigned a timescale and a
person made responsible for its implementation. Progress on the action plan should be regularly reviewed. Any
significant departures from the plan should be explained and risk control measure rescheduled, if appropriate.
Employees and their representatives should be kept fully informed of the contents of the risk control action plan
and progress with its implementation.

Importance of learning lessons from major incidents

CAUSES OF MAJOR INCIDENTS
In any incident there are usually two types of causes:
 Direct; that occur immediately prior to the undesirable event.
 Further away; either in space or time (these are underlying causes that contributed to the immediate, direct
event).
Historically, many incidents and accidents in all major hazard industries were seen as the ‘fault’ of someone
close to the occurrence, for example, the last person who operated the equipment. This view is less common
today, particularly in incident investigations, although it is still dominant in efforts to prevent major accidents.
High risk sectors; such as petrochemical increasingly recognise that incidents have underlying causes distant
from the person who is directly involved; however resources to prevent such incidents are often targeted at front
line staff.
Reviews of reports into recent major incidents and of research examining the causes of such incidents around
the globe tells us the most common causes behind these events.
For example, over the years Professor Trevor Kletz has written several accessible books analysing high-profile
accidents such as Bhopal, Flixborough, Piper Alpha and Seveso, aiming to show how lessons can be learnt.
Discussing the focus on front line staff in reported ‘causes’ of accidents, Kletz states that:
‘Managers and designers, it seems, are either not human or do not make errors’ (Kletz 2001, p.317) 1.
Figure 1-3: Causes of accidents. Source: HSE.
Human error
Although the immediate causes of major incidents frequently involve ‘human error’ of operators or maintenance
personnel, the reasons that these errors occurred in the first place were the responsibility of those more senior
in the organisation.
Collins and Keeley (2003) research reviewed 718 loss of containment incidents randomly selected from
approximately 2500 investigations. Extracts from this research make interesting reading when considering
behavioural safety interventions. For example, of 110 incidents due to maintenance, only 17 were due to a
failure to ensure that planned maintenance procedures were followed (a front line issue and therefore possibly
candidates for a behavioural intervention), but 93 were due to a failure by the organisation to provide adequate
maintenance procedures (a management issue, which would not be addressed by the majority of behavioural
interventions). Of the incidents analysed, only 5.6% were due to procedural violations (personnel deliberately
not following procedures). Collins and Keeley state that ‘the cause of any incident or accident, including loss of
containment, can usually be traced back to a failure of ‘safety management’.
THE PIPER ALPHA DISASTER 1988
Summary
Piper Alpha was an oil and gas production platform situated in the North Sea, about 180km north-east of
Aberdeen. On 6 July 1988, there was an explosion and subsequent fire, which led to the destruction of the
platform, and the death of 167 men.
The Piper Alpha disaster was instrumental in bringing about legislative changes in offshore health and safety,
with the Offshore Installations (Safety Case) Regulations (OSCR) 2005 being introduced in the UK, and a
change in regulatory enforcement, with the Health and Safety Executive taking over in 1991.
The events leading up to the accident
Figure 1-4: Learning from accidents. Source: Kletz.

On the morning of 6th July 1988, a relief valve had been taken off the delivery line of a stand-by condensate
(gas) pump in order to check its set pressure. The work had not been completed by 18.00 hours, the end of the
day shift, and refitting the relief valve had been left over for the following day. A blank flange had been fitted
where the relief flange had been, but was not leak tight.
During the night shift, the on line gas pump tripped out. The operators tried unsuccessfully to restart the pump,
so they decided to commission the stand-by pump. They knew that a permit-to-work (PTW) for that pump had
been issued earlier in the day with the intention of carrying out a major overhaul lasting about two weeks. They
were also aware that, whilst the pump motor had been electrically isolated, its suction and delivery valves
closed and the pump drained down, none of the equipment had been opened up and the lines around the pump
had not been slip-plated off. Accordingly it would be simple and quick to reconnect the power supply and
restart the pump. However, they were not aware that a permit to work had been issued for a second
maintenance job on the stand-by pump (the removal of the relief valve) as a result of a fault in the handover of
the permit to work.
When the night shift opened up the pump’s suction valve in preparation for starting-up, condensate leaked from
the site of the removed relief valve. It was that leak which ignited and caused the initial explosion.
The overpressure from the explosion in the condensate area blew down the fire wall separating it from the
section of plant containing equipment to extract crude oil. Containment was breached and there was an
immediate and large oil fire. It was that fire and the resultant engulfing of the platform in thick smoke which so
hampered attempts to escape.
Some 20 minutes after the initial explosion, the gas lines on Piper (460mm diameter and operating at nearly
2000 psi) burst and ignited, engulfing the platform in a ball of fire.
Many of the workers were in the accommodation block at the time of the first explosion; others on duty made
their way there prior to the first gas pipe failure as they expected to be rescued by helicopter, the normal mode
of transport to and from the platform. As people opened doors, smoke became much thicker and eventually
intolerable.
The accommodation block was designed to resist fire but not to prevent smoke ingress. Nearly all those who
died in the accommodation did so as a result of inhaling smoke and gas.
Lessons to be learnt
Safety management
Safety management is important in any industry, but vital in high risk industries. The Cullen report on Piper
Alpha was highly critical of the management system in the company. Managers had minimal qualifications,
which led to poor practices and ineffective audits.
Permit to work: the Piper system had been relaxed, permits were seldom cross referenced; permits were often
left on the desk without verbal communication between operations and maintenance personnel. Effective
permit systems must incorporate:
 Formal training for issuers and receivers.
 Effective handover/hand back procedures.
 Secure equipment isolation procedures.
 Arrangements for suspended permits.
 Cross referencing of permits.
 Monitoring arrangements.
Systems: there was no systematic method for assessing major hazards. There was no system in place for
training in emergencies or when the platform was adapted for gas processing.
Design: the original platform had been designed to withstand fire (for example, firewalls). No modifications
were made (for example, explosion walls) when the platform was adapted to produce gas. The accommodation
block was designed to resist fire but not specifically to prevent smoke ingress.
Safety auditing: there was no shortage of auditing of the Piper platform. What was deficient was the quality of
that auditing. Not only were there departures from laid-down procedures, but they were not identified or
recorded. The absence of critical comment in audit reports lulled the senior management into believing that all
was well.
BUNCEFIELD, DECEMBER 2005
Summary
Early on Sunday 11 December 2005, a series of explosions and subsequent fire destroyed large parts of the
Buncefield oil storage and transfer depot, Hemel Hempstead in the UK, and caused widespread damage to
neighbouring properties.
The main explosion took place at 06.01:32 hours and was of massive proportions. It was followed by a large
fire that engulfed 23 large fuel storage tanks over most of the Buncefield site. The incident injured 43 people.
Fortunately, no one was seriously hurt and there were no fatalities. Nevertheless, there was significant damage
to both commercial and residential properties near the Buncefield site. About 2000 people had to be evacuated

from their homes and sections of the M1 motorway were closed. The fire burned for five days, destroying most
of the site and emitting a large plume of smoke into the atmosphere that dispersed over southern England and
beyond.
Late on Saturday 10 December 2005 a delivery of unleaded petrol from the T/K pipeline started to arrive at
Tank 912 in bund A at about 05:30 on 11 December. The safety systems in place to shut off the supply of
petrol to the tank to prevent overfilling failed to operate. Petrol cascaded down the side of the tank, collecting at
first in the tank bund. As overfilling continued, the vapour cloud formed by the mixture of petrol and air flowed
over the bund wall, dispersed and flowed west off site towards the Maylands Industrial Estate. A white mist was
observed in CCTV replays.
Between 05.30 and 06.00 the vapour cloud was seen by eyewitnesses and CCTV cameras to thicken and
spread.
At 06:01 the first of a series of explosions took place. These explosions caused a huge fire which engulfed
more than 20 large storage tanks over a large part of the Buncefield depot. The fire burned for five days,
destroying most of the depot.
Recommendations from the Major Incident Investigation Board included the need for:
 Protection against loss of containment of petrol and other highly flammable liquids by fitting a high integrity,
automatic operating overfill prevention system.
 Measures to detect hazardous conditions arising from loss of primary containment, including the presence
of high levels of flammable vapours in secondary containment.
 A review of the existing standards for secondary containment. (For example, bunds).
 Adequate on-site emergency plans, with adequately resource, and well trained staff.
 Operators of major hazard sites to review and amend as necessary their management systems for
maintenance of equipment and systems to ensure their continuing integrity in operation.
 Local authorities to review their off-site emergency response plans for COMAH (Control of Major Accident
Hazards) sites.
THE ESSO LONGFORD GAS EXPLOSION 1998
Summary
The 1998 Esso Longford gas explosion was a catastrophic industrial accident which occurred at the Esso
natural gas plant at Longford in the Australian state of Victoria's Gippsland region. On 25 September 1998, an
explosion took place at the plant, killing two workers and injuring eight. Gas supplies to the state of Victoria
were severely affected for two weeks.
Background
In 1998, the Longford gas plant was owned by a joint partnership between Esso and BHP. Esso was
responsible for the operation of the plant. Esso was a wholly owned subsidiary of US based company Exxon,
which has since merged with Mobil, becoming ExxonMobil. BHP has since merged with UK based Billiton
becoming BHP Billiton.
Built in 1969, the plant at Longford is the onshore receiving point for oil and natural gas output from production
platforms in Bass Strait. The Longford Gas Plant Complex consists of three gas processing plants and one
crude oil stabilisation plant. It was the primary provider of natural gas to Victoria, and provided some supply to
New South Wales.
The feed from the Bass Strait platforms consists of liquid and gaseous hydrocarbons, water (H2O) and
hydrogen sulphide (H2S). The water and H2S are removed before reaching the plant, leaving a hydrocarbon
stream to be the feed to Gas Plant 1. This stream contained both gaseous and liquid components. The liquid
component was known as ‘condensate’. The LPG is further extracted by means of a shell and tube heat
exchanger, in which heated ‘lean oil’ and cold ‘rich oil’ (oil which has absorbed LPG) are pumped into the
exchanger, cooling the lean oil and heating the rich oil.
During the morning of Friday 25 September 1998, a pump supplying heated lean oil to heat exchanger GP905
in Gas Plant No. 1 went offline for four hours, due to an increase in flow from the Marlin Gas Field which caused
an overflow of condensate in the absorber.
A heat exchanger is a vessel that allows the transfer of heat from a hot stream to a cold stream, and so does
not operate at a single temperature, but experiences a range of temperatures throughout the vessel.
Temperatures throughout GP905 normally ranged from 60°C to 230°C (140°F to 446°F). Investigators
estimated that, due to the failure of the lean oil pump, parts of GP905 experienced temperatures as low as
-48°C (-54°F). Ice had formed on the unit, and it was decided to resume pumping heated lean oil in to thaw it.
When the lean oil pump resumed operation, it pumped oil into the heat exchanger at 230°C (446°F); the
temperature differential caused a brittle fracture in the exchanger (GP905) at 12.26pm.

About 10 metric tonnes of hydrocarbon vapour were immediately vented from the rupture. A vapour cloud
formed and drifted downwind. When it reached a set of heaters 170 metres away, it ignited. This caused a
deflagration (a burning vapour cloud). The flame front burnt its way through the vapour cloud, without causing
an explosion. When the flame front reached the rupture in the heat exchanger, a fierce jet fire developed that
lasted for two days.
The rupture of GP905 led to other releases and minor fires. The main fire was an intense jet fire emanating
from GP905. There was no blast wave; the nearby control room was undamaged. Damage was localised to
the immediate area around and above the GP905 exchanger.
The fire at the plant was not extinguished until two days later. The Longford plant was shut down immediately,
and the state of Victoria was left without its primary gas supplier. Within days, the Victorian Energy Network
Corporation shut down the state's entire gas supply. The resulting gas supply shortage was devastating to
Victoria's economy, crippling industry and the commercial sector (in particular, the hospitality industry which
relied on natural gas for cooking). Loss to industry during the crisis was estimated at around $1.3 billion.
The investigation
A Royal Commission was called into the explosion at Longford. Esso blamed the accident on worker
negligence, in particular one of the panel workers on duty on the day of the explosion.
The findings of the Royal Commission, however, cleared the worker of any negligence or wrong-doing. Instead,
the Commission found Esso fully responsible for the accident.
Other findings of the Royal Commission included:
 The Longford plant was poorly designed and made isolation of dangerous vapours and materials very
difficult.
 Inadequate training of personnel in normal operating procedures of a hazardous process.
 Excessive alarm and warning systems had caused workers to become desensitised to possible hazardous
occurrences.
 The relocation of plant engineers to Melbourne had reduced the quality of supervision at the plant.
 Poor communication between shifts meant that the pump shutdown was not communicated to the following
shift.
Certain managerial shortcomings were also identified:
 The company had neglected to commission a HAZOP (Hazard and Operability) analysis of the heat
exchange system, which would almost certainly have highlighted the risk of tank rupture caused by sudden
temperature change.
 Esso's two-tiered reporting system (from operators to supervisors to management) meant that certain
warning signs such as a previous similar incident (on 28 August) were not reported to the appropriate
parties.
 The company's "safety culture" was more oriented towards preventing lost time due to accidents or injuries,
rather than protection of workers and their health.
Legal ramifications
Esso was taken to the Supreme Court of Victoria by the Victorian Work Cover Authority. The jury found the
company guilty of eleven breaches of the Occupational Health and Safety Act (OHSA) 1985, and a record fine
of $2 million was imposed in July 2001.
In addition, a class action was taken on behalf of businesses, industries and domestic users who were
financially affected by the gas crisis. Esso was ordered to pay $32.5 million.
Following the Longford accident, Victoria introduced the Major Hazard Facilities Regulations to regulate safety
at plants that contain major chemical hazards. These regulations require facility operators to demonstrate
control of major chemical hazards via the use of a Safety Management System and a Safety Case.
Other states have also implemented similar regulatory regimes.
THE TEXAS CITY REFINERY EXPLOSION 2005
Summary
The Texas City Refinery explosion occurred on March 23, 2005, when a hydrocarbon vapour cloud exploded
during the start-up of the isomerization unit at BP's Texas City refinery. 15 workers were killed as a result of the
explosion and a further 170 workers injured. The Texas City Refinery was the second-largest oil refinery in the
state, and the third-largest in the United States with an input capacity of 437,000 per day.
The start-up process commenced on March 22 with the initial filling of the raffinate splitter tower. The level
transmitter was designed to indicate the raffinate level within a 5 feet span from the bottom of the splitter tower
to a 9 feet level (i.e. 72% level indication would be 7.6 feet from the bottom) but it was common practice to fill
up to an indicated level of 99% even though the procedural requirement was stated as 50%. The Day
Supervisor arrived late for work and didn’t have a hand-over with the night shift. During the morning meeting on

the March 23, it was discussed that the heavy raffinate storage tanks were nearly full and therefore the second
Day Supervisor was told that the start-up procedure should not continue but this information was not passed on.
The start-up procedure resumed at just before 09:30am under instructions from the other Day Supervisor.
Before recommencing the tower refill and circulation process, heavy raffinate was drained from the bottom of
the tower via the level control valve into the heavy storage tank and was then shut off in ‘manual’ mode and not
the required ‘automatic’ mode with a 50% flow rate. At just before 10:00am, the circulation process was
restarted and raffinate was once again fed into the tower, even though the level was already too high. Since
the level control valve was shut, therefore, there was no circulation out of the tower (i.e. no heavy raffinate
being transferred to the storage tank), the splitter tower inevitably began to fill up. The defective level
transmitter continued to show the level at less than 100% and since the external sight glass was opaque, a
visual check to verify the level in the splitter tower was not possible.
Late morning, burners in the furnace were turned on to pre-heat raffinate going into the tower and to heat the
raffinate in the tower bottom. The erroneous 93% reading from the defective level transmitter still indicated an
ongoing safe level condition in the tower but there was still no flow of heavy raffinate from the splitter tower to
the storage tank as the level control valve remained closed; instead of the hydrocarbon liquid level being at 8.65
feet (93% level) as indicated, it had actually reached 67 feet. Just before midday, with heat increasing in the
tower, the actual fluid level had risen to 98 feet. Pressure started to build up in the system. The operations
crew thought that the pressure rise was a result of overheating in the tower bottoms as this was a known start-
up issue.
The liquid, already close to the top of the tower but continuing to expand due to the heat, finally entered the
overhead vapour line and flowed into the relief valve system. At 1:13 pm, the three pressure relief valves were
activated, resulting in raffinate entering the blowdown stack.
As the blowdown drum and stack filled up, liquid overflowed out of the top of the stack forming a 20 foot
‘geyser’ as hot hydrocarbon liquid vented directly into the air. It then ran down the side of the blow-down drum
and stack and pooled at the base of the unit. A pick-up truck, with its engine running had been parked within 30
feet of the blowdown stack; the vapour cloud reached the vehicle, causing the engine to race. At approximately
1:20pm, there was a catastrophic vapour cloud explosion. The blast pressure wave struck nearby contractor
trailers, the force of the explosion sent debris flying, causing fatal blunt force trauma to 15 people in and around
the trailers, 180 others were injured. The pressure wave was so powerful it shattered windows off site up to a
distance of three-quarters of a mile away.
Lessons to be learnt
Both BP-house experts as well as various authorities and committees investigated the explosion in relation to
technical, organisational, and safety culture aspects. Organisational failings included corporate cost-cutting, a
failure to invest in the plant infrastructure, a lack of corporate oversight on both safety culture and major
accident prevention programmes, a focus on occupational safety and not process safety, a defective
management of change process (which allowed the siting of contractor trailers too close to the ISOM process
unit), the inadequate training of operators, a lack of competent supervision for start-up operations, poor
communications between individuals and departments and the use of outdated and ineffective work procedures
which were often not followed. Technical failings included a blowdown drum that was of insufficient size, a lack
of preventative maintenance on safety critical systems, inoperative alarms and level sensors in the ISOM
process unit and the continued use of outdated blowdown drum and stack technology when replacement with
the safer flare option had been a feasible alternative for many years.
1.2 - Hazards inherent in oil and gas

Terminology
FLASH POINT
‘Flash point’ is defined as the lowest temperature at which sufficient vapour is produced from a liquid sample for
momentary or flash ignition to occur.
Substances with flash points below atmospheric temperature (for example, Gasoline -40 degrees C) pose a
significant risk, as they readily vaporise at ambient temperature.
VAPOUR DENSITY
Vapour density is the density of a gas or vapour compared to the density of hydrogen (or, in the USA, air).
Vapour density determines how a vapour/gas will behave in air before dispersing. The higher the density, the
more likely that vapours/gases will accumulate in low lying areas at a concentration sufficient for ignition.
Lighter vapours are more likely to disperse if released.
The density also has implications for container storage. For example, the positioning of ventilation slots in
storage vessels such as ‘flamvaults’. Also, when considering the positioning of gas detectors in a work area
density of the vapour/gas is one factor to consider. Even if not flammable, vapours/gases that are released
from containment could collect in the lower floor or level of a confined space and displace air, possibly
presenting an asphyxiation hazard to individuals entering the lower part of that space.

VAPOUR PRESSURE
Vapour pressure is the pressure exerted by a vapour, in equilibrium with its non-vapour (liquid or solid) phases,
in a closed system (for example a container). It is an indication of a substances evaporation rate. A substance
with a high vapour pressure at normal temperatures is often referred to as volatile.
FLAMMABLE
Flammable is defined as liquid substances and preparations having a low flash point.
HIGHLY FLAMMABLE
Highly flammable is defined as:
 Substances and preparations which may become hot and finally catch fire in contact with air at ambient
temperature without any application of energy.
 Solid substances and preparations which may readily catch fire after brief contact with a source of ignition
and which continue to burn or to be consumed after removal of the source of ignition.
 Liquid substances and preparations having a very low flash point.
 Substances and preparations which, in contact with water or damp air, evolve extremely flammable gases
in dangerous quantities.
EXTREMELY FLAMMABLE
Extremely flammable is defined as:
 Liquid substances and preparations having an extremely low flash point and a low boiling point.
 Gaseous substances and preparations which are flammable in contact with air at ambient temperature and
pressure, for example, hydrogen, methane, propane.
Flammable limits
UPPER FLAMMABLE LIMIT (UFL)
The upper flammable limit is the richest mixture of vapour in oxygen, that is flammable (above the UFL, the
mixture is too rich to ignite).
LOWER FLAMMABLE LIMIT (LFL)
The lower flammable limit is the leanest mixture of
vapour in oxygen, that is flammable (below the LFL,
the mixture is too lean to ignite).
These are commonly referred to as the upper and
lower explosive limits.
Flammable range is the range (between LFL and
UFL) of a concentration of gas/vapour that will
burn/explode (if an ignition source is introduced).
Examples of flammable limits are given in figure ref 1- Figure 1-5: What is LEL and UEL. Source: RKI Instruments.
6.
Gas or vapour LFL/LEL % UFL/UEL %
Acetylene, C2H2 2.5 81
Cyclohexane C6H12 1.3 8
Ethane, C2H6 3 12.4
Hydrogen, H2 4 75
Methane, CH4 5 15
Propane, C3H8 2.1 10.1
Figure 1-6: Flammable/explosive limits gases/vapours. Source: RMS/Multiple.
Controlling explosive atmospheres

Controlling gas and vapour concentration outside the explosive limits is a major consideration in the Oil and
Gas industry. Methods used include ‘inerting’ (using inert gases such as nitrogen) to reduce the oxygen level
so that the flammable limits fall outside the flammable range, or ‘purging’ (with nitrogen, steam or water) to
displace hydrocarbons from vessels, tanks, piping or equipment. Gases can also be maintained safely at
concentrations above the UEL, although a breach in the storage container can lead to explosive concentrations
in atmosphere or intense fires.
Dusts also have upper and lower explosion limits, though the upper limits are hard to measure and of little
practical importance. Lower explosive limits for many organic materials are in the range of 10-50 g/m³, which is

much higher than the limits set for health reasons, as is the case for the LEL of many gases and vapours. Dust
clouds of this concentration are hard to see through for more than a short distance, and normally only exist
inside process equipment.
Explosive limits also depend on the particle size of the dust involved, and are not intrinsic properties of the
material. In addition, a concentration above the LEL can be created suddenly from settled dust accumulations,
so management by routine monitoring, as is done with gases and vapours, is of no value. The preferred
method of managing combustible dust is by preventing accumulations of settled dust through process
enclosure, ventilation, and surface cleaning.
TOXICITY
Toxicity is the degree to which a substance can harm humans or animals. Toxicity can be acute, or chronic:
 Acute toxicity involves harmful effects through a single or short-term exposure (for example, exposure to
Hydrogen Sulphide).
 Chronic toxicity is the ability of a substance to cause harmful effects over an extended period, usually upon
repeated or continuous exposure, (for example, Benzene) sometimes lasting for the entire life of the
exposed organism.
Toxic substances may be generally classified as:
Very toxic Substances and preparations which in very low quantities cause death or acute or
chronic damage to health when inhaled, swallowed or absorbed via the skin.
Toxic Substances and preparations which in low quantities cause death or acute or chronic
damage to health when inhaled, swallowed or absorbed via the skin.
Harmful Substances and preparations which may cause death or acute or chronic damage to
health when inhaled, swallowed or absorbed via the skin.
Corrosive Substances and preparations which may, on contact with living tissues, destroy
them.
Irritant Non-corrosive substances and preparations which, through immediate, prolonged or
repeated contact with the skin or mucous membrane, may cause inflammation.
Sensitising Substances and preparations which, if they are inhaled or if they penetrate the skin,
are capable of eliciting a reaction by hypersensitisation such that on further exposure
to the substance or preparation, characteristic adverse effects are produced.
Carcinogenic Substances and preparations which, if they are inhaled or ingested or if they
penetrate the skin, may induce cancer or increase its incidence.
Mutagenic Substances and preparations which, if they are inhaled or ingested or if they
penetrate the skin, may induce heritable genetic defects or increase their incidence.
Toxic for reproduction Substances and preparations which, if they are inhaled or ingested or if they
penetrate the skin, may produce or increase the incidence of non-heritable adverse
effects in the progeny and/or of male or female reproductive functions or capacity.
CRUDE OIL
Crude oil is the term for ‘unprocessed’ oil, the material that comes out of the ground. It is also known as
petroleum. It is a fossil fuel, meaning that it was made naturally from decaying plants and animals living
millions of years ago. Crude oils vary in colour, from clear to tar-black, and in viscosity, from water to almost
solid.
Crude oils are such a useful starting point for so many different substances because they contain
hydrocarbons. Hydrocarbons are molecules that contain hydrogen and carbon and come in various lengths
and structures, from straight chains to branching chains to rings.
Hydrocarbons contain a lot of energy. Many of the things derived from crude oil, such as gasoline, kerosene,
diesel fuel and LPG take advantage of this energy. In addition to fuels, by chemically cross-linking hydrocarbon
chains you can get everything from synthetic rubber to nylon to the plastic in Tupperware.
In addition to carbon and hydrogen, crude oil typically contains: hydrogen sulphide; sulphur; carbon dioxide;
trace heavy metals (including nickel, vanadium) and nitrogen.
Additional hazards arising from the extraction and refining of crude oil involve: flammability; low/high
temperatures; gas; high pressures; hydrates; carcinogenicity; LSA material.
Properties and hazards of gases
The Oil and Gas industry produces and uses many gases. For safe operation, it is important that we
understand the properties and hazards associated with these gases.

HYDROGEN
Hydrogen, a key processing agent in petroleum-refining operations, is consumed in a variety of hydro-
desulphurization and hydro-cracking operations. It is colourless, odourless and lighter than air. It is highly
flammable/explosive; it reacts vigorously with oxidising agents; it has a wide flammable range (4-75%); it is
easily ignited; it burns with an almost invisible flame; it can displace oxygen when in high concentrations; liquid
hydrogen is cryogenic.
METHANE
Methane is the major constituent of natural gas. It is lighter than air and is highly flammable, forming a
combustible mixture with air over a wide range (5-15%). It is colourless and odourless, with the familiar smell of
natural gas as used in homes achieved by the addition of an odorant (as a safety measure), such as trace
amounts of mercaptans.
LIQUID PETROLEUM GAS (LPG)
Liquefied petroleum gas is a mixture of gases, mainly propane and butane, produced commercially from
petroleum. In addition to being used as a fuel in heating appliances and vehicles, it is also used as a
refrigerant.
A colourless, odourless gas under normal temperature and pressure, LPG is liquefied, and stored under
pressure and at low temperature. The low temperature means that LPG poses a ‘cold burn’ threat when
working on LPG systems (for example, draining water from an LPG sphere).
LPG is highly flammable (with explosive limits of 2-10%) and therefore poses a significant fire and explosion
risk. Because it is stored at high pressure, on release LPG readily reverts to its gaseous state, with the gas
expanding to 250 times the volume of its liquid state. LPG is heavier than air, thus posing an asphyxiation risk
if released into low lying areas such as pits and trenches.
LIQUEFIED NATURAL GAS (LNG)
Liquefied natural gas originates from underground natural oil and gas reservoirs, often discovered through
drilling and exploration operations. Whilst natural gas is used as a heating medium for domestic premises, it is
also used, in the creation of fertilizer, plastics, and fabrics. LNG is a clear, colourless, odourless non-toxic liquid
that is formed by cooling natural gas to -162C. This shrinks the volume of gas 600 times, making it easier to
store and ship.
At ambient temperature, the liquid rapidly expands (to 600 times the volume of its liquid form), forming an
odourless, highly flammable gas (explosive limits 5-15%).
Release and ignition of LNG may result in pool fires. Such fires cannot be extinguished, the fire will continue to
burn until all of the LNG is consumed by the fire. Because of its temperature (-162C) LNG can cause ‘cold
burns’, (with similar effects to the skin as burns). LNG heavier than air, thus posing an asphyxiation risk if
released into low lying areas such as pits, trenches.
NITROGEN (N2)
Nitrogen is a colourless, odourless, non-flammable gas which makes up 78% of the Earth’s atmosphere. Pure
nitrogen is used in the oil and gas industry for activities such as purging and inerting of vessels and pipelines to
remove and to prevent the formation of flammable atmospheres (for example, prior to carrying out ‘hot work’). It
may also be used to ‘freeze’ pipes when other forms of isolation are not available.
Nitrogen presents a risk of asphyxiation when used in confined spaces (by displacing the oxygen). Liquid
nitrogen is a common Cryogen, and can cause ‘cold burns’. Nitrogen in the blood decreases the oxygen
carrying capacity in the blood; an example being nitrogen narcosis during diving activities.
HYDROGEN SULPHIDE (H2S)
Found in crude oil and gas, Hydrogen Sulphide (H2S) is a colourless, highly toxic, flammable gas. H2S is
heavier than air and hence tends to accumulate in low-lying areas. At lower concentrations the gas is
characterised by the odour of ‘rotten eggs’ and is initially readily detectable by smell; at higher concentrations
the gas rapidly destroys the sense of smell, removing any warning of its presence,
H2S can cause irritation to the eyes, skin and respiratory tract. At higher concentrations (<500ppm), it can
cause over stimulation of the central nervous system and rapid breathing leading to respiratory failure, and
death.
OXYGEN (02)
Oxygen is a colourless, odourless gas and is essential to sustain life at a concentration of approximately 21% in
air, lower percentages 2-3% may result in unconsciousness or death; higher concentrations 2-3% may lead to
symptoms of light headedness and inability to concentrate.
The gas is widely used medicine for patient care, oxygen has a number of industrial applications, these include
smelting, the manufacture of plastics and metal cutting and welding.

Oxygen will react violently with oils and greases, and oxygen enriched atmospheres can lead to fires and
explosions. (Ref: HMS Glasgow and Swan Hunter: 1976). Combustible materials burn more readily in an
oxygen enriched atmosphere.
Properties, hazards and control measures of associated products
ADDITIVES
Anti-foaming agents (defoamers)
A defoamer or an anti-foaming agent is a chemical additive that reduces and hinders the formation of foam in
industrial process liquids. Typical applications in the Oil and Gas industry include oil drilling, oil separators and
waste water treatment.
Anti-foaming agents are insoluble in the foaming medium and have surface active properties. They are of low
viscosity and have the ability to spread rapidly on foamy surfaces, causing rupture of the air bubbles and
breakdown of surface foam. Entrained air bubbles are accumulated, and the larger bubbles rise to the surface
of the bulk liquid more quickly and disperse readily.
Foam, entrained and dissolved air that is present in coolants and processing liquids, may cause various kinds
of problems, including:
 Reduction of pump efficiency (cavitation).
 Reduced capacity of pumps and storage tanks.
 Bacterial growth.
 Dirt flotation/deposit formation.
 Reduced effectiveness of the fluids in use.
 Eventual downtime for cleaning.
 Blockages in sieves and filters.
Anti-foaming agents may be oil, powder, water or silicone based. Hazards generally concern skin or eye
irritation, and possible dermatitis following prolonged contact.
Avoiding contact with skin or eyes is the best form of control (for example, by using automating dosing
systems). If contact cannot be avoided, suitable eye protection and gloves should be worn. The Material
Safety Data Sheet (MSDS) should specify the relevant risk control measures.
Anti-wetting agents
Anti-wetting agents are coatings that are intended to place a waterproof barrier between the surface of material
and water (typically, wet weather). Such coatings are said to be “hydrophobic” (water repellent). Examples
include oil and Teflon.
Anti-wetting agents provide good anti-corrosion protection in harsh environments (for example, the legs of a
drilling rig, immersed in sea water).
Most surfactants are nontoxic, having a toxicity comparable to salt water (sodium chloride solution). Prolonged
exposure of skin to some surfactants can cause chaffing because they can disrupt the lipid coating that protects
skin (and other) cells. If contact cannot be avoided, suitable eye protection and gloves should be worn. The
Material Safety Data Sheet (MSDS) should specify the relevant risk control measures.
MICRO BIOCIDES
Micro biocides are used for the control of bacteria found in and around oilfield applications, and also for the
treatment of cooling water used in oil refineries to remove and prevent spores, fungi, legionella pneumophila
bacteria, and to prevent anaerobic bacterial slime which significantly reduces heat transfer in cooling systems.
Micro biocides may cause severe irritation of the skin, nose, throat and respiratory tract and may pose a risk if
ingested.
The MSDS should specify the relevant risk control measures.
CORROSION PREVENTATIVES
A corrosion inhibitor is a chemical compound that, when added to a liquid or gas, decreases the rate of
corrosion of a material, typically a metal or an alloy. A common mechanism for inhibiting corrosion involves
formation of a coating, which prevents access of the corrosive substance to the metal.
Typical inhibitors include alkyl amines such as benzyl dimethyl alkyl ammonium chloride.
Another form of corrosion prevention is ‘cathodic protection’. The simplest method to apply cathodic protection
is by connecting the metal to be protected, for example, iron (cathode) with another more easily corroded
‘sacrificial metal’, for example, zinc to act as the anode of the electrochemical cell. Typical applications include
offshore oil platforms, storage tanks and pipelines.
Alkyl amine corrosion inhibitors may cause severe irritation of the skin, nose, throat and respiratory tract and
may pose a risk if ingested. The MSDS should specify the relevant risk control measures.

REFRIGERANTS
A refrigerant is a substance used in a heat cycle usually including, a phase change from a liquid to a gas.
Typical refrigerants include propane, ammonia, carbon dioxide and methane. Uses include air conditioning
systems, process cooling. Safety consideration when using refrigerants include corrosion, toxicity and
flammability. The MSDS should specify the relevant risk control measures.
WATER/STEAM
Water/steam is used extensively offshore and in refineries for cooling, heating, lubrication (drilling muds) and
fire-fighting purposes. For example, when extracting oil from reservoirs, the oil may be too heavy to flow. A
second hole is then drilled into the reservoir and steam is injected under pressure. The heat from the steam
thins the oil in the reservoir, and the pressure helps push it up the well.
Higher pressure steam is used to power turbines and generate electrical power, to drive pumps, compressors,
fans and other equipment. Uses of lower pressure steam include the provision of heating for control rooms,
tank products (via heating coils) and trace heating of pipe work. Vast amounts of water are used in heat
exchangers for the cooling of process equipment and products. Deluge systems use vast amounts of water
when used in fire-fighting situations. Risks associated with the use of water and steam include:
 Hot or cold burns from contact with steam or hot water or ice.
 Corrosion of pipe work or equipment as a result of sea water use.
 Hydrate formation and blockage of small bore pipe work, valves.
 Salt deposits, causing internal fouling of pipes/equipment.
 Freezing of water, leading to blockages; overheating of equipment.
 Low water flow leading to equipment overheating or failure.
 High pressure water jet injuries.
 Water hammer from condensed water in steam systems.
 Exothermic reaction when water reacts with volatile substances.
 Legionella exposure, from poorly maintained cooling water systems.
MERCAPTANS
Mercaptans are a group of sulphur based volatile organic chemical compounds. They are a colourless,
flammable gas, and have a characteristic odour like that of rotting cabbage. Mercaptans are found in the
production processes of petroleum products. They are removed from such products within oil refineries using a
‘sweetening’ process known as the Merox process. This results in a product without the sour odour. They are
also used as an odorising agent in natural gas supply to enable detection of gas leakages; even at low
concentrations (2 parts per billion), their odour is readily detected. The vapours if inhaled may cause
headache, nausea, dizziness, drowsiness, loss of consciousness and may be irritating to the eyes, respiratory
system and skin. Where potentially harmful levels are present, suitable respiratory protection, gloves, eye
protection and coveralls should be worn.
The Milan incident
In 2004, an exhausted mercaptan canister used by a natural gas distributor was being returned to a supplier for
refilling. The canister sprang a leak while in transit at a road deliveries company in Sesto San Giovanni, a town
just north of Milan, Italy. Gas was carried by winds across the eastern half of the city of Milan, causing
residents as far as 12km from the canister to make thousands of calls that overwhelmed emergency services
for four hours, and risked hiding actual gas leaks.
DRILLING MUDS
Liquid drilling fluid is often called drilling mud. Drilling
fluids are used to provide hydrostatic pressure to
prevent formation fluids (materials through which the
drill is passing) from entering into the well bore. The
fluids keep the drill bit cool and clean during drilling
and carrying drill cuttings from the hole.
In addition they suspend the drill cuttings while drilling
is paused and when the drilling assembly is brought in
and out of the hole. The drilling fluid used for a
particular job is selected to avoid formation damage
and to limit corrosion. Mud types include:
Water based muds - which incorporate clays (for
example, Bentonite) and chemicals (for example,
Potassium formate). The fluid flows freely and when
‘static’ forms a gel which resists flow, until pumping
Figure 1-7: Typical drill-mud setup system. Source: Howstuffworks.
starts again.
The fluid flows freely and when ‘static’ forms a gel which resists flow, until pumping starts again.

Oil based muds - often diesel based, these have better lubrication properties, enhanced shale inhibition, and
greater cleaning abilities with less viscosity. Oil-based muds also withstand greater heat without breaking
down.
Synthetic based muds - where the base fluid is synthetic oil. This is most often used on offshore rigs because
it has the properties of an oil-based mud, but is less toxic (for example, than diesel fumes).
Gas based muds - can be compressed air alone, or a mixture of compressed air and water.
On a drilling rig, mud is pumped from the mud pits through the drill string where it sprays out of nozzles on the
drill bit, cleaning and cooling the drill bit in the process. The mud then carries the crushed or cut rock
(‘cuttings’) up the annular space (‘annulus’) between the drill string and the sides of the hole being drilled, up
through the surface casing, where it emerges back at the surface. Cuttings are then filtered out with shale
shakers, and the mud returns to the mud pits. The mud pits let the drilled ‘fines’ settle; the pits are also where
the fluid is treated by adding chemicals and other substances.
The returning mud can contain natural gases or other flammable materials which will collect in and around the
shale or in other work areas. Because of the risk of a fire or an explosion if they ignite, special monitoring
sensors and explosion-proof certified equipment is commonly installed, and workers are advised to take safety
precautions (such as suitable PPE to prevent skin contact with the mud).
LOW SPECIFIC ACTIVITY (LSA) SLUDGES AND SCALE
During the drilling process, Naturally Occurring Radioactive Material (NORM) flows with the oil, gas and water
mixture and accumulates in scale, sludge and scrapings. The level of NORM accumulation can vary
substantially from one facility to another depending on geological formation, operational and other factors.
LSA (Low Specific Activity) scale is a radioactive deposit inside pipes and other production equipment and
consists of Calcium carbonates and Barium sulphate, and co-precipitated Radium. The salts are dissolved in
the reservoir itself in a mixture of original formation water and injected seawater. LSA scale is not easily
soluble. Equipment contaminated with the scale can be removed by high pressure water jetting, or chemical
means.
NORM in sludge and scrapings
Radioactive radium can be found in sludge, and produced waters. Other radionuclides such as Lead-210 and
Polonium-210 can also be found in pipelines scrapings as well as sludge accumulating in tank bottoms, gas/oil
separators, dehydration vessels, liquid natural gas (LNG) storage tanks, the waste pit and in crude oil pipeline
scrapings.
NORM in scale
The main types of scale encountered in oil and gas facilities are sulphate scale such as Barium sulphate and
carbonate scale, such as Calcium carbonate. Radium is chemically similar to barium and calcium; hence
radium co-precipitates with Barium or Calcium scale.
The mixing of seawater, which is rich in sulphate, with the formation water, which is rich in brine, increases the
scaling tendency. The sudden change in pressure and temperature or even acidity of the formation water, as it
is brought to the surface also contributes to scale build-up.
Whilst exposures to LSA sludges and scales are generally likely to be low, it is still a source of ionising
radiation, and must be handled with caution. Particular care must be taken to avoid inhalation or ingestion, as
the material may contain alpha particle emitters, which may cause considerable health problems if they enter
the inside of the body.
Typical handling measures would involve well defined procedures which would include provision of: good
supervision; respiratory protective equipment; PPE (coverall, gloves, and rubber boots); reduced time exposure;
monitoring of radiation levels; decontamination facilities; good personal hygiene. In oil and gas production LSA
sludge and scale can be typically found in:
 The production well.  Separators.
 Well heads.  Crude pipelines.
 Safety valves.  Crude oil tanks.
1.3 - Risk management techniques used in the oil and gas industries
The purposes and uses of risk assessment
Risk assessment is an important step in the process of safety risk management. It allows organisations to
protect their workers, others, and of course their business. It is also often a legal requirement.
The UK Health and Safety Executive (in their publication ‘Five Steps to Risk Assessment’, INDG 163) state that
risk assessment is:
“Simply a careful examination of what, in your work, could cause harm to people, so that you can weigh up
whether you have taken enough precautions or should do more to prevent harm.”

The five steps described are:

Step 1: Identify the hazards.
Step 2: Decide who might be harmed and how.
Step 3: Evaluate the risks and decide on precautions.
Step 4: Record your findings and implement them.
Step 5: Review your assessment and update if necessary.
OIL AND GAS INDUSTRY
This straightforward method (five steps) should be suitable for most organisations. For the Oil and Gas
industry, where there are more complex risks, the techniques used are likely to require more technical insight
and depth. The UK Offshore Installations (Safety Case) Regulations (OSCR) 2005 requires a demonstration by
duty holders that:
 All hazards with the potential to cause a major accident have been identified.
 All major accident risks have been evaluated.
 Measures have been, or will be, taken to control the major accident risks to ensure compliance with the
relevant statutory provisions (i.e. a ‘compliance’ demonstration).
The compliance demonstration should be proportionate to the magnitude of risk. Because of the higher levels,
and more complex, risks in the Oil and Gas industry, other risk assessment techniques need to be considered,
i.e. qualitative and quantified risk assessment (QRA).
The primary objectives of risk assessment are to identify and rank the risks so that they can be adequately
managed, and to determine which risk reduction measures are most suitable for implementation.
QUALITATIVE AND QUANTITATIVE RISK ASSESSMENT
The risk assessment methodology applied should be cost-effective, and of sufficient detail to enable the ranking
of risks in order, for subsequent consideration of risk reduction. The rigour of assessment should be
proportionate to the complexity of the problem and the magnitude of risk.
It is expected that assessment would progress through the following stages to provide an appropriate
demonstration:
 Qualitative (Q), in which frequency and severity are determined purely qualitatively.
 Semi-quantitative (SQ), in which frequency and severity are approximately quantified within ranges.
 Quantified risk assessment (QRA), in which full quantification occurs.
These approaches to risk assessment reflect a range of detail of assessment from Q (lowest) to full QRA
(highest). The choice of approach will be determined by the level of estimated risk within its tolerability limits,
and the complexity of the problem in determining what more needs to be done to reduce the risk.
It may occasionally be possible to use qualitative risk assessment in extremely high risk situations, where it is
obvious that the risk is so high that risk reduction is essential.
Also, great care must also be taken when attempting to justify something that is a significant deviation from
existing codes, standards or good practice.
The lower levels of assessment (Q and SQ) are considered most appropriate for screening for hazards and
events that need to be analysed in greater detail, for example, to assist in determining the events to be included
in the representative set for more detailed assessment.
One approach to deciding the appropriate level of detail would be to start with a qualitative approach and to
elect for more detail whenever it becomes apparent that the current level is unable to offer:
 The required understanding of the risks.
 Discrimination between the risks of different events.
 Assistance in deciding whether more needs to be done (making compliance judgements).
The risk management process
INTRODUCTION
Managing risk starts at the design stage of any oil and gas installation project, where risks can be identified at
an early stage and, where possible, designed out.
However, the process should not end there. Risk management should be applied at all other stages of an
installation’s lifecycle, namely: construction; commissioning; modifications; start up and shut down;
decommissioning and demolition.
Figure ref 1-8 summarises the main stages in the process of risk management. Each stage in the process can
be seen as an opportunity to identify potential risk reduction options.

Figure 1-8: Main stages in the process of risk management. Source: University of Queensland.
The key stages of risk management are:
 Establish the context: such as setting the organisation's goals, targets, and objectives with respect to the
management of major hazards.
 Identify the hazards/risks: involves identifying the range of hazards with the potential to cause major
accidents, for example, flammable, toxic material inventories, together with their possible impact on
personnel, equipment and the environment should things go wrong.
 Analyse/evaluate the risks: analyse/estimate the level of risk; use of quantitative risk assessments;
compare against standards; determine acceptability of risk.
 Risk treatment/control: consider risk control options; measure to reduce likelihood and/or impact;
mitigation measures.
 Consult and communicate: involves workforce/stakeholders during all stages of the risk management
process.
 Monitor and review: establish monitoring and review processes; apply to all aspects of the process.
RISK ESTIMATION AND RANKING OF RISKS
Risk estimation entails assessing both the severity (consequence) and frequency (likelihood) of hazardous
events. The amount of detail and effort required increases from qualitative (Q) to semi-quantitative (SQ) to
quantified risk assessment (QRA). For the Q or SQ approaches, a risk matrix is a convenient method of
ranking and presenting the results. It is important that the risk matrix used should be capable of discriminating
between the risks of the different hazardous events for the installation. A 5 x 5 matrix will give greater
opportunity for such discrimination than a 3 x 3. See figure ref 1-9.
Figure 1-9: 5 x 5 matrix. Source: www.howishow.eu.

In order to decide what action, if any, is required we can consider the table below:
1-5 Acceptable No further action required. Maintain existing control measures.
6-12 Adequate Proceed, but look to improve controls.
13-25 Unacceptable Do not proceed. Seek further controls to reduce the risk.
THE CONCEPT OF ‘AS LOW AS REASONABLY PRACTICABLE’ (ALARP)
ALARP is short for ‘as low as reasonably practicable’. At its core is the concept of ‘reasonably practicable’; this
involves weighing a risk against the trouble, time and money needed to control it. Thus, ALARP describes the
level to which we expect to see workplace risks controlled.
Deciding whether a risk is ALARP can be challenging because it requires judgement to be exercised. For high
risk, complex or novel situations, more formal decision making techniques may be used, including cost-benefit
analysis, to assist our judgement.
In essence, making sure a risk has been reduced ALARP is about weighing the risk against the sacrifice
needed to further reduce it. To avoid having to make this sacrifice, you must be able to show that it would be
grossly disproportionate to the benefits of risk reduction that would be achieved. Thus, the process is not one
of balancing the costs and benefits of measures but, rather, of adopting measures except where they are ruled
out because they involve grossly disproportionate sacrifices. Extreme examples might be:
 To spend £1m to prevent five staff suffering bruised knees is obviously grossly disproportionate.
 To spend £1m to prevent a major explosion capable of killing 150 people is obviously proportionate.
In most situations, deciding whether the risks are ALARP involves a comparison between the control measures
in place or proposing the measures we would normally expect to see in such circumstances i.e. relevant good
practice. ‘Good practice’ is defined in the UK by the HSE as ‘those standards for controlling risk that HSE has
judged and recognised as satisfying the law, when applied to a particular relevant case, in an appropriate
manner’. Examples of good practice include HSE Approved Code of Practice; Guidance Notes; Industry
Guidance; Standards produces by Standard making organisations such as British Standards Institute (BSI),
(International Standard for Organisation (ISO).
Inherent safety in design
The principles of Inherent safety have a particular relevance to the offshore oil and gas industry, where
hazardous materials and operations are, by necessity, in close proximity to personnel, and where there has
been a tendency in the past to rely on active safety systems such as emergency shutdown and deluge system,
to control the hazards.
Inherent safety is a concept particularly used in the chemical and process industries. An inherently safe
process has a low level of danger even if things go wrong. It is used in contrast to safe systems where a high
degree of hazard is controlled by protective systems. As perfect safety cannot be achieved, common practice
is to talk about inherently safer design. An inherently safer design is one that avoids hazards instead of
controlling them, particularly by reducing the amount of hazardous material and the number of hazardous
operations in the plant.
Inherent safety has been recognised as a desirable principle by a number of national authorities, including the
US Nuclear Regulatory Commission and the UK Health and Safety Executive (HSE). In assessing control of
major hazard (COMAH) sites the HSE states ‘Major accident hazards should be avoided or reduced at source
through the application of principles of inherent safety’. The European Commission in its Guidance Document
on the Seveso II Directive states ‘Hazards should be possibly avoided or reduced at source through the
application of inherently safe practices’.
Following the Cullen Report on the Piper Alpha disaster; the HSE subsequently produced and continue to
produce regulations, and guidance with much greater emphasis on inherent safety. Regulations now require
the operator to provide a design safety case, at the early stages of the design to the HSE for comment. The
basic principles of inherent design are now legal requirements for safety case submission by operators and
typically focus on the findings of Cullen and other subsequent enquiries.
Inherent safety by design will include consideration of:
 Substitution of hazardous materials with the less hazardous.
 Avoidance of complex design.
 Allow for human and system failure, by the use of failsafe control systems that reduce the risk of human
error, for example, valves fail to either open or closed when there is a critical event without the need for
operator intervention.
 Keep hydrocarbon inventories’ as low as possible.
 Selection of construction materials (for example, physical and chemical resistance).
 Design vessels, pipelines to minimise deterioration (electrolytic or other corrosion), reduce stress
concentrations and enable regular inspection during construction and operation.
Sourced and adapted from: HSE OTH 96 521, Improving Inherent Safety ISBN 0-7176-1307-0.

Application of risk management to process safety

There are a number of other hazard identification techniques that are used within the Oil and gas Industry.
They include HAZOP, HAZID, FMEA, Bow ties, Health Risk Assessment (HRA) and QRA.
HAZARD AND OPERABILITY STUDIES (HAZOP)
A HAZOP is a structured and systematic examination of a planned or existing process or operation in order to
identify and evaluate deviations from intended normal operation that may represent risks to personnel or
equipment, or prevent efficient operation. It may also be applied prior to a process modification; following a
serious accident, or periodically as a plant/process ages.
The HAZOP technique was initially developed (by ICI Imperial Chemicals Industries; a substantial manufacturer
and processor of chemicals and products) to analyse chemical process systems. The HAZOP system
approach is now widely used to test complex processes and systems including the designs for equipment
systems such as public transport and in the development of software programmes.
A HAZOP is a qualitative technique based on guide-words and is carried out by a multi-disciplinary team
(HAZOP team).
The team will be led by a Chairperson, who will be someone technically competent, and experienced in the
HAZOP process. The Chairperson initially agrees the scope of the analysis; is involved in the selection of team
members and directs the team members in gathering of process safety information prior to the start of the
study. The chairperson leads the team in the analysis of the selected process or part of the process; writes the
report detailing the study findings and recommendations that the group has determined and reports the findings
to management.
Other team members may include: secretary/scribe; design engineer; maintenance engineer; operations
representative; process engineer; engineering specialist; safety specialist.
Methodology
The HAZOP process looks for deviations from the process design intent by combining guide words with process
parameters resulting in a possible deviation from design intent. For example, when the guide word ‘no’ is
combined with the parameter ‘flow’ the deviation ‘no flow’ results. The team should then list all credible causes
that will result in a no flow condition for the process.
Guidewords include: no; more; less; as well as; reverse; other than.
The application of parameters will depend on the type of process being considered, the equipment in the
process and the process intent. The most common specific parameters that should be considered are flow,
temperature, pressure, and where appropriate, level.
Specific parameters: flow; temperature; pressure; composition; phase; level.
Recommendations are made when the safeguards for a given hazard scenario, as judged by an assessment of
the risk of the scenario, are inadequate to protect against the hazard. These may include:
 Design changes.
 Hardware changes.
 Procedural changes (operational; maintenance).
 A more detailed (quantitative) risk assessment required.
HAZARD IDENTIFICATION (HAZID)
HAZID study is a hazard identification tool, carried out by a team of competent personnel from a mixture of
disciplines, and led by a person who is experienced in the HAZID technique.
HAZID will normally consider both the hazards associated with the process (for example, fires, explosions,
overpressures) and external hazards (for example, extreme ambient temperature and extreme wind).
Essentially a structured ‘brainstorming’ technique, HAZID can be applied in project design stages, or on existing
process plant (for example, after a modification).
Each area of the process is considered against a checklist of hazards. Where it is agreed that a hazard exists
the risk presented by the hazard is considered, the team will consider all possible means of either eliminating
the hazard or controlling the risk. The outcome may also lead to the need for further detailed risk assessment.
FAILURE MODE AND EFFECTS ANALYSIS (FMEA)
(FMEA) is a technique that is used for analysis of potential failure modes of components within a system. A
successful FMEA activity helps a team to identify potential failure modes based on past experience with similar
products or processes, enabling the team to design those failures out of the system with the minimum of effort
and resource expenditure.
Failure modes generally describe the ways in which an item or a component can fail. Effects analysis refers to
studying the consequences of those failures.
There are basically five stages to the FMEA process:
1) Break the system down into component parts.

2) Determine how each component may possibly fail.

3) Determine the effects of these modes of failure.
4) Consider how each failure mode may be detected.
5) Assess the consequences of the failure.
Figure ref 1-10 demonstrates the FMEA technique.
Figure 1-10: FMEA technique. Source: FMEA info centre.
The concept of hazard realisation

In 2000/1 the HSE initiated a hydrocarbon release offshore (HCR) leak reduction campaign which was
conducted over a four year period. They found that the areas which were significant contributors to the number
of HCRs occurring offshore; included failures in piping, flanges, valves and small bore tubing systems (SBTs).
Reductions in the numbers of HCRs in these areas occurred following publication of the guidelines. However,
during 2006/7 and 2007/8, the progress in reducing major and significant HCRs slowed down, and the planned
targets for the combined total of major and significant HCRs were exceeded in both years.
Evidence suggested that piping systems, including flanges and valves collectively continue to be a major
source of HCRs, with piping being the single largest contributor. Instruments (i.e. SBTs) connections
contributed the second largest single source of HCRs. Gas Compression was found to be the operating system
having the highest number of HCRs.
In summary, where operational failures are reported:
 Incorrectly fitted equipment is the most widespread operational cause.
 Followed by improper operation (i.e. human factor issues).
 Non-compliance with procedure (i.e. human factors issue) is the most common procedural cause where
procedural failures are reported.
For the whole period since 2000/1, instruments (SBT) were the largest single contributor to HCRs greater than
25kg.
Reported experience of inspection and survey on SBT systems suggests that 26% of fittings examined were
found to contain faults, for example, under-tightness, incorrect or mismatched components, leaks, incorrect or
poor installation and that this failure rate has remained constant since 2001.
By considering potential worst case scenarios, we can look at either eliminating or reducing the likelihood of
occurrence and/or the consequences.
Consider a worst case scenario of:
 >25kg of hydrocarbon is released from small bore instrument tubing, on a high pressure gas system, which
has been inadequately maintained.
 The release occurs in close proximity to the accommodation block.
 There are no gas detectors in the vicinity.
 There is no effective emergency response plan in place, and hence no training for emergencies.

 The accommodation block is in full occupancy, for example, at night time.

 The release finds an uncontrolled ignition source.
 The resultant fire and explosion kills all occupants of the accommodation.
Actions that could reduce the likelihood of occurrence include:
 Implementing a preventative maintenance programme.
 Ensuring that maintenance personnel are competent.
Action to reduce consequences include:
 Move the accommodation building.
 Installing gas detectors in the vicinity.
 Proper control of ignition sources.
 Develop, and practice, an emergency response plan.
 Training employees in emergency response.
Risk control barrier models
BOW-TIE DIAGRAMS
The bow-tie method provides a readily understood visualization of the relationships between undesired events,
the escalation of such events, the controls preventing the event from occurring and the preparedness measures
in place to limit the business impact.
A bow-tie diagram is a representation of all the initiators and consequences of a particular scenario, together
with the safety barriers that are in place to prevent, control or mitigate the event.
A barrier is a design feature. It may be physical or non-physical or a combination, and the intent is to prevent,
control, mitigate or protect from undesired events.
Examples of barriers are: corrosion protection systems, an emergency isolation/shut down valve; deluge
systems; an operator initiating blow-down.
The ‘Top (Hazardous) Event’ may be a release of flammable gas, with the consequences being fire and
explosion (the realisation of the hazard).
The cause (or ‘threat’) may be corrosion.
Prevention barriers may be construction standards, inspections, plant layout.
Mitigation barriers may include gas detection systems, emergency shut down valves, deluge systems,
emergency response plan.
The bow-tie is ideal for structured assessment and communication of risks, clearly demonstrating the link
between control measures and management system arrangements and can be used to qualitatively assess and
demonstrate control of all types of risk.
Figure 1-11: Bow-tie barrier diagram. Source: Blacktip project.

Uses of modelling
CONSEQUENCE MODELLING
Consequence modelling refers to the calculation or estimation of numerical values, that describe the physical
outcome of credible loss of containment scenarios (involving flammable/explosive and toxic materials) and the
potential effect on people, the asset or the environment.
Modelling can be used to predict dispersion/evaporation rates for flammable substances; specific levels of
toxicity for releases of toxic substances; thermal radiation output from fires; smoke dilution/composition.
This information can assist with:
 Spacing of plant.
 Determining blast zones.
 Sighting of safety critical controls.
 Selection of passive/active fire protection.
THERMAL RADIATION OUTPUT
In a fire situation, the radiant energy flux (rate of flow of energy) of petroleum based products can be sufficiently
high to threaten both the structural integrity of plant and equipment, and the physical safety of plant personnel.
Understanding such behaviour when considering possible major accident scenarios, with the use of modelling
systems, can help to determine the appropriate control measures required (for example, the layout and
separation distances of plant and equipment and also the location of personnel accommodations). Modelling
systems are available for substances such as LPG; Ammonia; Hydrofluoric Acid.
Accidental releases of flammable liquids or gases often result in the formation of a cloud of vapour that is dense
relative to ambient conditions. If the cloud encounters an ignition source then a vapour cloud fire (VCF) may
result. In the present context, VCF is taken to mean either a flash fire or a fireball. VCF's are important for two
reasons:
An intrinsic hazard
In the form of thermal radiation, assuming no or limited confinement/congestion, so that overpressures are not
important.
The possibility of escalation
It is highly likely that secondary fires may be started as a result of the flash fire/fireball and there is a high
probability that following a VCF there will be a steady fire, typically either a pool fire or jet fire (or a combination
of the two).
BLAST ZONES
Modelling techniques development for determining structural safety for offshore operations is an on-going
process.
Many existing offshore structures are being used well beyond their original design life, which necessitates the
re-assessment of the structure taking into account new data related to gas and explosion loading and response
models.
The UK Health and Safety Executive (HSE) require the duty holder to carry out an assessment to demonstrate
that risks have been reduced to As Low as Reasonably Practicable (ALARP).
Based on the results of the assessment studies the duty holder may decide that the risks to people, assets or
environment from fire and/or explosions to the structure are intolerable and as a result may decide to implement
risk reduction measures; such as physical strengthening of the structure.
Many of the earlier blast fire walls and supporting primary deck structures had limiting structural capacities
estimated using a range of methods ranging from single degree of freedom (SDOF) methods, through other
modelling techniques. In structural modelling, the blast load, material dynamic properties, material properties at
elevated temperatures, yield and ultimate values of strain and stress, and failure strain limits are often modelled
based on approximations. It is often assumed that these approximations are more than sufficient; and that
even if they are not, they will be balanced by other assumptions implicit in the codes and the design process.
The UK regulatory regime puts the onus on the duty holder to demonstrate that risks have been reduced to as
low as reasonably practicable.
Risk reduction measures can take different forms ranging from:
 Reducing the magnitude of the loading corresponding to a hazardous event within a particular return period.
For example, measures such as activating water deluge or imposed Emergency Shutdown (ESD) blow-
down are commonly used.
 Reducing the probability of occurrence of a particular hazardous event. For example, by improved
ventilation, gas detection or reducing the ignition probability.
 Strengthening the structure by making it stronger and/or more ductile thereby increasing the total load it can
withstand before failure and therefore reducing the probability of this load being exceeded.

One of the important and cost effective ways of reducing explosion over pressure is ‘mitigation by design’.
The terms mitigation and control have very specific meanings, but have been used interchangeably in many
considerations.
Mitigation is when there is a reduction in the consequences of an explosion event at the location of concern
(for example, the temporary refuge) without a reduction in the severity at the explosion source.
Control is when a device or a technique directly impacts on the severity of an explosion at the source. Often a
direct result of a successful control measure is also a reduction of overpressure at the location of concern.
Ventilation remains a very important parameter in controlling and reducing explosion overpressure. Ventilation
has a dual positive effect in the sense that it tends to decrease the total inventory that may contribute to an
explosion and also decrease the probability of the cloud forming a combustible mixture and igniting.
The best option for securing effective ventilation is the completely open platform. This is perhaps evidenced by
the lack of severe explosions on platforms in areas like the Far East and the Gulf of Mexico where because of
the less severe climate platforms can be made much more open. On the other hand, in the severe climate of
the North Sea a degree of weather protection is deemed necessary.
1.4 - An organisation’s documented evidence to provide a convincing

and valid argument that a system is adequately safe
Examples of documented evidence and where it is used
Safety cases and safety reports are a legal requirement in some countries.
In the UK, the Offshore Installations (Safety Case) Regulations (OSCR) 2005, which implement the central
recommendations of Lord Cullen’s report into the Piper Alpha disaster, require operators of all installations that
will be located in British waters and in the UK designated areas of the continental shelf, to prepare a safety
case, and submit to the HSE for approval (note: notification to the regulatory authority is required at an early
design stage of a new installation).
The Control of Major Accident Hazards Regulations (COMAH) 2015 implemented the majority of the
Seveso III Directive into UK law. The Directive was enacted by the European Parliament following the major
accident at Seveso, Italy in 1976, and modified following the major warehouse fire in Basle, Switzerland.
COMAH Regulations apply mainly to the chemical and petrochemical industries. They may also apply to
businesses that store fuels, including gas, have large warehouses or distribution facilities or manufacture and
store explosives.
For sites with particularly high quantities of dangerous substances, operators must describe their control
measures to prevent major accidents in a ‘safety report’.
The purpose of documented evidence
Safety cases and safety reports permit operators to demonstrate, to the relevant regulatory authority, good
practice and compliance with the legislative requirements (i.e. OSCR and COMAH). In other words, that the
operator has taken all the necessary measures to prevent major accidents and to limit their consequences (to
people, and the environment).
The content of safety cases and safety reports
SAFETY CASE
The contents of a safety case for a production installation include:
 The name and address of the operator of the installation.
 A summary of how any safety representatives for that installation were consulted with regard to the revision,
review or preparation of the safety case.
A description, with suitable diagrams, of:
a) The main and secondary structure of the installation and its materials.
b) Its plant.
c) The layout and configuration of its plant.
d) The connections to any pipeline or installation.
e) Any wells connected or to be connected to the installation.
The types of operation, and activities in connection with the operation, which the installation is capable of
performing.
The maximum number of persons expected to be on the installation at any time, and for whom accommodation
is to be provided.

The arrangements for the control of well operations, including those to control pressure in a well; to prevent the
uncontrolled release of hazardous substances; and to minimise the effects of damage to subsea equipment by
drilling equipment.
A description of any pipeline with the potential to cause a major accident, including: the fluid which it conveys;
its dimensions and layout; its contained volume at declared maximum allowable operating pressure; any
apparatus and works intended to secure safety.
A description of arrangements made for protecting persons on the installation from toxic gas at all times other
than during any period while they may need to remain on the installation following an incident which is beyond
immediate control.
A description of the measures taken or to be taken or the arrangements made or to be made for the protection
of persons on the installation from hazards of explosion, fire, heat, smoke, toxic gas or fumes during any period
while they may need to remain on the installation, following an incident which is beyond immediate control, and
for enabling such persons to be evacuated from the installation where necessary, including provision for:
a) Temporary refuge.
b) Routes from locations where persons may be present to temporary refuge and for egress there from two
points from where the installation may be evacuated.
c) Means of evacuation at those points.
d) Facilities within temporary refuge for the monitoring and control of the incident and for organising
evacuation.
A description of the main requirements in the specification for the design of the installation and its plant, which
shall include:
a) Any limits for safe operation or use specified therein.
b) A description of how the duty holder has ensured, or will ensure, compliance with regulation and any
specific statutory requirements.
c) A description of how the duty holder has ensured, or will ensure, the suitability of the safety-critical
elements.
A description of the arrangements for:
a) Identifying the routes and locations of pipelines, wells and other subsea equipment.
b) Assessing the risks that they pose to the installation.
Particulars of any combined operations which may involve the installation, including:
a) A summary of the arrangements in place for co-ordinating the management systems of all duty holders
involved in any such combined operation.
b) A summary of the arrangements in place for a joint review of the safety aspects of any such combined
operation by all duty holders involved, which shall include the identification of hazards with the potential to
cause a major accident and the assessment of risks which may arise during any such combined operation.
c) The plant likely to be used during any such combined operation.
d) The likely impact any such combined operation may have on the installations involved.
SAFETY REPORT
Will generally contain information relating to:
 Details of the installation operator.
 An overview of the installation, which may include:
 The processes.
 The major accident scenarios.
 The measures for protection and intervention.
 The interrelationship between different installations.
 Details of the surrounding environment. There are five aspects of the surrounding environment which need
to be considered:
 People.
 Features contributing to a major accident.
 The built environment.
 The natural environment.
 External factors contributing to major accidents.
 Information on dangerous substances: such as types, names, inventories; physical and chemical behaviour;
how they can cause potential for harm to people.
 A description of the management arrangements and safety management systems.
 This will include:
 A major accident prevention policy.
 Allocation of roles and responsibilities.

 Consultation process.
 Arrangements for control of contractors.
 Management of change procedures.
 Monitoring and auditing procedures.
 A description of possible major accident scenarios, including identifying all the possible major accidents,
giving an estimate of how likely it is that an accident may happen, and assessing the consequences of each
possible accident.
 A description of the measures that will be taken to prevent or limit the consequences of a major accident. A
description of the emergency response measures that have been put in place to limit the consequences of
a major accident.
Summary of key requirements of documented evidence:
 Details of the installation, including location; environment; basis of design; plant and equipment; processes
carried out and occupancy.
 Identification of major accident hazards.
 Evaluation of major accident risks.
 Measures in place to control major accident risks.
 Audit/verification arrangements.
 Supporting safety management systems, for example, control of contractors.
 Emergency response plans/procedures.
Exam practice
1. (a) List the four steps in the guidance to HSG 245: Investigating Accidents and Incidents. (4)
(b) Outline one step from the guidance. (4)
2. Explain the methods used to control gas and vapour concentration outside the explosive limits in the Oil
and Gas industry. (8)
3. (a) Explain the term ‘flash point’. (2)

(b) Outline the terms Upper Flammable Limit (UFL) and Lower Flammable Limit (LFL). (6)
4. Outline four management system root cause failures which might lead to an accident occurring in the
workplace. (8)
5. Outline the system and design failures which lead to the explosion and subsequent fire on the Piper
Alpha oil and gas production platform in the North Sea in 1988. (8)
6. (a) Hydrogen sulphide (H2S) is often found in crude oil and gas. Describe the physical properties of
H2S. (2)
(b) Explain the typical effects H2S exposure would have on the body. (6)
Please refer to the back of the assessment section for answers.

Element
2
Hydrocarbon process safety 1
Learning outcomes
2.1 Explain the principles of assessing and managing contractors, including the roles of parties involved.
2.2 Outline the tools, standards, measurement, competency requirements and controls applicable to
Process Safety Management (PSM) in the oil and gas industries.
2.3 Explain the role and purpose of a permit-to-work system.
2.4 Explain the key principles of safe shift handover.
2.5 Explain the importance of safe plant operation and maintenance of hydrocarbon containing equipment
and processes.
2.6 Outline the hazards, risks and controls to ensure safe start up and shut down of hydrocarbon containing
equipment and processes.
Content
2.1 - Contractor management ...............................................................................................................................29
Introduction ...........................................................................................................................................................29
Scale of contractor use .........................................................................................................................................29
Contractor management, ownership and representation......................................................................................29
2.2 - Process safety management (PSM) .............................................................................................................30
Introduction ...........................................................................................................................................................30
The OSHA process safety management standard ...............................................................................................30
Management of change controls ...........................................................................................................................33
2.3 - Role and purpose of a permit-to-work system ..............................................................................................35
Introduction ...........................................................................................................................................................35
The key features of a permit-to-work system ........................................................................................................35
Interfaces with adjacent plant ...............................................................................................................................36
Interfaces with contractors ....................................................................................................................................36
Lock out, tag out and isolation procedures ...........................................................................................................37
2.4 - Key principles of safe shift handover ............................................................................................................40
Introduction ...........................................................................................................................................................40
Shift handover .......................................................................................................................................................41
Two-way with both participants taking joint responsibility .....................................................................................41
Key principles in handover ....................................................................................................................................42
2.5 - Plant operations and maintenance ...............................................................................................................42
Asset integrity ........................................................................................................................................................42
Maintenance, inspection and testing.....................................................................................................................43
Risk based maintenance and inspection strategy ................................................................................................45
Techniques, principles and importance of safe operation, standard operation procedures and maintenance ....46
Control of ignition sources during maintenance and operations ...........................................................................47
Cleaning and gas freeing of plant and equipment ................................................................................................47
2.6 - Start up and shut down .................................................................................................................................48
Associated hazards and controls ..........................................................................................................................48
Exam practice .......................................................................................................................................................51

UNIT IOG1 - ELEMENT 2 - HYDROCARBON PROCESS SAFETY 1
USA Occupational Safety and Health Administration (OSHA) Process safety management of highly hazardous
chemicals (Standards - 29 CFR 1910.119)
Lees’ Loss Prevention in the Process Industries: Hazard Identification, Assessment and Control - Butterworth-
Heinemann Ltd; ISBN - 13: 978-0-7506-7555-0
T. Kletz: What Went Wrong? Case Histories of Process Plant Disasters (1998) Gulf, ISBN: 978-0-88415-920-9
T. Kletz: Still Going Wrong: Case Histories of Process Plant Disasters and How They Could Have Been
BSEN ISO 15544 Petroleum and natural gas industries - Offshore production installations - Requirements and
guidelines for emergency response
API Corrosion management
Human factors: Safety critical communications: http://www.hse.gov.uk/humanfactors/comah/safetycritical.htm)
Safe Ups and Downs for Process Units (BP Process Safety Series) The Institution of Chemical Engineers; 2nd
Revised edition (30 July 2006) ISBN: 978-0-8529-5502-4
Guidance on permit-to-work systems: A guide for the petroleum, chemical and allied industries (HSE) HSG 250
ISBN: 978-0-7176-2943-5
HSE: Managing Contractors: A Guide for Employers (HSG 159)
OSHA: Process Safety Management: Guidelines for Compliance (OSHA 3133)
HSE: Plant Modification/Change Procedures
HSE: Asset Integrity: KP3 (11/07)
HSE: Maintenance of Work Equipment
Maintenance Strategies: NACE Interactions (http://events.nace.org/library/corrosion/Inspection/Strategies.asp)
Basics of Corrosion Control (www.npl.co.uk)
HSE: Guidance on Operating Procedures
HSE: Cleaning and Gas Freeing of Tanks containing Flammable residues (CS15)
Non-condensables (www.plantengineering.com; www.systhemique.com/steam-condensate)

HYDROCARBON PROCESS SAFETY 1 - ELEMENT 2 - UNIT IOG1
2.1 - Contractor management

Introduction
A contractor is anyone who is called into work for your company but is not an employee. Many accidents
involve contractors working on a site due to a number of factors. They include:
 Activities can be risky due to the type of work they are involved in.
 Poor communication when staff do not know there is a contractor working near-by and when contractors
don’t know the dangers of the site.
 Because the contractors involved are unfamiliar with the site.
 Poor selection processes, training and competency.
Scale of contractor use
The use of contractors in the oil and gas industry is commonplace. Many companies turn to contractors to
supplement their engineering staff. They are also used for specialist tasks, often involving hazardous activities.
This could involve working on critical process plant and equipment or carrying out non-routine activities where
there is a greater potential for harm if their work is not properly managed.
It is important to ensure that contractors are properly briefed on, and understand, the major hazard risks
associated with the activities in order for them to be able to work safely and to safeguard the integrity of the
plant and processes.
Not only is it good business sense to manage contractors effectively, it is often a legal requirement in many
jurisdictions.
Contractor management, ownership and representation
There are five basic steps involved in managing contractors:
Step 1: Planning
Step 2: Choosing a contractor
Step 3: Contractors working on site
Step 4: Keeping a check
Step 5: Reviewing the work
STEP 1: PLANNING
This step is about how to plan the contractor’s job. Working through it will give a better understanding of the
practicalities of risk assessment and planning to reduce risks.
This involves determining exactly what work is to be carried out by the contractor, and how it can be safely
carried out. This will require a risk assessment. If a contractor has been selected, it may be appropriate to
discuss with, or involve, the contractor. This process should determine the risk control measures required
(which may include the use of a permit to work) in order to protect both client and contractor employees.
Contractors have responsibilities for preparing their own risk assessment. Their risk assessment should fit in
with the clients and provide information. Conversely contractors will need information from the client about the
job, the state of plant, induction requirements, local rules, emergency procedures etc. when preparing their
assessment.
Clearly, there is a need for communication and close co-operation between client and contractor so that all risks
associated with the job are covered.
STEP 2: CHOOSING A CONTRACTOR
The choice of contractor can have a big impact on health and safety to the client, and should be approached
with care. It is not something to do casually. Selection criteria should not be based on cost alone, but should
also include technical competence; availability; reliability and health and safety.
Information that may assist in determining health and safety competence includes:
 Health and safety policy.
 Accident statistics.
 Risk assessments; method statements.
 Training programmes.
 Enforcement action.
 References.
 Membership of professional body/trade association.
 Experience in oil and gas work.
 Monitoring.
 Employers’ liability insurance.
 Arrangements for selection of sub-contractors.

Problems can arise when there is further subcontracting unless there are good arrangements between all
parties. It is essential to set down rules about subcontracting.
Building relationships to set up preferred contractors has definite advantages. Not only do the contractors
become familiar with the installation and the personnel (and vice-versa), it also enables their safety record to be
checked from time to time and to keep them in touch with the location rules and standards. This will enable a
contractor to be in place and to demonstrate a considered and reliable arrangement for safe working. It also
removes the need to carry out a complete selection process every time (some organisations do this by having a
‘preferred contractor listing’).
STEP 3: CONTRACTORS WORKING ON SITE
Contractors need to be told about the hazards they face when they come on site. Often an induction talk is the
best way of passing this information on. It is worthwhile checking that they have understood any essential
points (for example, a short test).
Arrangements should be put in place to determine contractor employee whereabouts on site at any time. This
is often achieved by either a sign in/out system, or the issue of personal ID cards.
Contractors need a site contact - someone to get in touch with on a routine basis or if the job changes and there
is any uncertainty about what to do. The purpose here is not to take responsibility off the contractor, but to
ensure that the contractor has all the necessary information for them to do so.
STEP 4: KEEPING A CHECK
Keeping a check on the contractor is a critical step in controlling their work. Monitoring is essential to check on
the work done and whether the job is going as planned.
Contractors are responsible for supervising their own work and for ensuring that they work safely; it is not
necessary to watch them all the time. A balance has to be made often considering that which is reasonable in
the circumstances.
The amount of contact with the contractor should be related to the hazards and risks associated with the job.
The selection process should have ensured the selected contractor will meet the conditions specified in the
terms in the agreement. As the work proceeds, particularly with a new contractor, a little more checking may be
required, to make sure that the agreed controls are being met (for example, that permits to work and risk
assessments are being followed as agreed).
STEP 5: REVIEWING THE WORK
The final step is about learning from the job and about the contractor when the work is completed.
Reviewing is about evaluating the standard and quality of the contractor’s work and the safety of their
performance (for example, were method statements/risk assessments/permits to work followed? Were
accidents reported and properly investigated? Were safety inspections carried out as agreed? Were safety
review meetings attended?).
The contractor’s performance, and any lessons learnt, should be recorded and may be used when revising the
list of preferred contractors.
2.2 - Process safety management (PSM)

Introduction
PSM involves managing a number of technical, managerial and human factors activities which, if not managed
effectively, may lead to a major incident.
High profile incidents such as Buncefield have highlighted the need for high risk installations to have effective
systems in place to prevent, or limit the effects of, such incidents.
The OSHA process safety management standard
The OSHA Process Safety Management: Guidelines for Compliance (OSHA 3133) Standard contains 14
elements. Many companies have developed their own systems, based on the OSHA standard.
The OSHA standard contains requirements for the safe management of hazards associated with processes
using, storing, manufacturing, handling, or moving highly hazardous chemicals onsite. It emphasizes the
management of hazards through an established comprehensive program that integrates technologies,
procedures, and management practices. The elements are as follows:
EMPLOYEE PARTICIPATION
Employers are required to have a written plan outlining their arrangements for employee participation and
consultation. Employee participation should begin at the start of PSM implementation. Such participation not
only improves employee commitment to PSM, but makes the implementation process more effective. The
involvement should include employees at all levels of the organization, including operators, maintenance
personnel, supervision and management. The participation should extend to every element of PSM.

PROCESS SAFETY INFORMATION (PSI)

PSI is complete and accurate written information concerning process chemicals, process technology, and
process equipment. It is the information necessary for implementation of all other aspects of PSM. Complete
information on all chemicals involved in the process is required. Process technology includes not only Process
Flow Diagrams (PFDs) and Piping and Instrumentation Diagrams (P&IDs), but operating and storage conditions
as well as operating procedures. Process equipment information should include the underlying codes and
standards relied upon, in addition to information about the specific equipment used in the process.
PROCESS HAZARDS ANALYSIS (PHA)
A PHA is a systematic evaluation of the hazards involved in the process. PHAs are required for initiation of a
process and at least once every five years after that. The PHA team should be multi-disciplinary, including
maintenance, operations, and engineering. There are a variety of methods that can be used to conduct a PHA.
The method selected will depend on the maturity of the process and operational experience, in addition to
process size and complexity.
OPERATING PROCEDURES
Operating procedures include not only the steps for normal operations, but for upset conditions, temporary
operations, start-up, and shutdown. Very important safety information must also be included in operating
procedures. Such information includes basic hazards of exceeding operational limits, appropriate response to
upset conditions, safety and health information, and emergency operations. The procedures need to be up to
date and reliable. They are also a critical element in training of personnel.
TRAINING
Training is required for all employees new to a process before they become involved in that process. Training
requirements extend beyond operating personnel to anyone involved in the process. This would normally
include at least maintenance personnel and, possibly, contractors.
The training must include the hazards of the chemicals and process and what is necessary to protect
themselves, their fellow employees, and their surrounding communities. Training should be both
written/classroom and hands-on. Employers must evaluate the effectiveness of training and make adjustments
to content and frequency of training based on those evaluations.
CONTRACTORS
Employers using contractors need to ensure that use of those contractors will not jeopardize the safety of
operations. This starts with the selection process, where the employer needs to evaluate the safety
performance and capabilities of potential contractors. Once selected, the employer must make sure that
contractor employees have the appropriate skills and training to perform their work safely. The employer must
also provide contractors with sufficient information/training to perform their jobs safely. Ongoing, the employer
should keep a log of contractor injuries and illnesses (in addition to its own employees) and periodically
evaluate the safety performance of its contractors. The contractors themselves also have various
requirements, including ensuring that all of their employees are appropriately trained or informed to perform all
of their responsibilities.
PRE-START-UP SAFETY REVIEW (PSSR)
The Pre-Start-up Safety Review is done before start-up of a new operation or start-up following a change in the
process (see ‘Management of change’). It is a means for ensuring that all essential action items and
recommendations from the PHA have been completed prior to beginning operations. It is also the point at
which the design parameters and standards used for construction are verified. If training or modifications to PSI
are necessary, completion of these items is also verified during the PSSR. Start-up should not be allowed to
occur until all safety-critical PSSR items have been completed.
MECHANICAL INTEGRITY
Employers are required to have a written program to ensure the integrity of processes and equipment. Aspects
include listing applicable equipment, training of maintenance personnel, inspection and testing, and
maintenance of such systems as controls, vessels, piping, safety systems, and emergency systems.
Development and modifications to the mechanical integrity program should be made based on operational
experience, relevant codes, and industry standards.
HOT WORK PERMITS
Hot work permits must be issued for any work to be performed on, or near, a PSM-covered process. While the
OSHA standard specifically lists hot work, permits should be developed for any non-routine work to be
performed in or around PSM covered processes. In addition to hot work, this could include line breaking,
confined space entry, work over water etc. Again, while the standard is titled ‘permit’, it really means an entire
procedure covering all hazards of the work to be performed.

MANAGEMENT OF CHANGE (MOC)

‘Change’ includes anything that would require a change in process safety information. This includes changes to
equipment, processes, and instrumentation (‘replacements in kind’ may be excluded). A proper MOC system
requires that any change be evaluated prior to its implementation. The level of evaluation can depend on the
degree of change and its criticality to the safety of the operation. In addition to the evaluation and approval of a
change, MOC requires that suitable training be conducted (if necessary) and the relevant PSI be updated.
INCIDENT INVESTIGATION
Incident investigation is required for any incident that did, or could have, resulted in a significant release of a
PSM-covered chemical. There are very specific requirements for the timing of an investigation, the makeup of
the investigation team, the resulting report, and the use/dissemination of the information obtained. The
investigation should determine the root cause(s) of an incident.
EMERGENCY PLANNING AND RESPONSE
Employers are required to develop and implement an emergency action plan for the entire plant, not just the
processes covered by PSM. It needs to address the actions to be taken in response to the release of any PSM-
covered chemical. The plan needs to be comprehensive, including notification to emergency responders,
operational responses such as shutdown, and precautions to protect other employees and the public.
COMPLIANCE AUDITS
Compliance audits must be conducted at least once every three years. The purpose of the audits is to
determine whether the practices and procedures developed under the provisions of the PSM standard are
being followed and are effective. The auditor(s) must be knowledgeable in PSM and should be impartial to the
facility being audited. An audit report must be developed and the employer must promptly respond to each of
the findings. Once deficiencies are corrected, the corrective action must also be documented.
TRADE SECRETS
The trade secrets provision of PSM requires that the employer provide all information necessary to comply with
PSM to all persons who need it. This does not preclude the employer from taking steps necessary to safeguard
the integrity of any information disclosed. It merely prohibits the employer from using trade secrets as an
excuse not to provide information to either employees or contractors.
THE SPACING OF OPERATING PLANT
Plant layout is often a compromise between a number of factors such as:
 The need to keep distances for transfer of materials between plant/storage units to a minimum to reduce
costs and risks.
 The geographical limitations of the site.
 Interaction with existing or planned facilities on site such as existing drainage and utilities routings.
 Interaction with other plants on site.
 The need for plant operability and maintainability.
 The need to locate hazardous materials facilities as far apart as possible from site boundaries and people
living in the local neighbourhood, for example, Buncefield, Flixborough.
 The need to prevent confinement where release of flammable substances may occur.
 The need to provide access for emergency services.
 The need to provide emergency escape routes for on-site personnel.
 The need to provide acceptable working conditions for operators.
To avoid aggregation and trapping of flammable/toxic vapours which could lead to a hazardous event, buildings
should be designed so that all parts of the building are well ventilated by natural or forced ventilation.
Flammable storages should be sited in the open air so that minor leaks or thermal out-breathing can be
dissipated by natural ventilation. Maintenance procedures should include the displacement of vapours from
hazardous areas before work begins.
The most important factors of plant layout as far as safety aspects are concerned are those to:
 Prevent, limit and/or mitigate escalation of adjacent events (domino).
 Ensure safety within on-site occupied buildings.
 Control access of unauthorised personnel.
 Facilitate access for emergency services.
CONTROL ROOMS, TEMPORARY REFUGE AND CRITICAL ASSOCIATED SAFETY SYSTEMS
The main buildings occupied by personnel on an offshore platform include the control rooms and the
accommodation modules.
There are two major aspects of control room design that should be taken into account:
1) The suitability of the structure of the control room to withstand possible major hazards events.
2) The layout of control rooms and the arrangement of panels, VDUs etc. to ensure effective ergonomic
operation of the plant in normal circumstances and in an emergency.

Buildings should be designed to withstand an overpressure that will ensure that risks to individuals within the
building are kept below acceptable limits.
In consideration of toxic gas releases the control room should provide a safe haven for its occupants. This will
include arranging that the building is adequately sealed to prevent ingress of gases to levels of concentration
that will affect the health and thereby the ability of the operators to maintain control of the plant. Careful
consideration of the building ventilation system is required to ensure that air intakes are situated away from
areas that may be affected or to arrange that there is no air intake during an incident, preferably by closure of
an automatic valve linked to a gas analyser.
Measures for protection from fires should ensure the control room will withstand thermal radiation effects
without collapse and that smoke ingress is controlled.
The accommodation module of an offshore platform will usually form part of the temporary refuge (TR) for the
platform. The accommodation module will ideally be positioned away from any explosion source and will, at
worst, be subjected to blast loading from a distant explosion which will typically consist of a steep sided
pressure pulse of short duration.
The guidance in the Safety Case Regulations prescribes that an endurance time for the TR of at least one hour
is required.
The external module cladding is rated to meet well defined jet fire conditions. Where these walls are subject to
blast, they are required to meet these requirements after blast.
The building should be able to withstand the ingress of toxic gases or smoke following any fire or explosion.
The Heating Ventilation and Air Conditioning (HVAC) system should automatically isolate the module from toxic
gases. The personnel within the TR should be able to gain access to the primary means of escape.
Management of change controls
The failure to manage change has been a critical factor in several major accident incident scenarios. The
destruction of the Nypro UK site (1974) at Flixborough was a prime example of a lack of effective management
of change. Other examples include: Texas City Refinery, USA (2005); Buncefield Storage Depot UK (2005);
Mumba High Platform, India (2005); Deepwater Horizon, Gulf of Mexico, USA (2010).
RISK ASSESSMENT AND AUTHORISATION
The UK Chemical Industries Association Safety Advisory Group outlines the following good practice related to
plant modification/change procedures:
 Members of staff must be aware of the hazards associated with the work they carry out and be able to
determine that the risks involved are acceptable.
 Risk assessment must be carried out to determine the possibility and consequence of the hazards being
realised; if necessary, appropriate precautions must be taken to minimise the risk.
 All modifications - whether involving procedures, plant and equipment, people or substances - should be
subject to formal management procedures.
Good industry practice requires that process and plant modifications should not be undertaken without having
undertaken a safety, engineering and technical review. This review should be traceable and identify changes
proposed to the following factors: process conditions; operating methods; engineering methods; safety;
environmental conditions; engineering hardware and design.
In process safety management, change includes all modifications to equipment, procedures, raw materials, and
processing conditions other than ‘replacement in kind’. These changes must be properly managed by
identifying and reviewing them prior to implementing them. For example, the operating procedures contain the
operating parameters (pressure limits, temperature ranges, flow rates, etc.) and the importance of operating
within these limits.
While the operator must have the flexibility to maintain safe operation within the established parameters, any
operation outside of these parameters requires review and approval by a written management of change
procedure.
Management of change also covers changes in process technology and changes to equipment and
instrumentation. Changes in process technology can result from changes in production rates, raw materials,
experimentation, equipment unavailability, new equipment, new product development, change in catalysts, and
changes in operating conditions to improve yield or quality.
Equipment changes can be in materials of construction, equipment specifications, piping pre-arrangements,
experimental equipment, computer program revisions, and alarms and interlocks.
Temporary changes have caused a number of catastrophes over the years, and employers must establish ways
to detect both temporary and permanent changes. It is important that a time limit for temporary changes be
established and monitored since otherwise, without control, these changes may tend to become permanent.
Temporary changes are subject to the management of change provisions. In addition, the management of
change procedures are used to ensure that the equipment and procedures are returned to their original or
designed conditions at the end of the temporary change. Proper documentation and review of these changes

are invaluable in ensuring that safety and health considerations are incorporated into operating procedures and
processes.
Employers should develop formalised written procedures to support management of change authorisation forms
to facilitate the processing of changes.
A typical change form may include a description and the purpose of the change, the technical basis for the
change, safety and health considerations, documentation of changes for the operating procedures,
maintenance procedures, inspection and testing, plant and instrumentation diagrams (P&IDs), electrical
classification, training and communications, pre-start-up inspection, duration (if a temporary change), approvals,
and authorisation.
Where the impact of the change is minor and well understood, a check list reviewed by an authorized person,
with proper communication to others who are affected, may suffice.
For a more complex or significant design change, however, a hazard evaluation procedure with approvals by
authorised personnel (for example, technical process or engineering personnel) is necessary. Changes in
documents such as P&IDs, raw materials, operating procedures, mechanical integrity programs, and electrical
classifications should be noted so that these revisions can be made permanent when the drawings and
procedure manuals are updated.
COMPETENCE IN MANAGEMENT OF CHANGE
Competence plays a very important role in the management of change process. For a person to be competent,
they need qualifications, experience, and qualities appropriate to their duties.
These include:
 Such training that would ensure acquisition of the necessary knowledge of the field for the tasks that they
are required to perform.
 Adequate knowledge of the hazards associated with those tasks.
 The ability to communicate effectively.
 An appreciation of their own limitations and constraints.
Competence is at all stages of the management of change process. For example, with respect to those
persons who need to:
 Justify and estimate the effects of the change, to ensure the change will not have an adverse effect on the
process, for example, the technical process/mechanical/design engineers.
 Approve/authorise the change, for example, technically qualified managers.
 Implement the change, for example, maintenance personnel; contractors; process operators.
 Periodically carry out verification checks/audits on the management of change process.
 Case Study - Flixborough

The incident
At about 16:53 hours on Saturday 1 June 1974 the Nypro (UK) site at Flixborough was severely damaged by a
large explosion. 28 were killed and a further 36 suffered injuries. It is recognised that the number of casualties
would have been more if the incident had occurred on a weekday, as the main office block was not occupied.
Offsite consequences resulted in 53 reported injuries. Property in the surrounding area was damaged to a
varying degree.
Prior to the explosion, on 27 March 1974, it was discovered that a vertical crack in reactor No.5 was leaking
cyclohexane. The plant was subsequently shutdown for an investigation. The investigation that followed
identified a serious problem with the reactor and the decision was taken to remove it and install a bypass
assembly to connect reactors No.4 and No.6 so that the plant could continue production. During the late
afternoon on 1 June 1974 a 20 inch bypass system ruptured, which may have been caused by a fire on a
nearby 8 inch pipe. This resulted in the escape of a large quantity of cyclohexane. The cyclohexane formed a
flammable mixture and subsequently found a source of ignition. At about 16:53 hours there was a massive
vapour cloud explosion which caused extensive damage and started numerous fires on the site.
Technical failures included:
- A plant modification occurred without a full assessment of the potential consequences. Only limited
calculations were undertaken on the integrity of the bypass line. No calculations were undertaken for
the dog-legged shaped line or for the bellows. No drawing of the proposed modification was produced.
- No reference made to any design codes.
- No pressure testing was carried out on the installed pipework modification.
- Control room design: not structurally designed to withstand major hazard events.

2.3 - Role and purpose of a permit-to-work system

Introduction
An integral part of a safe system of work, a permit-to-work system is a formal, recorded process used to control
work which is identified as potentially hazardous. Such work is generally ‘non-routine and high risk’.
The permit-to-work system should ensure that authorised and competent people have thought about
foreseeable risks and that such risks are avoided by using suitable precautions. The site occupier for onshore
installations and the duty holder for an offshore installation should, as appropriate, ensure that a senior
manager is assigned responsibility to ensure an appropriate permit-to-work system is introduced and
maintained.
The key features of a permit-to-work system
A permit-to-work system should be fully documented, and include:
 How the system works.
 The jobs it is to be used for.
 The responsibilities and training of those involved.
 The arrangements for checking its operation.
Essential features of permit-to-work systems are:
 Clear identification of the tasks requiring a permit-to-work.
 Responsibilities of issuing/authorising and recipient/performing authorities (and any limits to their authority).
 Training requirements for the authorising and performing authorities.
 Details of monitoring and auditing requirements to ensure that the system works as intended.
An effective permit-to-work form should:
 Clearly describe the task to be performed.
 Indicate the date, location and equipment to be worked on.
 Identify the permit validity time (for example: 1 shift; 1 day).
 Identify any isolations that may be required (for example: electrical, mechanical).
 Identify any residual hazards, and the precautions required (for example, gas testing; personal protective
equipment).
 Cross reference any other activities, or isolations, that may be relevant for the equipment being worked
upon.
 Make provision for permit extensions.
 Incorporate provision for permit hand back and cancellation.
The above elements are completed by the issuing authority (normally the person responsible for the operational
area for which the permit is being issued), who will also ensure that:
 The work area has been inspected before work commences.
 Other personnel that may be affected by the work have been informed.
 The permit conditions are agreed and made clear to the performing authority.
 The permit is signed by both issuing and performing authorities.
 Permit compliance is monitored for the period of the job.
Managers or supervisors should not rely solely on scrutinising forms to see whether they have been completed
properly, but should carry out additional checks of issuer’s forms on a sample basis. Careful consideration
should be given to the number of signatures required for a permit. Signatures or ‘initials’ should only be
required where they add value to the safety of the work undertaken, and those signing permits or supporting
documentation should have specific training and authorisation from the company.
During the Piper Alpha inquiry it was found that contrary to the written procedure, the performing authority’s
copy of the permit was frequently not displayed at the job site, and was commonly kept in the performing
authority’s pocket. Lord Cullen made a specific recommendation on this point: “Copies of all issued permits
should be displayed at a convenient location and in a systematic arrangement such that process operating staff
can readily see and check which equipment is under maintenance and not available for operation.”
Where the potential for harm is considered to be particularly high, the permit should be seen by a second
person (the permit authoriser) before issue, i.e., the authorisation procedure should be more rigorous. In any
case, a person should not issue a permit to themselves. A permit-to-work system is a formal recorded process
used as means of communication between site/installation management, plant supervisors and operators and
those who carry out the hazardous work.
As part of their duties, assigned by the site occupier for onshore installations and by the duty holder for offshore
installations, the site or OIM should ensure that all work requiring a permit-to-work is identified and only issued
by those authorized to issue them.

The performing authority is responsible for:

 Overall control of the work activity.
 Ensuring that the hazards and precautions stipulated on the permit are communicated to his team
members.
 Ensuring that the precautions are followed and maintained.
 Ensuring that only work specified on the permit is carried out.
 Ensuring that the permit hand back is completed on completion of the task.
Interfaces with adjacent plant
It is important to make sure that one activity under a permit-to-work does not create danger for another, even if
the other work does not require a permit-to-work. Those involved with the issue of permits-to-work should be
aware of potential interaction, and should ensure that when a permit is prepared, the work to be carried out
takes account of other activity currently planned or underway. It may be that the interacting activities are
covered by separate responsible authorities, in which case close liaison will be necessary, for example, through
cross-referencing on the permit.
In the permit-to-work system in place at the time of the Piper Alpha disaster, there was no cross-referencing
when the work carried out under one permit affected the work under another. Reliance was placed on the
memory of the designated authority.
Interfaces with contractors
The client company is responsible for operational health and safety; irrespective of where its resources come
from i.e. its own staff, contract, subcontract or agency staff or self-employed workers. The client should ensure
that contractors:
 Understand the permit-to-work systems and other arrangements that apply to the particular locations at
which they or their employees are to work.
 Are properly trained, and understand the permit-to-work systems and any other specific arrangements
made for a job, area or location in which they are to work.
A major vapour cloud explosion at a chemical complex in Passadena, USA in 1989 killed 23 people and injured
300. The incident occurred during maintenance work on a reactor vessel which was being carried out by a
maintenance contractor. During the investigation, it was discovered that there was no effective permit-to-work
system in operation that applied to both company employees and contractors. This lack of an effective system
led to a communication breakdown and work taking place on un-isolated plant.
Sites and installations should give particular attention to the permit-to-work system during combined or
simultaneous operations to ensure that work undertaken does not compromise safety, for example, by a mobile
drilling unit or support vessel. Combined operations may require the interface of electronic permit-to-work
systems (discussed below) with paper-based systems to enable permits to be transmitted or authorised by
remote sites.
TYPES OF PERMIT
Permits to work are typically used for the following activities:
 Hot work.
 Work on electrical systems.
 Work on machinery.
 Excavation work.
 Work over water.
 Diving work.
 Confined space entry work.
 Work with ionising radiation.
 Work with asbestos.
There are typically three copies of a permit-to-work issued:
1) One to be kept at the work site, or with the performing authority.
2) A copy to be kept on display in the control room.
3) A copy to be kept with the issuing authority.
Permits-to-work should be retained at site by the issuing authority for at least 30 days after completion, and
then archived for a period (specified by the location) to enable an effective monitoring and audit process.
Electronic permits
Permits can be produced electronically and a number of companies are using this type of system. There may
be advantages in reducing the amount of paperwork associated with the permit process. However, before
introducing an electronic permit system operators must be sure that:
 A suitable system is in place to prevent unauthorised issue or acceptance, for example, password-protected
electronic signatures.

 Permits cannot be issued remotely without a site visit.

 Systems are in place to prevent permits already issued from being altered, without the alterations being
communicated to all concerned.
 The facility exists for paper permits to be produced for display at the job site.
 Training is provided to ensure that operators assess the specific job and do not rely on ‘cutting and pasting’
existing sections from other permits.
 Back-up systems are available in the event of a software failure or power outage.
Lock out, tag out and isolation procedures
The effectiveness of an isolation system depends on the adequacy of other arrangements, including work
control systems (especially permit-to-work), operating procedures, training and competence, management of
change and contingency plans.
At an early point in the design process (intrinsic safety approach) the client should specify the intentions for
normal and alternative mode(s) of operation, sparing of equipment, and the equipment maintenance strategy.
Where possible, this should anticipate the intended lifecycle of the plant, including foreseeable modifications
(for example, addition of equipment).
This philosophy should be documented and will determine the plant’s outline isolation requirements. Any
proposed deviation from the agreed design basis once the plant is operational should be justified through risk
assessment before alternative isolation arrangements are used.
Any intrusive activity could allow the escape of hazardous substances. The implementation of adequate
isolation practices is critical to avoiding loss of containment. Whenever possible, isolation should be minimised
by planning intrusive maintenance for shutdown periods. When maintenance work has to be carried out on live
plant a high standard of management supervision will be required.
Lock out, tag out, often known as LOTO in the oil and
gas sectors is a safety procedure that ensures that
any piece of equipment being worked on cannot be
inadvertently powered up or started in any way while
workers are repairing it.
LOTO involves the isolation of all energy sources; a
means of ensuring inadvertent re-energisation; and an
adequate means of warning (usually in the form of a
tag or label).
LOTO is concerned with the isolation of all types of
energy source, including:
 Electrical supplies.
 Pneumatics.
 Hydraulics.
 Steam. Figure 2-1: Removal of LOTO. Source: www.roughneckcity.com.
A designated worker on each shift (for example, usually the motorman on an oil rig) is in charge of the locks
and tags.
To begin, the designated worker must notify the Rig Manager, Driller and all workers on the location of the lock
out before the procedure begins; only then can the shut down and lock out the equipment to be worked on take
place.
Examples of lock out would be:
 When working on mud pumps. After the mud pumps are shut down and locked out it is important to ensure
a relief valve (usually a 2") is open to relieve any pressure trapped in the pumps or mud lines. When this is
done and all potential stored energy hazards are relieved, the isolated equipment should then be tested by
turning on the Start/Run switch to confirm that the equipment is 100% locked out.
It is important to remember that, before work begins, all stored energy in the equipment must be released (for
example, by venting, draining).
ENSURING SAFE ISOLATION, LOCK OUT AND TAG OUT
Isolation steps can be summarised as follows:
 Shutdown the machinery or equipment to be worked upon.
 Isolate the equipment from its energy source (for example, steam, air, hydraulics).
 Dissipate any stored energy (for example, vent, drain).
 Lockout and tag out the energy isolating devices with assigned locks and tags.
 Confirm that the isolation is effective (for example, by pressing the starter button on an electrically driven
pump).

The equipment is now locked out or tagged out. For activities where more than one person may have to work
on a piece of equipment, a ‘multi lock’ may have to be fitted on a main electrical isolator (see figure ref 2-2).
This lock accepts a number of individual padlocks, which are fitted by each individual who works on the
equipment, with each person retaining the key for their own lock.
Removing locks and tags
Before returning the equipment to service; checks should be made to ensure that all tools, spare parts, etc.
have been removed. Also, ensure that all safety guards are in place, that all workers are notified and clear of
the equipment. Only then should the locks be removed, power restored and checks to confirm that the
equipment is functioning correctly. It is important to remember that only the person locking equipment out has
the key to unlock it. If that person is not available (perhaps because of a shift change), for an oil rig, the key
should be left with the Rig Manager and the relief supervisor and the relieving driller notified of the work that is
being performed. No equipment should be unlocked without these basic procedures being followed.
FORMS OF MECHANICAL ISOLATION
Valves
The simplest form of isolation device, standard use for
process plant and pipelines suitable for all fluids at all
pressure ranges. Valves may not give tight shut-off
due to seal damage, and require locking off to prevent
inadvertent operation.
Locking-out equipment is not always a straight-forward
procedure and at times requires careful analysis and
consideration (see figure ref 2-2). In this situation the
valve handles had to be removed and then chains and
a lock and tag were put in place. Figure 2-2: Locking out equipment. Source: www.roughneckcity.com.
SPADES AND SPECTACLE PLATES

Here a solid plate known as a ‘spade’ is inserted between pipe flanges, and is standard use for process plant
and pipeline isolation. It is suitable for all fluids over a range of pressure ratings. They give positive isolation
with a clear indication of presence. However, it requires intrusion into the process to break and make joints.
Long length of pipes often means such isolations may be remote from the worksite, making control more
difficult.
Figure 2-3: Spades and spectacled plates. Source: HSE HEG 2563.
SPECIALIST ISOLATION TECHNIQUES
There are a number of specialised mechanical isolation techniques that can be used. These include:
 Squeeze off.
 Foam bagging.
 Pipe stoppers.
 Pipe plugs.
 Inflatable bags.
 Pipe freezing.
 Hot tapping and stopping.
 Pigs.
These techniques are often used when valve or spade isolation is not possible, or is not practicable.
Squeeze off
Here the isolation is achieved by the pipe being squeezed together using a mechanical or hydraulic clamp to
stop the flow. It is a specialist technique used for temporary isolation of low and medium pressure gas network

polyethylene pipe work. A relatively cheap simple technique, but it is only suitable for use on polyethylene pipe
work. The technique causes physical deformation and further squeeze offs should not be carried out within
specified limits along the same length of pipe. Suitable only for low pressure systems.
Foam bagging
Foam bagging is another specialist technique, whereby foam is injected into a semi-porous bag, previously
inserted into the pipe work; the method requires specialist equipment and training. It is used for low and
medium pressure gas network for cast iron, ductile iron and steel mains particularly for stopping tapered,
vertical or non-standard diameter pipe and can be inserted without decommissioning the pipeline. The
technique can be used when there is insufficient room to carry out a conventional mains isolation. It is a low
cost option for abandonment of mains or services, but not suitable for temporary isolations. A second method
of isolation must be used if the technique is to form a permanent isolation, for example, an end cap or blank.
Pipe stoppers
Pipe stoppers are a form of low differential pressure sealing plugs, suitable for process plant and pipelines
stoppers are primarily used as a secondary seal. Low cost, simple to use, but does not provide external
indication of isolation. Requires open end to access pipeline but they are only suitable for low differential
pressure and care must be exercised to ensure correct fitment for the full duration of the isolation, i.e.
continuous monitoring is required.
Pipe plugs
Pipe plugs are a single multi-seal plug (or a number of plugs in combination) suitable for use in process plant
pipelines to provide an effective leak-free barrier. Pipe plugs are of limited application; they require an open
end to access the pipeline; if control lines are damaged they can become stuck within the pipe. They are
normally used for short-term isolations. If used as a primary isolation technique, sufficient redundancy and
independence should exist within or between plugs so that failure of a part of the sealing system does not
cause total loss of sealing capability. Pipe plugs must be suitable for use with the fluid and rated to the required
pressure. Care must be exercised to ensure correct fitment for the full duration of the isolation i.e. continuous
monitoring is required. It is a medium cost, specialist technique which requires specific training.
Figure 2-4: Pipe line plug. Source: HSE HEG 2563.
Inflatable bags
Inflatable bag are inserted through relatively small holes cut into the pipe wall, prior to being filled with air or
nitrogen, to affect a seal. They are used in pairs with a vent between bags or can be used singly as a
secondary seal, but are only suitable for use on low differential pressure isolation systems, for example, low
pressure gas pipelines.
Inflatable bags require constant monitoring as bags can suddenly deflate and may be damaged when being
installed through the hole which has been cut or by swarf (metal shavings) left in the pipe. Bag materials may
be damaged by some fluids (for example, mercaptans). Specific care must be taken when hot work is being
undertaken close to inflated bag isolation. They provide flexible location of isolation and are available in a large
range of sizes.
The system allows flow of fluid to be maintained if a bypass is fitted and the pipeline does not need to be
decommissioned, but requires completion plugs to be fitted to pipelines. It is medium cost, requires specialist
equipment and trained personnel, but is only suitable for low differential pressure isolations.

Pipe freezing
The fluid within the pipe is frozen to form a solid plug.
To achieve this coolant (solidified or liquefied gas) is
used around the outside of the pipe wall. The
technique does not require intrusion into the pipe
work. The choice of location for isolation is flexible
and can be used on non-standard pipe diameters.
Expense and complexity of technique varies
dependent on fluid, pipe diameter and flow rate
specialist operator training is required.
The technique is suitable for process plant and
pipelines and service liquids such as those which are
water based (using carbon dioxide as coolant);
hydrocarbons, acids, alkalis, chlorides, ammonia, etc.
(using liquid nitrogen as coolant).
Continual monitoring is required since the plug may
move/melt leading to failure of the isolation. Pipe
materials, joints and components can be adversely
affected by the freezing operation. Failure to equalise
the pressure across the plug can result in physical
damage to the pipe work and when the plug thaws
propulsion of it along the pipe. Figure 2-5: Pipe line freezing. Source: HSE HEG 2563.
Hot tapping and stopping

Hot tapping and stopping is a technique suitable for use on most steel pipelines of a wide range of diameters,
including subsea installations. The method may be used for plugging a pipe which is still subject to service
pressure; or to isolate a section of pipe and allow continued operation to be maintained by diverting the fluid
through a temporary bypass. Installation can be made without the need to decommission the pipeline and
provides flexibility in location of isolation, but requires tee and other fittings to be welded onto the pipe. The
technique requires specialist equipment and trained personnel and the use of high integrity welding and
inspection techniques. The operation must be carefully controlled to prevent thermal build-up within the service
fluid or interconnecting spaces. The method is not appropriate for systems containing chlorine, oxygen,
hydrogen, hydrogen sulphide or hydrogen fluoride. Welded or bolted fittings and blanks remain on the pipeline
when no longer required; a relatively expensive specialist technique.
PIGS
Pigs are a dynamic isolation scheme that may be used to isolate, clean or inspect a pipeline. For isolation they
may be used in series separated by slugs of nitrogen, diesel, glycol, water (or a combination of inert fluids) to
form a pig train. Can withstand some differential pressure (a few bars) before train starts to move, but is a
relatively expensive technique which requires specialist equipment and trained personnel once more.
2.4 - Key principles of safe shift handover

Introduction
Effective communication is important in all organisations when a task and its associated responsibilities are
handed over to another person or work team. This can occur at shift changeover, between shift and day
workers, or between different functions of an organisation within a shift, for example, operations and
maintenance.
Oil and gas exploration and production are continuous 24-hour operations. Personnel typically reside on the
offshore installation for 2-4 week periods, working alternating 12-hour shifts. Poor communications and
handover have been a factor in many major accidents (for example, Piper Alpha). The objective of handover is
the accurate reliable communication of task-relevant information across shift changes or between teams
thereby ensuring continuity of safe and effective working. Communications should be both verbal and written.
Effective handover consists of three elements:
1) A period of preparation by out-going personnel.
2) Handover where out-going and in-coming personnel communicate to exchange task-relevant information.
3) Cross-checking of information by in-coming personnel as they assume responsibility for the task.
Accidents with contractors can be caused by poor communication and supervision - when site personnel do not
know there is a contractor working nearby and when contractors do not know the dangers on site.

The following case study is taken from ‘HSE, HSG159: Managing contractors: A guide for employers’.
 Case Study - Contractor injured in fall

Contractors had been called in to replace some damaged pipework lagging. They needed to work high up and
access was difficult. They ended up working from a ladder which was leaning against a tank. During the middle
of the morning one of the contractors fell from the ladder.
Injury: He landed on some nearby plant and suffered serious internal injuries, but eventually
recovered.
The company said: We expected them to come in and finish the job yesterday but they didn’t turn up. We
didn’t even know they were on site this morning.
The contractor said: Our men couldn’t finish the job yesterday as the weather was too bad.
The company said: We didn’t know they were working from a ladder - we would have expected them to put
up some scaffolding or use a mobile elevating work platform. It was difficult to get to the
pipe.
The contractor said: The company didn’t include this section of pipework in their original request - it was an
add-on when they realised the problem was more widespread.
What went wrong? Communication with the contractors was poor. They were left to get on with it and the
company didn’t even know when they were on site. The job changed and no one
considered the risks. The contractors’ method of working was unsafe.
Shift handover
Effective communication is important in all organisations when a task and its associated responsibilities are
handed over to another person or work team. This can occur at shift changeover, between shift and day
workers, or between different functions of an organisation within a shift, for example, operations and
maintenance. The goal of a handover is the accurate reliable communication of task-relevant information
across shift changes or between teams thereby ensuring continuity of safe and effective working. Effective
handover consists of three elements:
1) A period of preparation by out-going personnel.
2) Handover where out-going and in-coming personnel communicate to exchange task-relevant information.
3) Cross-checking of information by in-coming personnel as they assume responsibility for the task.
Many accidents have occurred because of failure of communication at shift handover; the majority of these
involved planned maintenance work. The Cullen Report concluded that one of the many factors which
contributed to the Piper Alpha disaster was failure of transmission of information at shift handover. Specifically,
knowledge that a pressure safety valve had been removed and replaced by a blind flange was not
communicated between shifts. Lack of this knowledge led to the incoming shift taking actions which initiated
the disaster.
Many continuous process tasks are characterised by long system response times between process alterations
and effects. Actions may not have their effects until subsequent shifts. Without adequate communication of
information at shift handover, diagnosis of effects resulting from actions on previous shifts is problematic.
Amongst the distinctive features of offshore facilities are their geographical isolation and unusual shift patterns.
All or part of the crew may leave the facility in a short period of time. Clarification of issues not adequately
recorded or communicated at shift handover is therefore potentially problematic. Significant fluctuations in
alertness and performance have been observed over two-week offshore shift cycles, the most marked and
adverse effects occurring during the shift-change phase. Furthermore, offshore workers can be exposed to
high noise levels, both on and off-duty, which increases potential for misunderstood verbal communications.
Two-way with both participants taking joint responsibility
The review of communication theory indicates that to ensure effective shift handover communication
organisations should:
 Give effective shift handover communication a high priority.
 Pay particular attention to handovers which occur when staff has returned following a lengthy absence from
work; during plant maintenance; during deviations from normal working; and when handovers take place
between experienced and inexperienced staff.
 Specify key information needed by the incoming operator to update their mental model of plant status.
 Use operator supports (logs, displays etc.). Designed on the basis of the operator's information needs.
 Include communication skills in their selection criteria for shift-workers.
 Develop the communication skills of existing staff.

Key principles in handover

The handover procedure should ensure that the incoming shift is aware of any outstanding permit-controlled
jobs, the status of those jobs, and the status of the plant. Work-in-progress should be left in a condition that
can be reliably communicated to, and understood by, the oncoming shift. A permit log, permit file or display
boards are ways of recording on-going permits.
It is essential that there is good communication between incoming and outgoing issuing and performing
authorities and it is recommended that the incoming issuing authority signs to allow the continuation of a permit
to ensure they are fully aware of their existence and requirements.
Shift handover should be:
 Conducted face-to-face (for example, in control room).
 Two-way, with both participants taking joint responsibility (for example, relaying information; seeking
clarification).
 Done using both verbal and written communication (for example, log books).
 Based on an analysis of the information needs of incoming staff (for example, after prolonged absence;
experience of incoming operator).
 Given as much time and resource as necessary (for example, dependent on state of the process; amount of
maintenance work on previous shift).
Key operational issues to be covered at shift handover, include:
 Operational status of the process.
 Changes of operation required during the forthcoming shift.
 Emergencies or abnormal events that occurred during the shift.
 Completed maintenance activities.
 Maintenance activities started but not completed (plant out of service).
 Details of any overrides that have been put in place.
 Permit-to-work status.
 Any forthcoming preparation work that will be required.
 Any routine operational task for the forthcoming shift (for example, fire deluge checks).
 Emergency drills planned for the forthcoming shift.
Formal handover check sheet
Key communication of operational plant status should not rely solely on the memory of the parties involved in
the handover process, for example, the outgoing person to recall plant ‘status information’ or the incoming
person ‘to ask specific questions’.
A check sheet should be used at handover and the completed sheet should be retained to evidence that a
structured handover procedure has been carried out.
2.5 - Plant operations and maintenance

Asset integrity
Asset integrity can be defined as the ability of an asset to perform its required function effectively and efficiently
whilst protecting health, safety and the environment. Asset integrity management is the means of ensuring that
the people, systems, processes and resources that deliver integrity are in place, in use and will perform when
required over the whole lifecycle of the asset.
Essential for the integrity of any installation are the safety-critical elements (SCEs). These are the parts of an
installation and its plant (including computer programmes) whose purpose is to prevent, control or mitigate
major accident hazards (MAHs) and the failure of which could cause or contribute substantially to a major
accident.
These include temporary refuge (HVAC systems); fire pumps; deluge systems; gas/fire detectors; blow out
preventer (BOP); relief valves; HIPPS; emergency lighting; emergency communication systems; tannoy system
and emergency shutdown devices (ESD’s).
BARRIERS
The SCEs represent the barriers which prevent, control or mitigate the major accident scenarios. The
maintenance management strategy must be developed to provide assurance that they will be available when
required, they will operate with the required reliability and they be able, as necessary, to survive incidents
against which they are designed to protect.
In the Swiss Cheese Model, see figure ref 2-6, an organisation's defences against failure are modelled as a
series of barriers, represented as slices of Swiss cheese.

Figure 2-6: Swiss cheese model. Source: The Bly Report.

The holes in the cheese slices represent individual weaknesses in individual parts of the system, and are
continually varying in size and position in all slices. The system as a whole produces failures when all of the
holes in each of the slices momentarily align, permitting ‘a trajectory of accident opportunity’, so that a hazard
passes through all of the holes in all of the barriers, leading to a failure.
If the layers are set up with all the holes lined up, this is an inherently flawed system that will allow a problem at
the beginning to progress all the way through to adversely affect the outcome. Each slice of cheese is an
opportunity to stop an error. The more barriers you put up, the better. Also the fewer the holes and the smaller
the holes, the more likely you are to catch/stop errors that may occur.
Maintenance, inspection and testing
MAINTENANCE
In order to ensure equipment does not deteriorate to the extent that it may put people at risk it should be
maintained in an efficient state, in efficient order and in good repair.
The factors that may help to determine the frequency and nature of maintenance include:
 The manufacturer's recommendations.
 The intensity of use.
 Operating environment (for example, the effect of temperature, corrosion and weathering).
 The risk to health and safety from any foreseeable failure or malfunction.
SCE’s of equipment may need a higher and more frequent level of attention than other aspects. This should be
reflected within the maintenance programme.
MAINTENANCE STRATEGIES
Maintenance is any activity carried out on an asset in order to ensure that the asset continues to perform its
intended functions, or to repair any equipment that has failed, or to keep the equipment running, or to restore to
its favourable operating condition. Over the years, many new strategies have been developed and
implemented, with the intention of overcoming the problems related to equipment breakdown.
Some of the common maintenance strategies are as follows:
Corrective maintenance
Corrective maintenance refers to action only taken when a system or component failure has occurred. It is thus
a retro-active strategy. This will not be suitable for SCE.
Preventive maintenance
Equipment is repaired and serviced before failures occur. The frequency of maintenance activities is pre-
determined by schedules. Preventive maintenance aims to eliminate unnecessary inspection and maintenance
tasks, to implement additional maintenance tasks when and where needed and to focus efforts on the most
critical items. The greater the consequence of failure, the greater the level of preventive maintenance that is
justified.

Predictive maintenance
Predictive maintenance refers to maintenance based on the actual condition of a component. Maintenance is
not performed according to fixed preventive schedules but rather when a certain change in characteristics is
noted. (For example, corrosion sensors supplying diagnostic information on the condition of a system or
component.)
Reliability centred maintenance
Reliability centred maintenance (RCM) involves the establishment or improvement of a maintenance program in
the most cost-effective and technically feasible manner. It utilizes a systematic, structured approach that is
based on the consequences of failure. As such it represents a shift away from time-based maintenance tasks
and emphasizes the functional importance of system components and their failure/maintenance history.
INSPECTION
An effective inspection programme is a key element of effective maintenance, and should cover all SCE’s of an
asset. Inspection programmes should be clearly documented. Factors influencing inspection frequency include:
 Where required by national regulations (for example, lifting equipment; pressure vessels).
 After damage, major modification or repair.
 Equipment operating in extreme weather or harsh environments.
TESTING
Testing is required to ensure that SCE continues to meet the required performance standard. In addition,
functionality testing may be required following maintenance (for example, checking the set pressure of a relief
valve). Again, testing of certain equipment may be required under national regulations.
CORROSION PREVENTION
Corrosion is the deterioration of materials by chemical interaction with their environment. It is a natural process
in the sense that the metal is attempting to revert to the chemically combined state in which it is almost
invariably found in the earth’s crust. The term corrosion is sometimes also applied to the degradation of
plastics, concrete and wood, but generally refers to metals. The rusting of ordinary steel is the most common
form of corrosion.
The consequences of corrosion are many and varied and the effects of these on the safe, reliable and efficient
operation of equipment or structures are often more serious than the simple loss of a mass of metal.
Some of the major harmful effects of corrosion include:
 Structural failure or breakdown of equipment.
 Failure of vessels and pipes allowing escape of their contents and possible harm to people, plant,
equipment and the environment.
 Mechanical damage to valves, pumps, etc., or blockage of pipes by solid corrosion products.
Various corrosion control measures are available, one or more of which might be appropriate. The full life-cycle
must be considered as corrosion may occur at any stage. Materials selection, fabrication, shape and cost are
all significant. Corrosion control measures must be able to reduce risk to a quantifiable and appropriate low
level where the consequences of failure are serious. The following measures may be considered:
Corrosion allowance - metal added to the design thickness against general corrosion loss (typically 0.5 mm to
6.0 mm for many engineering purposes). Whilst the progress of depleting the corrosion allowance must be
monitored and recorded, ‘day one’ corrosion thicknesses should be checked as a base-line measurement.
Coatings - the choice of coating is related to its intended function. This can include coating for visual decorative
appearance, temporary coating for transport or storage, using wax, grease or other water repellent, and long-
term corrosion protection, using organic, inorganic or metallic coating systems.
Cathodic and anodic protection - this is the control of metal potentials to reduce the corrosion rate. The
principle of cathodic protection involves the connecting of an external anode to the metal to be protected and
the passing of an electrical current so that all areas of the metal surface become cathodic and therefore do not
corrode. It is suitable for immersed and underground conditions for equipment (for example, pipe lines).
Inhibitors - these are substances added in small concentrations to reduce the corrosion rate. Liquid-phase or
vapour phase varieties are used in closed systems such as central heating, power boilers, sealed packaging.
In petro-chemical process systems having a throughput of process fluids, batch or continuous inhibitor addition
is practised.
Corrosion control and system history - repairs or local changes in a system may alter the requirements for
corrosion inhibitors or chemicals required for process control. Time-related corrosion changes in a system must
also be accounted for; the internal surface of a pipe increases as it is roughened by corrosion. This can
increase the amount of surface active inhibitive chemicals needed to control corrosion.
Quality control
 Confusion of materials must be avoided, especially if repairs are to be carried out in a planned maintenance
programme.

 Where resistance to corrosion depends on correctly applied welding technology, it should be carried out to
appropriately designed and qualified welding procedures.
Corrosion awareness - when corrosion reaches a critical level, it can lead to an expensive or catastrophic
situation. It is important that even those not involved in corrosion control or maintenance should have an
understanding of the application, effects and benefits of a corrosion control programme and how their work may
impact upon its efficiency. Duty holders should ensure they establish and use measurable acceptance criteria
for external corrosion of items such as gratings, bolts, cable trays and valves, rather than rely upon subjective
decisions made by inspectors. The Energy Institute, commissioned by Oil and Gas UK and, in conjunction with
the offshore industry’s Corrosion Management Working Group, has now published its Guidance for Corrosion
Management in Oil and Gas Production and Processing which should be used as a basis for the policy for the
management of corrosion offshore. Inspections should not only focus on safety-critical plant and equipment,
but should also include safety-related plant and equipment.
A clear policy should be established to define roles and responsibilities which failed to clearly identify those
individuals responsible for maintenance of safety-related plant and equipment. The Offshore Division of HSE’s
Hazardous Installations Directorate July 2009 reported: “Ageing is not about how old your equipment is; it’s
about what you know about its condition, and how that’s changing over time.”
This plant was only about 5 years old, but due to poor maintenance was These pre 1940’s riveted pressure vessels remained in good condition
stained in many locations from acid seepage. This made it hard to and successfully operated in service until the 1990’s.
inspect and to know how it was ageing.
Figure 2-7: Plant ageing. Source: HSE - Plant ageing research report RR509.
COMPETENCY AND TRAINING

Asset integrity management needs a high level of competency. It is essential that staff involved not only have
the skills, knowledge and competence to carry out their tasks, but also understand the performance standards
required for the equipment (SCE’s) on which they are working. Many serious incidents have been attributed, in
part, to poor maintenance. Ensuring continued competence of maintenance personnel, helps to minimise the
threat of such incidents.
Risk based maintenance and inspection strategy
The Accident Prevention Institute (API) Publication 581 - Base Resource Document: Risk Based Inspection
(RBI); is an industry specific document designed to be applied to the petroleum and chemical process areas.
The approach recognises that a RBI programme aims to:
 Define and measure the level of risk associated with an item.
 Evaluate safety, environmental and business interruption risks.
 Reduce risk of failure by the effective use of inspection resources.
The level of risk is first assessed by the use of a qualitative analysis; i.e. comparing each plant item with a
ranking in a 5 x 5 risk matrix.
The likelihood of failure is determined from the sum of six weighted factors:
1) Amount of equipment within item.
2) Damage mechanism.
3) Usefulness of inspection.
4) Current equipment condition.
5) Nature of process.
6) Safety design and mechanisms.

The consequence of failure is divided into only two factors:

1) Fire/explosion.
2) Toxicity.
To determine critical plant items for further more detailed analysis a quantitative analysis is generally applied
after the initial review.
Risk is then calculated as the product of each consequence and likelihood for each damage scenario, the total
risk for an item being the sum of all the scenario risks. The inspection programme is then developed to reduce
that risk by determining:
 The type of damage to look for.
 How to look for damage.
 Where to look for damage.
 When to look for damage.
What and where is established from reviewing the design data, process data and the equipment history. How
to look for the damage is decided by reviewing the damage density and variability, inspection sample validity,
sample size, detection capability of method and validity of future prediction based on past observations. When
to look for damage is related to the estimated remaining life of the component.
Techniques, principles and importance of safe operation, standard
operation procedures and maintenance
There have been numerous recorded incidents where human failures have been the major contributing cause
of major accidents. Provision of clear, concise and accurate operating procedures is the most effective
measure to prevent, control and mitigate such events.
Operating procedures should clearly lay down instructions for operation of process plant. They should
represent a definition of good or best practice that should be adhered to at all times.
The technique of writing procedures usually consists of following an established set of step-by-step instructions
and related information needed to help carry out tasks safely. They may include checklists, decision aids,
diagrams, flow-charts and other types of job aids - more on these later. Procedures are not always paper
documents - they may appear as ‘on screen’ help in control system displays. The instructions should be clear,
concise and unambiguous; they should be easy to understand and of course, operators should be trained in
their use. In the major hazard industries, procedures are essential for safe operation:
 To minimise errors/failures.
 To protect against loss of operating knowledge (for example, when experienced personnel leave).
 To standardise working practices for safe operation.
 To ensure maintenance and return of equipment back is carried out correctly.
 To provide a basis for training.
 To meet statutory requirements.
Procedures may range from detailed guidance, through step-by-step instructions, to short checklists. Several
types of procedures may be required for some tasks: those used for training new users will differ from those
used in the field by skilled workers. In order to decide on the level of detail needed in the procedure, there are
several factors that must be considered including the significance of error, the complexity of the task, how often
the task is performed and the competence of the user. Typical procedures may include:
 Standard operating procedures and operating philosophy.
 Abnormal operating procedures.
 Temporary operating procedures.
 Plant trials.
 Emergency operating procedures.
 Commissioning.
 Plant start-up.
 Plant shut-down.
 Manage of change.
Job aids support the successful performance of a task, for example, checklists may be used for complex
isolations or decision aids used to help control room operators’ problem-solving when responding to alarms.
They often take the form of diagrams and flow charts. Job aids reduce the amount of decision-making and
decrease the need to memorise key points. Above all, they should be practical - some companies produce key
information on small laminated cards that can withstand everyday use in an industrial environment.
Often operators have devised their own job aids and these should not be ignored or their use prohibited, as
long as they are safe ways of working. These informal job aids and other useful notes are contained in note
books and are often based on years of operating experience.

Control of ignition sources during maintenance and operations

Hazardous areas on an oil and gas installation (concerning the presence of flammable materials) are ‘zoned’.
This means that fixed sources of equipment (for example, lighting, pumps, motors, switches) in those areas, are
designed to prevent ‘sparking’ during their operation. In other words, should they come into contact with a
flammable material, they cannot ignite the material.
Maintenance work however, is periodically undertaken on or around, live process plant. This work may involve
the use of ignition sources (for example, burning/welding work; grinding; vehicle movements). Such work must
be strictly controlled, to avoid the possibility of fire and explosion. A hot work permit is generally the controlling
document for such activities. The purpose of the permit is to ensure that the equipment to be worked on, and
the area, is free from flammable materials (and will stay that way) for the duration of the work activity.
Cleaning and gas freeing of plant and equipment
The operation of gas-freeing should be distinguished from that of cleaning. Gas-freeing (or purging) means the
removal of flammable gas or vapour from a tank, whereas cleaning refers to the removal of solid and liquid
residues. Cleaning and gas freeing are processes that are applied to tanks, vessels or other equipment (for
example, pumps) in order to prepare them for maintenance activities, such as hot work, confined space entry,
inspection.
Following the draining and or venting of residual material from the equipment, the cleaning and gas-freeing
process can commence.
A tank which has been emptied and gas-freed cannot be assumed to be completely free from flammable or
toxic materials, nor can it be assumed to remain gas-free for other than a limited time. Residues in the form of
sludge, polymers or other solid material may still be present, and flammable material may also be trapped in
cavities and joints. It would be dangerous to assume that because monitoring does not indicate the presence of
flammable vapour, the tank is therefore clean and safe for hot work or for entry. Likewise a tank which has
been cleaned by, for example, washing with water, is not necessarily gas-free, and may require further work to
be done to make it safe. Hot water washing (sometimes as a solution with caustic or detergent), high pressure
water jetting and steam cleaning are commonly used for the removal of residual product.
Steam should be passed freely into the previously-emptied tank, taking care that excess pressure cannot be
generated. The steam should be as dry as possible. Condensate should be allowed to drain from the tank at
the lowest possible point, so that sludge and heavy oils etc. can be carried away. The walls of the tank should
reach a temperature sufficient to ensure removal of residues - the use of steam supplied at 2 bar gauge will
normally be adequate. The tanks should be held at this temperature for at least 30 minutes. The presence of
oil in the condensate after this period will indicate that further steaming is required. When steam cleaning or
high pressure water jetting, the risk of static build up must be considered.
Care should be taken in any steaming operation to ensure that thermal expansion of the tank does not put
undue strain on fixed pipework or fittings, and that a vacuum is not formed when the tank cools. Even a partial
vacuum can cause a tank which is not designed for vacuum conditions to collapse inwards. Tank openings
should therefore be of sufficient diameter to prevent vacuum formation, and should be left open and
unobstructed until the temperature has fallen to ambient. Internal examination can then begin.
Before maintenance activities start, it is necessary to ensure that the equipment is ‘gas free’. Whilst gas-freeing
may be achieved in many cases in the course of steam cleaning, for vessels this may also be achieved by
using educators, air movers or any other suitable equipment that does not create a source of ignition. Such
equipment should be bonded to the vessel’s earthing system.
It is necessary, before hot work commences, to ensure that any gas-freeing and cleaning has been effective.
The instrument normally used for this purpose is the combustible gas detector or explosimeter. This measures
% of the Lower Explosive Limit (LEL) for flammable gases. Before vessel entry is allowed, it is also necessary
to ensure the absence of toxic gases (for example, hydrogen sulphide) and the presence of sufficient oxygen.
The concentration of which should be at least 19%. Oxygen enrichment (greater than 25% in air) is a severe
fire hazard.
PURGING
The main gases used for purging are carbon dioxide, combustion gas, nitrogen. The main difficulty when using
inert gas is to ensure that the gas is uniformly mixed within the tank and that there are no remaining pockets of
flammable mixture. In a large tank the mixing may be predominantly reliant on diffusion, which is a slow
process. Ideally the gas should be introduced at a number of points, simultaneously and at high velocity. The
quantity of inert gas used in a purging operation will depend on the required final oxygen concentration required
in the vessel.
VENTING
During cleaning or gas freeing of tanks, quantities of flammable vapour may be vented from the tank into the
surrounding area. Vapour, which is usually heavier than air, will spill out and accumulate in low-lying and other
poorly ventilated areas and may remain there for some time. It is therefore essential that the control of ignition

sources and the protection against toxic hazards is extended to these areas as well. Gas-freeing and other
operations which involve the venting of substantial quantities of gas or vapour should not be undertaken unless
the surrounding area can be well ventilated and cleared of ignition sources. Particular care should be taken if
the tank is close to the site boundary, as vapour may spread to neighbouring premises.
DRAINING OF WATER, PRODUCT
Some vessels, particularly those used for processing, are provided with an external jacket to allow circulation of
a heating or cooling medium. In some cases this can be a flammable liquid. This can be dealt with by thorough
draining of the liquid followed by filling of the jacket with water to prevent residual liquid or vapour being ignited
by subsequent hot work. In all cases, however, the jacket should be vented to the atmosphere so that heat
from the work does not cause a pressure rise in the jacket.
In the case of tanks equipped with steam coils or electric immersion heaters, it may be necessary to leave the
heat supply in operation during the initial stages of liquid removal, to facilitate pumping. To avoid generation of
flammable vapour, the energy source should always be isolated before the level of liquid falls to within 0.5m of
the heating surfaces or the temperature sensors. In general, waste liquids and other residues should be treated
as hazardous waste and disposed of in consultation with the waste disposal authority for the area concerned.
Relevant environmental legislation covering the disposal of these materials includes the Waste (England and
Wales) Regulations (WEWR) 2011 and the Controlled Waste (Registration of Carriers and Seizure of Vehicles)
Regulations (RCSVR) 1991 as amended.
OXYGEN
Thorough testing of the atmosphere inside the tank is necessary before people are allowed to enter
unprotected. The oxygen concentration in the tank should be at least 19% (normal atmospheric oxygen level is
21%). On no account should oxygen from a cylinder or similar source be added directly to the atmosphere in
the tank, as oxygen enrichment (greater than 25% in air) is a severe fire and toxic hazard.
Sourced and adapted from HSE Guidance Note CS15.
NON-CONDENSABLES (NCD’S)
Gases from petroleum processing units (such as distillation columns or steam ejectors) that are not easily
condensed by cooling; consists mostly of nitrogen, light hydrocarbons, carbon dioxide, or other gaseous
materials. Air consists of a number of NCD’s. They include oxygen, nitrogen, argon and carbon dioxide.
Boiler feedwater contains a small percentage of non-condensable gases in solution. When the boiler water
changes state (liquid to vapour), the non-condensable gases are released and carried with the steam into the
plant. Steam will release the latent energy to the process and condense down to condensate in the heat
transfer area, but the non-condensable gases do not condense. These gases stay in the heat transfer
component unless some method or action removes them.
The presence of NCD gases in a steam system increases corrosion, which bring about costs associated with
excessive consumption of anti-corrosion chemicals and frequent repairs. NCD gases also cause a decrease in
steam pressure and therefore in temperature. Energy transfer being less efficient, the pressure in heat
exchangers must be raised in order to obtain the target temperature. Consequently, it takes more fuel to heat
the product at the required temperature.
NCD’s can also have a serious impact on the system operating conditions, efficiency and lifetime of
refrigeration or air conditioning systems.
INERTING
In cases where gas-freeing and cleaning cannot be carried out, or are impracticable for other reasons, an
alternative procedure for hot work on the outside of a vessel is to make the atmosphere containing the
flammable material non-flammable and non-explosive. This may be done in a number of ways, but the general
principle is to inert the tank atmosphere by the exclusion of oxygen, thereby preventing combustion. Carbon
dioxide and nitrogen are typically used inerting gases.
Another method often used to inert a small tank or drum is to fill it with water, removing any air bubbles in the
process (for example, fuel tanks on vehicles in a recycling plant).
2.6 - Start up and shut down

Associated hazards and controls
HAZARDS
Many potential hazards can be realised during start-up or shut-down of plant or process. Specific operating
procedures should be provided which take account of all eventualities. For some specific plant items, start-up
is known to present particular additional hazards.

Some examples of these are:

 Dryers - when starting up a drying system after maintenance or a plant shutdown, the actual temperature
the dryer might reach before settling out with the control system may result in an increased chance of a
dust explosion.
 Furnaces - explosions may occur if ignition of fuel is delayed.
 Vessels, tanks, reactors - ignition of flammable vapours introduced may occur for systems relying on
elimination of oxygen to prevent explosions, unless inert gas purging is carried out effectively.
 Reactors - start-up of batch reactors after agitator failure may cause an uncontrollable exothermic reaction.
Start-up and shut-down
Many potential hazards can be realised during start-up or shut-down of plant or process. These include:
 The release of stored energy.
 Flammable hydrocarbon release, leading to fires, explosion.
 Toxic gas release (for example, hydrogen sulphide).
 Overpressure of plant and equipment.
 Thermal shock.
 Inadvertent starting of machinery.
Start-up and shut-down procedures should be in place to ensure that plant operations can resume or cease in a
safe and controlled manner. Competent staff and good supervision are key to the effectiveness of such
procedures.
Shut-down controls Start-up controls
 Use of permit-to-work.  All permits closed out.
 Isolation of equipment (electrical, mechanical etc.)  Spades, blanks removed.
and LOTO.  De-isolation of equipment.
 Venting, draining, removal of materials from  Instruments calibrated.
equipment.  Alarms, gas detection systems functional.
 Purging, cleaning of equipment.  ESD’s, flares, relief valves, deluge systems
 Spading or blanking of equipment (use of a functional.
‘spade’ list).  Pressure, leak, integrity testing.
 Ensuring that equipment is ‘gas free’ (for example,  Emergency plans in place.
before hot work or vessel entry).
KICK FORMATION
The downhole fluid pressures are controlled through
the balancing of the hydrostatic pressure provided by
the drilling mud used.
Should the balance of the drilling mud pressure fall
below the pore pressure of the formation fluids (oil,
natural gas and/or water) they will flow into the
wellbore and up the annulus (the space between the
outside of the drill string and the walls of the open hole
or the inside of the last casing string set), and/or inside
the drill pipe. This is commonly called a ‘kick’.
If the blow-out preventer valves do not close the well,
a kick can quickly escalate into a blowout (Gusher)
when the formation fluids reach the surface, especially
when the influx contains gas that expands rapidly as it
flows up the wellbore, further decreasing the effective Figure 2-8: The Lucas Gusher at Spindletop, Texas (1901).
weight of the fluid. Source: The Paleontological Research Institution.
WATER AND HYDRATES PRESENCE AND REMOVAL

In drilling, record water depths are continuously being set by oil companies in the search of hydrocarbon
reserves in deep waters. Due to environmental concerns and restrictions, water based drilling fluids are often
more desirable than oil based fluids, especially in offshore exploration. However, a well-recognised hazard in
deep water offshore drilling, using water based fluids, is the formation of gas hydrates in the event of a gas kick.
In deep-water drilling, the hydrostatic pressure of the column of drilling fluid and the relatively low seabed
temperature could provide suitable conditions for the formation of hydrates in the event of a gas kick. This can
cause serious well safety and control problems during the containment of the kick.
The formation of gas hydrates in water based drilling fluids could cause problems in at least two ways:
 Gas hydrates could form in the drill string, blow-out preventer (BOP) stack, choke and kill line. This could
result in potentially hazardous conditions, i.e. flow blockage, hindrance to drill string movement, loss of
circulation, and even abandonment of the well.

 As gas hydrates consist of more than 85% water, their formation could remove significant amounts of water
from the drilling fluids, changing the properties of the fluid. This could result in salt precipitation, an
increase in fluid weight, or the formation of a solid plug.
The hydrate formation condition of a kick depends on the composition of the kick gas as well as the pressure
and temperature of the system. A combination of salts and chemical inhibitors, which could provide the
required inhibition, could be used to avoid hydrate formation.
Different methods are currently in use for reducing
hydrate problems in hydrocarbon transfer lines and
process facilities. The most practical methods are:
 At fixed pressure, operating at temperatures
above the hydrate formation temperature. This
can be achieved by insulation or heating of the
equipment.
 At fixed temperature, operating at pressures
below hydrate formation pressure.
 Dehydration, i.e. reducing water concentration to
an extent of avoiding hydrate formation.
 Inhibition of the hydrate formation conditions by
using chemicals such as methanol and salts.
 Changing the feed composition by reducing the
hydrate forming compounds or adding non- Figure 2-9: A large gas hydrate plug formed in a subsea hydrocarbon
hydrate forming compounds. pipeline. Source: Petrobras (Brazil).
The most common additives used to prevent hydrate formation are methanol, ethylene glycol, and diethylene
glycol. Methanol injection is very beneficial in cases where a low gas volume does not permit the dehydration
processing. It is also extremely useful in cases where hydrate problems are relatively mild, infrequent, or
periodic, in cases where inhibitor injection is only a temporary phase in the field development program, or
where inhibition is done in conjunction with a primary dehydration system.
Figure 2-10: Dehydration system. Source: http://www.hse.gov.uk/comah/sragtech/techmeasoperatio.htm.

TESTING, COMMISSIONING AND HOOK UP

Testing
Clear demarcation of where limits of intervention cease and reliance upon the control systems interface begins
is a critical step in defining the operating procedures for a given plant or process. During the hazard and
operability stage, the justification of reliance upon human intervention rather than automated systems should be
established. This should be assessed in more depth in a subsequent risk assessment.
Controls
The principle controls for start-up and shut-down are the safe working procedures. The procedures should be
ordered and phased so that interlinked plant operations can resume or cease in a safe and controlled manner.
Particular care should be taken on start-up to ensure alarms which may have been temporally muted are
reinstated once the process reaches stabilisation.
Commissioning
Commissioning of process plant is the practical test of the adequacy of prior preparations, including training of
operating personnel and provision of adequate operating instructions. Since the possibility of unforeseen
eventualities cannot be eliminated during this period when operating experience is being gained, the need for
safety precautions should be reviewed. Full written operating instructions should be provided for all
commissioning activities.
Commissioning procedures document a logical progression of steps necessary to verify that installed plant is
fully functional and fit for purpose. A general sequence of steps in commissioning may typically include:
System configuration check; the purpose of this activity is to trace all pipework and connections to verify the
system configuration, and to visually inspect items of equipment to ensure that they are clean, empty and fit for
purpose as appropriate prior to undertaking water trials.
Instrumentation system check - verification of alarms and trips; the purpose of this activity is to ensure that all
instrumentation, alarm settings, microprocessor signals and hardwire trips pertaining to the installation are
functional. This will also check that signals from the field instrumentation are displayed locally and are being
correctly relayed to the computer interface rack, as well as to the computer system.
Flushing and cleaning of lines and vessels with water; the purpose of this activity is to clean all items of
pipework and the vessels that make up the installation. This task shall also ensure that there are no
obstructions, blockages or any potential contaminants in any of the process lines or vessels that may have
resulted from materials being left inside the system from the construction phase. If chemicals incompatible with
water are to be used, it is important that the pipelines and equipment are thoroughly dried prior to introduction
of the chemicals. This is normally done by passing dry air through the plant.
Assessment of ancillary equipment; the main aim of this assessment is to verify the performance of all ancillary
equipment. This may include pumps, fans, heat exchangers, condensers etc.
Calibration of vessels and instrumentation; the purpose of this activity is to check the calibration and
performance of all vessels and instrumentation pertaining to the installation. To a certain extent this will be
carried out in conjunction with the system pre-checks to ensure that the correct set points and alarm points
have been established for use in the water trials.
Exam practice
1. (a) State the role of a permit-to-work system. (2)
(b) Outline the key elements of an effective permit-to-work form. (6)
2. (a) Explain the term non-condensables (NCD’s) using examples. (4)

(b) Outline why it is important to control NCD’s in boiler feed water. (4)
3. (a) Explain the purpose of a preventative maintenance scheme. (4)

(b) Outline the benefits of reliability centred maintenance. (4)
4. (a) Explain the term ‘corrosion’. (4)

(b) Outline the harmful effects corrosion may have on an oil rig. (4)
5. Outline the important considerations which should be taken to ensure a safe shift handover. (8)

This page is intentionally blank

Element
3
Hydrocarbon process safety 2
Learning outcomes
3.1 Outline types of failure modes that may lead to loss of containment from hydrocarbons.
3.2 Outline types of failures that may lead to loss of containment from hydrocarbons.
3.3 Outline the controls available to maintain safety critical equipment.
3.4 Outline the hazards, risks and controls available for safe containment of hydrocarbons offshore and
onshore.
3.5 Outline the fire hazards, risks and controls relating to hydrocarbons.
3.6 Outline the hazards, risks and controls available for operating boilers and furnaces.
Content
3.1 - Failure modes ...............................................................................................................................................55
Materials strength ..................................................................................................................................................55
Stress corrosion cracking ......................................................................................................................................56
Thermal shock .......................................................................................................................................................57
Brittle fracture ........................................................................................................................................................57
What is meant by a ‘safe operating envelope’ ......................................................................................................57
Use of knowledge of failure modes in initial design, process and safe-operating procedures .............................57
Failure of the annular rim (bottom rim of storage tank) .........................................................................................58
3.2 - Other types of failures ...................................................................................................................................58
Weld failures .........................................................................................................................................................58
3.3 - Safety critical equipment controls .................................................................................................................61
Process control systems .......................................................................................................................................61
Emergency shutdown systems .............................................................................................................................61
Procedures for bypassing ESD’s ..........................................................................................................................61
Blow down facilities and flares ..............................................................................................................................62
Drains, sewers and interceptors ...........................................................................................................................64
3.4 - Safe containment of hydrocarbons ...............................................................................................................66
Hazards and risks .................................................................................................................................................66
Floating roof tanks.................................................................................................................................................67
Fixed roof storage tanks........................................................................................................................................68
Bunding of storage tanks ......................................................................................................................................68
Filling of tanks .......................................................................................................................................................69
Pressurised and refrigerated vessels....................................................................................................................70
Loss of containment and consequences...............................................................................................................71
Decommissioning of offshore platforms ................................................................................................................74
Management of simultaneous operations (SIMOPS) ...........................................................................................75
3.5 - Fire hazards, risks and controls ....................................................................................................................75
Lightning ................................................................................................................................................................75
Fire triangle and the potential consequences .......................................................................................................76
Electrostatic charges .............................................................................................................................................77
Ignition sources - identification and control ...........................................................................................................77
Zoning and hazardous area classification.............................................................................................................78
3.6 - Furnace and boiler operations ......................................................................................................................79
Use of furnaces and boilers ..................................................................................................................................79
Hazards and risks of operating boilers and furnaces ............................................................................................80
Exam practice .......................................................................................................................................................81

T. Kletz: What Went Wrong? Case Histories of Process Plant Disasters (1998) Gulf, ISBN: 978-0-8841-5920-9
T. Kletz: Still Going Wrong: Case Histories of Process Plant Disasters and How They Could Have Been
API Corrosion management
Safety and environmental standards for fuel storage sites Buncefield Standards Task Group (BSTG) Final
report http://www.hse.gov.uk/comah/buncefield/bstgfinalreport.pdf
Energy Institute: Guidance for corrosion management in oil and gas production and processing ref: 978-0-8529-
3497-5
Energy Institute: Corrosion threats handbook - Upstream oil and gas production plant (A6) Date: Dec 2008 ref:
978-0-8529-3496-8
Human factors: Safety critical communications: http://www.hse.gov.uk/humanfactors/comah/safetycritical.htm)
Materials strength; Stress; Stress Corrosion Cracking: Wikipedia
Non-Destructive Testing (hse.gov.co.uk/comah/sragtech/techmeasndt.htm) (www.tutkndt.org/sub: Wilcox and
Downes)
Safety Critical Systems (SINTEF: www.sintef.no)
Process Control Systems (Wikipedia)
Emergency Shutdown Systems (Krongsberg: www.km.krongsberg.com) (Wikipedia)
Safety Integrity Levels: Tech. News; SA Instrumentation and Control (www.instrumentation.co.za)
Fire and Gas controls: John Hind (www.johnhind.com)
Floating Roof Tank (rim seal) Fire Protection: (GRISHMA Global Technology: www.grishmaglobal.com)
Interceptors/Separators: (PS International: www.psinternational.com) (Wikipedia)
Pressurised and Refrigerated Vessels: Wikipedia
Pool Fires: HSE (www.hse.gov.uk/offshore/strategy/pool.html)
Deflagration/Detonation: HSE (www.hse.gov.uk/fire and explosion/thermaloxidiser.pdf)
UVCE’s: HSE (www.hse.gov.uk/research.hsl_pdf/2002/hsl02-02.pdf)
Pipelines and Pigging Operations (Wikipedia)
Decommissioning Topic Strategy (Bomel Ltd: www.hse.gov.uk/research/otopdf/2001/oto01032.pdf)
SIMOPS: Guidance on SIMOPS (IMCA: www.imca-int.com/documents/divisions/marine/docs/IMCAM203.pdf)
Lightning: US EPA (http://www.epa.gov/osweroe1/docs/chem/lit-flam.pdf)
Static Electricity: OSH Department of Labour: New Zealand
(http://www.osh.dol.govt.nz/order/catalogue/archive/staticelectricity.pdf)
Zoning and Hazardous Areas: HSE (www.hse.gov.uk/comah/sragtech/techmeasareaclas.htm); Cooper Crouse-
Hinds: A User Guide to Intrinsic Safety (www.mtl-inst.com/images/uploads/datasheets/App_notes/AN9003.pdfl
Boiler Tube Failures: (http://www.brighthub.com/engineering/mechanical/articles/38111.aspx)

3.1 - Failure modes

Materials strength
Strength of materials is a subject in materials science which determines the ability of an object to withstand an
applied stress without failure.
A load applied to a mechanical member will induce internal forces within the member called stresses. The
stresses acting on the material cause deformation of the material. Deformation of the material is called strain,
while the intensity of the internal forces is called stress. The applied stress may be tensile, compressive, or
shear.
The strength of any material relies on three different types of analytical method: strength, stiffness and stability,
where strength refers to the load carrying capacity, stiffness refers to the deformation or elongation, and
stability refers to the ability to maintain its initial configuration. Material yield strength refers to the point beyond
which the material experiences deformations that will not be completely reversed upon removal of the loading.
The ultimate strength refers to the point at which the stress produces fracture.
TENSILE, COMPRESSIVE AND SHEAR STRESSES
Stress can result from a tensile force, a compressive force and from a shear force. Tensile forces are those
internal forces that act on a member to pull it apart, whereas compressive forces are those internal forces that
push a member together.
Tension
Figure 3-1: Tension. Source: RMS.
Figure 3-2: Compression. Source: RMS.

The tensile strength of a material is measured in a
tensile testing machine which pulls a test piece apart.
Compressive strength is measured by placing a test
piece under compressive forces until it fails
explosively.
Shear stress
A shear stress is the measure of the tendency for one
part of a solid material to slide past the neighbouring
part.
shearing load F
Shear stress =   MN m-2
area being sheared A
Figure 3-3: Shear stress. Source: Ambiguous.

Stress/strain relationships, yield point, breaking stress, ultimate tensile strength,

elasticity and plasticity
Figure 3-4: A tensile test-piece. Source: Ambiguous.

When a test piece is placed in a tensile testing machine it will produce a load (force) - extension (i.e. change in
length) graph. As the initial dimensions of the test piece are known, the data from the tensile test can be
translated to a stress strain diagram.
This will reveal a large amount of information about the properties of the material:
 The amount of elastic deformation. This is reversible deformation.
 The degree of permanent plastic deformation. This is not reversible.
 The yield point at which plastic deformation is initiated.
 The stress at which the material breaks, called the breaking stress.
 The maximum tensile stress that the material can support without breaking, called the ultimate tensile
strength.
Brittle materials, such as cast iron and glass, display elastic behaviour until they break (i.e. they do not deform
plastically). Thus, they will revert back to their original shape once the stress on them is relaxed.
A stress strain graph for most materials will have an initial straight elastic region. The slope of this elastic
region is a measure of the stiffness of the material and is derived from the following formula:
stress
E =
strain
Where E is the elastic modulus, or Young’s modulus, named after Thomas Young (1773-1829). Young’s
modulus is the ability of a material to withstand elastic deformation (i.e. its stiffness or floppiness).
Another term used to describe a material is ductility. This is the property, possessed by a typical metal, of
being able to be drawn out into a wire - in other words its ability to deform under tensile stress.
Creep
Creep is the gradual extension of a material, under stress, over a prolonged period of time. It is more severe at
high temperatures, or temperatures approaching the material’s melting point. Creep has commonly been
associated with steam/gas turbine blade failures. Measures to prevent creep include:
 Temperature and stresses control in plant, including the minimisation of thermal stresses (for example, re-
routing hot pipes).
 Use of creep resistant materials (for example, 1% chrome, 0.5% molybdenum steel).
 Regular inspection for cracks and signs of deformation, such as bulges.
 Maintenance and replacement of creep prone components.
Stress corrosion cracking
Stress corrosion cracking (SCC) is cracking that is
induced as a result of stress, a corrosive environment
and a susceptible material. It can lead to unexpected
sudden failure of normally ductile metals subjected to
a tensile stress, especially at elevated temperature in
the case of metals. SCC is highly chemically specific
in that certain alloys are likely to undergo SCC only
when exposed to a small number of chemical
environments (for example, aluminium alloys are
susceptible to chlorides; mild steel is susceptible to
nitrates).
The chemical environment that causes SCC for a
given alloy is often one which is only mildly corrosive
to the metal otherwise. Hence, metal parts with
severe SCC can appear bright and shiny, while being
filled with microscopic cracks. This factor makes it
common for SCC to go undetected prior to failure. Figure 3-5: Example of stress corrosion cracking. Source: Ambiguous.
SCC often progresses rapidly, and is more common
among alloys than pure metals.

The specific environment is of crucial importance, and only very small concentrations of certain highly active
chemicals are needed to produce catastrophic cracking, often leading to devastating and unexpected failure.
Thermal shock
Thermal shock is the name given to extreme temperature difference (gradient) across an object, which can
result in cracking and/or breaking. It can occur as a result of a rapid and extreme temperature change.
Thermal shock occurs when a thermal gradient causes different parts of an object to expand by different
amounts. This differential expansion can be understood in terms of stress or of strain, equivalently. At some
point, this stress can exceed the strength of the material, causing a crack to form. If nothing stops this crack
from propagating through the material, it will cause the object's structure to fail (for example, thermal shock was
a significant causal factor of the Longford Gas Plant Explosion).
Brittle fracture
Brittle fracture occurs suddenly and without warning or prior evidence of distress. It is caused by tensile
stresses on brittle materials, such as cast iron, glass and pottery. More ductile materials, such as steel become
brittle at low temperature and can also be subject to brittle fracture.
As an example, consider pouring boiling water into a
cold glass - the result is sometimes brittle fracture.
Factors influencing failure modes include:
 Low temperatures.
 High temperatures.
 Rapid and extreme temperature change.
 Overpressure/pressure cycling.
 Corrosive environment.
 Poor welding.
 Residual manufacturing stresses.
 Operating outside the safe working envelope. Figure 3-6: Tensile stress and brittle failure. Source: Ambiguous.
What is meant by a ‘safe operating envelope’

A material has a rest shape and its shape departs away from the rest shape when a stress is applied. The
amount of departure from the rest shape is known as deformation, the proportion of deformation to original size
is called strain. If the applied stress is sufficiently low almost all solid materials behave in such a way that the
strain is directly proportional to the stress; the coefficient of the proportion is called the modulus of elasticity or
Young's modulus.
This region of deformation is known as the linearly elastic region. This region, where permanent deformity or
fracture does not occur, is used by designers to determine the safe operating envelope for different materials
used in the manufacture of such things as pressure vessels, lifting equipment and accessories, structures and
buildings.
The safe operating envelope is: “A set of limits that, if respected, should ensure the safe operation of the
equipment and process.”
These limits include the setting of minimum and maximum measurable values for properties such as flow; level;
pressure; temperature and corrosion rates.
Modern process facilities rely heavily on their alarm systems and safety instrumented systems to maintain
operations within the ‘safe operating envelope’. Initially these limits may be set by the process and mechanical
design. However, as the plant ages and is debottlenecked and modified, the limits will change. Limits may also
be temporarily or permanently reduced due to maintenance activities. In this dynamic environment, ensuring
that planners and process operators know where the limits are and always operate within them is critical for
safe operation.
The setting of operating limits provides a fixed boundary of acceptability for specific system parameters that
impact safety. Ensuring that operations stay within the operating envelope at all times is an overriding factor in
decision making in the face of equipment breakdown or abnormal operating conditions.
Use of knowledge of failure modes in initial design, process and safe-
operating procedures
Identification of potential failure modes (for example, mechanical failures as a result of buckling, ductile fracture,
impact loading, brittle fracture, creep, thermal shock, corrosion, stress corrosion cracking) during the product
design process is critical for creating failure-free Designs. Currently, organisations use procedures such as
failure modes and effects analysis (FMEA), fault tree analysis, or failure modes, effects and criticality analysis
(FMECA), as well as prior knowledge and experience, to determine potential failure modes. This requires

designers to have a broad knowledge of commonly occurring failure modes and to understand any connections
between failures for successful implementation.
Failure of the annular rim (bottom rim of storage tank)
The bottom annular rim of storage tanks is subject to various stresses when repeatedly emptied and filled
during its process life. Often this area of the tank is subject to corrosion damage, particularly if the products
stored in them contain salt water (for example, crude oil tanks.), or if water is able to collect around the base in
a bund.
Settlement of a tank is also an issue to consider. Such settlement could affect the tank joins or protective
finishes, leading to possible corrosion issues. In both cases, loss of containment can arise as a result of these
mechanical failures.
3.2 - Other types of failures

Weld failures
Welding is the most economical and efficient way to join metals permanently. It is the only way of joining two or
more pieces of metal to make them act as a single piece. It is a process that is extensively used in the Oil and
Gas industry, for the fabrication, and repair, of vessels, pipe work and structures.
There are many factors that influence the strength of welds, and the materials around them. They include the
welding method; the energy input; the weld ability of the base material; the filler and flux materials; the design of
the joints and the interaction between all of these factors.
To test the quality of a weld, either destructive or non-destructive testing methods are commonly used to verify
that welds are free from defects, have acceptable levels of residual stresses and distortion, and have
acceptable heat-affected zone properties.
Types of welding defects include:
 Porosity, as a result of gas inclusions.
 Incomplete penetration, as a result of lack of penetration usually caused by too low welding current.
 Lack of fusion, often as a result of poor welding technique.
 Undercutting, usually caused by incorrect arc voltage and travel speed.
 Longitudinal cracking, hot or cold, as a result of incorrect electrode, joint design, welding technique.
Examples of lack of penetration.

Examples of porosity.
Example of longitudinal cracking.
Examples of undercutting.
Example of lack of fusion.

Figure 3-7: Types of welding defects. Source: esab.com.
Non-destructive testing (NDT) methods such as visual inspection, radiography, ultrasonic testing, dye
penetration inspection, Magnetic-particle inspection can help with detection and analysis of weld defects.
NON-DESTRUCTIVE TESTING (NDT)
NDT is the testing of materials, for surface or internal flaws or metallurgical condition, without interfering in any
way with the integrity of the material or its suitability for service.
Pressure vessels, storage tanks and other safety critical components (including pipe work and valves) are
designed to contain liquids, gases and solids such that a loss of containment does not occur.
Leaks or the mechanical or structural failure of these items of equipment may result in a major accident on-site.
The presence of flaws in critical components may result in the integrity of such systems being compromised
and increase the likelihood of failure.
NDT often provides the only method of obtaining information about the current ‘health’ of process plant.

The types of defect/flaw and degradation that can be detected using NDT include: weld defects; stress
corrosion cracking; wall thinning through corrosion, erosion; corrosion pitting; structural deformities such as
dents and bulges.
Visual and optical inspection
Visual inspection is a valuable NDT tool. It is one of the first methods used in order to detect suspect defect
areas in materials. Once located, the defect area can be examined and evaluated in more detail. A lot can be
learnt from looking directly or remotely at the end of large heat exchanger, or in a large vessel through an open
manhole. Cameras may be used to assist in remote viewing of critical areas. Clean surfaces and good lighting
sources are required for visual inspections.
Radiography
This technique is suitable for the detection of internal defects in materials. X-rays, generated electrically, and
gamma rays emitted from radio-active isotopes, are penetrating radiation which is differentially absorbed by the
material through which it passes.
X and gamma rays also have the property, like light, of partially converting silver halide crystals in a
photographic film to metallic silver, in proportion to the intensity of the radiation reaching the film, and therefore
forming a latent image. This can be developed and fixed in a similar way to normal photographic film.
Material with internal voids is tested by placing the subject between the source of radiation and the film. The
voids show as darkened areas, where more radiation has reached the film, on a clear background. The
principles are the same for both X and gamma radiography.
The source of radiation is positioned on one side of the material being tested, and the film on the opposite side
y, so that the radiation passes through the subject and on to the film. After the exposure period the film is
removed, processed, dried, and then viewed by transmitted light on a special viewer.
As sources of Ionising radiation, exposure to x-ray and gamma sources has to be strictly controlled. Shielding,
exposure time, distance and barriers are normal means of exposure control when radiography is in progress.
Magnetic particle inspection (MPI)
This method is suitable for the detection of surface and near surface discontinuities in magnetic material, mainly
ferritic steel and iron.
The principle is to generate magnetic flux in the article to be examined, with the flux lines running along the
surface at right angles to the suspected defect. Where the flux lines approach a discontinuity they will stray out
in to the air at the mouth of the crack. The crack edge becomes magnetic, and has the power to attract finely
divided particles of magnetic material such as iron fillings. Usually these particles are of an oxide of iron in the
size range 20 to 30 microns, and are suspended in a liquid which provides mobility for the particles on the
surface of the test piece, assisting their migration to the crack edges. However, in some instances they can be
applied in a dry powder form.
The particles can be red or black oxide, or they can be coated with a substance, which fluoresces brilliantly
under ultra-violet illumination. The object is to present as great a contrast as possible between the crack
indication and the material background.
The technique not only detects those defects which are not normally visible to the unaided eye, but also renders
easily visible those defects which would otherwise require close scrutiny of the surface.
Dye penetrant testing
Dye penetrant testing is frequently used for the detection of surface breaking flaws in all non-ferrous and
ferrous materials; although magnetic particulate inspection is often the preferred method used for ferrous
materials sub surface examination. The material to be examined is first of all chemically cleaned, to remove all
traces of foreign material, grease, dirt, etc. from the surface generally, and also from within the cracks.
Next the penetrant (which is a very fine thin oil usually dyed bright red or ultra-violet fluorescent) is applied and
allowed to remain in contact with the surface for approximately fifteen minutes. Capillary action draws the
penetrant into the crack during this period. The surplus penetrant on the surface is then removed completely
and thin coating of powdered chalk is applied.
After a further period (development time) the chalk draws the dye out of the crack, rather like blotting paper, to
form a visual, magnified in width, indication in good contrast to the background.
The process is purely a mechanical/chemical one and the various substances used may be applied in a large
variety of ways, from aerosol spray cans at the most simple end to dipping in large tanks on an automatic basis
at the other end. The latter system requires sophisticated tanks, spraying and drying equipment but the
principle remains the same.
Ultrasonic testing
This technique is used for the detection of internal and surface (particularly distant surface) defects in sound
conducting materials.

An ultrasound transducer connected to a diagnostic machine is passed over the object being inspected. The
transducer is typically separated from the test object by a couplant (such as oil) or by water, as in immersion
testing.
Ultrasonic couplants are used in virtually all contact testing applications to facilitate the transmission of sound
energy between the transducer and the test piece. Couplant use is necessary because sound energy at the
ultrasonic frequencies typically used for non-destructive testing is not effectively transmitted through air. Even
an extremely thin air gap between the transducer and the test piece will prevent efficient sound energy
transmission and make conventional testing impossible.
There are two methods of receiving the ultrasound waveform, reflection and attenuation. In reflection (or pulse-
echo) mode, the transducer performs both the sending and the receiving of the pulsed waves as the "sound" is
reflected back to the device. Reflected ultrasound comes from an interface, such as the back wall of the object
or from an imperfection within the object.
The diagnostic machine displays these results in the form of a signal with the amplitude representing the
intensity of the reflection and the distance, representing the arrival time of the reflection. In attenuation mode, a
transmitter sends ultrasound through one surface, and a separate receiver detects the amount that has reached
it on another surface after travelling through the medium. Imperfections in the space between the transmitter
and receiver reduce the amount of sound transmitted, thus revealing their presence.
Eddy current testing
This technique can be uses to detect surface and sub-surface defects.
Eddy currents can be produced in any electrically conducting material that is subjected to an alternating
magnetic field (typically 10Hz to 10MHz). The alternating magnetic field is normally generated by passing an
alternating current through a coil.
The magnitude of the eddy currents generated in the material is dependent on conductivity, permeability and
the set up geometry. Any change in the material or geometry can be detected by the excitation coil as a
change in the coil impedance. The simplest coil comprises a ferrite rod with several turns of wire wound at one
end and which is positioned close to the surface of the product to be tested. When a crack, for example, occurs
in the product surface the eddy currents must travel farther around the crack and this is detected by the
impedance change.
Pressure/leak testing
Pressure/leak testing is carried out in order to guarantee the integrity of process equipment and/or pipework
that has been installed, or reassembled after inspection, maintenance, repairs, modifications or replacement,
prior to it being returned to operation. This is required in order to avoid the loss of containment of process
fluids, thereby protecting the safety of all personnel either involved with, or in the vicinity of, the plant and
maintaining the integrity of the installation.
There are basically two methods used for pressure testing: hydrostatic and pneumatic. A hydrostatic test is
performed by using water as the test medium, whereas a pneumatic test typically uses nitrogen, helium, argon
or compressed air. Pneumatic tests are potentially more dangerous than hydrostatic because of the higher
level of potential energy. Pneumatic tests may be used when systems are so designed that they cannot be
filled with water, or when systems are to be used in services where traces of the testing medium cannot be
tolerated.
Hydrostatic testing involves filling the vessel or pipe system with a liquid, usually water, which may be dyed to
aid in visual leak detection, and pressurisation of the vessel to the specified test pressure. Pressure tightness
can be tested by shutting off the supply valve and observing whether there is a pressure loss. The location of a
leak can be visually identified by checking for the presence of the dyed water.
Pneumatic testing, for example, using nitrogen, involves pressurising the system to the specified test pressure,
then locking it in. In addition to watching for pressure drops, the commissioning team will be visually checking
the system for leaks. One technique that is used, is to spray joints and flanges on vessels and pipework, with
soapy water solution. Any small leaks are visible as soapy bubbles. This activity presents a number of risks to
the members of the commissioning team who are carrying out the tests.
These include:
 Extreme weather conditions, including wind and rain.
 The effects of cold or heat, for example, hypothermia and sunburn.
 Cold burns as a result of contact with nitrogen.
 Asphyxiation from nitrogen, if in a confined area.
 Eye or skin irritation from contact with the soapy water.
 Falling from height when accessing flanges.
 Slipping on wet soapy surfaces.
 Cuts from sharp bolts/flanges.
 Ergonomic injuries whilst accessing awkwardly positioned flanges.

3.3 - Safety critical equipment controls

Because of the inherently high risks associated with oil and gas operations, process plants are equipped with
safety systems to prevent harm to people, environment or property. These can be instrumented systems or
administrative tools, as for example, procedures on what to do when deviations from normal operation occur.
Primarily, we work with the instrumented safety systems. These include systems that automatically detect
alarm and handle critical situations. In the oil and gas industry, instrumented safety systems include:
 Process control systems.  Fire and gas systems.
 Emergency shutdown (ESD).  Over pressure protection (HIPPS).
Process control systems
Process control systems are extensively used in the oil and gas industry. Process control enables automation,
so that operating personnel can operate a complex process from a central control room.
For example, heating up a process stream is a process that has the specific, desired outcome to reach and
maintain a defined temperature (for example, 150°C), kept constant over time. Here, the temperature is the
controlled variable. At the same time, it is the input variable since it is measured by a thermometer and used
to decide whether to heat or not to heat. The desired temperature (150°C) is the set point. The state of the
heater (for example, the setting of the valve allowing the heating medium to flow through it) is called the
manipulated variable since it is subject to control actions.
A commonly used control device called a programmable logic controller, or a PLC is used to read a set of
digital and analogue inputs, apply a set of logic statements, and generate a set of analogue and digital outputs.
Using the example in the previous paragraph, the process stream temperature would be an input to the PLC.
The logical statements would compare the set point to the input temperature and determine whether more or
less heating was necessary to keep the temperature constant. A PLC output would then either open or close
the heating medium valve, an incremental amount, depending on whether more or less hot water was needed.
Larger more complex systems can be controlled by a distributed control system (DCS) or SCADA system
(supervisory control and data acquisition).
Emergency shutdown systems
Emergency shutdown systems (ESD’s) are intended
to minimise the consequences of emergency
situations, for example, the uncontrolled release/loss
of containment of hydrocarbons, or the outbreak of fire
in hydrocarbon areas. Generally designed with a high
safety integrity level (SIL) typical actions of an ESD
include:
 Shutdown of a system, or part of a system.
 Isolate hydrocarbon inventories.
 Stop hydrocarbon flow.
 Prevent escalation of an incident.
 Depressure/blowdown.
For shutdown valves used in safety instrumented
systems it is essential to know that the valve is
capable of providing the required level of safety
performance and that the valve will operate on Figure 3-8: Emergency shut down valve. Source: Wikimedia.
demand.
The required level of performance is dictated by the safety integrity level (SIL). In order to adhere to this level
of performance it is necessary to test the valve. There are two types of testing methods available:
1) A proof test: a manual test that will determine whether the valve is ‘as good as new’, by testing for all
possible failure modes. This may require a system shutdown (unless by pass facilities are provided).
2) A diagnostic test: an ‘online’ test that will detect some of the possible failure modes of the valve (for
example, a partial stroke test).
Procedures for bypassing ESD’s
Occasionally, ESD’s will need to be bypassed or overridden (for example, for emergency maintenance work).
These operations must be very closely controlled, and subject to a written procedure (this may be included in
the management of change procedures, as a temporary change).
Authorised by a competent person (often a Plant Manager), and subject to justification and risk assessment,
alternative means of control in the event of an emergency should be considered. For example, an operator
standing by at the bypass location, with radio communication with the process control room.

The bypass arrangement should be applied for the shortest possible period of time. The details of bypass
arrangements should be entered into a logbook and communicated to all relevant parties (for example,
operations, maintenance staff and supervision). This is critically important should the bypass be in place during
a shift hand over.
FIRE AND GAS CONTROLS
Oil and gas installations should be designed to be safe. However there will always be residual risks. Layers of
protection need to be designed in, to detect any anomalies that the process control system hasn’t taken care of.
These additional layers should make the process safe. The fire and gas detection system provides an extra
layer of protection to mitigate the consequences when the other safeguarding layers have not been sufficient.
The gas detection system can detect a discharge of combustible or toxic gas and take action to minimise the
leak and prevent it turning into a fire or explosion. If a fire should result, systems can be attached to extinguish
the fire and protect other areas from the actions of the fire. The same system, usually with different detectors
and principles, can be used to detect toxic gases, give warning to personnel and provide the possibility of taking
automatic shutdown actions.
SAFETY INTEGRITY LEVELS FOR INSTRUMENTATION
Safety integrity level (SIL) is a statistical representation of the reliability of safety instrument systems. There are
four categories, namely SILs 1, 2, 3 and 4, SIL 1 being the least dependable and SIL 4 being the most
dependable. It is defined as the probability of the safety instrument system (SIS) to fail on demand (PFD). A
process demand occurs whenever the process reaches the trip condition and causes the SIS to take action.
Consider a tank filling with a process fluid. If the tank is full, the SIS comes into play as the trip conditions are
reached. The SIS prevents the tank from overflowing. The number of times this occurs is known as the
incident frequency.
Consider an SIL 1 installation, which has a maximum probability level of 1 in 10. This means for every 10 times
the SIS is activated as a result of a high tank level trip, the safety function (for example, the dump valve opens
lowering the level) could be expected to work nine times. The other one time the safety function would not work
and the tank would overflow.
In SIL 2 this overflow probability would be one in a hundred as a worst-case scenario; in SIL 3 one in a
thousand, and in SIL 4, one in ten thousand.
The required SIL level in a particular process design and what actions should be taken to reduce the number of
process demands is based on the perceived risk and tolerable incident frequency. This decision is taken after
considering issues such as potential risk to personnel, environmental releases, property damage, plant and
equipment damage, and the plant's licence to operate.
Blow down facilities and flares
BLOW DOWN
If a pressurised vessel is attacked by fire, its temperature rises and this reduces the strength of the vessel.
This, combined with the pressure within the vessel, may lead to failure of the vessel with catastrophic
consequences.
A blow down system is a collection of controls, valves and pipes, by which liquid or gas pressure contained
within a process, piping, or pressure vessel, can be safely relieved.
Liquid blow down will normally be collected in a drum, vessel or (in the event of a non-hazardous material) an
oily sewer/interceptor. Flammable or toxic gases may be routed to a flare system for reprocessing or burning.
Traditional facilities for preventing overpressure of equipment includes bursting discs, which bursts under
overpressure conditions, thus relieving the equipment pressure, and mechanical relief valves, where excess
pressure causes the valve to open and release the pressure. As soon as the pressure is vented the valve
shuts, thus retaining the pressure inside the equipment.
Another protection system is a high integrity protection system (HIPPS). The HIPPS will shut off the source of
the high pressure before the design pressure is exceeded, thus preventing loss of containment through rupture.
FLARES
The flare is a last line of defence in the safe emergency release system in a refinery, offshore platform or
chemical plant. Its purpose is to relieve overpressures from process plant and to burn unwanted gas. The flare
provides a means of safe disposal of the vapour streams from its facilities, by burning them under controlled
conditions such that adjacent equipment or personnel are not exposed to hazards, and at the same time
obeying the environmental regulation of pollution control and public relations requirements.
The most commonly utilised flare systems are elevated flares and ground flares. Selection of the type of flare is
influenced by several factors, such as availability of space; the characteristics of the flare gas (composition,
quantity and pressure); economics; investment and operating costs; public relations and regulation.

ELEVATED FLARE
Elevated flare (see figure ref 3-9) is the most commonly used type in refineries and chemical plants. Elevated
flares have larger capacities than ground flares.
The waste gas stream is fed through a stack from 10 metres to over 100 metres tall and is combusted at the tip
of the stack. The elevated flare, can be steam assisted, air assisted or non-assisted.
Elevated flares can utilise steam injection/air injection
to promote mixing and turbulence, and to reduce
smoke.
The disadvantage of steam injection/air injection is it
introduces a source of noise and cause noise
pollution.
If adequately elevated, this type of flare has the best
dispersion characteristics for malodorous (unpleasant
or offensive odours) and toxic combustion products.
In addition to steam or air assisted flares, other types
include non-assisted flares; pressure assisted flares
and liquid/mixed phase flares.
GROUND FLARE
With a ground flare, the combustion takes place at
ground level. It varies in complexity, and may consist
either of conventional flare burners discharging
horizontally with no enclosure or of multiple burners in
refractory-lined steel enclosures.
The type, which has been used almost exclusively, is
the multi-jet flare (enclosed type).
Compared to elevated flare, ground flare can achieved
smokeless operation as well, but with essentially no
noise or luminosity problems, provided that the design Figure 3-9: Steam assisted elevated flare system.
gas rate to the flare is not exceeded. Source: KLM Technology Group.
However, it will have poor dispersion of combustion product because the stack is near to the ground; this may
result in severe air pollution or hazard if the combustion products are toxic or in the event of flame-out.
Because of poor dispersion, multi-jet flare is suitable for ‘clean burning’ gases when noise and visual pollution
factors are critical.
Figure 3-10: Typical ground system. Source: KLM Technology Group.

Monitoring flare operation

Flare monitoring must be in place to ensure the integrity of the flame. This can be done visually, or by using an
inexpensive heat sensing device such as an ultra violet beam or a thermocouple. Automatic ignition panels
sense the presence of a flame, and reignite it should a ‘flameout’ occur.
Drains, sewers and interceptors
STORM WATER DRAINS
This system consists of pipes and open, grated ditches collecting clean and/or oily storm waters, fire and
washing waters from the non-polluted process areas. The water will pass through an interceptor for the
removal of any oil, before discharge to a watercourse.
OILY WATER DRAINS
Designed to collect process spillages, drainage from hydrocarbon containing equipment, cooling water; oily
condensate and cooling water drainage. The contaminated water should pass to an interceptor for oil removal,
prior to discharge to a watercourse.
SEWAGE
This sewer collects non-polluted raw human effluent from sanitary facilities as required. The final main will flow
into sanitary sewage treatment Units. Treated waste can be disposed of or re-used (for example, as a farm
fertiliser). Treated sewage water will be discharged to a watercourse.
OIL INTERCEPTORS/SEPARATORS
General
Oil separators are fitted to water drainage systems to protect the environment from pollution by oils. They
separate the oil from the water, based on gravity, and then retain the oil safely until it is removed for
reprocessing. To be effective, oil separators need to be correctly designed, installed and maintained.
Separators may be fitted with audible alarms, activated by a sensor and linked to the process control room, to
warn of excess levels of oil. In addition, the sensor may be linked to an automatic separator outlet valve which
would close should unacceptable levels of oil be detected.
Other operational controls for the effective operation of a separator include:
 Regular visual inspections of the separator.
 Visual inspections of the outlet stream.
 Regular removal/skimming of oil.
 Investigating the source of any significant amounts of oil.
 Periodic removal of sludge/sand/silt from the separator.
 Periodic maintenance of any safety critical controls (such as sensor, automatic outlet valve, alarms).
Figure 3-11: Oil separator. Source: www.psinternational.com/models.htm.

In figure ref 3-11 the contaminated stream enters the separator through the inlet valve, which is designed to
ensure that the separator is always full of liquid. The flow is directed through a series of corrugated plates,
which cause oil to coalesce, and float to the top of the separator, towards the outlet pipe. The solids break out
of the flow and gather behind the sludge baffle. An access point above allows for easy removal of the sludge.
The baffle also assists in aiding the floatation of the oil up to the oil collection and removal pipe. The clean
water is pumped out of the separator.
For installations with potential for a large oil spill, the separator can be equipped with an automatic inlet shut off
valve, and high level alarms.

API separators
The API separator (figure ref 3-12) is a gravity separation device designed by using Stokes Law to define the
rise velocity of oil droplets based on their density and size. The design of the separator is based on the specific
gravity difference between the oil and the wastewater because that difference is much smaller than the specific
gravity difference between the suspended solids and water. Based on that design criterion, most of the
suspended solids will settle to the bottom of the separator as a sediment layer, the oil will rise to top of the
separator, and the wastewater will be the middle layer between the oil on top and the solids on the bottom.
Typically, the oil layer is skimmed off and subsequently re-processed or disposed of, and the bottom sediment
layer is removed by a chain and flight scraper (or similar device) and a sludge pump.
Figure 3-12: Gravimetric API separator. Source: BT Techno Services.
Parallel plate separators

Parallel plate separators are similar to API separators but they include tilted parallel plate assemblies (also
known as parallel packs). The underside of each parallel plate provides more surface area for suspended oil
droplets to coalesce into larger globules. Any sediment slides down the topside of each parallel plate. Such
separators still depend upon the specific gravity between the suspended oil and the water. However, the
parallel plates enhance the degree of oil-water separation. The result is that a parallel plate separator requires
significantly less space than a conventional API separator to achieve the same degree of separation.
Figure 3-13: A typical parallel plate separator. Source: BT Techno Services.

3.4 - Safe containment of hydrocarbons

Hazards and risks
Storage tank integrity needs to be well managed since tanks can contain large inventories of hazardous liquids
and their failure has the potential to result in serious and dramatic events.
Failures, though not as common as those in piping systems, occur regularly. Permeable bunds are still found at
many sites and it is by no means unknown for a tank to be leaking through the base without any indication or
the operator’s knowledge. Despite their importance storage tanks are frequently perceived as ‘infrastructure’
and not fundamental to process. This can lead to issues such as poor record keeping, insufficient design,
construction and condition information, unsatisfactory design drawings, process diagrams and piping and
instrumentation drawings (P&IDs).
Tanks are often perceived as simple structures that require little attention. Nevertheless damage mechanisms
associated with them can be complex and varied. The measures operators have in place to maintain tanks in a
safe operating condition are often varied and in some cases fundamentally inadequate. Often repairs,
modifications and other changes, some of which may have been substantial, are not always documented or
recorded.
OVERFILLING
Overfilling hydrocarbon tanks results in loss of containment. This can lead to:
 Fire and explosion.
 Damage to plant, equipment and personnel.
 Damage to the environment (air, water and land).
This can arise as a result of:
 Lack of monitoring when filling.
 Failure of the pump to shut off.
 Failure of level /over fill alarms.
The main cause of the Buncefield Accident in 2005 was the overfilling of a gasoline tank (see ‘Element 1 -
Health, safety and environmental management in context’).
EFFECTS OF VACUUM
Pressure/vacuum relief valves (breather valves) are
used extensively on storage tanks to prevent the
build-up of excessive pressure or vacuum, which can
damage the storage tank.
The pressure valve will open when a set pressure is
reached, for example, pumping hydrocarbon into a
tank and the vacuum valve will operate when a set
vacuum value is reached (for example, pumping
hydrocarbon out of a tank).
In order to ensure continued, effective operation the
valves must be subject to a regular maintenance
regime. Figure 3-14: Pressure/vacuum relief valve. Source: Elmac Technologies.
STORAGE TANK FAILURES

There have been numerous catastrophic failures of storage tanks, one of the most notorious being that which
occurred at Boston, Massachusetts USA on January 14, 1919. The large tank had only been filled eight times
when the containment failed, resulting in a wave of molasses which killed 21 people in the vicinity. The Boston
molasses disaster was caused by poor design and construction, with a wall too thin to bear repeated loads from
the contents. The tank had not been tested before use by filling with water, and was also poorly riveted.
There have been many other accidents caused by tanks since then, often caused by faulty welding or by sub-
standard steel. However, storage tanks also present another problem, surprisingly, when empty. If they have
been used to hold oil or oil products such as gasoline, the atmosphere in the tanks may be highly explosive as
the space fills with hydrocarbons. If new welding operations are started, then sparks can easily ignite the
contents, with disastrous results for the welders.
The majority of storage tanks are constructed from carbon steel and corrosion is a prime cause of deterioration
of them and their accessories. It can be associated almost equally from external attack (atmospheric side) or
from an internal (product side) mechanism. By way of example, tanks in crude oil service can be particularly
susceptible to sulphate reducing bacteria (SRB) attack.
Corrosion is rarely uniform, though this is not unknown. However, random, localised, pitting corrosion attack,
particularly of flat-bottomed tank floors appears to be the most common failure. This can be topside down
(especially where there is an aqueous phase) or underside up. Product temperature appears to be an

important element, higher temperatures increasing the rate of corrosion. The condition and materials of
construction of tank base along with the effectiveness and durability of the floor to base seal, and the slope
angle of the tank pad away from the base are crucial factors in prevention of bottom up corrosion. Although it is
common to refer to some tanks as flat-bottomed, the floor may actually be designed cone-up or cone-down.
Cone-up floors are the most common and allow settled water or bottoms product to gravitate to sumps around
the periphery of the tanks. Cone-down floors normally have a sump at the centre of the tank.
For tanks used to contain crude oil, or other liquid hydrocarbons, consideration must be given to the possibility
of entrained water in the product, or entering through seals or natural breathing. Water will naturally collect as a
layer in the bottom and it is important that operators adopt good drainage procedures for the tanks. Corrosion
leading to small leaks in floors can potentially go undetected for a period of time. In some cases this has led to
foundations been washed away, causing the tank to become unstable, leading to catastrophic failure of the
tank.
Floating roof tanks
An external floating roof tank is a storage tank
commonly used to store large quantities of volatile
petroleum products such as crude oil or gasoline. It
comprises an open- topped cylindrical steel shell
equipped with a roof that floats on the surface of the
stored liquid. The roof rises and falls with the liquid
level in the tank. As opposed to a fixed roof tank there
is no vapour space (ullage) in the floating roof tank
(except for very low liquid level situations). In
principle, this greatly reduces the evaporative loss of
the stored liquid, and minimises the build-up of
flammable hydrocarbon vapours. There is a rim seal
system between the tank shell and roof to reduce rim
loss.
The roof has support legs hanging down into the
liquid. At low liquid levels the roof eventually lands
and a vapour space forms between the liquid surface
and the roof, similar to a fixed roof tank. Figure 3-15: Rim seal. Source: Ambiguous.
The support legs are usually retractable to increase the working volume of the tank. Potential sinking and
distortion of the roof can be caused by build-up of snow and rain water. Water on the roof is usually drained
from a flexible hose that runs from a drain-sump on the roof, through the stored liquid to a drain valve on the
shell at the base of the tank.
Figure 3-16: Floating roof tank. Source: e Notes.

A second type of floating roof is an internal floating roof tank. As well as overcoming weather related problems,
these tanks will reduce the likelihood of lightning strikes igniting vapours than might be leaking past the rim
seal. This cuts down the potential for tank fires.
Foam based systems are usually used for fighting floating roof tank fires. Larger tanks will often have
automatic rim seal systems. In such systems, a foam discharge manifold with spray nozzles is evenly spaced
along the rim seal.
On detection of the first sign of fire, the detection triggers an alarm and immediately actuates the foam
extinguishing system to quench the fire.
Fixed roof storage tanks
Fixed roof tanks are used for liquids with high flash points, (for example, fuel oil, bitumen etc.). Cone roofs,
dome roofs and umbrella roofs are usual.
The tanks are insulated to prevent the clogging of certain materials and heat is provided by steam coils within
the tanks. Dome roof tanks are used for tanks having slightly higher storage pressure than that of the
atmosphere (for example, slop oil).
The tank design should be suitable for each operational duty and all reasonably expected forces such as tank
contents, ground settlement, frost, wind and snow loadings, earthquake and other circumstances as
appropriate.
Excessive loss of vapours from vent systems may result from out breathing and may present a low pressure
(vacuum) hazard leading to tank distortion or partial implosion.
Pressure/vacuum valves (PRV) are often installed to prevent the release of vapours during very small changes
in temperature, pressure or liquid level.
Figure 3-17: Fixed roof tank. Source: Metrology Centre.
Bunding of storage tanks

Tanks should be surrounded by a bund to contain any leak as a result of loss of tank containment. Bunds
should:
 Be able to contain 110% of the tank’s capacity or 25% of the total storage volume if there is more than one
tank contained within the bund.
 Have an impervious base.
 Have impervious wall.
 Have sufficiently strong walls to contain the hydrostatic head of the liquid released.
 Have means of removing surface/rain water. If a drain valve is used this should normally be locked closed;
drained water should pass through an interceptor for hydrocarbon separation.
 Ideally have pipe work passing over the bund wall. If this is not possible, the bund wall should be sealed
with a suitable material.

Figure 3-18: Concrete bund. Source: Safeguard Europe Ltd. Figure 3-19: Brick bund. Source: Safeguard Europe Ltd.
Filling of tanks
Tank gauging measurements are normally performed for one of the following reasons:
Operations: the main reason for this type of level measurement is to attempt to avoid unintentional overfilling
or emptying of the tank during everyday operations. This form of measurement would tend to be continuous,
and act as a monitor. It is also possible for this type of application to initiate alarms.
Stock control: this requires a higher level of measurement accuracy than that used for operational monitoring
because it is used to account for all quantities of product on site. This type of system is used for applications
such as leak detection or ensuring that onsite product quantities do not exceed those permitted. This
application can operate in either continuous or periodic modes.
Custody transfer: this generally requires the highest accuracy level measurement because it is normally
associated with the trading of the product. This application of tank gauging would be continuous, but only be
used when a transfer was required. Of the three applications in which tank gauging is normally applied, there
are two general modes of operation:
Periodic: level measurement is performed after predefined intervals.
Continuous demand: the level of the tank contents is always being measured by the level measurement
instrumentation.
The design and required application would ultimately dictate how the particular system operates. There are a
number of level measurement system technologies which are used for liquid level detection.
A basic and commonly used way of measuring the liquid level within a storage tank is measurement by dip
tape. This is a single manual measurement that is performed by an individual. The accuracy of the
measurement taken is dependent upon the skill and experience of the individual, and therefore there may be
inconsistencies between different individuals. Any manual process can be subject to human error, so suitable
procedures should be put in place to counteract this.
Presently, radar technology is most commonly used in the fuel storage industry, although servo gauging
systems are also very common. The main reasons for radar being favoured over mechanical and float type
systems is that it has no moving parts and is non-invasive. This leads to higher reliability due to the removal of
factors such as wear and tear of moving mechanical components.
To prevent overfilling, tanks should have headspace margins that enable the filling line to be closed off in time.
The set points of high level trips and alarms requiring operator action should allow sufficient time for the action
to be taken to deal with the developing situation. Having established the overfill level (maximum capacity), it is
then necessary to specify a level below this that will allow time for any action necessary to prevent the
maximum from being reached/exceeded. The response in this case may require the use of alternative controls,
for example, manual valves, which are less accessible or otherwise require longer time to operate than the
normal method of isolation.
The high-high level device provides an independent means of determining the level in the tank and is part of the
overfilling protection system. It provides a warning that the tank rated capacity has been (or is about to be)
reached/exceeded and triggers a response:
 The function of the LAHH is to initiate a shutdown.
 The outcome of LAHH activation may be limited to a visible/audible alarm to alert a human operator to take
the required action. The actions required by the operator to a high-high level warning should be clearly
specified and documented.

 The response may be fully automatic, via an instrumented protective system including a trip function that
acts to close valves, stop pumps etc. to prevent further material entering the tank. The trip function should
include an audible/visual alarm to prompt a check that the trip function has been successful. Different
devices can be employed to provide the trip function; these may range from a simple level switch (level
switch high-high) to more sophisticated arrangements including duplicate level instrumentation.
When control rooms are not continually staffed, the reliable detection of plant problems needs careful
consideration.
Pressurised and refrigerated vessels
Liquefied petroleum gas (propane and butane) is stored under pressure (typically, between 2 and 20 bars), in
either cylindrical or spherical pressure vessels. The vessels are designed to withstand the pressures exerted
by the gas inside.
There should be a minimum separation distance between the tank, other tanks, any building, boundary line or
fixed source of ignition.
There should not be any drains or gullies near to the tank unless a water trap is provided to prevent gas
entering the drains. This is because LPG is heavier than air and if a leak were to develop from the tank or its
controls or pipe work or when it is being filled then the vapour could accumulate in an un-trapped drain or gully.
Ignition of these vapours could then lead to fire/explosion.
If possible, the tank (and its associated piping) should not be located in areas where there is no motor traffic
(i.e. no internal combustion engine vehicles). However, where this is not possible, then protection from a motor
vehicle hitting the tank is required such as crash barriers or bollards.
Measures to protect the structural integrity of LPG spheres include:
 Pressure relief valves.
 Passive fire protection for the legs of the sphere.
 Fixed gas detection.
 Fire water deluge systems.
 Impervious floors under the spheres.
 Regular inspection and maintenance of the sphere.
A liquefied natural gas (LNG) storage tank is a specialized type of storage tank used for the storage of
Liquefied Natural Gas. LNG storage tanks can be found in ground, above ground or in LNG carriers. The
common characteristic of is the ability to store LNG at very low temperature (-162°C).
Figure 3-20: LPG storage. Source: tradeKorea.com.

LNG storage tanks have double containers, where the
inner contains LNG and the outer container contains
insulation materials.
LNG is a cryogen, and is kept in its liquid state at very
low temperatures.
The temperature within the tank will remain constant if
the pressure is kept constant by allowing the boil off
gas to escape from the tank. This is known as auto-
refrigeration.
Carbon dioxide is stored as a liquid at room
temperature, in pressurised containers (at about
56bars).
Its many industrial uses include as a refrigerant and as
Figure 3-21: LPG storage. Source: HSE.
a fire extinguishing medium.

Loss of containment and consequences

JET FIRES
A jet or spray fire is a turbulent diffusion flame resulting from the combustion of a fuel continuously released
with some significant momentum in a particular direction or directions. Jet fires can arise from releases of
gaseous, flashing liquid (two phase) and pure liquid inventories.
Jet fires represent a significant element of the risk associated with major accidents, particularly on offshore
installations. The high temperatures of burning fuels lead to structural failure or vessel/pipe work failure and
possible further escalation.
The consequences of jet fires depend on the fuel composition, release conditions, release rate, release
geometry, direction and ambient wind conditions. Low velocity two-phase releases of condensate material can
produce lazy, wind affected buoyant, sooty and highly radiant flames similar to pool fires. Sonic releases of
natural gas can produce relatively high velocity fires that are much less buoyant, less sooty and hence less
radiant heat.
POOL FIRES
A pool fire is a turbulent diffusion fire burning above a horizontal pool of vaporising hydrocarbon fuel where the
fuel has zero or low initial momentum. The consequences of a pool fire is dependent on the diameter of the
pool, which may spread quickly over an area. Fires in the open will be well ventilated (fuel-controlled), but fires
within enclosures may become under-ventilated (ventilation-controlled). Pool fires may be static (for example,
where the pool is contained) or ‘running’ fires. Pool fires represent a significant element of the risk associated
with major accidents on offshore installations.
Software packages commonly used for offshore QRA studies include codes such as Aramas, Neptune and
Plato. These codes appear only to model open pool fires, which would not represent the particular features of
confined or ventilation-controlled fires.
HYDROCARBON VAPOUR CLOUDS
Vapour clouds arise from loss of containment of hydrocarbons. This can arise as a result of:
 The rupture/sudden depressurisation of an LPG vessel.
 Overfilling of a tank.
 Evaporation of a large spillage.
 Draining of LPG vessels.
When the hydrocarbon is releases into air, and the mixture is within the flammable limits, all that is required is a
source of ignition to generate a vapour cloud explosion.
The explosion can be either a detonation or a deflagration:
Deflagrations, the more common type of explosion, are flames (combustion waves) that move into the un-burnt
gas at subsonic speeds.
Detonations, on the other hand, are combustion waves moving at supersonic speeds and which spread as a
result of shock compression heating.
In some situations, deflagrations can develop into detonations. This occurs as a result of acceleration of the
flame front, as it travels through the flammable mixture (for example, in a confined space). If the rate of
acceleration is sufficient for the velocity of the flame front to become supersonic then the deflagration will
become a detonation.
Both types of explosion can have catastrophic consequences.
Confined vapour cloud explosions (CVCE’s)
If a flammable vapour cloud is ignited in a contained area (for example, a drum, or a tank), it can cause rupture
of the container and considerable localised damage. Debris and flash burns can cause serious, even fatal,
injuries to personnel in the vicinity (for example, the initial Piper Alpha explosion).
Unconfined vapour cloud explosions (UCVE’s)
An unconfined vapour cloud arises from the sudden, or significant, release of flammable gas/vapour into the
atmosphere. A UVCE occurs when this cloud mixes with air (within in the flammable limits) and finds a source
of ignition.
Such explosions have the potential for considerable destruction (for example, Buncefield 2005; Flixborough
1974).
The over-pressure generated by an unconfined explosion is a function of the flame speed, and the turbulence in
the medium through which the flame progresses. As the flame accelerates the pressure waves generated by
the flame front begin to develop into a shock front of increasing strength. If the explosion occurs in a medium of
low initial turbulence, is fully unconfined, and there are no obstacles present then the generated over-pressure
is very low. If obstacles are present then expansion-generated flow, created by the combustion of the un-burnt
gas passing through the obstacles, will generate turbulence. This will increase the burning velocity, because

increasing expansion flow which will further enhance the turbulence. This cycle continues generating higher
burning velocities and increasing over-pressures.
Boiling liquid expanding vapour cloud explosions (BLEVE’s)
A BLEVE is caused by the rupture of a vessel containing pressurised liquid (for example, LPG) above its boiling
point. The rupture is often caused by a flame impinging on the surface of the vessel.
The vessel contains pressurised liquid, and vapour above the liquid surface. The flame causes the vessel
pressure to rise, and the relief valve to open to release the pressure. This causes the liquid level to drop. As it
does so, the flames come in contact with the vessel surfaces above the liquid level (no liquid to absorb the
heat). The vessel wall begins to weaken and, ultimately, ruptures. This causes a rapid boiling of the liquid as a
result of the pressure drop, which then releases large amounts of vapour. On contact with an ignition source,
the vapour cloud will explode violently, generating a significant fireball, and causing large fragments of the
vessel to be projected significant distances. In addition, other major consequences include thermal radiation
and blast waves.
Feyzin (BLEVE)
Summary
The Feyzin disaster occurred in a refinery near to the small town of Feyzin (France) on 4 January 1966.
An LPG release occurred when an operator was draining water from a 1200m³ pressurised propane sphere.
The resultant cloud of propane vapour spread 150m until it was ignited by a car on an adjoining road. The pool
of propane in the bund caused the storage sphere to be engulfed in flames. The vessel became overheated
and a boiling liquid expanding vapour explosion (BLEVE) occurred when the sphere ruptured. This resulted in
a fireball which killed and injured firemen and spectators. Flying missiles broke the legs of an adjacent sphere
which later BLEVE'd. Three further spheres toppled due to the collapse of support legs which were not
adequately fire protected. These vessels ruptured but did not explode. A number of petrol and crude oil tanks
also caught fire. The conflagration took 48 hours to bring under control. This incident resulted in the deaths of
18 people, the injury of 81 and extensive damage to the site.
The Incident
During morning shift, workers were required to take a routine sample from each of the LPG storage tanks. A
team composed of a plant operator; the shift fireman and a laboratory technician were taking a sample from
sphere no. 443. The operator, due to the fact that he had only a single valve spanner, opened the valves in the
incorrect order. This caused the release of a small amount of caustic soda and a small amount of gas when he
opened the lower valve. This prompted the operator to close the valve and then reopen it, leading to only a few
drops emerging. The upper valve was then opened fully. This led to a very powerful jet of propane to rush out.
This release splashed up from the drain and gave frost burns to the operator on the face and forearm. As he
recoiled from the flow, the operator partly pulled off the valve handle. The fireman, losing sight of the operator,
turned on the water supply to the sprays fitted to the sphere and, with the operator, attempted to reposition the
valve handle and shut the valve. They failed to do so.
The three workers then set off on foot to sound the alarm and seek help (they were afraid of using the
telephone or starting up the truck that transported them there in case they set fire to the escaping gas). They
were successful in raising the alarm, and traffic was stopped on the nearby motorway. However, the escaping
gas ignited. The fire services attended the blaze, but they were not trained in controlling a BLEVE type fire.
While they attempted to cool the surrounding gas spheres, the leaking sphere exploded, killing several firemen.
The explosion also caused another sphere to topple and leak gas.
Lessons from Feyzin
The Feyzin disaster was the worst accident which had occurred in petroleum and petrochemical plants in
Western Europe, prior to the Flixborough disaster in 1974. Since then, many pressurised tanks containing
liquefied gases have BLEVE'd. The hazards are now better understood and storage spheres are protected
from fire engulfment by better design.
However, so many firemen and emergency servicemen have been killed while trying to control large fires that
the cautious philosophy is to evacuate and take shelter until the material burns itself out. BLEVE's produce
intense thermal radiation from the fireball, and blast damage from the bursting pressure vessel.
DRAINING OF LPG STORAGE VESSELS
Occasionally, water has to be drained form storage vessels. It was such an operation that started the chain of
events that lead to the Feyzin disaster. Such draining activities must be strictly controlled to prevent
unexpected release of flammable gas (leading to fire and explosion) and other risks such as freezing of the
drain valves, cold burns to the operator, and asphyxiation potential in confined areas.
Control measures when draining water from storage vessels include:
 Well trained staff.
 A safe operating procedure for the draining operation.
 Small diameter drain lines (20mm), downstream from the drain valves.

 Drain lines to be fitted with two valves (the second one, spring loaded).
 The length of piping between the drain valves to be at least half a metre, to minimise the potential for
freezing of the valves.
 Piping and valves to be adequately supported to prevent mechanical damage from vibration, or force of the
draining operation.
 Valves should have means of activation (for example, valve handles) that cannot be easily removed.
 Drain pipe should ideally discharge to a closed system - and not underneath the vessel.
 Water level indicators, provided close to the drain point.
 Gas detection system to be fitted in the vicinity of the draining operation.
Pipelines
Pipelines are generally the most economical way to transport large quantities of oil, refined oil products or
natural gas over land. Compared to shipping by railroad, they have lower cost per unit and higher capacity.
Although pipelines can be built under the sea, that process is economically and technically demanding, so a
significant amount of oil and gas from offshore oil and gas wells is transported by tanker ships.
Figure 3-22: Pipeline to be buried in the ground. Source: HSE.

Oil pipelines are made from steel or plastic tubes with inner diameter typically from 100 to 1,200mm. Most
pipelines are typically buried at a depth of about 1 to 2 metres. To protect pipes from impact, abrasion, and
corrosion, a variety of methods are used. These can include concrete coating, high-density polyethylene, and
cathodic protection (see ‘Element 2.5 - Plant operations and maintenance’).
The oil is kept in motion by pump stations along the pipeline, and usually flows at speed of about 1 to 6 metres
per second.
In general, pipelines can be classified in three categories:
1) Gathering pipelines - smaller pipelines that bringing crude oil or natural gas from wells to a treatment plant
or processing facility.
2) Transportation pipelines - larger diameters that move products oil and gas products across country.
3) Distribution pipelines - smaller pipelines that distribute tanks to tanks and storage facilities.
Operational control
Field devices include instrumentation, data gathering units and communication systems. The field
Instrumentation includes flow, pressure and temperature gauges/transmitters, and other devices to measure the
relevant data required. These instruments are installed along the pipeline on some specific locations, such as
injection or delivery stations, pump stations (liquid pipelines) or compressor stations (gas pipelines), and block
valve stations.
The information measured by these field instruments is then gathered in local remote terminal units (RTU) that
transfer the field data to a central location in real time using communication systems, such as satellite channels,
microwave links, or cellular phone connections. Pipelines are controlled and operated remotely, from what is
usually known as the ‘main control room’. In this location, all the data related to field measurement is
consolidated in one central database. The data is received from multiple RTUs along the pipeline. It is
common to find RTUs installed at every station along the pipeline.
The SCADA system at the main control room receives all the field data and presents it to the pipeline operator
through a set of screens, showing the operational conditions of the pipeline. The operator can monitor the
hydraulic conditions of the line, as well as send operational commands (open/close valves, turn on/off
compressors or pumps, change set points, etc.) through the SCADA system to the field. To optimize and
secure the operation of these assets, some pipelines incorporate advanced pipeline applications, which are
software tools installed on top of the SCADA system, that provide extended functionality to perform leak
detection, leak location, batch tracking (liquid lines), pig tracking, composition tracking, operator training and
security detection against arson and illegal tapping (removal of pipeline contents).

Pipeline cleaning and inspection

Crude oil contains varying amounts of wax, or paraffin,
and in colder climates wax build up may occur within a
pipeline. Often these pipelines are inspected and
cleaned using pipeline inspection gauges (PIGS).
Smart pigs (also known as intelligent or intelligence
pigs) are used to detect anomalies in the pipe such as
dents, metal loss caused by corrosion, cracking or
other mechanical damage.
These devices are launched from pig-launcher
stations and travel through the pipeline to be received
at any other station down-stream, the pigs may be
used to either remove wax deposits and material that
may have accumulated inside the line or to inspect
and record the condition of the line. Figure 3-23: Smart PIG. Source: Paint Square.
Pigging systems are designed so that the pig is loaded into the launcher, which is pressured up to launch the
PIG into the pipeline through a kicker line.
Figure 3-24: PIG launcher/receiver. Source: Pigging Products and Services Association.
The PIG is removed from the pipeline via the receiver at the end of each run. There are inherent risks in
opening the pig receiver door to atmosphere and care must be taken to ensure that the receiver is de-pressured
to atmospheric pressure prior to opening. If it is not completely de-pressured, the pig can be ejected at force,
and operators have been severely injured when standing in front of an open pig door.
Other uses of a PIG include:
 Physical separation between different fluids flowing through the pipeline.
 Inspection of the condition of pipeline walls.
 Capturing and recording geometric information relating to pipelines, for example, size, and position.
 Isolation of pipelines.
Decommissioning of offshore platforms
The offshore industry began in the Gulf of Mexico in 1947. Since then, the industry has designed, built and
installed more than 6500 structures on the continental shelves of some 53 countries.
No two structures are alike, as each individual installation is site-specific depending on the purpose of use, sea
environment, location and many other factors. Hence, it is impossible to design a prescriptive decommissioning
policy for all circumstances. Since 1973, over 100 small structures have been removed annually from the Gulf
of Mexico. The owner/operator recommends a removal/disposal solution to the authorities, but the relevant
state authorities make the final decision that the owner/operator must then implement.
Decommissioning of offshore installations is subject to a hierarchy and tight network of international, regional
and national regulations. Different conventions, laws and regulations address the two separate components of
decommissioning, namely removal and disposal.
Decommissioning options for the substructure include total removal (to shore for recycling or disposal as waste,
deep water disposal, reuse or other uses), partial removal (to shore for recycling or disposal as waste, deep
water disposal, reuse or other uses, emplacement or toppling on site), or leave in place.
In all cases, wells will have been plugged and abandoned and the facilities will have been made safe. In
submitting a decommissioning recommendation, the operator must show that more than one option was
considered. In more than 90% of cases, the decommissioning solution will generally be straightforward.
However, the industry should be well prepared for all eventualities, learning from the experience of the Brent
Spar (in the North Sea, UK), where the owner recommended a solution (deep-sea disposal) which the
authorities approved but public opinion intervened and eventually forced the operator to reconsider alternative

solutions. Decommissioning occurs when oil or gas production from a field is exhausted or when an installation
reaches the end of its useful life.
For drilling and production installations, there are
three principal stages:
1) Cessation of production.
2) Plugging and abandonment (P&A) of wells and
making them safe.
3) Removal and disposal of redundant facilities as
appropriate.
The owner/operator will normally be required to
prepare, for approval by the national regulator, a
Decommissioning Programme which identifies the
decommissioning options, evaluates the technical
feasibility, assesses the environmental and societal
impacts, and minimises the risks to human health and
safety. The principal method of small platform
removal and that proposed for larger platforms would
be to lift the topsides onto a heavy lift vessel (HLV) Figure 3-25: Heavy lift vessel. Source: EMAS.com.
and then lift all or part of the jacket also using a HLV.
Such operations are weather-dependant. In addition, the world HLV fleet is small, with some nearing the end of
their working lives.
Management of simultaneous operations (SIMOPS)
SIMOPS (simultaneous operations) may be described as the potential clash of activities that could cause harm
to people, damage to plant and equipment, or both. SIMOPS often involve multiple contractor companies with
large multi-disciplined workforces, carrying out a wide range of routine and none routine maintenance,
construction and commissioning tasks.
The risks associated with SIMOPS can be eliminated, minimised or managed through proper planning,
communication and supervision. When SIMOPS are involved, it is crucial that all parties involved should meet
to discuss all activities undertaken, and how they will impact on each other.
The meeting should:
 Identify the main hazards associated with the activities.
 Summarise the control measures to be applied.
 Identify time frames for the activities.
 Identify responsibilities, and nominate the responsible person for each party.
 Identify communications methods for the activities.
 Agree, develop contingency/emergency plans.
It is important that interface documentation is developed for the SIMOPS activities. The document(s) should
detail the covered activities, and may include a SIMOPS matrix, to identify which activities are permissible when
conducted simultaneously.
The document will include:
 Scope of the activities covered by the document.
 Details of roles and responsibilities.
 SIMOPS risks and mitigation measures.
 Procedures and controls.
 Contingency plans.
 Details of communications processes.
 Permit-to-work details.
SIMOPS will often be managed by a single permit-to-work system, co-ordinated by the person in overall charge
of the activities (for example, the client’s representative). Regular meetings should take place during the work,
as should regular communication between all parties involved in the activities.
Once the SIMOPS have been completed, it is good practice to conduct a close-out review. This should capture
any lessons to be learnt for future SIMOPS activities.
3.5 - Fire hazards, risks and controls

Lightning
Lightning is a form of static electricity; it has extremely high electrical potentials and energy and can generate
extremely high temperatures. It tends to strike the tallest object on the ground in the path of its discharge.

Parts of structures most likely to be struck are those that project above surrounding parts, vents, edge of roof,
wind sock, etc. The bolt generally follows a conductive path to ground.
Lightning protection provides a controlled path for the current to follow back to earth and minimises the
development of hazardous potential differences. It may not be possible to completely eliminate the possibility of
damaging accidents caused by lightning, a random phenomenon. However steps can be taken to minimize
them. Facilities should determine an adequate level and type of protection and then regularly maintain and
inspect the protection systems.
A low impedance path (for example, lightning rod to ground) should be offered to prevent the lightning current
from taking other possible destructive routes. Most metals are good electrical conductors for low impedance
paths and unaffected by electricity flow. This path must be a continuous path from the ground terminal to the
air terminal (lightning rod). This requires that metal parts be interconnected or bonded so that they maintain the
same electrical potential. This prevents side-flashes or sparks over disconnected metal parts. Potential gaps
between metallic conductors should be avoided especially where flammable vapours may escape or
accumulate.
For tanks holding flammable substances, protection devices, such as air terminals (lightning rods), bonding and
appropriate grounding systems, conductors (connects air terminals to grounding system), masts, overhead
ground wires, and other types of protection, should be considered.
Some tanks used for storage of flammable substances may be self-protecting from damage from lightning and
may need no additional protection; such tanks would include metallic structures that are electrically continuous,
tightly sealed to prevent the escape of liquids, vapours, or gases, and of adequate thickness to withstand direct
lightning strikes. Testing, inspection, and electrical continuity measurement should be a part of scheduled
maintenance programmes.
Fire triangle and the potential consequences
The fire triangle is a simple approach that depicts fire
as having three essential components: fuel, oxygen
and heat. When these three components combine in
the right proportions, the chemical reaction of
combustion takes place. The three components are
portrayed as coming together in a triangle, which
shows their dependency on each other for the
combustion process. This approach is useful when
considering the components needed to make a fire
and how they are extinguished. If one or more of the
components of a fire is removed, the fire will be
extinguished.
This can be done by cooling the fire to remove the
heat; starving the fire of fuel; smothering the fire, to
limit its oxygen supply. Figure 3-26: Fire triangle. Source: RMS.
THERMAL RADIATION
Fires on oil and gas installations can be intense emitters of heat, smoke, and other combustion products. This
is particularly true if the fuel is a petroleum based substance, with a high heat of combustion and sooting
potential. The radiant energy flux can be sufficiently high to threaten both structural integrity, and the physical
safety of fire fighters, plant personnel, and potentially people beyond the boundaries of the facility.
For example, when a flammable liquid with a vapour pressure greater than atmospheric is released from
pressurised storage, flash evaporation occurs. The ignition of such a release is likely to create a fireball which
creates a short lived, but intense, source of thermal radiation.
Protection against thermal radiation is an important issue in fire-fighting and in fire safety engineering design to
prevent fire spread, protect structures and provide safe egress conditions for personnel in case of fire
emergencies.
Human physiological effects typically include high pulse rates, increased and laboured respiration increased
sweating and increased body temperature. At skin temperatures above 44°C, pain is felt and injury continues
whilst the temperature remains above this point. The rate of injury increases by a factor of 3 for every degree
above 44°C, such that at 50°C, the injury rate is -100 times that at 44°C.
EXPLOSIONS
An explosion is a rapid increase in volume and release of energy in an extreme manner, usually with the
generation of high temperatures and the release of gases. An explosion creates a shock wave. If the shock
wave is a supersonic detonation, then the source of the blast is called a ‘high explosive’. Subsonic shock
waves are created by low explosives through the slower burning process known as deflagration.

Explosions can occur in flammable gases, vapours and certain types of dusts. For the explosion to occur the
gas, vapour or dust must be mixed with air in such proportions that the mixture is within the flammability range
for that substance. Explosion can occur with such gases as hydrogen, propane, acetylene and examples of
dusts that may cause explosion hazards are aluminium, coal, flour and polythene.
Electrostatic charges
Static electricity is an electric charge built up on persons or objects through friction. It is most familiar as an
occasional annoyance in seasons of low humidity, but can be destructive and harmful in some situations.
When working in the presence of flammable gases, liquids or dusts, care must be taken to avoid accumulating
and discharging static electricity.
Electrostatic discharge can provide a source of high energy that may be sufficient to ignite flammable gases,
vapours or dusts
Discharge of static electricity can create severe hazards in oil and gas installations, where a small electrical
spark may ignite explosive mixtures.
The flowing movement of finely powdered substances or low conductivity fluids in pipes or through mechanical
agitation can build up static electricity. Dust clouds of finely powdered substances can become combustible or
explosive.
When there is a static discharge in a dust or vapour cloud, explosions have occurred. Among the major
industrial incidents that have occurred are: a grain silo in southwest France, a paint plant in Thailand, and a
storage tank explosion in Glenpool, Oklahoma in 2003.
Controls to minimise the risk of static discharge, include:
 The use of conductive materials (for example, in filling operations).
 Good earthing and bonding systems.
 The use of anti-static additives.
 Employing low transfer velocities.
 Avoidance of splash filling.
 The use of anti-static clothing.
Ignition sources - identification and control
Ignition sources can be found in many forms. They include:
 Flames.
 Direct fired space and process heating.
 Use of cigarettes/matches etc.
 Cutting and welding flames.
 Hot surfaces.
 Hot process vessels.
 Space heating equipment.
 Mechanical machinery.
 Electrical equipment and lights.
 Friction heating or sparks.
 Impact sparks.
 Sparks from electrical equipment.
 Electrostatic discharge sparks.
 Lightning strikes.
 Vehicles, unless specially designed or modified are likely to contain a range of potential ignition sources.
Sources of ignition should be effectively controlled in all hazardous areas by a combination of design measures,
and systems of work:
 Using electrical equipment and instrumentation classified for the zone in which it is located.
 Earthing of all plant/equipment.
 Provision of lightning protection.
 Correct selection of vehicles/internal combustion engines that have to work in the zoned areas.
 Prohibition of smoking/use of matches/lighters.
 Controls over the use of normal vehicles.
 Control of maintenance activities that may cause sparks/hot surfaces/naked flames through a permit-to-
work system.
DIRECT FIRED HEATING EQUIPMENT
A range of petrochemical and refinery processes use fired heaters (for example, boilers, furnaces) for steam
raising and process heating purposes. Clearly, if the fuel supply to the heater or the pipe work carrying the
process fluid leaks close to the heater, any leak must be expected to find a source of ignition, either directly at
the flames, or by a surface heated by a flame. In these circumstances, hazardous area classification, and
appropriate selection of equipment is not suitable as a basis of safety for preventing fire and explosion risks.

Instead, safety should be achieved by a combination of a high standard of integrity of fuel and process
pipelines, together with a means of rapid detection and isolation of any pipes that do fail.
Zoning and hazardous area classification
Hazardous areas are defined in the UK Dangerous Substances and Explosive Atmosphere Regulations
(DSEAR) 2002 as ‘any place in which an explosive atmosphere may occur in quantities such as to require
special precautions to protect the safety of workers’.
Area classification is a method of analysing and classifying the environment where explosive gas atmospheres
may occur. The main purpose is to facilitate the proper selection and installation of apparatus to be used safely
in that environment, taking into account the properties of the flammable materials that will be present. DSEAR
specifically extends the original scope of this analysis, to take into account non-electrical sources of ignition,
and mobile equipment that creates an ignition risk.
Hazardous areas are classified into zones based on an assessment of the frequency of the occurrence and
duration of an explosive gas atmosphere, as follows:
 Zone 0: an area in which an explosive gas atmosphere is present continuously or for long periods; (zone 20
for dusts).
 Zone 1: an area in which an explosive gas atmosphere is likely to occur in normal operation; (zone 21 for
dusts).
 Zone 2: an area in which an explosive gas atmosphere is not likely to occur in normal operation and, if it
occurs, will only exist for a short time; (zone 22 for dusts).
The Zone classification will determine the requirements for the selection of equipment to be used in that area,
as follows:
 Zone 0 or 20: Category 1 Equipment.
 Zone 1 or 21: Category 1 or 2 Equipment.
 Zone 2 or 22: Category 1, 2 or 3 Equipment.
TYPES OF EQUIPMENT
Intrinsically safe equipment (Ex i)
Intrinsically safe equipment is equipment that, by design, cannot produce a spark with sufficient energy to ignite
the flammable substance present. There are three categories:
1) ‘Ia’: this offers the highest level of protection and is generally considered as being adequately safe for use
in the most hazardous locations (Zone 0), ‘ia’ is adequately safe in the event of two ‘faults’ developing, and
gives greater protection than ‘ib’ and ‘ic’.
2) ‘Ib’: apparatus which is adequately safe with one fault, is considered safe for use in less frequently
hazardous areas (Zone 1).
3) ‘Ic’: apparatus which is assessed in ‘normal operation’ and is generally acceptable in infrequently
hazardous areas (Zone 2).
Examples if type ‘i’ equipment include instrumentation and low energy equipment.
Flameproof equipment (Ex d)
This apparatus is designed and constructed to withstand an internal explosion, without igniting the flammable
atmosphere in which the equipment is sited. Flameproof equipment is usually category 2 and therefore suitable
for zones 1 and 2. Examples of flameproof equipment are motors, lighting, and junction boxes.
Type ‘e’ equipment
Type ‘e’ equipment does not produce arcs, sparks or temperatures high enough to ignite a flammable
atmosphere. This equipment (category 2) is suitable for use in zone 1 and 2 areas. Examples of such
equipment include motors, lighting.
Type ‘N’ equipment
This equipment is nonincendive and non-sparking (category 3) and will not ignite a flammable atmosphere
under normal conditions. It is only suitable for use in zone 2 areas.
Correct selection of electrical equipment for hazardous areas requires the following information:
 Classification of the hazardous area (as described above).
 Temperature class or ignition temperature of the gas or vapour involved according to figure ref 3-27.
Temperature classification Max surface temp, °C Ignition temp of gas or vapour, °C
T1 450 >450
T2 300 >300
T3 200 >200

Temperature classification Max surface temp, °C Ignition temp of gas or vapour, °C

T4 135 >135
T5 100 >100
T6 85 >85
Figure 3-27: Temperature class or ignition temperature. Source: RMS.
If several different flammable materials may be present within a particular area, the material that gives the
highest classification dictates the overall area classification.
3.6 - Furnace and boiler operations

Use of furnaces and boilers
Furnaces and boilers are items of equipment that are often found as part of process plant and are used for a
variety of purposes such as waste heat recovery, steam generation, heating of process streams.
A boiler (or steam generator) is a device used to create steam by applying heat energy (from the burning of oil,
gas or coal) to water.
The form and size depends on the application. Industrial installations will usually have a larger separate steam
generating facility connected to the point-of-use by piping. The steam can be used to generate electricity; to
power steam turbines and to provide a source for domestic and process heating.
An industrial furnace (or direct fired heater) is used to provide heat for a process. Furnace designs vary as to
function, heating duty, and type of fuel and method of introducing combustion air. However, most process
furnaces have some common features.
Fuel flows into the burner (typically oil or gas) and is burnt with air provided from an air blower. There can be
more than one burner in a particular furnace which can be arranged in cells which heat a particular set of tubes.
Burners can also be floor mounted, wall mounted or roof mounted depending on design.
The flames heat up the tubes, which in turn heat the fluid inside in the first part of the furnace known as the
radiant section or firebox. In this chamber where combustion takes place, the heat is transferred (mainly by
radiation) to tubes around the fire in the chamber.
The heating fluid (HTF) passes through the tubes and is thus heated to the desired temperature. It is important
to keep tube metal temperature (TMT) within the design parameters. Failure to do so can result in tube(s)
weakening/creeping. Failure of tubes can lead to a violent explosion within the boiler/furnace. Low
temperatures can give rise to fouling inside the tubes, thus impairing heat transfer.
Large boilers and furnaces use thermocouples to monitor temperatures at strategic locations to locate ‘hot
spots’ and monitor efficiency. The information is feedback to process control room operators to assist in
ensuring safe and optimal operation.
The gases from the combustion are known as flue gas. After the flue gas leaves the firebox, most furnace
designs include a convection section where more heat is recovered before venting to the atmosphere through
the flue gas stack. Furnaces provide the heating source for crude oil, in the first stage distillation process in a
refinery.
Figure 3-28: Boiler layout. Source: NTPC 6 weeks project report.

Figure 3-29: Simple industrial furnace. Source: http://maps.thefullwiki.org/Furnace.
Hazards and risks of operating boilers and furnaces

The main hazards associated with boiler and furnace operations are as follows:
LOSS OF PILOT GAS SUPPLY
A pilot gas supply is used to ignite the boiler fuel (which can be gas, oil or solid). If the flame goes out gas will
continue to enter the boiler causing a build-up of potentially flammable gases. If the gases are not purged, re-
ignition of the boiler can lead to explosion, leading to damage to the boiler/furnace, and possible injury to
nearby personnel. Purging would typically be for 15/20 minutes in order to remove any residual fuel from the
system.
Flame detectors are used in multi burner and large industrial boilers to detect the presence and absence of
flame produced from each burner and its associated igniters. Information from the flame detectors is an integral
part of the burner management system.
OVERFIRING
Overfiring occurs as a result of having too much fuel, poor flame adjustment (for example, air/fuel ratio) or
burner tip/atomiser problems in the case of fuel oil fired boilers.
FLAME IMPINGEMENT
Poor firing can result in ‘flame impingement’. This occurs when the flame touches the tubes. The result is
potential corrosion on the tubes at the flame interface, particularly if firing heavy oils with contaminants. The
corrosion is accelerated due to high metal temperatures associated with flame impingement and chemical
deposits placed on the tubes resulting from quenching the flame when it touches the tube wall. Water
treatment problems can accentuate the problems associated with flame impingement because internal deposits
at this localized high temperature zone are formed on the inside tube wall driving the tube operating
temperature even higher.
FIREBOX OVER PRESSURE
The firebox of a forced draft furnace/boiler is designed to withstand the overpressure that can be generated by
the fans, with dampers in the closed position. This is particularly important when forced and induced draft fans
are provided to discharge combustion products through heat recovery systems, since high fan pressures are
often used to overcome increased pressure drop. Firebox overpressure may also occur as a result of tube
rupture.
BOILER TUBE FAILURE
Long term overheating tube failures are due to operating metal temperature of the boiler tubes going above the
allowable limit. Boilers used for industrial steam generation and power generation have kilometres of tubes that
carry water and steam through the circulation system and super heaters, respectively. These tubes are of

various sizes and thicknesses depending upon the pressure and the mid-wall metal temperature. The tubes
selected are boiler quality tubes manufactured under various standards (for example, ASME, BS, DIN, JIS).
When tube temperature exceeds the allowable metal temperature of the tube material, overheating sets in.
This can happen as a result of internal deposits, low flow though the tube, a sudden load raise. When the metal
temperature of the tube exceeds the allowable limit the material strength reduces drastically, and can fail.
Operating the boiler within the specified range of parameters and regime can minimise the risk of this type of
failure.
Exam practice
1. (a) Explain the term ‘creep’. (2)
(b) Outline the measures which can be taken to prevent creep failure. (6)
2. (a) Explain what is meant by the term proof test in relation to shut down valve safety. (2)
(b) Outline the purpose of emergency shutdown systems (ESD’s). (6)
3. (a) Outline how poor design has led to storage tank failures. (2)
(b) Explain how corrosion may result in storage tank containment loss. (6)
4. More ductile materials, such as steel become brittle at low temperature and can also be subject to brittle
failure. Outline the factors that promote brittle failure. (8)
5. Explain the terms ‘a proof test’ and ‘a diagnostic test’ used to ensure a high level of performance of an
emergency shut down valve. (8)
6. (a) Explain why floating roof tanks are used for storage of certain materials. (2)
(b) Outline the operation of a floating roof tank and how materials are contained safely within. (6)


Element
4
Fire protection and emergency response
Learning outcomes
4.1 Outline appropriate control measures to minimise the effects of fire and explosion in the oil and gas
industries.
4.2 Outline the principles, procedures and resources for effective emergency response.
Content
4.1 - Fire and explosion risk in the oil and gas industries .....................................................................................85
Leak and fire detection systems ...........................................................................................................................85
Gas detection ........................................................................................................................................................85
Leak detection .......................................................................................................................................................86
Fire detection ........................................................................................................................................................86
Smoke detection ...................................................................................................................................................86
Heat detection .......................................................................................................................................................87
Passive fire protection ...........................................................................................................................................87
Active fire protection..............................................................................................................................................89
Choice of fire-fighting media .................................................................................................................................89
Examples of specific fire protection systems ........................................................................................................91
4.2 - Emergency response ....................................................................................................................................92
Emergency response plan (ERP) .........................................................................................................................92
Content of an emergency response plan ..............................................................................................................93
Medical emergency planning ................................................................................................................................93
Principles of escape, evacuation and rescue........................................................................................................94
Roles and structure of emergency response teams .............................................................................................95
Exam practice .......................................................................................................................................................97

UNIT IOG1 - ELEMENT 4 - FIRE PROTECTION AND EMERGENCY RESPONSE
Sites, http://www.hse.gov.uk/comah/buncefield/fuel-storage-sites.pdf
Fire systems integrity assurance (OGP Report No. 6.85/304)
ISO 13702 Petroleum and natural gas industries - Control and mitigation of fires and explosions on offshore
production installations - Requirements and guidelines
API recommended Practice no 2021 Management of Atmospheric Tank Fires
Fire and Gas Detection in the Process Industry: J.Hind (http://www.jonhind.com/fire-and-gas-in-the-process-
industry-jon-hind%20paper.pdf)
Fire and Gas Detection: HSE Offshore
HSE: Offshore Report OTO 200 051: Review of Response of Pressurised Process Vessels and Equipment to
Fire Attack
Passive Fire Protection: Wikipedia
Active Fire Protection: HSE: Active/Passive Fire Protection (hse.gov.uk/comah/sragtech/lechmeasfire.htm)
Fire Engineering (www.fireengineering.com)
HSE: HSG 191: Emergency Planning for Major Accidents
HSE: L65: Prevention of Fire and Explosion and Emergency Response on Offshore Installations

FIRE PROTECTION AND EMERGENCY RESPONSE - ELEMENT 4 - UNIT IOG1
4.1 - Fire and explosion risk in the oil and gas industries
Leak and fire detection systems
Fire and gas detection systems in oil and gas installations are designed to mitigate unexpected events.
Designers need to know what is available in order to choose the correct systems for their plants.
There are two principal types of detector which are commonly in use in offshore installations: heat, flame and
smoke, and flammable gas instruments. The most significant for risk reduction are gas detection systems,
since they give the earliest warning of hazardous situations, as a result of either flammable or toxic gas
releases. Infrared (IR), line-of-sight or point type detectors which identify an accumulation of gas and acoustic
leak detectors, are also used.
Gas detection
INFRARED ABSORPTION COMBUSTIBLE GAS DETECTION
The technology uses the absorption characteristics of the hydrocarbon molecules to infrared light. The more
hydrocarbon molecules are present, the higher the absorption of infrared radiation. More than one type of
hydrocarbon gas may be detected.
This technology is more expensive than catalytic detection, but it is used for many applications as it doesn’t
need field calibration and proof test intervals are considerably better (longer) than for catalytic types. Speed of
response is quicker than for catalytic types. Unlike catalytic types, the detector doesn’t need oxygen for
operation.
Point infrared detectors record the gas concentration
at the detector location. They need to be placed
where a release of gas is considered possible. They
can be placed remotely and connected to the
sampling location by tubes, with air sucked across the
detecting chamber. Consideration needs to be given
to the extra detection time added by the transit time
down the tube. (Example uses: air inlets, confined
spaces).
Infrared open-path gas detectors send out a beam of
infrared light, detecting gas anywhere along the path
of the beam. This linear ‘sensor’ is typically a few
metres up to a few hundred metres in length.
(Example use: pipe rack monitoring). Figure 4-1: Infrared point gas detector. Source: J.Hind.
An open path detector usually costs more than a single point detector, so there is little incentive for applications
that play to a point detector's strengths: where the point detector can be placed at the known location of the
highest gas concentration, and a relatively slow response is acceptable. The open path detector excels in
outdoor situations where, even if the likely source of the gas release is known, the evolution of the developing
cloud or plume is unpredictable.
Gas will almost certainly enter an extended linear beam before finding its way to any single chosen point. Point
detectors in exposed outdoor locations require weather shields to be fitted, increasing the response time
significantly. Open path detectors offer a cost advantage in any application where a row of point detectors
would be required to achieve the same coverage, for instance, monitoring along a pipeline, or around the
perimeter of a plant. Not only will one detector replace several, but the costs of installation, maintenance,
cabling etc. are likely to be lower.
Catalytic gas detectors
Catalytic detectors rely upon burning gas in a sintered chamber. For this reason they are only available as a
point detector or as part of a multi-point aspirating system.
They require periodic checking, calibration and replacement and are liable to poisoning by chemicals. For
these reasons, despite their lower cost than infrared detectors they have fallen out of general use in the process
industries. (Example use: hydrogen detection).
Toxic gas detection
Technologies available include chemical cell and semiconductor point detectors. Many different types of gas
can be detected. Cross-sensitivity to different gases other than those being looked for needs to be given
careful attention to ensure measurement accuracy.
Chemical cell types require sensor replacement at intervals determined by the environment. Semiconductor
cells are also affected by their environments. (Example uses: hydrogen sulphide detection at well heads or in
processing areas).

Figure 4-2: Catalytic gas detector. Source: J.Hind. Figure 4-3: Toxic gas detector. Source: J.Hind.
Leak detection
Leak detection may not be considered to be part of the fire and gas detection system. Leak detection is often
regarded as a supervisory or maintenance facility, or an adjunct to the fire and gas system by using them in
conjunction with other detection methods.
ULTRASONIC LEAK DETECTORS
Devices are available for detecting the sound of leaks
at ultrasonic frequencies and have more general
application. They do not detect a specific gas but
detect the characteristic sound of gas or vapour
leaking from the plant (for example, a flange, joint,
valve). Time delays are built into the detection system
or detectors to aid in differentiating between normal
process emissions and leaks.
Ultrasonic gas detectors are mainly used for outdoor
environments where weather conditions can easily
dissipate escaping gas before allowing it to reach gas
leak detectors that require contact with the gas in
order to detect it and sound an alarm. These
detectors are commonly found on offshore and
onshore oil/gas platforms, gas compressor and
metering stations, gas turbine power plants. Figure 4-4: Point leak detector. Source: J.Hind.
Fire detection
Fires can be detected from flame, smoke or heat. A combination of devices may be needed for best results.
There is no perfect fire detector.
INFRARED (IR) FLAME DETECTORS
The detector relies on infrared radiation produced by flames. The level and wavelength of infrared radiation
varies depending on the fuel of the flame being detected. The detector detects a flame within a cone of vision.
The shape and length of the cone of vision varies between different models and manufacturers of flame
detectors.
In some detectors, more than one wavelength of infrared radiation is used. Background infrared radiation can
lead to reduced sensitivity and reduced effective detection distances. Careful placement is needed.
ULTRA-VIOLET (UV) FLAME DETECTORS
These detectors rely on the effective detection of ultra-violet radiation produced by flames. This is the original
type of flame detector and has been largely superseded by other technologies. Detection of hydrogen fires,
which used to mandate UV detectors, can also now be done by some infrared flame detectors.
Smoke detection
Smoke detection technology ranges from the battery-powered detectors on sale generally to sophisticated
visual, camera-based detection systems.

POINT SMOKE DETECTORS

Point detectors detect smoke at a fixed point. They
need to be placed where smoke realistically could
travel in the event of a fire. The majority in use rely on
smoke accessing a chamber containing the detector
element. These detectors therefore have a low IP
rating and cannot be used in external areas.
With the use of addressable systems, each location
can be pinpointed. (Example uses include: offices,
corridors, accommodation buildings).
There are two basic types:
Ionisation point smoke detectors
This used to be the predominant smoke detection
technology. It has been largely superseded by optical
or combined optical smoke/heat detectors. Figure 4-5: Example of point smoke detector. Source: J.Hind.
These detectors use a small radioactive source and detect decreased conduction caused by the ionisation of
smoke particles in a detection chamber.
Optical point smoke detectors
These detectors generally detect smoke particles inside a chamber by an increase of light scatter caused by
smoke particles or by the smoke particles obscuring a light beam.
Heat detection
Heat detection is used where ambient temperatures or
environment preclude the use of smoke detection.
Linear heat detectors offer wide area coverage, with
some linear heat detectors discriminating alarms both
by temperature and location.
POINT HEAT DETECTION
These detect high temperatures at a given point.
They are still commonly described as ‘rate of rise, and
fixed heat detectors’.
Rate of rise detectors respond to a sudden increase of
temperature whilst fixed detectors are set to a fixed
temperature.
(Example uses include: kitchens; turbine hoods).
LINEAR (LINE) HEAT DETECTORS Figure 4-6: Rate compensated heat detector. Source: J.Hind.
These detectors detect heat somewhere along the length of the device. They vary from the simple destructive
types that burn through and signal an alarm to sophisticated systems that monitor the actual temperature at a
particular point.
(Example uses include: tank rim seals; cable tunnels).
Passive fire protection
Passive fire protection (PFP) may be defined as ‘a coating, cladding or free-standing system which, in the event
of a fire, will provide thermal protection to restrict the rate at which heat is transmitted to the object or area
being protected’.
These materials are used to:
 Prevent escalation of the fire due to progressive releases of inventory, by separating the different fire risk
areas.
 Protect essential safety items and critical components such as separators, risers and topside emergency
shutdown valves.
 Minimise damage by protecting the critical structural members, particularly those which support the
temporary refuge, escape routes and critical equipment.
 Protect personnel until safe evacuation can take place.
The required fire resistance may be achieved by the use of PFP in conjunction with active fire protection
systems such as water deluge, in which case a minimal residual protection must be achieved should the active
systems fail to operate. PFP is used particularly where active systems are impracticable, have insufficient
reliability or where protection is needed within the probable response time of an active system.

TYPES OF PFP
There are many types of PFP materials on the market, which can be broadly categorised as follows:
 Spray-applied and coating materials (comprising primer, coating, top sealer coat and/or a decorative coat).
 Blanket/flexible jacket/wrap around systems.
 Prefabricated sections.
 Enclosures and casings.
 Composites.
 Seals and sealants.
 Fire walls.
 Systems (for example, cable transits, inspection hatches, pipe penetration systems).
Spray coatings
Involves the application of intumescent or endothermic paints, or fibrous or cementatious plasters to keep
material such as structural steel, valves, liquefied petroleum gas (LPG) vessels, vessel skirts, bulkheads or
decks below either 140°C for electrical items or ca. 500°C for structural steel elements to maintain operability
of the item to be protected.
Enclosures
Boxes or wraps made of fireproofing materials, including fire-resistive wraps and tapes to protect speciality
valves (such as ESD’s) and other items deemed to require protection against fire and heat.
Fireproof cladding
Boards used for the same purpose and in the same applications as spray fireproofing. Materials for such
cladding include perlite, vermiculite, calcium silicate, gypsum, intumescent epoxy, durasteel (fibre - reinforced
cement, mechanically bonded to punched steel sheets).
Seals and sealants
Commonly used to fill gaps through which services pass (for example, cables; fire water risers in buildings).
Another example is the intumescent strip, fitted around the edges of a fire door. This is activated by heat and
seals the door, preventing the passage of fire and smoke.
Cable coating
The application of fire-retardants, which are either endothermic or intumescent, to reduce flame spread and
smoke development of combustible cable-jacketing.
Fire walls
A firewall is a fireproof barrier used to prevent the spread of fire between or through buildings, and structures.
Fire walls are constructed in such a way as to achieve a code-determined fire-resistance rating, thus forming
part of a fire compartment's passive fire protection. Materials of construction include concrete and gypsum
boards.
Compartmentalisation
Compartmentalisation in structures, such as process modules, buildings, is the fundamental basis and aim of
passive fire protection. The idea is to divide a structure into ‘fire compartments’, which may contain single or
multiple rooms, for the purpose of limiting the spread of fire, smoke and flue gases, in order to enable the three
goals of fire protection: preserving life, protecting property and continuing operations. All components forming
part of such a compartment are subject to stringent bounding in countries where product certification is
mandatory.
Figure 4-7: Fire resistant rated wall with fire door. Source: Wikipedia. Figure 4-8: Fire protection enclosure around ESD actuator.
Source: IREX Contracting Group.

Figure 4-9: Sprayed coating on steel beam. Source: DCI Flooring. Figure 4-10: Sublimation coating on LPG vessel. Source: Donelli.
Active fire protection

Active fire protection systems such as water sprinkler and spray systems are widely used in the process
industries for protection of storage vessels and process plant.
The duty of the fire protection system may be to extinguish the fire, control the fire, or provide exposure
protection to prevent domino effects.
For some applications foam pourers or fixed water monitors may be a more appropriate method of delivery than
sprays or sprinklers.
Other more specialised systems using inert gases and halogen based gases are used for flooding enclosed
spaces.
Systems can be fixed (for example: deluge or sprinkler systems) or portable (extinguishers). Fixed installations
are often linked to a detector, and are activated automatically on detection of heat.
Choice of fire-fighting media
The selection of media will depend on the required duty. This may be to extinguish the fire, control the fire, or
provide exposure protection. Types of fire-fighting media are:
 Water.  Chemical powders.
 Foams.  Halons.
 Inert gases.
Water is not recommended as an extinguishing media for low flash point liquids, but it is used widely throughout
industry for fire control and exposure protection.
Foam is a more effective extinguishing media for low flash point substances and is widely used against liquid
fires. There are various types of foam available, but the most widely used is protein foam. Alcohol resistant
foam is used for application on polar solvents where the foam stability is affected. Other more specialist foams
have been developed to give improved extinguishing properties such as fluoro-protein and aqueous film forming
foams.
Other agents such as inert gases, chemical powders and halogen based gases (halons) can be delivered by
active fire protection systems, but these tend to be installed where process equipment is contained within an
enclosure such as a gas turbine enclosure. A common use for these systems is in the protection of switch
rooms and control panels. There has been movement away from the use of halons over recent years due to
their potential effect upon the ozone layer and other undesirable environmental effects.
FIXED WATER BASED SYSTEMS
Comprises:
 A source of water: (for example, sea water, tank, river, wells).
 A pump: designed to deliver at the required flow rate and pressure, with quick or automatic activation.
 Fire water mains: a piping system to transport the water from the pump to where it is needed (for
example, fire hydrants, risers, sprinkler heads). These may be kept normally ‘dry’ (empty) or, for quicker
response, ‘wet’ (full of water). Corrosion potential of the water is a factor that has to be considered when
looking at wet or dry systems.
Water systems primarily operate by cooling the fire. Water is suitable for use in environments containing solid
combustible materials such as wood, paper and textiles (Class A fires).
FIXED FOAM SYSTEMS
Similar to fixed water based systems, except that a foam concentrate is injected into the fire water system from
a separate vessel.
Basically, foam is a stable mass of small, air-filled bubbles that have a lower density than oil, petrol, or water.
When it is discharged, it comprises three elements; the foam concentrate, water and air. Because of the
product’s low density, it readily floats on a fuel’s surface to extinguish a flammable liquid fire by separating the
fuel from oxygen. Effectively, it smothers the fire, while its high water content provides effective cooling.

Figure 4-11: Fire monitor converted for foam use. Figure 4-12: Foam monitor: may be used to protect tanks or jetties.
Source: Williams Fire and Hazard Control. Source: Narfoam Kar Company.
Foam can be used on fire involving solid combustible materials and is highly effective on flammable liquid fires
(for example, hydrocarbon fuel fires).
SPRINKLER SYSTEMS
Automatic sprinkler systems are used more than any
other fixed fire protection system. The purpose of an
automatic sprinkler system is to detect the fire,
extinguish or control the fire and to raise the alarm.
The structure/area to be protected is covered by a grid
of pipes with sprinkler heads fitted into them at regular
intervals. Pumped water (from a source such as a
tank or seawater) fills the pipes.
Each sprinkler head will open when it reaches a
specific temperature and spray water on to a fire. The
hot gases from a fire are usually enough to make it
operate. Figure 4-13: Sprinkler head with frangible bulb. Source: J.Hind.
Only the sprinklers over the fire open. The others remain closed. This limits any damage to areas where there
is no fire and reduces the amount of water needed. At the point where the water enters the sprinkler system
there is a valve. This can be used to shut off the system for maintenance. For safety reasons it is kept locked
open and only authorised persons should be able to close it.
DELUGE SYSTEMS
Deluge water spray systems are similar to sprinkler
systems, except all nozzles are open and will
discharge together when the system is activated.
These systems are used where rapid fire spread is a
concern, as they provide a simultaneous application of
water over the entire hazard. Water is not present in
the piping until the system operates. To prevent the
water supply pressure from forcing water into the
piping, a deluge valve is used in the water supply
connection, which is a mechanically latched valve. It is
a non-resetting valve, and stays open once tripped. Figure 4-14: Deluge water spray system. Source: J.Hind.
The deluge valve must be opened as signalled by a fire alarm system. The type of fire alarm initiating device is
selected mainly based on the hazard. The initiation device signals the fire alarm panel, which in turn signals the
deluge valve to open. Activation can also be manual.
Deluge systems can provide rapid cooling, reducing available oxygen. In addition, there is also a reduction in
the amount of radiant heat that may be transmitted to nearby structures or vessels.
WATER MIST SYSTEMS
Water mist is a fine spray with 99 percent of water volume contained in water droplets less than one millimetre
(1,000 microns) in diameter. Water divided into very fine droplets creates a greater surface area than standard
droplets emitted from sprinkler system heads. Water mist system droplets can be 20 times smaller and have a
surface area 400 times greater than sprinkler system water droplets.

This enhanced area allows more of the water to

absorb the heat from the fire. Steam generated during
the cooling process, provides an inert blanket, which
has the effect of also excluding oxygen from the fire.
The mist is created by discharging water through
special nozzles at very high pressure. Nitrogen
cylinders used in conjunction with water cylinders, or
pump systems are used to deliver water to the
nozzles. The mist acts similar to gaseous
extinguishing systems in that the mist can extinguish
fires in shielded, obstructed locations which would not
be reached by other directional water jets/droplets
type systems. Some water mist systems have an
additive injection component to introduce Class A or
Class B foam concentrate into the piping. Figure 4-15: Water mist sprinkler head. Source: J.Hind.
A small amount of foam concentrate added to the water supply can significantly improve the water mist
system’s performance when suppressing buried ordinary combustibles and liquid fuel spill fires. The resulting
thin layer of foam solution blanketing the fuel spill reduces the amount of vaporisation and inhibits the amount of
radiant heat energy absorbed by the fuel. Water mist is effective on Class A (wood, paper, textiles) and Class
B (flammable liquids) fires. In addition, it is also effective in extinguishing fires involving energized electrical
equipment, such as computer rooms, and telecommunication centres.
DRY POWDER INSTALLATIONS (CHEMICAL)
Dry powders, in common with vaporising liquids, offer the advantage of a quick knock-down of fire, but unlike
vaporising liquids, they have negligible toxic effects. Their major disadvantage is that they require a lot of
clearing up once an installation has operated. Compacting of the powder is also a problem, due to heat or
vibration or moist atmospheres during storage. This could present difficulties in the maintenance of the system
especially after discharge when compacting could take place in valves, etc. Recently developed powders (for
example, 'Monnex') appear, however, to be free of this problem.
A dry powder installation consists of dry powder containers linked by pipework to discharge nozzles covering
the areas of risk. When a fire occurs it is necessary to pressurise the powder so that it is forced through the
pipework and discharge nozzles. This is usually done with CO2. A line detector is linked to a lever which when
actuated allows the head of a CO2 cylinder to be pierced. The carbon dioxide thus released pressurises the dry
powder and forces it over the protected area. Dry powder installations can usually be operated either
automatically or manually. Powder fire extinguishers are ideal for use in mixed risk environments and offer
excellent all round fire protection (Class A, B, C and electrical fires).
GASEOUS (INERTING) EXTINGUISHING SYSTEMS
Traditional flood systems, such as those using carbon dioxide, where the displacement of air within the
enclosure is necessary for their successful operation may be considered to be inerting systems. Other
specialist agents that are used include FM 200, NOVEC 1230, aragonite and inergen. Inerting system works by
smothering the fire, and thus excluding the air/oxygen. They have the advantage of being ‘clean’, and therefore
cause little mess or damage to equipment. However, when used in areas where people are working there is a
risk of people being asphyxiated. In such situations, automatic activation is generally overridden until people
leave the area. Typical applications include computer rooms, or where there is the potential for fires initiated by
electrical faults.
Examples of specific fire protection systems
FLOATING ROOF TANKS
Floating roof tanks have a roof which rises and falls
with the liquid level inside the tank, thereby
decreasing the vapour space above the liquid level.
They are used for the storage of crude and volatile
products.
They have one weak spot: between the rim of the
floating roof and the tank shell is an annular seal,
where a flammable mixture of air and vapour can
collect.
If left undetected, lightning or static electricity sparks
can lead to an emergency situation. Figure 4-16: Foam protection on floating roof tank.
Source: Indiamart.

A discharge manifold with spray nozzles evenly

spaced along the rim seal is designed to discharge the
required foam solution (from a foam source) into a
moat or dam above the seal to control the fire.
Activation can be manual or automatic.
FIXED ROOF TANKS
Foam injection or water cooling systems can be used.
Foam injection may be either from fixed injectors
situated either above the liquid surface, sub - surface,
or from foam monitors operated remotely.
With sub-surface injection, percolating foam bubbles
rise to the hydrocarbon surface from the injection
point(s) at the tank’s base.
Figure 4-17: Fixed foam chamber: generally for use on fixed roof or
This process tends to cycle cooler product to the covered floating roof tanks. Source: Narfoam Kar Company.
surface which can assist in reducing heat and flame
intensity.
SPHERES
Water deluge systems, either manually or
automatically activated, are used for vessel cooling in
order to help prevent vessel failure.
The vessel may be protected from radiant heat by
burying or, if above ground, by applying passive fire
protection (such as sprayed coatings) to the vessel
and its supports to mitigate the effects of fire.
OFFSHORE PROCESS MODULES
Deluge and sprinkler systems are used in areas where Figure 4-18: LPG storage sphere fire protection. Source: Imgur.
hydrocarbon pool fires are likely to occur. Deluge
systems tend to provide a wider level of protection for
a range of fire scenarios than other, more specific,
protection systems.
Water deluge also has the advantage of being able to
provide general area protection to personnel and open
escape routes.
Specific process equipment may require specific
protection. For example, gas turbines (or gas turbine
compartments), control rooms, communications
centres may be protected by water mist or inerting
systems. Helidecks are usually protected by fixed Figure 4-19: Helideck fire protection. Source: Blaze Manufacturing
foam monitors. Solutions Ltd.
4.2 - Emergency response

INTRODUCTION
Emergency planning and response is part of an overall strategy for preventing and minimising the effects of
major accidents to people, plant and the environment. There are three basic steps involved:
1) Identification - involves installation operators notifying major hazard installations to the regulatory authority
(based on activity; inventories of hazardous substances).
2) Prevention and control - minimise the potential for major accidents by assessing the risks and putting
appropriate controls in place.
3) Mitigation - have emergency plans in place to reduce the consequences of a major accident.
Emergency response plan (ERP)
ROLE AND IMPORTANCE
In all cases where a major accident could occur, which could result in serious harm to people, significant
damage to plant or the environment, proper planning will help to minimise the consequences. Emergency
response plans (ERP) are a legal requirement in countries where Safety Cases are required. For example, in
the UK, it is a requirement under both the Control of Major Accident Hazard Regulations (COMAH) 2015,
and the Offshore Installations (Safety Case) Regulations (OSCR) 1999. (See also ‘Element 1 - Health,

safety and environmental management in context’). A well prepared and rehearsed ERP can significantly
reduce the consequences of a major accident. A written ERP:
 Allocates roles and responsibilities.
 Outlines the actions to be taken for all likely emergencies.
 Provides the basis for communicating to all parties involved or affected.
 Demonstrates emergency preparedness compliance to regulatory authorities.
Content of an emergency response plan
Whilst ERP’s will be unique to each installation and location, the following aspects would generally be covered:
Control and command structure: details of the persons authorised to set the emergency procedures in
motion, and the name of the person responsible for co-ordinating the emergency response. For offsite
emergencies, this should include the name of the person responsible for liaising with offsite authorities. Contact
numbers of such personnel should also be available to persons, for example, out of hours duty personnel who
may have to initiate such an emergency. The ERP should clearly lay down the responsibilities of all persons
named in the plan.
Additionally, a designated ‘control and command centre’ should be designated or established. This should be
equipped with information that may be needed for dealing with the emergency (such as site drawings/process
flow schemes, product inventories and chemical data sheets) and also communication systems for
alerting/dealing with outside bodies such as the coast guard, regulators, local authority, fire brigades, police and
the media.
Foreseeable emergency situations: a key component of the plan. This should describe:
 The types of foreseeable accidents.
 The intended strategy for dealing with these accidents.
 Details of the personnel who have roles to play in the emergency response, and their responsibilities.
 Details of the availability and function of special emergency equipment including fire-fighting materials, and
damage control and repair items.
 Details of the availability and function of other resources (for example, rescue and medical assistance).
Arrangements for limiting the risk to personnel: this should include the systems, equipment and facilities for
early detection of a developing major accident, and the responsibilities for initiating the suitable responses by
on-site personnel (to evacuate, shelter, use personal protective equipment, etc.). Similar arrangements should
be in place, in the event of an offsite emergency, for informing the public, and the local authority responsible for
setting any offsite plan in motion.
Training of staff: this should include the arrangements for training and instructing the on-site personnel (staff,
contractors, visitors, etc.) and the arrangements for liaising with the off-site emergency services.
Off-site assistance: this may include, for example, any special equipment, expertise or facilities which the off-
site emergency services can use and the role of the establishment’s personnel in briefing the media.
Alarm systems: alarms may be audible or visual, or both, and may be manually or automatically activated.
There may be more than one alarm to indicate different responses by personnel (for example: an intermittent
alarm may be for muster purposes; a continuous alarm may be to evacuate). For onshore installations, for an
escalating incident, strategically played off site alarms may be used to warn members of the public. Fire and
gas detection systems may activate both an alarm and some form of control action (for example, activation of
ESD’s; activation of a fire deluge system).
Medical emergency planning
The legal requirement for the provision of medical care to employees normally falls under the health and safety
legislation of the country in which the company is operating. Some governments may make specific
requirements for oil and gas exploration.
Several countries have legislated minimum medical equipment levels at remote sites and some have
requirements for minimum numbers of medical personnel. This may range from holders of first aid certificates
to one or more ‘medics’ depending on the size, location and hazards associated with the operation.
The UK has seen a move from prescriptive requirements to a risk assessment-based approach. It is usual to
carry out a risk assessment for Medical Emergency Response (MER) in remote locations. A medical
emergency plan can then be drawn up which should be documented and make up part of the overall
emergency response plan for the facility.
TIERED RESPONSE
The MER is divided into tiers or levels. The following scheme is recommended by the Oil and Gas Producers
Association (OGP):
 Level 1 Basic first aid.
 Level 2 Advanced first aid.
 Level 3 Trained paramedic or emergency medical technician.

 Level 4 Doctor or nurse working in a primary care facility.

 Level 5 Specialist doctor working in a secondary or tertiary care facility.
On manned offshore installations, there is typically one level 3 paramedic. The term ‘paramedic’ is a loose one
within the industry and, in general, refers to an individual with medical or nursing training, who is in charge of
medical care at the offshore location. The level of training can vary from advanced first aid training to a medical
degree. In many cases, paramedics, emergency medical technicians or nurses who have had training and
experience in emergency medicine are employed. In Africa, the Middle East and Asia medical doctors are often
found working as offshore medics.
The medic is supported by a number of advanced first aiders. Often, many or all the crew have some basic first
aid training. The medic is also supported and supervised remotely by a level 4 doctor who is based onshore.
MEDICAL EVACUATION PROCEDURES AND BACK UP RESOURCES
Medical evacuation is the timely and efficient movement and en route care provided by medical personnel to
injured personnel being evacuated from the scene of an accident, and who require urgent care at better
equipped facilities.
Factors to consider include:
 Risks to the patient: risks posed by the transportation process as well as the urgency of enhanced
treatment need to be considered.
 Type of emergency: for example, single or multiple casualties.
 Resources required: means of transportation and the requirements for trained medical personnel and
equipment.
Evacuation may be by land (ambulance), sea or air (helicopter or air ambulance).
Principles of escape, evacuation and rescue
ESCAPE
Providing a clear and unambiguous means of escape in the event of an emergency is fundamental to life safety
and must be incorporated at an early stage in the design of an installation. Factors to consider when
considering effectiveness of escape routes include:
 Numbers and locations of workers.  Protection of routes with fire resistant materials.
 Number of routes required.  Active fire protection such as water mist sprays
 Width of routes. and provision of extinguishers.
 Free from obstruction.  Adequate signage for identification.
 Travel distances.  Emergency lighting.
 Considerations for disabled workers.  Provision of temporary refuge.
The temporary refuge provides a safe haven for people to muster. If the emergency is sufficiently serious, or
develops, personnel will then need to be evacuated off site.
EVACUATION
A means of escape from the installation is required so that persons may evacuate in the event of the failure of
the primary evacuation system (air or sea) in a catastrophic incident, when a planned and orderly evacuation
cannot be achieved. Evacuation from an offshore installation normally comprises two elements; a means of
descent to sea level and something which offers some protection from the elements and avoids the need to
enter the sea directly.
Means of descent to sea provided on UK offshore installations vary widely, depending on the installation and
circumstances. Such means may include fixed ladders, retractable ladders, stairways, life-raft davits, chutes
(typically Skyscape), and/or personal descend devices.
Figure 4-20: Lifeboat in cavite. Figure 4-21: Free fall lifeboat. Figure 4-22: Free fall lifeboat interior.
Source: Safety first. Source: Safety first. Source: Safety first.

Figure 4-23: Skyscape - entering the next cell. Source: Safety first. Figure 4-24: Skyscape - next person get ready. Source: Safety first.
Life-rafts are usually provided for protection from the elements and to avoid the need to enter the sea directly.
RECOVERY AND RESCUE
Effective arrangements need to be in place, to enable persons who have to evacuate or to escape from the
installation to be recovered or rescued to a place of safety.
Recovery will also be required:
 To rescue persons from the sea near the installation (for example, a person falling overboard).
 In the event of a helicopter ditching into the sea during landing or take off.
Recovery may be achieved by use of a dedicated fast rescue craft, located close to the installation, external
vessels, or public/commercial search and rescue facilities. Rescue is complete when personnel are at a place
of safety, where medical and other care facilities, are available.
Roles and structure of emergency response teams
ONSHORE INSTALLATIONS
Emergency control centre (ECC)
The principal facility that should be considered in the on-site emergency plan is the on-site ECC, the place from
which operations to manage the response to the emergency are directed and co-ordinated.
This will normally be the location occupied by the site main controller, other key personnel as appropriate, and
by the senior officers of the emergency services in attendance for tactical and operational command and
control.
The on-site ECC should have good communication links with the site incident controller and all other
installations on the establishment, as well as communication with appropriate points off site, which may be via
the on-site emergency services. These links should include emergency services’ headquarters, hospitals and
the health authority, company headquarters, regulatory authorities and the media (to assist early distribution of
public health and safety advice to minimise delay).
The on-site ECC requires facilities to record the development of the incident to assist in its management and in
decision making on the appropriate method of control. Records will also need to be kept for any subsequent
inquiry.
Site main controller
The site main controller has the overall responsibility for directing operations from the on-site ECC. A suitable
job function to fill this role is the senior establishment manager, establishment manager or director who has an
overall knowledge of the site.
Responsibilities include:
 Take overall control of the incident, from the ECC.
 Confirm that the emergency services have been notified.
 Ensure that casualties are receiving attention.
 Co-ordinate the shutting down of plants as necessary.
 As appropriate, initiate the offsite emergency plan.
 Ensure that key personnel have been mobilised.
 Liaise as appropriate with external agencies (for example, health and safety; environmental).
 Establish links with the media. Issue information as appropriate in liaison with emergency services.
 Arrange for ongoing records of the emergency to be kept.
 Control the rehabilitation of affected areas after the emergency.

Site incident controller

The site incident controller is responsible for taking control at the scene of the incident. The person carrying out
this role should have a thorough knowledge of the overall situation in the vicinity of the incident. A suitable job
function to fill this role is the establishment manager, shift manager or shift supervisor at the time the incident
occurred. Round-the-clock cover to fulfil this role is essential. On establishments with a small number of staff,
or which are not attended around the clock, appropriate management arrangements should be in place to carry
out the necessary functions in an emergency.
 Assess the impact of the incident. If major, initiate on site plan and, if appropriate, off site plan.
 Take charge of the incident until the site main controller is in place.
 Control fire-fighting operations, until emergency services arrival.
 Work with emergency services in search for casualties.
 Evacuation of non-essential personnel.
 Set up communications with ECC.
 Provision of advice and information to emergency services at the scene.
 Keep the main site controller informed of significant developments.
OFFSHORE INSTALLATIONS
The person in overall charge of an emergency is the offshore installation manager (OIM). In addition to
communicating details of the emergency to installation personnel (for example, alarms or tannoy systems),
specific considerations offshore will include arrangements for:
 Contact with external services (for example, coast guard; maritime authorities).
 Communication with inter - connected installations.
 Alerting rescue and recovery services.
 Contact with onshore liaison personnel.
 Alerting personnel engaged in installation activities (for example, divers and supply vessels).
TRAINING AND DRILLS
All personnel should be instructed as to the actions to be taken in the event of an emergency. In particular:
 Alarm actions (and how to raise the alarm).
 Location of escape and evacuation routes.
 Muster/assembly points.
 The use/operation of any emergency equipment (for example, survival suits, breathing apparatus,
lifeboats).
Those allocated specific responsibilities in the emergency plan will require specific training in accordance with
their allocated responsibilities. In particular:
 Oil installation managers.
 Fire crew members.
 (Emergency) control room operators.
In order to retain competence, refresher training should be given at appropriate intervals. In addition, periodic
drills (based on the emergency plan) should be carried out to assist personnel in both practicing their skills, and
also to practice evacuation procedures. Drills may involve simulated exercises, ‘desktop’ exercises, and may
involve liaison with outside personnel (for example, coast guard or other installations), in order to test the
effectiveness of the communications systems.
All personnel on a floating production, storage and offloading vessel (FPSO) should have at least basic
training in emergency response, first-aid, handling lifesaving appliances and fire-fighting. In addition as part of
the FPSO induction process all personnel should be introduced to FPSO specific issues, such as:
 Evacuation routes.
 Designated muster points.
 Emergency response equipment.
 The main hazards and incidents that may arise.
 The emergency response procedures and the station plan (the bill).
 The emergency response organisation.
 People with key roles in the emergency response will need to be given more advanced instruction in their
roles and duties.
 Liaison with emergency services.
Liaison with emergency services
Offshore the problem is compounded because of the lack of emergency services to assist in dealing with a
major emergency. Operators need to work closely with the emergency services and other key organisations, in
considering when and where decontamination of casualties and response personnel should take place and in
determining the level of personal protective equipment needed for use by emergency and decontamination
personnel.

In the longer term, plans also need to be made to deal with the health care needs of those who have been
evacuated, access to medication and those people who may suffer from stress related illnesses as a result of
the incident.
Exam practice
1. List the contents of a typical emergency response plan. (8)
2. (a) Identify suitable job functions for selecting a site incident controller. (2)
(b) Explain the role and responsibilities of a site incident controller. (6)
3. (a) Explain the operation of a floating roof tank. (2)

(b) Outline the use of floating roof tanks and how fire suppression is achieved in the event of a fire. (6)
4. (a) Explain the term ‘passive fire protection’. (2)

(b) Describe how the use of passive fire protection improves safety on a rig. (6)
5. The Oil and Gas Producers Association (OGP) recommend that producers adopt a five level system for
Medical Emergency Response (MER). Identify FOUR of the five levels which are required to be
established. (8)


Element
5
Logistics and transport operations
Learning outcomes
5.1 Identify the main hazards of and suitable controls for marine transport in the oil and gas industries.
5.2 Identify the main hazards of and suitable controls for land transport in the oil and gas industries.
Content
5.1 - Marine transport ..........................................................................................................................................101
Hazards of vessels and working over water .......................................................................................................101
Loading and unloading of vessels at marine terminals .......................................................................................106
Control of marine operations, certification of vessels, inspection and approvals ...............................................107
Roles and responsibilities of marine co-ordinators, masters and crews .............................................................107
Personnel transfers and boarding arrangements ...............................................................................................108
Personal protective equipment suitability ............................................................................................................109
Diver operations ..................................................................................................................................................109
5.2 - Land transport .............................................................................................................................................109
Tankers ...............................................................................................................................................................109
Traffic management ............................................................................................................................................111
Rail ......................................................................................................................................................................112
Exam practice .....................................................................................................................................................113

UNIT IOG1 - ELEMENT 5 - LOGISTICS AND TRANSPORT OPERATIONS
Oil Companies International Marine Forum Guidelines
Guidelines for managing marine risks associated with FPSOs (OGP Report No. 377)

LOGISTICS AND TRANSPORT OPERATIONS - ELEMENT 5 - UNIT IOG1
5.1 - Marine transport

Hazards of vessels and working over water
HAZARDS OF VESSELS
Vessel hazards include collision with other vessels, the rig platform or auxiliary supply vessels; and movement of
loads within vessels or the loss of deck loads in storm conditions. Where construction vessels or tankers are
transferring materials or oil there is the potential for the vessel to tip over if the load and water ballast are not
managed carefully.
HAZARDS OF WORKING OVER WATER
Working alongside or over sea water can expose workers (and their tools) to the effects of salt spray. This can
have a serious effect on skin and clothing, metal tools, and especially electrical equipment with the additional risk
of electric shock. Wet clothing increases the chill factor and increases the likelihood of hypothermia. Skin care
is essential, as is clean and dry clothing and footwear.
Falls of people or equipment from a height can cause serious injury or damage, and the higher the fall, the greater
the hazard. Wet clothing can absorb a large amount of water, and triple its weight. This makes it very difficult to
swim to the surface if workers fall into the sea. Working over water can make footing slippery and hazardous.
Exposure to wind and ultraviolet radiation will damage the skin and eyes if not controlled.
If the job entails working from a barge, or floating platform, additional hazards will include water swell as the level
change, often several feet, can make boarding and offloading difficult and dangerous. A barge (unless it is a
jack-up type) makes an unstable base, especially when operating machinery. Care needs to be taken when
loading and off-loading, to avoid tipping the barge over.
TRANSPORTATION OF LIQUEFIED NATURAL GAS (LNG)
LNG must be kept cold to remain a liquid, independent of pressure. Despite efficient insulation, there will
inevitably be some heat leakage into the LNG, resulting in vaporisation of the LNG. This boil-off gas acts to keep
the LNG cold. LNG is transported in specially designed ships with double hulls protecting the cargo systems from
damage or leaks.
Figure 5-1: LNG carrier. Source: Wikipedia.

Transportation and supply is an important aspect of the gas business, since LNG reserves are normally quite
distant from consumer markets. LNG has far more volume than oil to transport, and most gas is transported by
pipelines. There is a pipeline network in the former Soviet Union, Europe and North America.
Figure 5-2: Melkoya LNG Plant with LNG Carrier Arctic Princess. Source: Statoil Hydro.

Figure 5-3: SS Northwest Seaeagle - liquid natural gas carrier. Source: www.ipahl.com/nauticus.
FLOATING PRODUCTION, STORAGE AND

OFFLOADING UNITS (FPSO)
Recent years have seen the expansion and
formalisation of the global deepwater offshore industry
and Floating Production, Storage and Offloading
(FPSO) units are effective in remote or deepwater
locations where seabed pipelines are not cost effective.
A floating production, storage and offloading (FPSO)
unit is a floating vessel used by the offshore industry for
the processing of hydrocarbons and for storage of oil.
A FPSO vessel is designed to receive hydrocarbons
produced from nearby platforms or subsea template,
process them, and store oil until it can be offloaded onto
a tanker or transported through a pipeline. FPSO’s are
easy to install, and do not require a local pipeline Figure 5-4: FPSO Ship. Source: Marine Insight.
infrastructure to export oil.
They are particularly effective in remote, deep water
areas where the construction of a pipeline would not be
feasible. FPSOs can be a conversion of an oil tanker
or can be a vessel built specially for the application.
FLOATING STORAGE UNITS (FSO)
A Floating Storage and Offloading Unit (FSO) is a
floating storage device, which is a simplified FPSO
without the facilities for oil or gas processing.
Vessels supplying the offshore industry are required to
carry a variety of bulk liquids in dedicated tanks within
the ship to supply installations offshore. These liquids
can be fuel oil, base oils, drilling brines, cement, mud,
fresh and drill water, etc. Figure 5-5: Knock Nevis floating storage unit. Source: Wikipedia.
Additionally, food and a wide variety of engineering supplies are also transported. Most FSOs are older single hull
tankers that have been converted and an example of this is the Knock Nevis, which was converted to an FSO to
be used offshore Qatar.
Hazards associated with FPSO's and FSO's include:
 Working in extreme weather conditions (heat, cold, rain).
 Increased risk of corrosion from salt water.
 Potential leaks/spills from offloading/transfers.
 Collision with other vessels or structures, for example, a drilling rig/ production platform.
 Slippery floors and surfaces.
 Personnel transfers to/from other vessels/platforms.
 Failure of anchorage systems.
 Helicopter landings/take off.
 Flaring (potential ignition source if hydrocarbon release).

SUPPLY VESSELS
Offshore supply/support vessels (OSVs) are those vessels which are engaged in the transport of stores, materials
and equipment to and from mobile offshore drilling rigs, fixed and floating platforms, sub-sea installations and
other similar offshore installations.
Figure 5-6: Supply vessel. Source: Fearnley Offshore Supply. Figure 5-7: Platform supply vessel. Source: www.aker-yard.com.
Hazards with such activities include work/operating in inclement weather, collision (with rigs/other vessels), lifting
and handling stability.
OFFSHORE DRILLING
Offshore drilling refers to a mechanical process where a wellbore is drilled through the seabed. It is typically
carried out in order to explore for and subsequently produce hydrocarbons which lie in rock formations beneath
the seabed. Offshore drilling presents environmental challenges, both from the produced hydrocarbons and the
materials used during the drilling operation.
Drilling for oil and gas offshore, in some instances hundreds of miles away from the nearest landmass, poses a
number of different challenges over drilling onshore. The actual drilling mechanism used to delve into the sea
floor is much the same as can be found on an onshore rig. However, with drilling at sea, the sea floor can
sometimes be thousands of feet below sea level. Therefore, while with onshore drilling the ground provides a
platform from which to drill, at sea an artificial drilling platform must be constructed.
THE DRILLING PROCESS
The drilling system is set up as shown in figure ref 5-
8. During drilling, mud is circulated down the drill pipe
and up through the annulus between the well bore and
the drill pipe. The mud, which cools the drill bit, carries
the rock fragments produced by the drilling. This
circulating mud also serves to prevent the oil and gas
in the deposits from entering the well, because the
pressure of the mud inside the well bore is higher than
that of the oil outside. If for any reason this pressure
difference starts dropping, the mud pressure has to be
increased, otherwise the oil or gas will enter the well
bore.
In addition, a blowout preventer (BOP) is installed on
the sea floor. The BOP is fitted with hydraulic shears
which, in the event of a kick or pressure surge, are
designed.to shear the drill pipe and thus prevent a
blowout. Above the blowout preventer, a specialised
system known as a ‘riser' extends from the sea floor
to the drilling platform above. The riser is designed to
house the drill bit and drill string, and yet be flexible
enough to deal with the movement of the drilling
platform. Strategically placed slip and ball joints in the
marine riser allow the subsea well to be unaffected by
the pitching and rolling of the drilling platform. Figure 5-8: Typical offshore drilling process. Source: Ambiguous.
There are two basic types of offshore drilling rigs: those that can be moved from place to place, allowing for drilling
in multiple locations, and those rigs that are permanently placed.

Moveable offshore drilling rigs

Moveable rigs are often used for exploratory purposes because they are much cheaper to use than permanent
platforms. Once large deposits of hydrocarbons have been found, a permanent platform, or FPSO, can be
sited/used to allow their extraction. Types include:
Drilling barges
Suitable for still, shallow waters, drilling barges are not able to withstand the water movement experienced in
large open water situations.
Jack-up rigs
Once a jack-up rig is towed to the drilling site, three or four ‘legs’ are lowered until they rest on the sea bottom.
This allows the working platform to rest above the water surface, as opposed to a floating barge. Suitable for
shallow water. These rigs are typically safer to operate than drilling barges, as their working platform is elevated
above the water level.
Figure 5-9: Drilling barge. Figure 5-10: Jack-up rig. Source: Drilling Contractor.
Source: I. Castaneda, University of Minnesota.
Figure 5-11: Submersible rig. Source: Friede & Goldman.

Submersible rigs
Also suitable for shallow water, these rigs consist of
platforms with two hulls positioned on top of each
another.
The upper hull contains the living quarters for the
crew, as well as the actual drilling platform. The lower
hull works much like the outer hull in a submarine,
when the platform is being moved from one place to
another, the lower hull is filled with air, making the
entire rig buoyant. Figure 5-12: Semi-submersible rig. Source: Husky.
When the rig is positioned over the drill site, the air is let out of the lower hull, and the rig submerses to the sea
floor. This type of rig has the advantage of mobility in the water.
Semi-submersible rigs
Semi-submersible rigs are the most common type of offshore drilling rigs, combining the advantages of
submersible rigs with the ability to drill in deep water. A semi-submersible rig works on the same principle as a

submersible rig, through the ‘inflating’ and ‘deflating’ of its lower hull. The main difference with a semi-submersible
rig, however, is that when the air is let out of the lower hull, the rig does not submerge to the sea floor. Instead,
the rig is partially submerged, but still floats above the drill site. When drilling, the lower hull, filled with water,
provides stability to the rig. Semi-submersible rigs are held in place by huge anchors, each weighing upwards of
10 tons. These anchors, combined with the submerged portion of the rig, ensure that the platform is stable and
safe enough to be used in turbulent offshore waters. Semi-submersible rigs can be used to drill in much deeper
water than the rigs mentioned above.
Drilling ships
Drilling ships are exactly as they sound, ships
designed to carry out drilling operations.
A typical drillship will have, in addition to all of the
equipment normally found on a large ocean ship, a
drilling platform and derrick located on the middle of
its deck.
In addition, drillships contain a hole (or ‘moonpool’),
extending right through the ship down through the hull,
which allows for the drill string to extend through the
boat down into the water.
Drillships are often used to drill in very deep water,
which can often be turbulent. Drillships use what is
known as ‘dynamic positioning’ systems. Figure 5-13: Drilling ship. Source: www.maritime-connector.com.
Offshore drilling and production platforms

As mentioned previously, moveable rigs are
commonly used to drill exploratory wells. In some
instances, when exploratory wells find commercially
viable natural gas or petroleum deposits, it is
economical to build a permanent platform from which
well completion, extraction, and production can occur.
These large, permanent platforms are extremely
expensive, however, and generally require large
expected hydrocarbon deposits to be economical to
construct.
Some of the largest offshore platforms are located in
the North Sea, where because of almost constant
inclement weather, structures able to withstand high
winds and large waves are necessary.
A typical permanent platform in the North Sea must be
able to withstand wind speeds of over 90 knots, and Figure 5-14: North Sea production platform. Source: Ambiguous.
waves over 60 feet high. These platforms are among
the largest structures built by man.
Figure 5-15: Offshore drilling platforms. Source: MMS.

There are a number of different types of permanent offshore platforms, each useful for a particular depth range,
these include:
 Compliant towers.  Tension leg platforms.
 Sea star platforms.  SPAR platforms.
Subsea system
Subsea production systems are wells located on the sea floor, as opposed to at the surface. Just as in a floating
production system, the petroleum is extracted at the seafloor, and then ‘tied-back’ to an already existing
production platform, or FPSO. The well is drilled by a moveable rig, and instead of building a production platform
for that well, the extracted natural gas and oil are transported by riser or undersea pipeline to a nearby production
platform. This allows one strategically-placed production platform to service many wells over a reasonably large
area. Subsea systems are typically in use at depths of 7,000 feet or more, and do not have the ability to drill,
only to extract and transport.
Figure 5-16: Subsea system. Source: INPEX. Figure 5-17: Crane vessel on offshore construction.
Source: Intership Ltd.
CONSTRUCTION BARGES
Offshore construction is a term given to the process of building offshore, generally related to the production and
supply of electricity, oil and gas. This can involve installations of structures and pipelines or constructing a larger
piece of machinery.
In order to reduce heavy lifting in offshore construction a lot of the structures are assembled on the mainland;
these can include oil drilling rigs, pipelines and oil platforms. These structures can usually be transported out to
sea using a crane vessel or transport barge, where they are fitted together, then towed to the offshore installation
site using floating devices to hold their weight.
Due to the marine environment, floating vessels referred to as ‘flotels’ are used to accommodate workers
throughout the construction period.
There are different types of vessels adopted for pipe laying; the key ones include the ‘Derrick Barge (DB)’, the
‘Derrick/Lay Barge (DLB)’ and the ‘Pipelay Barge (PLBG)’.
Loading and unloading of vessels at marine terminals
The International Safety Guide for Oil Tankers and Terminals (International Chamber of Shipping 1978) contains
information and samples of checklists, guidelines, permits and other procedures covering safe operations when
loading or unloading vessels, which may be used by vessel and terminal operators.
Although marine vessels sit in water and are thereby intrinsically grounded, there is a need to provide protection
from static electricity which can build up during loading or unloading. This is accomplished by creating a common
potential between the dock and the vessel by bonding or connecting metal objects on the dock or
loading/unloading apparatus to the metal of the vessel by suitable electrical conductors. Bonding is also
accomplished by use of conductive loading hose or piping. An electrostatic spark of ignitable intensity may also
be generated when lowering equipment, thermometers or gauging devices into compartments immediately after
loading; and it is for this reason that enough time must be allowed for the static charge to dissipate before such
equipment is used.
Additional controls to ensure safety during loading/unloading operations include:
 Ensuring that the vessel is securely moored.
 Ensuring that the hoses used for the transfer are inspected and in good condition.
 Completion of a ‘ship/shore’ checklist before operations start.
 Good communications between the ship and terminal representatives.
 Ship and terminal personnel vigilance during operations.

All vessels and terminals need mutually agreed upon emergency response procedures in case of a fire or release
of product, vapour or toxic gas. These must cover emergency operations, stopping product flow and emergency
removal of a vessel from the dock. The plans should consider communications, fire-fighting, vapour cloud
mitigation, mutual aid, and rescue, clean-up and remediation measures.
Figure 5-18: Supertanker AbQaiq during loading. Source www.wermac.org.uk.
Control of marine operations, certification of vessels, inspection and

approvals
Any organisation which owns or operates a marine terminal facility must apply for a license from the authorising
body in the country in which the marine terminal is situated. Before operating a new terminal, an owner/operator
must also obtain a licence from the same authority.
Sea going ships are required to have a variety of certificates including:
 International Load Line Certificate.
 International Oil Pollution Prevention Certificate.
 Safety Management Certificate.
 Cargo Ship Safety Construction Certificate.
 Cargo Ship Safety Equipment Certificate.
Most of these certificates will be valid for five years with an intermediate survey carried out halfway through the
period. Some certification is required to be carried out annually and is conducted by the ships flag state or their
representative.
Roles and responsibilities of marine co-ordinators, masters and crews
Marine co-ordinators play a vital health and safety role in tracking vessels and personnel across the site and as
a focal point for safety and site inductions and emergency response planning. The marine co-ordinator’s office
should be manned 24 hours a day to ensure continuous oversight of the facilities operation and that emergency
response is on standby if required.
On larger scale projects more than one co-ordinator will be needed to man the office at a time to deal with the
increased number of vessels and personnel. Onsite marine co-ordinators should have a working knowledge of
the vessels capabilities and constraints working onsite. Marine co-ordinators should keep in close contact with
local marine authorities. They must carry out regular audits of all activities including vessels and personnel
movements. Activity logs should be kept and maintained up to date.
A sea captain (also called a master or a shipmaster) is a licensed mariner in ultimate command of the vessel and
is, therefore, responsible for the implementation of the safety policy. The captain is responsible for its safe and
efficient operation, including cargo operations, navigation, crew management and ensuring that the vessel
complies with local and international laws, as well as company and flag state policies. All persons on board,
including officers and crew, other shipboard staff members, passengers, guests and pilots, are under the captain's
authority and are his ultimate responsibility.
The captain must ensure that all roles and responsibilities are allocated to the crew and must ensure that all tasks
are carried out properly including:
 Maintenance planning and follow up.
 Emergency measures and drills.
 Anti-pollution measures meet international and local standards.
 All lifesaving and safety equipment is kept in a proper order.
The deck crew of a ship has officers who each have a role in leadership and in keeping things running safely.

Personnel transfers and boarding arrangements

Transfer of personnel between two unsecured ships at sea is potentially a particularly dangerous manoeuvre. A
risk assessment of the transfer arrangements should be undertaken and appropriate safety measures put into
place to ensure the safety of those involved.
Both vessels should be properly equipped and/or modified to allow the boarding to be undertaken without
unnecessary risk. A proper embarkation point should be provided, and the boarding procedure clearly agreed.
The relative movements of both vessels in any seaway and varying sea tide and swell conditions make the
judgement of when to affect a transfer crucial.
The Master responsible for the transfer operation should have full sight of the area of transfer and he, and at least
one designated crew member should be able to communicate at all times with the crew member making the
transfer.
It is recommended that vessels undertaking ship to ship transfers while underway should carry equipment
designed to aid in the rapid recovery of a casualty from the waters.
Transfer options include: helicopter, transfer basket, gangways and rope ladders.
Figure 5-19: Transfer basket. Source: touchoilandgas.com. Figure 5-20: Transfer from supply vessel. Source: marinelink.com.
Figure 5-21: Column type gangway. Source: Ambiguous. Figure 5-22: Personnel basket. Source: Ambiguous.

Personal protective equipment suitability

The nature of the task and the associated risks will
determine the appropriateness of PPE.
Factors to be considered in selection include:
 Water-proof characteristics.
 Reinforced on parts especially exposed to wear
and tear.
 Keeps the body warm.
 Provides freedom of movement.
 Ensures good visibility.
 Withstands tearing.
 Ventilates water vapour and sweat.
 Feels light when wearing.
 Reduces risk of getting caught in equipment and
installations. Figure 5-23: Personal protective clothing. Sourced and adapted from:
 Integrated buoyancy aid. http://www.imh.mug.edu.pl/attachment/attachment/5257/R10.pdf.
Diver operations
Generally, deep sea diving operations (DSV) are carried out by contractors appointed by the operator/owner and
should have been considered in the safety case.
Control should be by the operators/owner’s management systems. However this will inevitably require the
contractor to supply information to the operator/owner.
Diving operations can be divided into three categories:
1) Surface supplied diving: air is supplied via a hose, from a diver support vessel or from an installation on
the surface.
2) Surface supplied mix gas diving: uses a mixture of helium and oxygen as the breathing gas can be used
to increase the range of surface diving operations without the use of saturation techniques.
3) Saturation diving: is a diving technique that allows divers to reduce the risk of decompression sickness (‘the
bends’) when they work at great depth for long periods of time. In saturation diving, the divers live under
pressure in a saturation system or ‘saturation spread’, a hyperbaric environment on the surface, or an ambient
pressure underwater habitat, for the duration of the project (several days to weeks, as appropriate) and are
decompressed to surface pressure only once, at the end of their tour of duty. This is the main method used
in the industry (for dives between 18 to 300 metres).
Each diving operation must be properly planned and supervised. The plan should detail the work to be
undertaken, the equipment to be used, roles and responsibilities, communications to be set up, the hazards that
may be encountered and the precautions to be put in place before and during the activity.
Risks to divers include: drowning; entanglement (in anchor wires, cables); breathing supply problems; contact
with vessels or remotely operated underwater vehicles (ROV's); temperature extremes; tides/currents; visibility;
decompression sickness; on-platform emergencies; communications break down.
5.2 - Land transport

Tankers
UN ‘CLASSIFICATION’ AND TRANSPORT OF HAZARDOUS MATERIALS
In the UK and Europe, the Carriage of Dangerous Goods and Use of Transportable Pressure Equipment
Regulations (CDGUTPER) 2009 and the European agreement (‘Accord européen relatif au transport international
des marchandises dangereuses par route’) (known as ADR), regulate the carriage of dangerous goods by road.
The classes of dangerous goods according to ADR are:
UN Class Dangerous Goods Classification
1 Explosives Explosive
2 Gases Flammable gas
Non-flammable, non-toxic gas
Toxic gas
3 Flammable liquid Flammable liquid

UN Class Dangerous Goods Classification

4 Flammable solids Flammable solid
Spontaneously combustible substance
Substance which in contact with water emits
flammable gas
5 Oxidising substances Oxidising substance
Organic peroxide
6 Toxic substances Toxic substance
Infectious substance
7 Radioactive material Radioactive material
8 Corrosive substances Corrosive substance
9 Miscellaneous dangerous goods Miscellaneous dangerous goods
Figure 5-24: Classes of dangerous goods. Source: ADR.
Consignors must identify the hazardous substance
that they are transporting. To assist in emergency
the driver is responsible for ensuring that the correct
paperwork for the load is to hand.
For dangerous goods a Dangerous Goods Note
should detail:
 Nature and quantity of dangerous goods.
 UN number or identification number.
 Proper shipping name.
 Class or division (subsidiary risk).
 Packing group (if required).
 All other required information.
This has usually been accomplished through special
marking and labelling to indicate the hazards of the
consignment on the vehicle and inclusion of relevant
information in the transport documents and also by
the pleading and labelling displayed on the transport
unit.
Warning signs are used to alert emergency services
and other road users that a vehicle is carrying
dangerous goods which pose a greater risk to
people, property and the environment than ordinary
loads. Figure 5-25: Dangerous Goods Note. Source: NCEC.
Additional safety precautions will be needed to
handle any incident involving the vehicle.
Drivers of tankers and tank containers must be in possession of sufficient written information to ensure they know
the nature of the dangers involved in transporting the dangerous substance and the emergency action to be taken
if such dangers arise.
The ‘Transport Emergency Card (Road)’, known more commonly as a Tremcard must be kept in the vehicle cab,
so that this 'information in writing' can be easily located by the emergency services in the event of an accident.
A Tremcard relating to the previous load should be put into a securable compartment or container, which is
clearly marked and capable of remaining closed even in the event of a vehicle roll-over.
PROTECTION OF PLANT AGAINST VEHICLE STRIKE
Storage tanks and other vulnerable equipment should be protected from collision damage by vehicles. This is
usually achieved through the use of fixed metal barriers, such as those used on motorway networks. Generally
concrete tank bunds are not designed for collision damage and should be similarly protected.
DRIVER TRAINING
ADR requires that drivers of tankers carrying dangerous goods must be suitably trained and certificated (by
examination). This certificate/licence has to be updated at specified intervals.

The driver is required to carry this licence when driving. Employers are responsible for making sure existing staff
certification is current.
The purpose of the training is to ensure that drivers:
 Are aware of hazards arising from the carriage of
dangerous goods.
 Have basic information to minimise the likelihood
of an incident taking place.
 Can take necessary measures for their own safety
and that of the public and environment to limit the
effects should an incident occur.
 Have passed an examination in relation to the
carriage of the dangerous goods in question.
An ADR basic course covers:
 The general requirements governing the carriage
of dangerous goods.
 Information on the control of the transfer of wastes
and environmental protection.
 Driver responsibilities during the carriage of
dangerous goods.
 The prohibitions on mixed loading in the same
vehicle or container.
 Information on multimodal transport operations.
 Security and ‘High Consequence Dangerous
Goods’.
 General information concerning civil liability.
 Basic knowledge about the use of personal
protective equipment.
 Administration of basic first-aid.
 Fire prevention.
 What to do in the event of an incident.
FILLING ARRANGEMENTS
The transfer area should be designed so that it is away NB: Plus EHS mark where appropriate on both sides and rear.
from general traffic routes and on firm, level ground; Figure 5-26: GB registered vehicle on GB domestic journey.
vehicles can manoeuvre easily without risk of collision Source: HSE.
with plant, people or other tankers; adequate lighting
is in place at all transfer stations.
Good communication, with the site operator, are essential prior to and during the filling operation. Unless the
engine is used to drive a pump or similar part of the process, the ignition must be switched off and the keys
handed to a supervisor. The keys should not be returned until loading is complete. This is a precaution designed
to prevent the driver pulling away before the transfer has finished (breakaway couplings are also used for this
purpose in the event that tankers may inadvertently drive off without disconnecting).
Before bulk transfer begins, all equipment including hoses and pipelines must be checked to ensure that they are
in good condition. They must be properly designed, for example, of adequate strength and properly maintained.
Hoses should be subject to an annual examination and proof pressure test and certificates of inspection should
be kept available for audit. The annual examination should include measurement of the electrical resistance of
the assembly.
Instrumentation should be checked for functionality (for example, high level alarms). If top filling is used, hand
rails should be fitted to the vehicle to prevent driver falls. To protect against arcing, grounding/bonding lines must
be fitted to help to dissipate static charges. After filling a tank, time should be allowed for any residual charge to
dissipate.
Other sources of ignition (such as mobile phones, smokers’ items) must be excluded from the filling area.
Emergency procedures should be established for leaks, fire (for example, availability of fire extinguisher, spillage
kit).
Traffic management
ONSITE
The good design of roadways and the control of traffic on-site are important factors in the prevention of road traffic
accidents and an important consideration in the prevention of major accident hazards on-site.

Collisions between moving vehicles, collisions between pedestrians and moving vehicles, or the impact of a
vehicle with stationary plant, vehicles or equipment can lead to physical injuries and damage or a loss of
containment of chemicals.
Controls to minimise accidents include:
 Well-constructed and well maintained roads.
 Roads of sufficient width.
 Adequate road marking.
 Warning signs.
 Speed limits and speed limiting devices.
 One way systems where possible.
 Pedestrian segregation/walkways/road crossings.
 Adequate lighting.
 Mirrors at sharp corners.
 Specified parking areas.
ROUTES
Factors that influence route planning:
 Mandatory factors, there may be physical considerations that preclude the use of a route because of weight
limitations on bridges, height restrictions on underpasses, inadequate shoulders for breakdowns, extensive
construction activities or inadequate parking and turning spaces.
 Laws and regulations may apply to any routing alternative, which would prohibit the transport of hazardous
materials along certain roads or structures (for example, tunnels and bridges).
 Subjective factors that are difficult to quantify but would have to be considered: sensitive populations, special
land uses and emergency response capability.
 Sensitive land uses such as major hospitals, schools, housing, churches or items of cultural significance; or
the location of sensitive ecosystems and natural landscape such as parks reservations and wetlands.
 Emergency and evacuation planning and infrastructure, including: the availability of emergency and
evacuation procedures and plans, the location of emergency response teams and their ability to respond to
hazardous material release, access and ease of emergency evacuation.
 Road and traffic factors. These include the capability and level of service of the road system as measured
by its physical characteristics, the volume of traffic and its composition, and congestion levels of existing and
potential routes.
 Operational factors including economics and operator's requirements. In the first instance, mandatory and
subjective factors should be considered to identify those routes which are clearly unsuitable for the road
transport of hazardous materials.
 Driver considerations include: suitably licensed for the vehicle in question; given suitable breaks on lengthy
journeys; aided by the use of a tracking (GPS) system; knowledgeable of local legislation.
Occasionally during the journey checks should be made to ensure that:
 The load is still secure.
 There is no overheating on the vehicle or leaks from the goods on the vehicle.
 The Emergency Action Code (EAC) markings are clean and clearly visible.
Rail
In Europe, the Regulations concerning the International Carriage of Dangerous Goods by Rail (RID) governs the
movement of dangerous goods (such as petroleum products) by rail, and directly reference ADR for the main
duties.
Requirements for rail transport of dangerous goods are broadly the same as for ADR, in that substances must be
classified, and tankers labelled such that, in the event of an incident emergency services have the emergency
action information readily available.
Additionally, duty holders are required to ensure that suitable security arrangements are in place to prevent
unauthorised interference with the dangerous goods.
In some countries legislation such as, in the UK, the Railways (Safety Case) Regulations (RSCR) 2000 may
require duty holders to prepare, and hold, a Safety Case for their activities.

Exam practice
1. (a) Explain what is meant by the term ‘surface supplied diving technique’. (2)
(b) Outline the purpose and risks associated with saturation diving techniques. (6)
2. (a) Identify possible sources of ignition which should be controlled or excluded at a road tanker filling
point. (2)
(b) Outline a safe working procedure to be followed before bulk transfer to a road tanker is
commenced. (6)
3. Describe the hazards associated with working over water. (8)
4. (a) Explain the hazards associated with water vessels in the vicinity of an oil and gas rig. (8)
(b) Outline the hazards of personnel working over water. (12)


Assessment
Content
Assessments of understanding ...........................................................................................................................116
Assessment questions ....................................................................................................................................116
Exam practice - answers .....................................................................................................................................117
IOG1 - Management of international oil and gas operational safety ..............................................................117

ASSESSMENT
Assessments of understanding
It is understood that those using this publication may be doing so to broaden their understanding of this
important topic, management of oil and gas operational safety, wherever in the world they may be working, and
others will be studying in order to obtain a specific related qualification. The approach taken by those
assessing such qualifications will vary.
This element provides information on how one such qualification is assessed, the NEBOSH International
Technical Certificate in Oil and Gas Operational Safety. The questions and related answers provided in this
section may prove useful for those that want to assess their understanding for this qualification and for more
general reasons.
Assessment questions
NEBOSH PAPER IOG1
To assist students understanding of the assessment requirements for the NEBOSH International Technical
Certificate in Oil and Gas Operational Safety qualification, paper IOG1, some questions that are typical of the
type used in a qualification at this level have been included at the end of each element. This is accompanied by
the following observations related to the success of candidates taking examinations of this type.
At every examination a number of candidates - including some good ones - perform less well than they might
because of poor examination technique. It is essential that candidates practice answering both essay-type and
short answer questions and learn to budget their time according to the number of marks allocated to questions
(and parts of questions) as shown on the paper.
The written paper is 2 hours duration and contains 2 sections:
Section 1 has one question carrying 20 marks requiring quite an 'in-depth' answer. This question should be
allocated 30 minutes in total. If time (for example, 5 minutes) is given to reading, planning and checking, the
time available for writing is 25 minutes. Two sides of a page should be allocated for this answer. Candidates
should produce approximately 1½ sides for an average answer.
Section 2 has 10 questions each carrying 8 marks. If time (for example, 10 minutes) is allowed for reading,
planning and checking then there are 8 minutes to answer each question. One page is allowed for each of
these answers, candidates should produce approximately ½ to ¾ of a side for each answer.
The paper covers the whole unit syllabus with at least one question per unit element. A common fault is that
candidates may fail to pay attention to the command word in each question. The most common ‘command
words’ used in Certificate examination questions are:
Identify To give reference to an item, which could be its name or title.
NB: Normally a word or phrase will be sufficient, provided the reference is clear.
Give Only a short answer is required, not an explanation or a description.
NB: Normally a single word, phrase or sentence will be sufficient.
Outline To indicate the principal features or different parts of.
NB: An exhaustive description is not required. What is sought is a brief summary of the major
aspects of whatever is stated in the question.
Describe To give a detailed written account of the distinctive features of a subject. The account should
be factual, without any attempt to explain. When describing a subject (or object) a test of
sufficient detail would be that another person would be able to visualise what you are
describing.
Explain To provide an understanding. To make an idea or relationship clear.
NB: This command word is testing the candidate’s ability to know or understand why or how
something happens. Is often associated with the words ‘how’ or ‘why’.
The need to understand the meaning of the ‘command word’ and to read the question carefully is emphasised
in the comments below that are taken from recent examiner’s reports:
“… Many answers were too brief to satisfy the requirement for an outline or description. Points made should
have been supported by sufficient reasoning to show their relevance to the question.”
“Some candidates, even though they identified many of the relevant factors, could not be awarded the full range
of marks available because they produced a truncated list that did not properly outline the relationship between
each factor and the corresponding risks.”

ASSESSMENT
“…Some candidates could not be awarded high marks as their responses did not include adequate and
appropriate description of the practical measures…”
“While answers to this question were generally to a reasonable standard, many were too brief to attract all the
marks that were available.”
Exam practice - answers

IOG1 - Management of international oil and gas operational safety
ELEMENT 1
1. (a) List the four steps in the guidance to HSG 245: Investigating Accidents and Incidents. (4)
(b) Outline one step from the guidance. (4)
For part (a)
Step 1: Gather the information.
Step 2: Analyse the information. Determine the immediate and root causes.
Step 3: Identify suitable risk control measures.
Step 4: Develop an action plan, and implement.
For part (b) choose one of the following:
Step 1: Gathering the information
Find out what happened and what conditions and actions influenced the adverse event. Begin straight away, or
as soon as possible. It is important to capture information as soon as possible. This stops it being corrupted,
for example, items moved, guards replaced etc. Talk to everyone who was close by when the incident
happened, especially those who saw what happened or know anything about the conditions that led to it. The
amount of time and effort spent on information gathering should be proportionate to the level of investigation.
This information can be recorded initially in note form, with a formal report being completed later. These notes
should be kept at least until the investigation is complete.
Step 2: Analysing the information
An analysis involves examining all the facts, determining what happened and why. All the detailed information
gathered should be assembled and examined to identify what information is relevant and what information is
missing. The information gathering and analysis are actually carried out side by side.
The analysis should be conducted with employee or trade union health and safety representatives and other
experts or specialists, as appropriate. This team approach can often be highly productive in enabling all the
relevant causal factors to emerge. It is only by identifying all causes, and the root causes in particular, that we
can learn from past failures and prevent future repetitions.
Step 3: Identifying suitable risk control measures
The analysis will have identified a number of risk control measures that either failed or that could have
interrupted the chain of events leading to the accident/incident, if they had been in place. A list of all the
alternative measures to prevent this, or similar, adverse events should be compiled.
Evaluate each of the possible risk control measures on the basis of their ability to prevent recurrences and
whether or not they can be successfully implemented.
Step 4: The action plan and its implementation
At this stage in the investigation, personnel who have the authority to make decisions and act on the
recommendations of the investigation team should be involved. An action plan for the implementation of
additional or improved risk control measures is the desired outcome of a thorough investigation. The action
plan should have SMART objectives, i.e. specific, measurable, agreed, and realistic, with timescales.
Risk control measures will be implemented according to priority. In deciding priorities it will be necessary to be
guided by the magnitude of the risk.

ASSESSMENT
2. Explain the methods used to control gas and vapour concentration outside the explosive limits in the Oil
and Gas industry. (8)
Methods used include ‘inerting’ (using inert gases such as nitrogen) to reduce the oxygen level so that the
flammable limits fall outside the flammable range, or ‘purging’ (with nitrogen, steam or water) to displace
hydrocarbons from vessels, tanks, piping or equipment.
Gases can also be maintained safely at concentrations above the UEL, although a breach in the storage
container can lead to explosive concentrations in the atmosphere or intense fires.
3. (a) Explain the term ‘flash point’. (2)

(b) Outline the terms Upper Flammable Limit (UFL) and Lower Flammable Limit (LFL). (6)
For part (a)
Flash Point is defined as the lowest temperature at which sufficient vapour is produced from a liquid sample for
momentary or flash ignition to occur.
For part (b)
The upper flammable limit is the richest mixture of vapour in oxygen, that is flammable (above the UFL, the
The lower flammable limit is the leanest mixture of vapour in oxygen, that is flammable (below the LFL, the
These are commonly referred to as the upper and lower explosive limits.
4. Outline four management system root cause failures which might lead to an accident occurring in the
workplace. (8)
Examples of root causes include:
 Failure to train.
 Inadequate maintenance.
 Inadequate risk assessments and systems of work.
 Inadequate supervision/management.
 Poor job design, layout.
 Failure to provide adequate PPE.
 Inadequate monitoring.
 Excessive work demands.
5. Outline the system and design failures which lead to the explosion and subsequent fire on the Piper
Alpha oil and gas production platform in the North Sea in 1988. (8)
Safety management is important in any industry, but vital in high risk industries. The Cullen report on Piper
Alpha was highly critical of the management system in the company.
Systems: There was no systematic method for assessing major hazards. There was no system in place for
training in emergencies or when the platform was adapted for gas processing. Permits were seldom cross
referenced; permits were often left on the desk without verbal communication between operations and
maintenance personnel.
Design: The original platform had been designed to withstand fire (for example, firewalls). No modifications
were made (for example, explosion walls) when the platform was adapted to produce gas. The accommodation
block was designed to resist fire but not specifically to prevent smoke ingress.
6. (a) Hydrogen sulphide (H2S) is often found in crude oil and gas. Describe the physical properties of
H2S. (2)
(b) Explain the typical effects H2S exposure would have on the body. (6)
(a) Found in crude oil and gas, Hydrogen Sulphide (H2S) is a colourless, highly toxic, flammable gas. H2S is
heavier than air and hence tends to accumulate in low-lying areas.
(b) At lower concentrations the gas is characterised by the odour of ‘rotten eggs’ and is initially readily
detectable by smell; at higher concentrations the gas rapidly destroys the sense of smell, removing any warning
of its presence, H2S can cause irritation to the eyes, skin and respiratory tract. At higher concentrations

ASSESSMENT
(<500ppm), it can cause over stimulation of the central nervous system and rapid breathing leading to
respiratory failure, and death.
ELEMENT 2
1. (a) State the role of a permit-to-work system. (2)
(b) Outline the key elements of an effective permit-to-work form. (6)
For part (a)

An integral part of a safe system of work, a permit-to-work system is a formal, recorded process used to control
work which is identified as potentially hazardous. Such work is generally ‘non-routine and high risk’.
For part (b)
An effective permit-to-work form should:
 Clearly describe the task to be performed.
 Indicate the date, location and equipment to be worked on.
 Identify the permit validity time (for example, 1 shift; 1 day).
 Identify any isolations that may be required (for example, electrical, mechanical).
 Identify any residual hazards, and the precautions required (for example, gas testing; personal protective
equipment).
 Cross reference any other activities, or isolations, that may be relevant for the equipment being worked
upon.
 Make provision for permit extensions.
 Incorporate provision for permit hand back and cancellation.
 The permit conditions are agreed and made clear to the performing authority.
 The permit is signed by both issuing and performing authorities.
 Permit compliance is monitored for the period of the job.
2. (a) Explain the term non-condensables (NCD’s) using examples. (4)

(b) Outline why it is important to control NCD’s in boiler feed water. (4)
For part (a)

NCD’s are gases from petroleum processing units (such as distillation columns or steam ejectors) that are not
easily condensed by cooling and consists mostly of nitrogen, light hydrocarbons, carbon dioxide, or other
gaseous materials.
Air consists of a number of NCD’s. They include oxygen, nitrogen, argon and carbon dioxide.
For part (b)
Boiler feed water contains a small percentage of non-condensable gases in solution. When the boiler water
changes state (liquid to vapour), the non-condensable gases are released and carried with the steam into the
plant. The presence of NCD gases in a steam system increases corrosion, which bring about costs associated
with excessive consumption of anti-corrosion chemicals and frequent repairs. NCD gases also cause a
decrease in steam pressure and therefore in temperature. Energy transfer being less efficient, the pressure in
heat exchangers must be raised in order to obtain the target temperature. Consequently, it takes more fuel to
heat the product at the required temperature.
NCD’s can also have a serious impact on the system operating conditions, efficiency and lifetime of
refrigeration or air conditioning systems.
3. (a) Explain the purpose of a preventative maintenance scheme. (4)

(b) Outline the benefits of reliability centred maintenance. (4)
For part (a)
Preventive maintenance is where equipment is repaired and serviced before failures occur. The frequency of
maintenance activities is pre-determined by schedules. Preventive maintenance aims to eliminate unnecessary
inspection and maintenance tasks, to implement additional maintenance tasks when and where needed and to
focus efforts on the most critical items. The greater the consequence of failure, the greater the level of
preventive maintenance that is justified.

ASSESSMENT
For Part (b)

Reliability centred maintenance (RCM) involves the establishment or improvement of a maintenance program in
the most cost-effective and technically feasible manner. It utilises a systematic, structured approach that is
based on the consequences of failure. As such it represents a shift away from time-based maintenance tasks
and emphasises the functional importance of system components and their failure/maintenance history.
4. (a) Explain the term ‘corrosion’. (4)

(b) Outline the harmful effects corrosion may have on an oil rig. (4)
(a) Corrosion is the deterioration of materials by chemical interaction with their environment. It is a natural
process in the sense that the metal is attempting to revert to the chemically combined state in which it is almost
invariably found in the earth’s crust. The term corrosion is sometimes also applied to the degradation of
plastics, concrete and wood, but generally refers to metals. The rusting of ordinary steel is the most common
form of corrosion.
(b) The consequences of corrosion are many and varied and the effects of these on the safe, reliable and
efficient operation of equipment or structures are often more serious than the simple loss of a mass of metal.
Some of the major harmful effects of corrosion include:
 Structural failure or breakdown of equipment.
 Failure of vessels and pipes allowing escape of their contents and possible harm to people, plant,
equipment and the environment.
 Mechanical damage to valves, pumps, etc, or blockage of pipes by solid corrosion products.
5. Outline the important considerations which should be taken to ensure a safe shift handover. (8)
A shift handover should be:
 Conducted face-to-face (for example, in control room).
 Two-way, with both participants taking joint responsibility (for example, relaying information; seeking
clarification).
 Done using both verbal and written communication (for example, log books).
 Based on an analysis of the information needs of incoming staff (for example, after prolonged absence;
experience of incoming operator).
 Given as much time and resource as necessary (for example, dependent on state of the process; amount of
maintenance work on previous shift).
ELEMENT 3
1. (a) Explain the term ‘creep’. (2)
(b) Outline the measures which can be taken to prevent creep failure. (6)
For part (a)
Creep is the gradual extension of a material, under stress, over a prolonged period of time. It is more severe at
high temperatures, or temperatures approaching the material’s melting point. Creep has commonly been
associated with steam/gas turbine blade failures.
For part (b)
Measures to prevent creep include:
 Temperature and stresses control in plant, including the minimisation of thermal stresses (for example, re-
routing hot pipes).
 Use of creep resistant materials (for example, 1% chrome, 0.5 % molybdenum steel).
 Regular inspection for cracks and signs of deformation, such as bulges.
 Maintenance and replacement of creep prone components.
2. (a) Explain what is meant by the term proof test in relation to shut down valve safety. (2)
(b) Outline the purpose of emergency shutdown systems (ESD’s). (6)
For part (a)
A proof test is a manual test that will determine whether the valve is ‘as good as new’, by testing for all possible
failure modes. This may require a system shutdown (unless by pass facilities are provided).

ASSESSMENT
For part (b)

 Emergency shutdown systems (ESD’s) are intended to minimise the consequences of emergency
situations, for example, the uncontrolled release/loss of containment of hydrocarbons, or the outbreak of fire
in hydrocarbon areas. Generally designed with a high safety integrity level (SIL) typical actions of an ESD
include:
 Shutdown of a system, or part of a system.
 Isolate hydrocarbon inventories.
 Stop hydrocarbon flow.
 Prevent escalation of an incident.
 Depressure/blowdown.
3. (a) Outline how poor design has led to storage tank failures. (2)
(b) Explain how corrosion may result in storage tank containment loss. (6)
For part (a)
The Boston molasses disaster was caused by poor design and construction, with a wall too thin to bear
repeated loads from the contents.
The tank had not been tested before use by filling with water, and was also poorly riveted. Faulty welding or the
use of sub-standard steel are common causes of failure.
For part (b)
The majority of storage tanks are constructed from carbon steel and corrosion is a prime cause of deterioration
of them and their accessories. It can be associated almost equally from external attack (atmospheric side) or
from an internal (product side) mechanism.
By way of example, tanks in crude oil service can be particularly susceptible to sulphate reducing bacteria
(SRB) attack.
Corrosion is rarely uniform, but flat-bottomed tank floors appear to be the most common areas of failure. This
can be topside down (especially where there is an aqueous phase) or underside up. Product temperature
appears to be an important element, higher temperatures increasing the rate of corrosion.
The condition and materials of construction of tank base along with the effectiveness and durability of the floor
to base seal, and the slope angle of the tank pad away from the base are crucial factors in prevention of bottom
up corrosion.
Corrosion leading to small leaks in floors can potentially go undetected for a period of time. In some cases this
has led to foundations been washed away, causing the tank to become unstable, leading to catastrophic failure
of the tank.
4. More ductile materials, such as steel become brittle at low temperature and can also be subject to brittle
failure. Outline the factors that promote brittle failure. (8)
The factors that promote brittle failure are:

 High tensile stresses.
 Residual (locked in) stresses.
 Impact loading, which does not give the material time to deform plastically.
 Low and high temperatures.
 Inappropriate use of brittle materials.
 Welding joints (these may be brittle).
5. Explain the terms ‘a proof test’ and ‘a diagnostic test’ used to ensure a high level of performance of an
emergency shut down valve. (8)
There are two types of testing methods available:
A proof test: a manual test that will determine whether the valve is ‘as good as new’, by testing for all possible
failure modes. This may require a system shutdown (unless by pass facilities are provided).
A diagnostic test: An ‘online’ test that will detect some of the possible failure modes of the valve (for example, a
partial stroke test).

ASSESSMENT
6. (a) Explain why floating roof tanks are used for storage of certain materials. (2)
(b) Outline the operation of a floating roof tank and how materials are contained safely within. (6)
(a) An external floating roof tank is a storage tank commonly used to store large quantities of volatile petroleum
products such as crude oil or gasoline.
(b) It comprises an open-topped cylindrical steel shell equipped with a roof that floats on the surface of the
stored liquid. The roof rises and falls with the liquid level in the tank. As opposed to a fixed roof tank there is
no vapour space (ullage) in the floating roof tank (except for very low liquid level situations). In principle, this
greatly reduces the evaporative loss of the stored liquid, and minimises the build up of flammable hydrocarbon
vapours. There is a rim seal system between the tank shell and roof to reduce rim loss.
ELEMENT 4
1. List the contents of a typical emergency response plan. (8)
Whilst emergency response plans ERP’s will be unique to each installation and location, the following aspects
would generally be covered:
 Command structure.
 The types of foreseeable accidents.
 The intended strategy for dealing with these accidents.
 Details of the personnel who have roles to play in the emergency response, and their responsibilities.
 Details of the availability and function of special emergency equipment including fire-fighting materials, and
damage control and repair items.
 Details of the availability and function of other resources (for example, rescue and, medical assistance).
 Arrangements for limiting the risk to personnel: this should include the arrangements for training and
instructing the on-site personnel (staff, contractors, visitors, etc).
 Off site assistance: this may include, for example, any special equipment, expertise or facilities which the
off-site emergency services can use.
 Alarm systems: alarms may be audible or visual, or both, and may be manually or automatically activated.
2. (a) Identify suitable job functions for selecting a site incident controller. (2)
(b) Explain the role and responsibilities of a site incident controller. (6)
For part (a)
A suitable job function to fill this role is the establishment manager, shift manager or shift supervisor at the time
the incident occurred. Round-the-clock cover to fulfil this role is essential.
On establishments with a small number of staff, or which are not attended around the clock, appropriate
management arrangements should be in place to carry out the necessary functions in an emergency.
For part (b)
The site incident controller is responsible for taking control at the scene of the incident. The person carrying out
this role should have a thorough knowledge of the overall situation in the vicinity of the incident.
 Assess the impact of the incident. If major, initiate on site plan and, if appropriate, off site plan.
 Take charge of the incident until the site main controller is in place.
 Control fire fighting operations, until emergency services arrival.
 Work with emergency services in search for casualties.
 Evacuation of non essential personnel.
 Set up communications with ECC.
 Provision of advice and information to emergency services at the scene.
 Keep the main site controller informed of significant developments.
3. (a) Explain the operation of a floating roof tank. (2)

(b) Outline the use of floating roof tanks and how fire suppression is achieved in the event of a fire. (6)
For part (a): Floating roof tanks have a roof which rises and falls with the liquid level inside the tank, thereby
decreasing the vapour space above the liquid level.
For part (b): They are used for the storage of crude and volatile products. They have one weak spot between
the rim of the floating roof and the tank shell is an annular seal, where a flammable mixture of air and vapour
can collect. If left undetected, lightning or static electricity sparks can lead to an emergency situation.

ASSESSMENT
A discharge manifold with spray nozzles evenly spaced along the rim seal is designed to discharge the required
foam solution (from a foam source) into a moat or dam above the seal to control the fire. Activation can be
manual or automatic.
4. (a) Explain the term ‘passive fire protection’. (2)

(b) Describe how the use of passive fire protection improves safety on a rig. (6)
(a) Passive fire protection (PFP) may be defined as “a coating, cladding or free-standing system which, in the
event of a fire, will provide thermal protection to restrict the rate at which heat is transmitted to the object or
area being protected.”
(b) PFP materials are used to:
 Prevent escalation of the fire due to progressive releases of inventory, by separating the different fire risk
areas.
 Protect essential safety items and critical components such as separators, risers and topside emergency
shutdown valves.
 Minimise damage by protecting the critical structural members, particularly those which support the
temporary refuge, escape routes and critical equipment.
 Protect personnel until safe evacuation can take place.
5. The Oil and Gas Producers Association (OGP) recommend that producers adopt a five level system for
medical emergency response (MER). Identify FOUR of the five levels which are required to be
established. (8)
The MER is divided into tiers or levels. The following scheme is recommended by the Oil and Gas Producers
Association (OGP):
Level 1 Basic first aid.
Level 2 Advanced first aid.
Level 3 Trained paramedic or emergency medical technician.
Level 4 Doctor or nurse working in a primary care facility.
Level 5 Specialist doctor working in a secondary or tertiary care facility.
ELEMENT 5
1. (a) Explain what is meant by the term ‘surface supplied diving technique’. (2)
(b) Outline the purpose and risks associated with saturation diving techniques. (6)
For part (a)
Surface supplied diving; air is supplied via a hose, from a diver support vessel or from an installation on the
surface.
For part (b)
Saturation diving is a diving technique that allows divers to reduce the risk of decompression sickness (‘the
bends’) when they work at great depth for long periods of time. In saturation diving, the divers live under
pressure in a saturation system or ‘saturation spread’, a hyperbaric environment on the surface, or an ambient
pressure underwater habitat, for the duration of the project (several days to weeks, as appropriate) and are
decompressed to surface pressure only once, at the end of their tour of duty. This is the main method used in
the industry (for dives between 18 to 300 meters).
Risks to divers include: drowning; entangled (in anchor wires, cables); breathing supply problems; contact with
vessels; decompression sickness; on platform emergencies; communications break down.
2. (a) Identify possible sources of ignition which should be controlled or excluded at a road tanker filling
point. (2)
(b) Outline a safe working procedure to be followed before bulk transfer to a road tanker is
commenced. (6)
For part (a)
To protect against arcing, grounding/bonding lines must be fitted to help to dissipate static charges.

ASSESSMENT
After filling a tank, time should be allowed for any residual charge to dissipate. Other sources of ignition (such
as mobile phones, smokers’ items) must be excluded from the filling area.
For part (b)
Before bulk transfer begins, all equipment including hoses and pipelines must be checked to ensure that they
are in good condition. They must be properly designed, for example, of adequate strength and properly
maintained. Hoses should be subject to an annual examination and proof pressure test and certificates of
inspection should be kept available for audit. The annual examination should include measurement of the
electrical resistance of the assembly.
Instrumentation should be checked for functionality (for example, high level alarms). If top filling is used, hand
rails should be fitted to the vehicle to prevent driver falls.
Emergency procedures should be established for leaks, fire (for example, availability of fire extinguisher,
spillage kit).
3. Describe the hazards associated with working over water. (8)

Working alongside or over sea water can expose workers (and their tools) to the effects of salt spray. This can
have a serious effect on skin and clothing, metal tools, and especially electrical equipment with the additional
risk of electric shock.
Wet clothing increases the chill factor and increases the likelihood of hypothermia. Exposure to wind and
ultraviolet radiation will damage the skin and eyes if not controlled.
4. (a) Explain the hazards associated with water vessels in the vicinity of an oil and gas rig. (8)
(b) Outline the hazards of personnel working over water. (12)
(a) Vessel hazards include collision with other vessels, the rig platform or auxiliary supply vessels; and
movement of loads within vessels or the loss of deck loads in storm conditions. Where construction vessels or
tankers are transferring materials or oil there is the potential for the vessel to tip over if the load and water
ballast are not managed carefully.
(b) Working over sea water can expose workers (and their tools) to the effects of salt spray. This can have a
serious effect on skin and clothing, metal tools, and especially electrical equipment with the additional risk of
electric shock. Wet clothing increases the chill factor and increases the likelihood of hypothermia. Falls of
people or equipment from a height can cause serious injury or damage. Wet clothing can absorb a large
amount of water, and triple its weight. This makes it very difficult to swim to the surface if workers fall into the
sea. Water can make footing slippery and hazardous. Exposure to wind and ultraviolet radiation will damage
the skin and eyes if not controlled. If the job entails working from a barge, or floating platform, additional
hazards will include water swell as the level change, often several feet, can make boarding and offloading
difficult and dangerous.
Falls of people or equipment from a height can cause serious injury or damage, and the higher the fall, the
greater the hazard. Wet clothing can absorb a large amount of water, and triple its weight. This makes it very
difficult to swim to the surface if workers fall into the sea. Working over water can make footing slippery and
hazardous.
If the job entails working from a barge, or floating platform, additional hazards will include water swell as the
level change, often several feet, can make boarding and offloading difficult and dangerous. A barge (unless it is
a jack-up type) makes an unstable base, especially when operating machinery. Care needs to be taken when
loading and off loading, to avoid tipping the barge over.

INDEX
Index
working on site, 30
A Control of
Accident causation, 3 ignition sources, 47
Action plan, 5 Major Accident Hazards Regulations (COMAH) 2015, 24
Active fire protection, 89 Control rooms, 32
Additives, 14 Controlled variable, 61
Agents - anti-foaming/anti-wetting, 14 Controlling explosive atmospheres, 11
ALARP, 19 Controls
Analysing information, 5 fire, 62, 75
Annular rim, 58 gas, 62
Anti-foaming agents (defoamers), 14 safety critical equipment, 61
Anti-wetting agents, 14 shut-down, 49
API separators, 65 start-up, 49
Approvals, 107 Co-ordinators
Arrangements marine, 107
boarding, 108 Corrective maintenance, 43
filling, 110 Corrosion
As low as reasonably practicable (ALARP), 19 cracking – stress, 56
Assessment - risk, 33 inhibitor, 14
Asset integrity, 42 preventatives, 14
Associated products prevention, 44
control measures, 14 Corrosive, 12
hazards, 14 Creep, 56
properties, 14 Crews - marine, 107
Authorisation Critical associated safety systems, 32
risk, 33 CVCE’s, 71
B
Barges D
construction, 106 Dangerous occurrence, 3
drilling, 104 Decommissioning offshore platforms, 74
Barriers, 42 Definition of
Blast zones, 23 extremely flammable, 11
BLEVE’s, 72 flammable, 11
Blow down, 62 flash point, 10
Boarding arrangements, 108 highly flammable, 11
Boiler vapour density, 10
operations, 79 vapour pressure, 11
tube failure, 80 Deflagrations, 71
Boilers, use of, 79 Deluge systems, 90
Boiling liquid expanding vapour cloud explosions (BLEVE’s), 72 Detection systems, 85
Bottom rim, 58 Detonations, 71
Bow-tie diagrams, 22 Direct fired heating equipment, 77
Breaking stress, 56 Distributed control system (DCS), 61
Brittle fracture, 57 Diver operations, 109
Buncefield, 7 Domino theory, 3
Bunding - storage tanks, 68 Draining of
LPG storage vessels, 72
Product/water, 48
C Drains, 64
Cable coating, 88 Drilling
Carcinogenic, 12 barges, 104
Catalytic gas detectors, 85 muds, 15
Causation offshore, 103, 104, 105
accident, 3 process, 103
incident, 3 rigs, 104
major incidents, 6 ships, 105
Certification of vessels, 107 Driver training, 110
Change controls - management, 33 Dry powder installations (chemical), 91
Cleaning of equipment and plant, 47 Dye penetrant testing, 59
Commissioning, 51
Compartmentalisation, 88
Compliance audits, 32
Compressive E
stress, 55 Eddy current testing, 60
Concept of hazard realisation, 21 Effects of vacuum, 66
Confined vapour cloud explosions (CVCE’s), 71 Elasticity, 56
Construction barges, 106 Electronic permits, 36
Containment, 71 Electrostatic charges, 77
Content of Elevated flare, 63
alarm systems, 93 Emergency
an emergency response plan, 93 content of, 93
arrangements for limiting the risk to personnel, 93 control centre (ECC), 95
control and command structure, 93 planning, 32
foreseeable emergency situations, 93 response plan (ERP), 92
off site assistance, 93 response, 32, 92
safety cases, 24 role and importance, 92
safety reports, 24, 25 shutdown systems, 61
training of staff, 93 Employee participation, 30
Contractors, 29, 31 Enclosures, 88
interfaces, 36 Equipment
 RMS Printed under licence no. PA916 125

INDEX
cleaning, 47 area classification, 78

flameproof, 78 materials - transport, 109
gas freeing, 47 Hazards, 48, 66
intrinsically safe, 78 fire, 75
types, 78 oil and gas, 10
Escape, 94 operating boilers, 80
ESD’s, 61 operating furnaces, 80
Esso Longford, 8 vessels, 101
Estimation - risk, 18 working over water, 101
Evacuation, 94 Hazards of
Explosion risk in the oil and gas industries, 85 associated products, 14
Explosions, 76 gases, 12
Explosive atmospheres, 11 HAZOP methodology, 20
Extremely flammable, 11 Heat detection, 87
Highly flammable, 11
Hook up, 51
F Hot
Failure stopping, 40
mode and effects analysis (FMEA), 20 tapping, 40
modes, 55, 57 work permits, 31
Failures, 58 Human error, 6
storage tank, 66 Hydrates
weld, 58 presence, 49
Feyzin, 72 removal, 49
Filling Hydrocarbon vapour clouds, 71
arrangements, 110 Hydrocarbons, 66
of tanks, 69 Hydrogen, 13
Fire sulphide, 13
controls, 62, 75
detection, 86
detection systems, 85 I
hazards, 75 Ignition sources, 77
risk in the oil and gas industries, 85 Implementation action plan, 5
risks, 75 Incident, 3
triangle, 76 causation, 3
walls, 88 investigation process, 4
Firebox over pressure, 80 investigation, 4, 32
Fireproof cladding, 88 types of, 3
Fires Inerting, 48
jet, 71 Inflatable bags, 39
pool, 71 Information
Fixed analysing, 5
foam systems, 89 gathering, 4
roof storage tanks, 68 Infrared (IR)
roof tanks, 92 absorption combustible gas detection, 85
water based systems, 89 flame detectors, 86
Flame detectors open-path, 85
detectors, 86 Inherent safety, 19
impingement, 80 Input variable, 61
infrared (IR), 86 Inspection, 43, 44, 107
ultra-violet (UV), 86 optical, 59
Flameproof equipment, 78 strategy - risk based, 45
Flammable, 11 visual, 59
extremely, 11 Interceptors, 64
highly, 11 Interfaces
limits, 11 adjacent plant, 36
Flare, 62 contractors, 36
elevated, 63 Intrinsic hazard, 23
ground, 63 Intrinsically safe equipment, 78
operation, 64 Investigation, 3
Flash point, 10 incidents, 4, 32
Floating Ionisation point smoke detectors, 87
production, storage and offloading units (FPSO), 102 Irritant, 12
production, storage and offloading vessel (FPSO), 96 Isolation
roof tanks, 67, 91 procedures, 37
storage units (FSO), 102 techniques - specialist, 38
Foam bagging, 39
Frank Bird, 3
Furnaces, 79
J
Jack-up rigs, 104
Jet fires, 71
G
Gas
based muds, 16
K
controls, 62 Kick formation, 49
detection, 85
freeing, 47 L
supply - loss of pilot, 80 Land transport, 109
Gaseous (inerting) extinguishing systems, 91 Leak detection, 86
Gases, 12 systems, 85
Ground flare, 63 ultrasonic, 86
Liaison with emergency services, 96
H Lightning, 75
Limits - flammable, 11
Handover
key principles, 42 Linear (line) heat detectors, 87
shift, 41 Liquefied
Harmful, 12 natural gas (LNG), 13, 70
Hazard petroleum gas (LPG), 13, 70
identification, 20 transportation, 101
intrinsic, 23 Loading of vessels, 106
realisation - concept of, 21 Lock out, 37
Hazard and operability studies (HAZOP), 20 Low specific activity (LSA), 16
Hazardous Lower flammable limit (LFL), 11
126 Printed under licence no. PA916  RMS

INDEX
point smoke detectors, 87

M OSHA process safety management standard, 30
Magnetic particle inspection (MPI), 59 Overfilling, 66
Maintenance, 43 Overfiring, 80
corrective, 43 Ownership - contractor, 29
predictive, 44 Oxygen, 13, 48
preventive, 43
reliability centred, 44
risk based, 45 P
strategies, 43 Parallel plate separators, 65
Major incidents, 6 Passive fire protection, 87
Management Permit
change controls, 33 electronic, 36
contractor, 29 types, 36
simultaneous operations, 75 Permit-to-work system, 35
traffic, 111 Personal protective equipment, 109
Management of change (MoC), 32 Personnel transfers, 108
Manipulated variable, 61 PIGS, 40
Marine Pilot gas supply, 80
co-ordinators, 107 Pipe
crews, 107 freezing, 40
masters, 107 plugs, 39
operations, 107 stoppers, 39
transport, 101 Pipeline, 73
Masters - marine, 107 cleaning, 74
Materials - strength, 55 inspection, 74
Mechanical operational control, 73
integrity, 31 Piper Alpha, 6
isolation, 38 Planning, 29
Medical emergency planning, 93 emergency, 32
Medical evacuation procedures and back up resources, 94 Plant
Mercaptans, 15 cleaning, 47
Methane, 13 gas freeing, 47
Micro biocides, 14 maintenance, 42
Modelling, 23 operations, 42
Modes - failure, 57 protection, 110
Moveable offshore drilling rigs, 104 Plasticity, 56
Muds Platforms - production, 105
drilling, 15 Point
gas based, 16 heat detection, 87
oil based, 16 smoke detectors, 87
synthetic, 16 Pool fires, 71
water based, 15 Predictive maintenance, 44
Mutagenic, 12 Pressure testing, 60
Pressurised vessels, 70
Pre-start-up safety review (PSSR), 31
N Preventatives - corrosion, 14
Near miss, 3 Prevention - corrosion, 44
Nitrogen, 13 Preventive maintenance, 43
Non-condensables (NCD’s), 48 Procedures, 57
Non-destructive testing, 58 Process
NORM control systems, 61
scale, 16 drilling, 103
sludge and scrapings, 16 hazards analysis (PHA), 31
procedures, 57
O safety information (PSI), 31
Offshore safety management (PSM), 30
decommissioning, 74 Product draining, 48
drilling, 103, 105 Production platforms, 105
Installation Manager (OIM), 96 Programmable logic controller, 61
Installations (Safety Case) Regulations (OSCR) 2005, 24 Properties of
installations, 96 associated products, 14
platforms gases, 12
process modules, 92 Protection
Oil and gas plant, 110
hazards, 10 vehicle strike, 110
industries - explosion risk, 85 Purging, 47
industries - fire risk, 85 Purpose of
industries, 17, 85 permit-to-work system, 35
risk management techniques, 16 risk assessment, 16
Oil
based muds, 16
interceptors, 64
Q
Qualitative
separators, 64 risk assessment, 17
Oily water drains, 64 Quantified risk assessment (QRA), 17
Onshore installations, 95
Onsite, 111
Operating boilers R
hazards, 80 Radiation - thermal, 76
risks, 80 Radiography, 59
Operating furnaces Rail, 112
hazards, 80 Ranking of risks, 18
risks, 80 Recovery and rescue, 95
Operating plant Refrigerants, 15
procedures, 31 Refrigerated vessels, 70
spacing, 32 Reliability centred maintenance, 44
Operations Rescue, 95
boiler, 79 Response emergency, 32
diver, 109 Rigs, 104
furnace, 79 drilling, 104
marine, 107 jack-up, 104
Optical semi-submersible, 104
inspection, 59 submersible, 104
 RMS Printed under licence no. PA916 127

INDEX
Risk assessment, 33
process, 17
T
purposes, 16 Tag out, 37
qualitative, 17 Tankers, 109
quantitative, 17 Tanks - filling, 69
uses, 16 Temporary refuge, 32
Risk Tensile stress, 55
authorisation, 33 Tension, 55
control barrier models, 22 Testing, 43, 44, 51
control measures, 5 dye penetrant, 59
estimation, 18 eddy current, 60
management, 16, 20 pressure, 60
Risks, 66 ultrasonic, 59
fire, 75 Texas City Refinery Explosion 2005, 9
operating boilers, 80 The Cullen Report, 41
operating furnaces, 80 The Milan incident, 15
ranking, 18 Thermal
Roof tanks, 91 output, 23
Routes, 112 radiation, 76
shock, 57
Toxic, 12
S gas detection, 85
Safe Toxicity, 12
containment of hydrocarbons, 66 carcinogenic, 12
isolation, 37 corrosive, 12
lock out, 37 harmful, 12
operating envelope, 57 irritant, 12
operating procedures, 57 mutagenic, 12
operation, 46 sensitising, 12
tag out, 37 toxic, 12
Safety very toxic, 12
cases, 24 Traffic management, 111
critical equipment, 61 Training, 31
integrity level, 62 driver, 110
reports - content of, 24, 25 Training and drills, 96
Saturation diving, 109 Transfers - personnel, 108
SCADA system, 61 Transport
Scale, 16 hazardous materials, 109
Seals and sealants, 88 land, 109
Semi-quantitative (SQ), 17 marine, 101
Semi-submersible rigs, 104 Transportation
Sensitising, 12 liquefied natural gas, 101
Separators Types of PFP, 88
API, 65
oil, 64
parallel plate, 65
U
Set point, 61 Ultimate tensile strength, 56
Sewage, 64 Ultrasonic
Sewers, 64 leak detectors, 86
Shear - stress, 55 testing, 59
Shift handover, 40, 41 Ultra-violet (UV) flame detectors, 86
Ships - drilling, 105 Unconfined vapour cloud explosions (UVCE’s), 71
Shock - thermal, 57 Unloading of vessels, 106
Shut-down, 48 Upper flammable limit (UFL), 11
controls, 49
Simultaneous operations, 75 V
Site, 95 Valves, 38
incident controller, 96 Vapour
main controller, 95 density, 10
Sludge and scrapings, 16 pressure, 11
Smoke detection, 86 Vehicle strike protection, 110
Sources of ignition, 77 Venting, 47
Spades, 38 Vessels
Spectacle plates, 38 certification, 107
Spheres, 92 hazards, 101
Spray coatings, 88 loading, 106
Sprinkler systems, 90 pressurised, 70
Squeeze off, 38 refrigerated, 70
Start-up, 48 unloading, 106
controls, 49 Visual inspection, 59
Static electricity, 77
Steam, 15
Storage W
bunding, 68 Water, 15
failures, 66 based muds, 15
fixed roof, 68 draining, 48
tank, 58 mist systems, 90
vessels - draining, 72 presence, 49
Storm water drains, 64 removal, 49
Strength - materials, 55 Weld failures, 58
Stress Working
compressive, 55 on site - contractors, 30
corrosion cracking, 56 over water - hazards, 101
shear, 55
tensile, 55 Y
Stress/strain relationships, 56 Yield point, 56
Submersible rigs, 104
Subsea system, 106
Supply vessels, 103 Z
Surface - supplied diving, 109 Zoning, 78
Synthetic based muds, 16
128 Printed under licence no. PA916  RMS

International Oil and Gas Operational Safety: A Guide To

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

International Oil and Gas Operational Safety: A Guide To

Hochgeladen von

Copyright:

Verfügbare Formate

A guide to

International Oil and Gas Operational Safety

Printed under licence no. PA916

© RMS Publishing Limited

Printed under licence no. PA916

Printed under licence no. PA916

Scope and contents

Photographs and schematics

Production of the publication

Publications available from RMS:

Publication Edition ISBN

Printed under licence no. PA916 vii

viii Printed under licence no. PA916

Printed under licence no. PA916 ix

x Printed under licence no. PA916

Printed under licence no. PA916 1

2 Printed under licence no. PA916 © RMS

1.1 - Learning from incidents

Figure 1-1: Accident ratio study. Source: Frank Bird - ILCI.

Figure 1-2: Accident causation domino. Source: Frank Bird - ILCI.

© RMS Printed under licence no. PA916 3

4 Printed under licence no. PA916 © RMS

© RMS Printed under licence no. PA916 5

Importance of learning lessons from major incidents

Figure 1-4: Learning from accidents. Source: Kletz.

6 Printed under licence no. PA916 © RMS

© RMS Printed under licence no. PA916 7

8 Printed under licence no. PA916 © RMS

© RMS Printed under licence no. PA916 9

1.2 - Hazards inherent in oil and gas

10 Printed under licence no. PA916 © RMS

Controlling explosive atmospheres

© RMS Printed under licence no. PA916 11

12 Printed under licence no. PA916 © RMS

© RMS Printed under licence no. PA916 13

14 Printed under licence no. PA916 © RMS

© RMS Printed under licence no. PA916 15

16 Printed under licence no. PA916 © RMS

The five steps described are:

© RMS Printed under licence no. PA916 17

Figure 1-9: 5 x 5 matrix. Source: www.howishow.eu.

18 Printed under licence no. PA916 © RMS

© RMS Printed under licence no. PA916 19

Application of risk management to process safety

20 Printed under licence no. PA916 © RMS

2) Determine how each component may possibly fail.

Figure 1-10: FMEA technique. Source: FMEA info centre.

The concept of hazard realisation

© RMS Printed under licence no. PA916 21

 The accommodation block is in full occupancy, for example, at night time.

Figure 1-11: Bow-tie barrier diagram. Source: Blacktip project.

22 Printed under licence no. PA916 © RMS

© RMS Printed under licence no. PA916 23

1.4 - An organisation’s documented evidence to provide a convincing

24 Printed under licence no. PA916 © RMS

© RMS Printed under licence no. PA916 25

3. (a) Explain the term ‘flash point’. (2)

26 Printed under licence no. PA916 © RMS

Printed under licence no. PA916 27

28 Printed under licence no. PA916 © RMS

2.1 - Contractor management

© RMS Printed under licence no. PA916 29

2.2 - Process safety management (PSM)