NEBOSH International Technical

Certificate in Oil & Gas Operation Safety

Please be advised that the course material is regularly reviewed and updated on the eLearning
platform. SHEilds would like to inform students downloading these printable notes and using these
from which to study that we cannot ensure the accuracy subsequent to the date of printing. It is
therefore important to access the eLearning environment regularly to ensure we can track your
progress and to ensure you have the most up to date materials.

Version 2.0 (30/10/2015)

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 1
 Element 2: Hydrocarbon process safety 1.

Specific intended learning outcomes:

On completion of this element, candidates should be able to demonstrate an understanding and knowledge
of familiar and unfamiliar situations in the oil & gas industry. In particular you should be able to:

1.0 - Explain the principles of assessing and managing contractors.

2.0 - Outline the tools, standards, measurement, competency and controls applicable to Process Safety
Management in the oil & gas industries.

3.0 - Explain the role and purpose of a Permit to Work system.

4.0 - Explain the key principles of safe shift handover.

5.0 - Explain the importance of safe plant operation and maintenance of hydrocarbon containing equipment
and process.

6.0 - Outline the hazards, risks and controls to ensure safe start up and shut down of hydrocarbon
containing equipment and process.

Recommended tuition time:

Recommended tuition time for this unit is not less than 8 hours.
1.0 - Introduction to Contractor Management.

A "Contractor" is anyone you get in to work for you who is not an employee.

Scale of Contractor Use.

The use of contractors in the Oil and Gas industry is commonplace. Many companies turn to contractors to
supplement their engineering and operational staff. They are also used for specialist tasks, often involving
hazardous activities. This could involve working on critical process plant and equipment or carrying out
non-routine activities where there is a greater potential for harm if their work is not properly managed.
Contractors are also used throughout the rest of the process, from geological surveys, design, construction,
repair, operation, dismantling, resupply and other specialist services.

Contractor use is now surging. Due to the ever increasing demand for oil, and a worldwide shortage of
industry skills, oil and gas companies are using contractors more and more. In 2012 80% of companies
increased their contractor headcount, and in 2013 the number of oil and gas contractors in the UK is
predicted to increase by 20%. The industry's spend on contractors is enormous. For example BP is
estimated to spend $35 billion a year, 80% of its turnover, on contractors and suppliers. Shell spends
around $10 billion a year.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 2
 1.0 - Introduction to Contractor Management.

Figure 1. Major oil and gas contractors, their specialisms, turnovers and numbers of employees.

Figure 2. Activities and categories of the oil and gas industry supply chain.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 3
 1.0 - Introduction to Contractor Management.

Practical Steps for Managing Contractors.

It is important to ensure that contractors are properly briefed on and understand the major hazard risks
associated with your activities in order for them to be able to work safely, and to safeguard the integrity of
your plant and processes.

Accidents with contractors are often caused by poor communication, when staff don't know there is a
contractor working nearby and when contractors don't know the dangers on site.

Not only is it good business sense to manage contractors effectively, it is often a legal requirement.

In their publication, "Managing Contractors: A Guide for Employers", the UK HSE recommends five basic
steps for managing contractors:

Step 1: Planning.

Step 2: Choosing a contractor.

Step 3: Contractors working on site.

Step 4: Keeping a check.

Step 5: Reviewing the work.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 4
 1.0 - Introduction to Contractor Management.

Figure 3. Front cover of HSG159 - Managing Contractors, A Guide for Employers.

1.1 - Step 1: Planning.

This step is about how to plan the contractor's job. Working through it will give a better understanding of the
practicalities of risk assessment and planning to reduce risks.

This involves determining exactly what work is to be carried out by the contractor, and how it can be safely
carried out. This will require a risk assessment. If a contractor has been selected it may be appropriate to
discuss with, or involve, the contractor. This process should determine the risk control measures required
(which may include the use of a Permit to Work, or following Client's local rules and procedures) in order to
protect both client and contractor employees.

Contractors have responsibilities for preparing their own risk assessment. Their risk assessment should fit
in with your own and provide you with information. Likewise contractors will need information from you
about the condition of equipment that they are asked to work on or near, any induction requirements, local
rules, and emergency procedures when preparing their assessment.

Clearly there is a need for communication and close co-operation between client and contractor so that all
risks associated with the job are covered.

Key questions that will be asked are:

• What needs doing?

• What are the risks?
• What are the necessary controls?
• Who is responsible for what?
• Who else needs to be told?
• Who else needs to be consulted?

1.2 - Step 2: Choosing a Contractor.

When engaging Contractors to do work, the Client should ensure that the Contractor has the appropriate
job skills, knowledge, and certification (such as pressure vessel welders etc.). Since the Contractors may
be working in and around processes that involve hazardous chemicals, the Contractors should also be
selected for their past experience performing the desired tasks without compromising the safety of
employees at the plant.

Contractors must seek to demonstrate:

• Management commitment to Health & Safety and willingness to improve any gaps.
• A Health & Safety Management System equal to or better than that of Client.
• A documented performance history.
• An Accident Frequency (AFR) rate better than, or compatible to, the industry norm.
• A proven commitment of continuous improvement in Health & Safety.

From a safety perspective, the Contractor evaluation process should:

• Provide a clear understanding of the risks each Contractor will bring to the worksite.
• Provide an understanding of the impact a Contractor may have on overall safety results.
• Identify the mitigating steps required to get the Contractor to meet overall safety expectations.

Before the work starts, spell out the conditions your Contractor has to meet and select the one best
equipped to meet them. Identify health and safety procedures associated with the job and include them in
the Contractor's specification. When bids are received, check them against the specification to make sure

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 5
 1.2 - Step 2: Choosing a Contractor.

that proper provision has been made for controlling risks.

Selection criteria should not be based on cost alone, but should also include technical competence,
availability, reliability, and health and safety.

Information that may assist in determining health and safety competence includes:

• A H&S questionnaire completed by the Contractor.

• Health, Safety and Environmental policies signed by the top management.
• Statement of commitment to comply with all applicable Health, Safety and Environmental legislation.
• Accident/Incident statistics.
• Enforcement action by regulatory bodies.
• Risk assessments and Method Statements.
• Training records and plans for employees.
• References from previous Clients.
• Membership of relevant professional bodies and trade associations.
• Previous experience in similar work.
• Management system details and procedures for issues such as accident investigation, monitoring,
consultation, work planning, substance abuse prevention, risk assessment etc.
• CVs and qualifications of key personnel.
• Employers' liability, public liability and professional indemnity insurance certificates.
• Arrangements for selection of sub-Contractors. Will they apply the same rigour in selecting and
managing sub-Contractors?

There are a number of schemes that Contractors can apply to join. These will select and vet Contractors
based on their H&S credentials. Belonging to an approved scheme can be beneficial to both the Contractor
and the Client. It will create more business opportunities for the Contractor as membership enhances their
reputation. For the Client it can save time and allows them to carry out due diligence checks with the
minimum of effort.

Building relationships to set up an internal list of preferred Contractors has definite advantages. Not only do
the Contractors become familiar with your installation and your personnel (and vice-versa), you can check
their safety record from time to time and keep them up to date with your rules and standards.

The Client should consider establishing a method of reviewing and determining whether a Contractor can
meet the Client's safety requirements and therefore be considered for work. An example process would be
once the Safety Questionnaire has been completed by the Contractor, the Client would review the
document for completeness, and evaluate it against the Client's requirements. In order to assist the
Contractor, Clients would provide relevant feedback to the Contractor on areas that need enhancement or
improvement.

Problems can arise when there is further subcontracting unless there are good arrangements between all
parties. You may wish to set down rules about subcontracting. We will look at this later.
1.3 - Step 3: Contractors working on site.

Controlling Access.

All businesses need to control the coming and going of people in and out of their premises. It is too
common for regular contractors to come on site and work without any control.

The basic steps of controlling contractors are:

• All contractors sign in and out.

• Name a site contact.
• Reinforce health and safety information and site rules.
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 6
 1.3 - Step 3: Contractors working on site.

• Check the job and allow work to begin.

Contractors should arrive at a reception area or similar and sign a visitors book. When they leave they
should sign out. This way the business who is on site, where they are, who they are visiting and what they
are doing.

The arrival is the opportunity to check if they have been inducted. If not then they need a site induction
where they will learn the site safety rules and what site hazards they need to be aware of. These rules will
be given to the contractors in writing. They will also be introduced to the site contact who will discuss the
rules verbally and will be available if the contractors have any questions or they need to change the job
which was agreed.

Training Requirements.

Contractors need to be told about the hazards they face when they come on site. Often an induction talk is
the best way of passing this information on. It is worthwhile checking that they have understood any
essential points (for example: by having a post induction test).

Contractors have the responsibility to provide appropriate information and training to ensure that their
employees have adequate knowledge and skills to perform their jobs safely. The Contractor is generally
responsible for providing safety and job-specific training for its employees unless otherwise stated in the
contract or other agreement. Upon final review of the scope of work, Client and Contractor may identify any
site or job-specific training that is necessary to perform the work safely and agree on how this will be
accomplished.

Training that the Client may provide the Contractor's employees include:

• Hazards and risks specific to the installation.

• Control measures to control the above risks.
• Fire and emergency procedures.
• Internal Permit to Work systems.
• Accident/Incident reporting.
• First aid facilities.

It is important for the Contractor to maintain records of training and make them available to the Client upon
request. The Contractor should consider periodically reviewing training schedules and materials to verify
that they are current. The Contractor should maintain training documentation in a manner that is easily
retrievable. Additionally, Contractor personnel may need to carry certain training credentials as required by
regulation or the Client.

Practical ways of ensuring the contractors are trained when they arrive on site include:

• Keeping a record of induction training and checking contractors' names against this before allowing
access on site.
• Delivering classroom style induction training.
• Producing an induction training video covering the important safety rules and information on site.
• Giving them an information booklet and pocket card to keep with them and refer to in future.
• Making contractors pass a test or exam to check their knowledge before entering site.
• Taking the contractors on a workplace tour so they know the locations of exits, welfare facilities,
emergency equipment, alarm call points and key personnel.
• Introducing them to key personnel such as the client contact, first aiders and supervisors.
• Ensuring they are aware of local procedures relating to accident reporting, permit to work systems
and emergency procedures.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 7
 1.3 - Step 3: Contractors working on site.

Communication Requirements.

It is important that information flows easily between the Client and Contractor, and also filters down to their
respective employees where appropriate.

Clients and Contractors are responsible for communicating the appropriate information regarding workplace
hazards and safety requirements to their employees. The communication of this information may include
many formats such as an orientation program, job safety analyses (JSAs), safety meetings, pre-job/pre-tour
safety meetings, training, Material Safety Data Sheets (MSDSs), safe work permits, signs, posters,
procedures, or other written materials.

Contractors need a Client site contact, someone to get in touch with on a routine basis or if the job changes
and there is any uncertainty about what to do. In addition to agreeing a method of work with the Contractor,
the site contact acts as a source of help and advice should the Contractor encounter problems during the
work.

The above is sometimes facilitated by having a site focal point, somewhere for the contractors to go to
before and after each job, or if they have any questions. This site focal point is usually a control room or
Facilities Office where the site contact is usually located.

A pre-job meeting should be completed before each job starts. The length and complexity of this meeting
will vary depending on the complexity and risks of the job. The meeting is a gathering between the Client
and those carrying out the work, where last minute checks are made to ensure that everyone is aware of
the risks, the controls and the methods to be employed. It is also an opportunity to identify any
hazards/risks that may have been missed in the earlier planning stages. The circumstances just before
work starts may be somewhat different (different weather, different personnel, unexpected breakdown or
use of other equipment etc.) and the health and safety implications of these differences should be
considered.

Figure 1. A pre-job meeting.

Emergency Response, drills/exercises requirements.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 8
 1.3 - Step 3: Contractors working on site.

It is generally the Contractor's responsibility to comply with the Client's emergency response procedures
and evacuation plans. Conversely, the Client must comply with the Contractor's requirements when on the
site of a Contractor's Mobile Offshore Drilling Unit (MODU) or other type of drilling or well servicing unit.
Certain elements in the Client's and/or Contractor's evacuation procedures may include designated
assembly areas and/or evacuation routes, and the method of accounting for personnel during an incident.

Where applicable, all personnel should receive appropriate orientation and training in emergency
procedures and participate in emergency drills and exercises. For emergency evacuations, muster
locations should be identified for all personnel who will evacuate. Procedures should be in place to account
for personnel, as applicable.

Arrangement should be put in place to determine contractor employee whereabouts on site at any time. To
help managers keep in touch with the whereabouts of all the maintenance workers and contractors in a
process area, a "see at a glance" method display system can be used to identify the various types of
activity and operations. The display should be located in the plant control room or in a similar central
location. Maintaining a site entry and exit log for contractors is another way employers can track and keep
current knowledge of activities involving contract employees working on or near a process. Creative
solutions such as personal ID cards, different coloured hard hats or different coloured high visibility vests
are also sometimes used to identify contractors visually.

Responsibilities.

It is important for the Client and Contractor to understand their individual responsibilities during the
planning, performance, and completion stages of work. As part of the process, the Client may notify the
Contractor where safety requirements are not being met, but it is generally the responsibility of the
Contractor, not the Client, to communicate to Contractor employees the steps that should be taken to
correct any deficiencies.

Contractor management must:

• Be actively involved in leading their organisations to be injury free.

• Accept accountability for safety of their workers.
• Understand and support Client safety objectives.
• Develop, implement and maintain an effective safety management system that meets Client safety
objectives.

Contract workers must:

• Follow Client and Contractor safety processes and procedures.

• Play an active part in the safety management process.
• Be accountable for individual and co-workers' safety performance.

The Client retains overall responsibility for the safety of the work being carried out. They must ensure that
the Contractor is informed of all hazards and risks that may affect the Contractor's employees.

Handover and Acceptance Phase.

A process should be agreed for ensuring the contracted work is completed to the expected level of safety
and, where the service is performed within an operation or facility, the working area has been made safe,
including:

• Inspections of the work area to ensure all redundant material and equipment have been removed
and the area is safe for use. This includes:
o Physical inspections have been performed on all plant and equipment to ensure all
safeguards are operational prior to the plant and equipment being returned to service.
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 9
 1.3 - Step 3: Contractors working on site.

o Safety barriers and general housekeeping levels have been restored.

o Safety provisions are available and functioning as designed.
• All relevant documentation, records and information relating to safety have been handed to the site
contact, including where appropriate, relevant operational or safe work procedures, "as built"
drawings or schematics and any testing records required by local legislation.

The site contact and the Contractor then, where appropriate, sign a record of acceptance that they are
satisfied the area is safe, including equipment and materials, and that they approve the closure of the job.
1.4 - Step 4: Keeping a check.

This step is critical in controlling jobs with contractors. It's about monitoring, checking on what is being done
and whether the job is going as planned.

Contractors are responsible for supervising their own work and for ensuring that they work safely so you do
not need to watch them all the time. However, you do need to provide some monitoring to ensure they are
working safely, and that the safety of other people (other contractors and your own employees) is not put at
risk. You have to weigh up what level of monitoring is reasonable in the circumstances.

The amount of contact with the contractor should be related to the hazards and risks associated with the
job. It needs to be decided and agreed at the beginning of the job. For high-risk jobs (for example: where a
Permit To Work is used) more contact may be needed than for jobs which you consider to be low risk. As
the work proceeds, particularly with a new contractor, a little more checking may be required, to make sure
that the agreed controls are being met.

With new contractors, despite them having been properly vetted and selected, it is still good practice to
monitor them more closely in the early stages of the relationship. This is because they may yet be
unfamiliar with your site, or your people are unfamiliar with how they work. Or, even worse, they may not be
quite as responsible and as safe as you thought! In which case you should stop the work to clarify to them
what is expected. If their behaviour does not improve then the job should be stopped and your relationship
with them should be reviewed.

The monitoring arrangements can be formalised with a number of progress meetings, particularly for
lengthy complex jobs which may require the co-operation of several contractors.

Auditing Performance During Contractor Work Execution.

For regular or permanent contractors it is necessary to have a plan of audits to formally monitor
performance. This is in addition to the regular checks that are carried out by site management. The audits
are often done in collaboration with the HSE department and require a more in depth and thorough review
of performance.

Audits are different to on the job monitoring. Audits will combine job observations with documentation
reviews and interviewing personnel. It is a more formal process to ensure that the work continues in a safe
manner, and that the terms of the agreement (Contract) are being met.

Conducting an audit (or the process an Auditor should follow):

• Notification in advance.
• Define scope of audit.
• Initial meeting before audit commences to introduce auditors and confirm scope.
• Systematic detailed review of the relevant documented policies and procedures.
• Follow the audit trail (follow the documentation back down the trail, ensuring that there is no gap).
• Audit findings meeting and agree time-scale for correcting any observations/corrective actions/non
conformance.
• Close out meeting.
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 10
 1.4 - Step 4: Keeping a check.

• Produce audit report and follow up to closure of audit.

1.5 - Step 5: Reviewing the work.

The final step is about learning from the job and learning about the Contractor when the work is completed.

Reviewing is about evaluating the standard and quality of the Contractor's work, and the safety of their
performance. For example:

• Were method statements/risk assessments/permits to work followed?

• Were accidents reported and properly investigated?
• Were safety inspections carried out as agreed?
• Were safety review meetings attended?
• Were procedures followed? etc.

The Contractor's strengths and weaknesses must be clearly identified. The Contractor's performance, and
any lessons learnt, should be recorded and can be used when revising your list of preferred Contractors for
future work.
1.6 - Benefits of managing contractors.

The benefits of a good Contractor safety programme are:

• Safety expectations and capabilities are clearly understood before the work begins.
• Improved safety performance.
• Better working relationship between Client and Contractor.
• Improved safety training for both Clients and Contractors.
• Improved productivity, reliability and efficiency.

Accidents with Contractors are usually as a result of:

• A Poor selection process.

• Poor communications.
• Unfamiliarity with the site.
• The high risk work they undertake.

1.7 - Contractor Incident Management and Follow-up.

The Contractor incident management process must be aligned with Client expectations regarding incident
management:

• Provide care for injured.

• Report to Client.
• Incident investigation and analysis.
• Alcohol & Drug Testing.
• Restricted work options.
• Categorise the incident.
• Review incident with Client.
• Causal analysis of incident, incident learnings, corrective actions and follow-up plans.

In most cases Contractors will be responsible for investigating their own incidents except where the
accident has also injured the Client's personnel, damaged their equipment or interrupted operations. While
Clients are not responsible for investigating the Contractor's incidents they do have an enormous interest in
making sure that that the investigation is thorough and that all additional control measures are

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 11
 1.7 - Contractor Incident Management and Follow-up.

implemented. In the UK Clients have a common law duty of care for Contractors.

Figure 1. Incident Management Life-cycle.

1.8 - Sub-contractors.

A Sub-Contractor is any party that is contracting to another Contractor.

In some situations the work is contracted from one company to another in a long chain of commercial
contracts, effectively sub-contracting out sub-contract work to the Nth degree. This can create problems in
relation to the amount of control a Client has. Each link in the sub-contractor chain adds a new point of
contact and a new company with different procedures and ways of working. In addition to this, each
company is paid slightly less than the one it is contracted to. Over many levels this can mean that the
company/people carrying out the work are doing it for much less than is the industry norm. This can have a
resulting effect on quality and safety as the managers and people may have fewer skills, and less time and
effort is invested in planning and managing the work.

However, there can be immense benefits. A principal Contractor or general Contractor may not have the
specialist skills to carry out the full project and may outsource certain tasks to a company who does have
those skills. That company may also outsource a small portion of the work to other companies who are
even more highly specialised. The principal Contractor would retain overall control of the project. This
means that a better, more competent service can be provided to the Client, at a lower risk. Provided the
Client is aware of the limits of the principal Contractor's skill set and their intention to Sub-Contractor parts
of the work, then sub-contracting can deliver projects reliably and safely.

It is important that each Sub-Contractor is selected as rigorously as the first principal Contractor, and that
the Contractor safety programme involves all the contractors at different levels.

With regards to the contract between the Contractor and the Sub-Contractor:

• The Sub-Contractor must meet all the same terms and conditions of the Contractor.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 12
 1.8 - Sub-contractors.

• The Sub-Contractor must operate to the same standards as the main Contractor.
• The Sub-Contractor must audit and review his own systems to ensure compliance with Client
requirements.
• Company supervision should always hold the principal Contractor accountable for their Sub-
Contractors (i.e. incidents, performance issues, etc.).

1.9 - Example Exam Questions on Contractors.

Here is a selection of past exam questions on contractors. As we have said previously, there is no
guarantee that these questions will ever be asked again, but these will give you a good idea of the types of
questions you could be asked.

Identify documents that could be provided by contractors in order to demonstrate their health and safety
competence to an oil and gas industry client (8).

A safety management team within an oil and gas installation are expecting the arrival of contractors.
Hazards have been identified, risks have been assessed, and contractors chosen on the basis of
competency issues.
Outline practical way of managing contractors:

1. in relation to the provision of training when they arrive for work (7).
2. During work (10).
3. Upon completion of work (3).

1.10 - Summary of Contractors.

The learning outcome for this section was:

1.0 - Explain the principles of assessing and managing contractors.

In summary we have learnt:

• About the large scale of contractor use in the Oil and Gas industry.
• The HSE's 5 Step Process for managing contractors, including job planning, Contractor selection,
on site management and supervision, and reviewing of the work.
• The benefits of managing contractors.
• The responsibilities of the Client and of the Contractor.
• How to manage contractor incidents.
• About the dangers and required controls for Sub-Contractors.

2.0 - What is Process Safety?

Process safety focuses on preventing fires, explosions and accidental chemical releases in chemical
process facilities or other facilities dealing with hazardous materials such as refineries, and oil and gas
production installations (both onshore and offshore). Process Safety is a disciplined framework for
managing the integrity of hazardous operating systems and processes by applying good design principles,
engineering and operating practices.

Occupational safety and health primarily covers the management of personal safety. However, well
developed management systems also address process safety issues. The tools, techniques and programs
required to manage both process and occupational safety can sometimes be the same (for example, a
work permit system) and in other cases may have very different approaches. LOPA (Layers of Protection
Analysis) or QRA (Quantified Risk Assessment), for example, focus on process safety whereas PPE

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 13
 2.0 - What is Process Safety?

(Personal Protective Equipment) is very much an occupational safety issue.

A common tool used to explain the various different but connected systems related to achieving process
safety is described by the Swiss cheese model which we looked at in Element 1. In this model, barriers that
prevent, detect, control and mitigate a major accident are depicted as slices, each having a number of
holes. The holes represent imperfections in the barrier, which can be defined as specific performance
standards and limits. The better managed and better designed the barrier, the smaller these holes will be.
When a major accident happens, this is invariably because all the imperfections in the barriers (the holes)
have lined up to create "the perfect storm". It is the multiplicity of barriers that provide the protection. The
more barriers there are, and the smaller the holes are, the less likely they are to line up.

Process safety generally refers to the prevention of unintentional and hazardous releases of chemicals,
hydrocarbons, energy, or other potentially dangerous materials (including steam) during the course of the
process. Process safety involves, for example, the prevention of leaks, spills, equipment malfunction, over-
pressures, over-temperatures, corrosion, metal fatigue and other similar conditions. Process safety
programs focus on design and engineering of facilities, maintenance of equipment, effective alarms,
effective control points, procedures and training. It is sometimes useful to consider process safety as the
outcome or result of a wide range of technical, management and operational disciplines coming together in
an organised way.

Figure 1. The Swiss cheese model as applied to process safety.

2.1 - History of Process Safety.

Here we will summarise the historic progress made in occupational safety and process safety since the
Middle Ages:

• 1066: In England, William The Conqueror issued instructions to cover and damp down fires before
retiring.
• 1566: In Manchester (UK) the Manorial Court decreed that sacks of twigs used in bake house ovens

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 14
 2.1 - History of Process Safety.

were to be stored a safe distance from the bake house and it was an offence to lay straw in the
streets and to light fires in rooms with no chimney.
• Further fire legislation followed in the 17th and 18th centuries as a result of events such as the Great
Fire of London (1666).
• The 19th century is known as the era of industrial revolution. Each technical progression has brought
with it a certain amount of threat and hazardous activity. Chemical process safety was not a major
public concern prior to almost the end of the 18th century. Industrial revolution and the emergence
of the chemical and petroleum industries required legislation to ensure safety in the workplace and
to the public.
• In the US, safety regulations started back in 1899 when the US government issued the River
Harbour Act to avoid excess dumping in waterways. At the beginning of the 19th century, especially
in the mines, thousands of innocent lives were lost because of the hostile environment. The year
1910 was reported as the worst with 1,775 deaths in mines.
• January 15, 1919: The Boston Molasses Disaster. A 15m x 27m tank of molasses burst, unleashing
8,700 cubic metres of molasses into the streets. The wave measured nearly 8m high, travelled at
35mph and killed 21 people. 150 were injured.

Figure 1. The aftermath of the Boston Molasses Disaster.

2.2 - History of Unsafe Processes: the Flixborough Disaster (1974).

The chemical plant, owned by Nypro UK and in operation since 1967, produced caprolactam, a precursor
chemical used in the manufacture of nylon. The process involved oxidation of cyclohexane with air in a
series of six reactors to produce a mixture of cyclohexanol and cyclohexanone. Two months prior to the
explosion, a crack was discovered in the number 5 reactor. It was decided to install a temporary 50 cm (20
inch) diameter pipe to bypass the leaking reactor to allow continued operation of the plant while repairs
were made.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 15
 2.2 - History of Unsafe Processes: the Flixborough Disaster (1974).

Figure 1. Diagram of temporary bypass pipe installed.

At 16:53 on Saturday 1 June 1974, the temporary bypass pipe [containing cyclohexane at 150°C (302°F)
and 1 MPa (10 bar)] ruptured, possibly as a result of a fire on a nearby 8 inch (20cm) pipe which had been
burning for nearly an hour. Within a minute, about 40 tonnes of the plant's 400 tonne store of cyclohexane
leaked from the pipe and formed a vapour cloud 100 to 200 metres (320 to 650 feet) in diameter. The cloud
came into contact with an ignition source (probably a furnace at a nearby hydrogen production plant) and
exploded, completely destroying the plant. Around 1,800 buildings within a mile radius of the site were
damaged.

The fuel-air explosion was estimated to be equivalent to 15 tonnes of TNT and it killed all 18 employees in
the nearby control room. Nine other site workers were killed, and a delivery driver died of a heart attack in
his cab.

Observers have said that had the explosion occurred on a weekday it is likely that more than 500 plant
employees would have been killed. Resulting fires raged in the area for over 10 days. It was Britain's
biggest peacetime explosion until the 2005 Buncefield fire.

Substantial destruction of property was recorded in Flixborough itself, as well as in the neighbouring
villages of Burton-upon-Stather and Amcotts. Significant structural damage affected Scunthorpe (three
miles away) and the blast was heard over thirty miles away in Grimsby.

The official inquiry into the accident determined that the bypass pipe had failed because of unforeseen
lateral stresses in the pipe during a pressure surge. The bypass had been designed by personnel who were
not experienced in high-pressure pipework, no plans or calculations had been produced, the pipe was not
pressure-tested, was mounted on temporary scaffolding poles that allowed the pipe to twist under pressure
and had not been reviewed by appropriate chartered engineers. The by-pass pipe was a smaller diameter
(20") than the reactor flanges (28") and in order to align the flanges, short sections of steel bellows were
added at each end of the by-pass. Under pressure such bellows tend to squirm or twist. These
shortcomings led to a widespread public outcry over industrial plant safety, and significant tightening of the
UK government's regulations covering hazardous industrial processes.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 16
 2.2 - History of Unsafe Processes: the Flixborough Disaster (1974).

Figure 2. Site of the explosion.

Figure 3. Aerial view of the disaster site.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 17
 2.2 - History of Unsafe Processes: the Flixborough Disaster (1974).

Figure 4. BBC footage shortly after the incident.

2.3 - History of Unsafe Processes: Seveso, Italy (1976).

The Seveso disaster was a chemical accident on July 10, 1976, at the small Italian town of Meda, 20km
from Milan in Lombardy. There was an explosion at a chemical factory which released a lot of the toxic
poison dioxin, TCDD, into the air. The cloud of poison gas covered an area 6 km long and 1 km wide. It
was named after the municipality of Seveso. It resulted in the highest known exposure to TCDD in
residential populations. There were many studies and new regulations after the accident. The European
Union directive covering the protection against such accidents is known as Seveso II today.

The company where the accident happened was called Icmesa. It was owned by Givaudan, who is owned
by Roche. Icmesa produced Trichlorophenol, which is used to produce the disinfectant Hexachlorophene.
The company was located in four communes, one of them Seveso.

None of the 20,000 people who lived in Seveso died, but the poison killed 3,000 farm animals and pets.
Another 70,000 animals had to be killed to stop the dioxin from getting into the food chain.

Thirty years after the accident, scientists reported that babies born in the area affected by the dioxin were
six times more likely to have thyroid problems. The affected children are being studied to see if this has
stopped them growing properly, or caused problems with intellectual development.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 18
 2.3 - History of Unsafe Processes: Seveso, Italy (1976).

Figure 1. Photo of the cloud.

Figure 2. Child with Chloracne "spots", a temporary and non fatal condition caused by exposure to the
dioxin.

2.4 - History of Unsafe Processes: Bhopal, India (1984).

The Bhopal Disaster, also referred to as the Bhopal Gas Tragedy, was a gas leak incident in India and is
considered to be the world's worst industrial disaster. It occurred on the night of 2nd to the 3rd December
1984 at the Union Carbide India Limited (UCIL) pesticide plant in Bhopal, Madhya Pradesh.

Over 500,000 people were exposed to methyl isocyanate gas and other chemicals. The toxic substance
made its way in and around the shantytowns located near the plant. Estimates vary on the death toll. The
official immediate death toll was 2,259. The government of Madhya Pradesh confirmed a total of 3,787
deaths related to the gas release. Others estimate 8,000 died within two weeks and another 8,000 or more
have since died from gas-related diseases. A government affidavit in 2006 stated the leak caused 558,125
injuries including 38,478 temporary partial injuries and approximately 3,900 severely and permanently
disabling injuries.

Factors leading to the magnitude of the gas leak mainly included problems such as:

• Storing MIC in large tanks and filling beyond recommended levels.

• Poor maintenance after the plant ceased MIC production towards the end of 1984.
• Failure of several safety systems due to poor maintenance.
• Safety systems being switched off to save money, including the MIC tank refrigeration system which
could have mitigated the disaster severity.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 19
 2.4 - History of Unsafe Processes: Bhopal, India (1984).

• The situation was worsened by the mushrooming of slums in the vicinity of the plant, non-existent
catastrophe plans, and shortcomings in health care and socio-economic rehabilitation.

Other factors included:

• Use of a more dangerous pesticide manufacturing method despite a less hazardous technique
being available.
• Large-scale MIC storage.
• Plant location close to a densely populated area.
• Undersized safety devices.
• Dependence on manual operations.
• Lack of skilled operators.
• Reduction of safety management.

Figure 1. Spread of the gas.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 20
 2.4 - History of Unsafe Processes: Bhopal, India (1984).

Figure 2. Summary of Bhopal disaster with map.

Video: National Geographic - Bhopal Gas Tragedy Part 1.

Please wait for the video to buffer before pressing play.

Alternatively you can download the video to watch at your convenience.

Download Video
Video: National Geographic - Bhopal Gas Tragedy Part 2.

Please wait for the video to buffer before pressing play.

Alternatively you can download the video to watch at your convenience.

Download video.
Video: National Geographic - Bhopal Gas Tragedy Part 3.

Please wait for the video to buffer before pressing play.

Alternatively you can download the video to watch at your convenience.

Download video.
Video: National Geographic - Bhopal Gas Tragedy Part 4.

Please wait for the video to buffer before pressing play.

Alternatively you can download the video to watch at your convenience.

Download video.
2.5 - History of Unsafe Processes: Piper Alpha, UK (1988).

The Piper Alpha disaster was a major disaster for the oil and gas industry and its root causes feature
prominently on the NEBOSH syllabus. For these reasons we recommend you have a good understanding
of what happened and the various causes.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 21
 2.5 - History of Unsafe Processes: Piper Alpha, UK (1988).

Figure 1. Photo with dimensions of Piper Alpha.

On July 6, 1988, the Piper Alpha oil platform experienced a series of 10 catastrophic explosions and fires.
This platform, located in the North Sea approximately 110 miles from Aberdeen, Scotland, had 226 people
on board at the time of the event, 165 of whom perished. In addition, two emergency response personnel
died during a rescue attempt. The platform was totally destroyed. It remains to this day the world's worst
offshore oil disaster in terms of lives lost and impact on the industry.

The subsequent investigation was hindered by a lack of physical evidence. However, based upon
eyewitness accounts, it was concluded that most likely a release of light hydrocarbon condensate (i.e.
propane, butane, and pentane) occurred when a pump was restarted after maintenance. Unbeknownst to
the personnel starting the 25 pump, a relief valve (RV) in the pump discharge had also been removed for
service and a blank had been loosely installed in its place on the piping flange (which was not readily
visible from the pump vicinity). Upon restart of the pump this flange leaked, producing a flammable
hydrocarbon cloud, which subsequently found an ignition source.

The Piper Alpha platform was at the hub of a network of platforms interconnected by oil and gas pipelines.
The initial explosion ruptured oil lines on Piper Alpha and the leaks were fed by the still-pressurised inter-
platform pipelines. Managers on other platforms, aware of a problem on Piper Alpha (but not its severity),
assumed that they would be instructed to shut down their operations, if needed. However, the explosion
had interrupted communications from Piper Alpha and considerable intervals (from 30 to 60 minutes)
passed before these other platforms shut down the pipelines which continued to feed the fire.

A series of follow-on explosions occurred as the fires on the platform weakened natural gas riser pipelines
on Piper Alpha. The intensity of the fires prevented rescue efforts, either by helicopter or by ship. At the
height of the event, natural gas was being burned on Piper Alpha at a rate equivalent to the entire United
Kingdom natural gas consumption rate.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 22
 2.5 - History of Unsafe Processes: Piper Alpha, UK (1988).

Figure 2. Size of the fire when the gas pipelines ruptured.

Many of the platform crew retreated to the crew accommodation module, as they had been trained, to await
evacuation. No organised attempt to was made to retreat from the accommodation module, even though it
became increasingly apparent that the conditions in the module were becoming untenable. 81 personnel
died from smoke inhalation in the crew quarters, awaiting further instructions that never came. Survivors
found ways, on their own initiative, to get to the water (some jumping to the sea from considerable heights
on the platform despite having been told in training that to do so would mean certain death).

Figure 3. After the disaster.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 23
 2.5 - History of Unsafe Processes: Piper Alpha, UK (1988).

The subsequent investigation revealed the following:

• Two separate work permits had been issued for the condensate pump: one for the pump repair and
one for testing the RV. The RV job had not been completed by the end of the shift and, rather than
working overtime to complete it, it was decided to terminate the permit for that day and continue on
the next. The craft supervisor suspended the permit and returned it to the control room without
notifying operations staff of the job status.

• During shift turnover the status of the pump work was addressed, but no mention was made of the
RV work, and there was no mention of it in the control room or maintenance logs. Continuing
problems with the adequacy of turnovers and log entries were a problem known to some (one staff
member: "It was a surprise when you found out some things which were going on").

• The work permits for the pump and the RV did not reference each other, and it is likely that the
permits had been filed in separate locations (one on the control room and one in the Safety Office).
When the online condensate pump failed later in the shift, creating an imperative to start the spare
to enable continued production, control room personnel were only aware of the pump repair work
permit, and proceeded to have the pump returned to service.

• The permit to work (PTW) system was often not implemented according to procedure ("the
procedure was knowingly and flagrantly disregarded"). For example:
o Omissions (e.g. signatures and gas test results) were common.
o Operations representatives often did not inspect the jobsite before suspending the permit at
the end of the shift, or closing the permit indicating the work had been completed.

• Craft supervisors often left permits on the control room desk at the end of a shift, rather than
personally returning them to the responsible operations representative, as required by the
procedure.

• Although the PTW system was monitored by the lead safety operator, no indications of problems
were reported, and management did not independently review the operation of the system. Based
upon an absence of information to the contrary, management assumed that they "knew that things
were going all right." It is noted that a senior maintenance technician had voiced his concerns about
the PTW system at a meeting at corporate headquarters earlier in the year. In addition, the
company had entered a guilty plea in a civil legal proceeding involving a worker fatality caused, in
part, by a PTW system problem. However, no substantive improvements in the PTW system
resulted.

• The diesel-powered fire pumps had been placed in manual mode due to the presence of persons in
the water around the platform. This practice was more conservative than company policies and a
1983 fire protection audit report recommended that this practice be discontinued. Placing the pumps
in manual meant that personnel would have had to reach the pumps to start them after the
explosion. However, conditions prevented this and, as a result, the Piper Alpha deluge system was
unavailable.

• Had firewater been available, its efficacy might have been limited. Distribution piping, including that
in the platform module where the fire were most severe, was badly corroded and pluggage of
sprinkler heads was a known problem dating back to 1984. Various fixes had been attempted and a
project to replace the fire protection piping had been initiated, but work was lagging behind
schedule. Tests in May 1988 revealed that approximately 50% of the sprinkler heads in the subject
module were plugged.

• To put the previous two observations in perspective, the structural steel on Piper Alpha had no
fireproofing and it was known (at least to management) that "structural integrity could be lost within
10 to 15 minutes if a fire was fed from a large pressurised hydrocarbon inventory".

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 24
 2.5 - History of Unsafe Processes: Piper Alpha, UK (1988).

• The investigation revealed that emergency response training given to new platform personnel was
cursory and not uniformly provided. Workers were required to be trained if they had not been on
Piper Alpha in the last six months. However, training was often waived even if the interval was
considerably longer, or if the individual reported that he had previously worked off-shore elsewhere.
A number of survivors reported that they had never been trained on the location of the life rafts or
how to launch them.

• Evacuation drills were not conducted weekly as required (one 6 month period recorded only 13
drills). No full-scale shutdown drill had been conducted in the three years prior to the explosion.

• Platform managers had not been trained on their response to such an emergency on another
platform (note: the various platforms were owned or operated by different companies).

• Approximately one year before the explosion, company management had been cautioned in an
engineering report that a large fire from escaping gas could pose serious concerns with respect to
the safe evacuation of the platform. However, management discounted the likelihood of such an
event, citing existing protective systems. In fact, the gas risers upstream of the emergency isolation
valves on Piper Alpha were not protected against fire exposure and, because of the diameter and
length of the inter-platform gas lines, several days would be required to depressurise the pipelines
in the event of a breach. It was the failure of these lines that destroyed Piper Alpha and prevented
its evacuation.

• The report provided critical commentary on what was judged to be inadequate management
oversight and follow-up on each of the issues described above.

Key lessons:

• Major hazards must be systematically identified and evaluated at the design stage.
• PTW System must be rigorously implemented (including use of LOTO system).
• Shift handover must be thorough, and effective.
• Safety training in Major hazard installations is vital.
• Management is responsible for all deficiencies, only the operator's management had the knowledge,
power and legal responsibility to ensure a safe environment.
• A systematic approach is required, the deficiencies were failures in systems. Good safety
performance cannot be achieved by a "hit" and "miss" approach based on experience.
• Quality of safety management is critical, not only does any operation have to have the right safety
system but it must be a quality safety system.
• Auditing is vital – a regular and thorough auditing system should be in place and management must
act on the conclusions and recommendations.

Video: Piper Alpha Incident.

Please wait for the video to buffer before pressing play.

Alternatively you can download the video to watch at your convenience.

Download video.
2.6 - History of Unsafe Processes: Esso Longford, Australia (1998).

The 1998 Esso Longford gas explosion was a catastrophic industrial accident which occurred at the Esso
natural gas plant at Longford in the Australian state of Victoria's Gippsland region. On 25 September 1998,
an explosion took place at the plant, killing two workers and injuring eight. Gas supplies to the state of
Victoria were severely affected for two weeks.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 25
 2.6 - History of Unsafe Processes: Esso Longford, Australia (1998).

Figure 1. The jet fire lights up the night sky.

During the morning of Friday 25 September 1998, a pump supplying heated lean oil to heat exchanger
GP905 in Gas Plant No. 1 went offline for four hours, due to an increase in flow from the Marlin Gas Field
which caused an overflow of condensate in the absorber.

A heat exchanger is a vessel that allows the transfer of heat from a hot stream to a cold stream, and so
does not operate at a single temperature, but experiences a range of temperatures throughout the vessel.

Temperatures throughout GP905 normally ranged from 60°C to 230°C (140°F to 446°F). Investigators
estimated that, due to the failure of the lean oil pump, parts of GP905 experienced temperatures as low as -
48 °C (-54 °F). Ice had formed on the unit, and it was decided to resume pumping heated lean oil in to thaw
it. When the lean oil pump resumed operation, it pumped oil into the heat exchanger at 230°C (446 °F), the
temperature differential caused a brittle fracture in the exchanger (GP905) at 12.26pm.

Figure 2. Diagram showing the flow of oil and temperatures.

About 10 metric tonnes of hydrocarbon vapour were immediately vented from the rupture. A vapour cloud
formed and drifted downwind. When it reached a set of heaters 170 metres away, it ignited. This caused a
deflagration (a burning vapour cloud). The flame front burnt its way through the vapour cloud, without
causing an explosion. When the flamefront reached the rupture in the heat exchanger, a fierce jet fire
developed that lasted for two days.

The rupture of GP905 led to other releases and minor fires. The main fire was an intense jet fire emanating
from GP905. There was no blast wave, the nearby control room was undamaged. Damage was localised to
the immediate area around and above the GP905 exchanger.

An inquiry by the Royal Commission concluded:

• The Longford plant was poorly designed which made isolation of dangerous vapours and materials
very difficult.
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 26
 2.6 - History of Unsafe Processes: Esso Longford, Australia (1998).

• Inadequate training of personnel in normal operating procedures of a hazardous process.

• Excessive alarm and warning systems had caused workers to become desensitised to possible
hazardous occurrences.
• The relocation of plant engineers to Melbourne had reduced the quality of supervision at the plant.
• Poor communication between shifts meant that the pump shutdown was not communicated to the
following shift.

Certain managerial shortcomings were also identified:

• The company had neglected to commission a HAZOP analysis of the heat exchange system, which
would almost certainly have highlighted the risk of tank rupture caused by sudden temperature
change.
• Esso's two-tiered reporting system (from operators to supervisors to management) meant that
certain warning signs such as a previous similar incident (on 28 August) were not reported to the
appropriate parties.
• The company's "safety culture" was more oriented towards preventing lost time due to accidents or
injuries, rather than protection of workers and their health.

2.7 - History of Unsafe Processes: Petrobras, Brazil (2001).

The P-36 was originally named the 'Spirit of Columbus' and was constructed between 1984 and 1994 in
Italy. Designed as a floating production unit, the platform was based on a conversion of the Friede &
Goldman L-1020 Trendsetter-type semi-submersible. It was redesigned for Petrobras between 1997 and
1999 and brought into operation in the Roncador Field off the coast of Brazil in May 2000. The unit was
capable of processing 180,000 bopd and 7.2 million cubic meters of gas per day. In May 2001, the P-36
was producing around 84,000 barrels of oil and 1.3 million cubic metres of gas per day when it became
destabilised by two explosions and subsequently sank.

At around 22:21 hours on the evening of 14 March 2001, drainage operations began on the portside
emergency drain tank (EDT), one of two 450 cubic metre tanks (one port, one starboard), which were used
for the storage of oil and water during maintenance or during an emergency involving the process plant. At
00:22 hours on 15 March 2001, an explosion was recorded in the starboard aft column, thought to have
been the mechanical rupturing of the starboard EDT. This caused the release of gas-saturated water and
oil into the aft starboard column and caused the platform to list 2 degrees by 00:27 hours.

This was followed by a second larger gas explosion which killed 10 members and fatally injured one
member of the attending fire-fighting crew. The resulting platform damage caused further flooding in the aft
starboard column compartments and pontoon tanks, with further sea water entry through the open sea
chest valves. By 08:15 hours on 15 March 2001, the platform had assumed a 16 degree list, which
submerged the openings of the chain lockers on the main deck level and caused a progressive list that led
to the subsequent loss of the platform.

There were 175 people on board, of whom 138 were evacuated by crane to boat between 01:44 to 04:20
hours on 15 March 2001. The remaining crew were evacuated by helicopter at 06.03 the same morning as
the platform's stability deteriorated. Over the following days, attempts were made to stabilise the platform
by injecting nitrogen into a vent line next to the damaged column, but bad weather disrupted rescue
operations. The platform eventually capsized at around 11:40 hours on 20 March 2001 before sinking in
1300m of water, making salvage of the unit impossible.

The platform sank with an estimated 9500bbl of oil on board, of which around 2000bbl leaked from the rig
in the first 24 hours. Operations to disperse the oil with chemicals and to recover the oil were undertaken in
an effort to minimise the damage from the spill.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 27
 2.7 - History of Unsafe Processes: Petrobras, Brazil (2001).

Figure 1. Petrobras platform.

Figure 2. Petrobras platform sinking.

Figure 3. Petrobras platform sunk.

Root causes identified as:

Poor design:

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 28
 2.7 - History of Unsafe Processes: Petrobras, Brazil (2001).

• Poor hazard analysis process led to poor design placement of safety critical equipment.
• Component failure with insufficient backups.
• Alarm system layout. 1,723 alarms received in 17 minutes with no method of prioritisation.

Human error:

• Lack of training and communication led to confusion.

• Crew obviously unable to cope with all 1,723 alarms.
• Water sealed ballast doors not kept closed.
• Compartments not shut once initial explosion occurred.

Economical factors and cost cutting:

• Inspections, maintenance and safety checks neglected.

• Workforce downsized to half original size with production increased.

2.8 - History of Unsafe Processes: Texas City, USA (2005).

On the 23rd March 2005, a hydrocarbon vapour cloud explosion occurred at the ISOM isomerisation
process unit at BP's Texas City refinery in Texas City, killing 15 workers and injuring more than 170 others.
The Texas City Refinery was the second largest oil refinery in the state, and the third largest in the United
States with an input capacity of 437,000bbl (69,500 m3) per day as of January 1, 2000.

The refinery was built in 1934, but had not been well maintained for several years. Consulting firm Telos
had examined conditions at the plant and released a report in January 2005 which found numerous safety
issues, including "broken alarms, thinned pipe, chunks of concrete falling, bolts dropping 60ft and staff
being overcome with fumes." The report's co-author stated, "We have never seen a site where the notion 'I
could die today' was so real." The refinery had also had five managers in the six years since BP inherited it
in its 1999 merger with Amoco.

BP's own accident investigation report stated that the direct cause of the accident was "…heavier–than-air
hydrocarbon vapours combusting after coming into contact with an ignition source, probably a running
vehicle engine. The hydrocarbons originated from liquid overflow from the F-20 blowdown stack following
the operation of the raffinate splitter overpressure protection system caused by overfilling and overheating
of the tower contents." Both the BP and the Chemical Safety and Hazard Investigation Board reports
identified numerous technical and organisational failings at the refinery and within corporate BP.

Root causes:

Organisational failings included:

• Corporate cost-cutting.
• A failure to invest in the plant infrastructure.
• A lack of corporate oversight on both safety culture and Major Accident Prevention Programs.
• A focus on occupational safety and not process safety.
• A defective management of change process (which allowed the siting of contractor trailers too close
to the ISOM process unit, where most of the fatalities occurred).
• The inadequate training of operators.
• A lack of competent supervision for start-up operations.
• Poor communications between individuals and departments.
• The use of outdated and ineffective work procedures which were often not followed.

Technical failings included:

• A blowdown drum that was of insufficient size.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 29
 2.8 - History of Unsafe Processes: Texas City, USA (2005).

• A lack of preventative maintenance on safety critical systems.

• Inoperative alarms and level sensors in the ISOM process unit.
• The continued use of outdated blowdown drum and stack technology when replacement with the
safer flare option had been a feasible alternative for many years.

Figure 1. The cloud seen from a distance.

Figure 2. The damage caused by the explosion.

Video: CSB Report into the Texas City Explosion (2005).

Please wait for the video to buffer before pressing play.

Alternatively you can download the video to watch at your convenience.

Download video.

Further studying.

Below we have included links to two excellent documentaries on the Texas City disaster. One is the full
CBS documentary 'Anatomy of a Disaster', and the other is a 'Seconds from Disaster' documentary. Both

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 30
 Video: CSB Report into the Texas City Explosion (2005).

last approximately 45 minutes.

We have broken the documentaries into parts to try and keep the file sizes as small as possible.

CBS 'Anatomy of a Disaster'.

Part 1_Texas_City_2005_CBS_Video_x264.mp4 (17 megabytes).

Part 2_Texas_City_2005_CBS_Video_x264.mp4 (16 megabytes).

Part 3_Texas_City_2005_CBS_Video_x264.mp4 (20 megabytes).

Part 4_Texas_City_2005_CBS_Video_x264.mp4 (10 megabytes).

Part 5_Texas_City_2005_CBS_Video_x264.mp4 (37 megabytes).

Part 6_Texas_City_2005_CBS_Video_x264.mp4 (19 megabytes).

Seconds from Disaster.

Part 1_SFD_Texas_City_Explosion_x264.mp4 (18 megabytes).

Part 2_SFD_Texas_City_Explosion_x264.mp4 (15 megabytes).

Part 3_SFD_Texas_City_Explosion_x264.mp4 (10 megabytes).

Part 4_SFD_Texas_City_Explosion_x264.mp4 (16 megabytes).

Part 5_SFD_Texas_City_Explosion_x264.mp4 (16 megabytes).

Part 6_SFD_Texas_City_Explosion_x264.mp4 (10 megabytes).

2.9 - History of Unsafe Processes: Buncefield, UK (2005).

Summary.

Early on Sunday 11 December 2005, a series of explosions and subsequent fire destroyed large parts of
the Buncefield oil storage and transfer depot, Hemel Hempstead, and caused widespread damage to
neighbouring properties.

The main explosion took place at 06h01 hours and was of massive proportions. It was followed by a large
fire that engulfed 23 large fuel storage tanks over a high proportion of the Buncefield site. The incident
injured 43 people. Fortunately, no one was seriously hurt and there were no fatalities. Nevertheless, there
was significant damage to both commercial and residential properties near the Buncefield site. About 2000
people had to be evacuated from their homes and sections of the M1 motorway were closed. The fire
burned for five days, destroying most of the site and emitting a large plume of smoke into the atmosphere
that dispersed over southern England and beyond.

The Events Leading up to the Accident.

Late on Saturday 10 December 2005 a delivery of unleaded petrol from the T/K pipeline started to arrive at
Tank 912 in bund A at about 05h30 on 11 December. The safety systems in place to shut off the supply of
petrol to the tank to prevent overfilling failed to operate. Petrol cascaded down the side of the tank,
collecting at first in the tank bund . As overfilling continued, the vapour cloud formed by the mixture of petrol
and air flowed over the bund wall, dispersed and flowed west off site towards the Maylands Industrial
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 31
 2.9 - History of Unsafe Processes: Buncefield, UK (2005).

Estate. A white mist was observed in CCTV replays.

Between 05h30 and 06h00 the vapour cloud was seen by eyewitnesses and CCTV cameras to thicken and
spread.

At 06h01 the first of a series of explosions took place. These explosions caused a huge fire which engulfed
the 23 large storage tanks. The fire burned for five days, destroying most of the depot. A plume of black
smoke from the burning fuel rose high into the atmosphere and could be seen from many miles away and
in satellite images. As it developed, this plume eventually spread over southern England and beyond.

Recommendations from the Major Incident Investigation Board included the need for:

• Protection against loss of containment of petrol and other highly flammable liquids by fitting a high
integrity, automatic operating overfill prevention system.
• Measures to detect hazardous conditions arising from loss of primary containment, including the
presence of high levels of flammable vapours in secondary containment.
• A review of the existing standards for secondary containment (for example, bunds).
• Adequate on-site emergency plans, with adequately resourced, and well trained staff.
• Operators of major hazard sites to review and amend as necessary their management systems for
maintenance of equipment and systems to ensure their continuing integrity in operation.
• Local authorities to review their off-site emergency response plans for COMAH (Control of Major
Accident Hazards) sites.

Figure 1. The enormous plume of smoke during the fire.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 32
 2.9 - History of Unsafe Processes: Buncefield, UK (2005).

Figure 2. A satellite image of the plume of smoke.

Figure 3. The spread of vapour with times and location of the initial explosion.
2.10 - History of Unsafe Process: The Bombay High North Disaster (2005).

Introduction.

The Mumbai High Field was discovered in 1974 and is located in the Arabian Sea 160km west of the
Mumbai coast. The field is divided into the north and south blocks, operated by the state-owned Oil &
Natural Gas Corporation (ONGC).

The field's installations comprise four platforms linked by bridges:

• NA small wellhead platform built 1976.

• MHF residential platform built 1978.
• MHN processing platform built 1981.
• MHW recent additional processing platform.

The complex imported fluids from 11 other satellite wellhead platforms and exported oil to shore via
undersea pipelines, as well as processing gas for gas lift operations. The seven storey high Mumbai High
North (MHN) platform had five gas export risers and ten fluid import risers situated outside the platform
jacket. In July 2005, a multi-purpose support vessel (MSV) collided with the MHN platform, severing at least

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 33
 2.10 - History of Unsafe Process: The Bombay High North Disaster (2005).

one gas riser and causing a massive fire which destroyed the MHN platform within two hours.

Collision.

At time of accident on 27 July 2005, the Noble Charlie Yester jack-up was undertaking drilling operations in
the field and was positioned over the NA platform. The MSV Samudra Suraksha was working elsewhere in
field supporting diving operations when a cook onboard the MSV cut off the tips of two fingers. Monsoon
conditions onshore had grounded helicopters, so the injured person was to be transferred from the MSV to
the MHN by crane lift for medical treatment. While approaching the MHN on the windward side, the MSV
experienced problems with its computer-assisted azimuth thrusters so the MSV was brought in stern-first
under manual control and the injured person was transferred off the MSV.

At around 1605 hours, strong swells pushed the MSV towards the MHN platform, causing the helideck at
the rear of vessel to strike and sever one or more gas export risers on the MHN jacket. The resultant gas
leak ignited within a short time. The close proximity of other risers and lack of fire protection caused further
riser failure. The subsequent fire engulfed the platforms MHN and MHF, causing the complete destruction
of the MHN. The fire also engulfed the MSV Samudra Suraksha, with heat radiation causing severe
damage to the NA platform and the Noble Charlie Yester jack-up. Emergency shut-down valves (ESDVs)
were in place at each end of the risers, but some risers were up to 12 km long and riser failure caused
large amounts of gas to be uncontrollably released.

Six divers in saturation chambers on MSV were left behind when the vessel was abandoned. They were
rescued 36 hours later. The MSV suffered extensive fire damage and was towed away from scene but later
sank on 01 Aug 2005, about 18km off Mumbai coast.

Aftermath and Investigation.

MHN collapsed after around two hours, leaving only the stump of its jacket above sea level. A total of 384
personnel were on board the MHN complex and NCY jack-up at the time of the accident. All installations
were abandoned with 362 crew rescued and 22 reported dead (11 fatalities with 11 missing). The flow was
shut down via sub-surface ESDVs. Significant problems were reported with the abandonment of all the
installations involved: only two of eight lifeboats and one of ten liferafts at the complex were launched. A
clean-up operation was also undertaken after a 10 nautical mile oil spill resulted from the fire.

Two areas were identified for investigation:

1. The adequacy of and failures within the risk control systems.

2. The adequacy of collision avoidance practices and procedures.

Points of interest under investigation include the location and vulnerability of the risers in the jacket relative
to platform loading zones. Some riser protection guards were in place just above sea level, but these were
only suitable for smaller offshore supply vessels and were not considered suitable for larger multi-purpose
support vessels. Also under investigation is the quantity of riser contents likely to be discharged if a riser
should fail below an emergency shutdown valve and the risk management process, including the vessel
suitability, the crew competence, communications and collision avoidance measures.

The Bombay High field accounted for 40% of India's domestic production, of which the North platform
accounted for one quarter. One month after the accident, production had been restored 60% of the pre-
accident level.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 34
 2.10 - History of Unsafe Process: The Bombay High North Disaster (2005).

Figure 1. The dive support / multi use vessel "Sagar Surakshas" 1.

Figure 2. The dive support / multi use vessel "Sagar Surakshas" 2.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 35
 2.10 - History of Unsafe Process: The Bombay High North Disaster (2005).

Figure 3. Riser pipes from sea bed ruptured and burned.

Figure 4. Eventual collapse.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 36
 2.10 - History of Unsafe Process: The Bombay High North Disaster (2005).

Figure 5. Twenty four hours after the disaster.

2.11 - History of Unsafe Processes: Deepwater Horizon (2010).

The Deepwater Horizon oil spill (also referred to as the Macondo blowout) began on the 20th April 2010 in
the Gulf of Mexico on the BP Macondo Prospect. The explosion claimed eleven lives and resulted in what
is considered the largest accidental marine oil spill in the history of the petroleum industry. Following the
explosion and sinking of the Deepwater Horizon oil rig, a seafloor oil gusher flowed for 87 days, until it was
capped on the 15th July 2010. The US Government estimated the total discharge at 4.9 million barrels.
After several failed efforts to contain the flow, the well was declared sealed on the 19th September 2010.

A massive response ensued to protect beaches, wetlands and estuaries from the spreading oil utilising
skimmer ships, floating booms, controlled burns and 1.84 million US gallons (7,000 m3) of Corexit oil
dispersant. Extensive damage to marine and wildlife habitats, fishing and tourism industries, and human
health problems have continued through 2014.

Numerous investigations explored the causes of the explosion and record setting spill. Notably, the U.S.
government's September 2011 report pointed to defective cement on the well, faulting mostly BP, but also
rig operator Transocean and contractor Halliburton. Earlier in 2011, a White House commission likewise
blamed BP and its partners for a series of cost-cutting decisions and an insufficient safety system, but also
concluded that the spill resulted from 'systemic' root causes and without 'significant reform in both industry
practices and government policies, might well recur'.

In November 2012, BP and the United States Department of Justice settled federal criminal charges with
BP pleading guilty to 11 counts of manslaughter, two misdemeanors, and a felony count of lying to
Congress. BP also agreed to four years of government monitoring of its safety practices and ethics. The
Environmental Protection Agency announced that BP would be temporarily banned from new contracts with
the US government. This ban was lifted in 2014. BP and the Department of Justice agreed to a record-
setting $4.525 billion in fines and other payments but further legal proceedings not expected to conclude
until mid 2014 are ongoing to determine payouts and fines under the Clean Water Act and the Natural
Resources Damage Assessment. As of February 2013, criminal and civil settlements and payments to a
trust fund had cost the company $42.2 billion.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 37
 2.11 - History of Unsafe Processes: Deepwater Horizon (2010).

Figure 1. Satellite image of Deepwater Horizon oil spill.

Causes and failures.

Eight catastrophic failures led to the explosion that destroyed the Deepwater Horizon drilling rig.

BP accepts its role in the disaster but also points the finger at two of its contractors.

The day before the accident, the crew had pumped cement to the bottom of the borehole, a standard
procedure intended to prevent oil leaking out. On the day of the accident, the team were conducting checks
to determine that that the well had been properly sealed.

BP says the accident was caused by the failure of eight different safety systems that were meant to prevent
this kind of incident.

1. Poor cement formulation.

The cement at the bottom of the borehole did not create a seal, and oil and gas began to leak through it
into the pipe leading to the surface. BP says the cement formulation seems not to have been up to the job.

2. Valve failure.

The bottom of the pipe to the surface was sealed in two ways. It too was filled with cement, and it also
contained two mechanical valves designed to stop the flow of oil and gas. All of these failed, allowing oil
and gas to travel up the pipe towards the surface.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 38
 2.11 - History of Unsafe Processes: Deepwater Horizon (2010).

3. Pressure test misinterpreted.

The crew carried out various pressure tests to determine whether the well was sealed or not. The results of
these tests were misinterpreted, so they thought the well was under control. The operators assumed the
cement has sealed the well, therefore the results of the test could not possibly be correct.

4. Leak not spotted soon enough.

Whether a well is under control or not, the crew at the surface should be able to detect a flow of oil and gas
towards the surface by looking for unexpected increases in pressure in the well. Exactly this kind of
increase occurred about 50 minutes before the rig exploded, but it was not interpreted as a leak. Due to
miscommunication it was assumed that the results of the pressure test had confirmed the well was sealed.

5. Valve failure No. 2.

About 8 minutes before the explosion, a mixture of mud and gas began pouring onto the floor of the rig.
The crew immediately attempted to close a valve in a device called the blowout preventer, which sits on the
ocean floor over the top of the well borehole. It did not work properly. The blowout preventer was poorly
designed and not sufficient.

6. Overwhelmed separator.

The crew had the option of diverting the mud and gas away from the rig, venting it safely through pipes
over the side. Instead, the flow was diverted to a device on board the rig designed to separate small
amounts of gas from a flow of mud. The mud/gas separator was quickly overwhelmed and flammable gas
began to engulf the rig. The mud and gas was not diverted overboard due to BP environmental targets to
reduce the number of environmental spills into the ocean. As a result of the target the crew chose to
contain the mud and gas onboard the platform.

7. No gas alarm.

The rig had an onboard gas detection system that should have sounded the alarm and triggered the
closure of ventilation fans to prevent the gas reaching potential causes of ignition, such as the rig's engines.
This system failed.

8. No battery for the blowout preventer.

The explosion destroyed the control lines the crew were using to attempt to close safety valves in the
blowout preventer. However, the blowout preventer has its own safety mechanism in which two separate
systems should have shut the valves automatically when it lost contact with the surface. One system
seems to have had a flat battery and the other a defective switch. Consequently, the blowout preventer did
not close.

"It is evident that a series of complex events, rather than a single mistake or failure, led to the tragedy.
Multiple parties, including BP, Halliburton and Transocean, were involved," said Tony Hayward, BP's chief
executive.

Seconds from Disaster Documentary.

As part of your supplementary studying for your oil and gas certificate we recommend you take the time to
download this excellent 45 minute long documentary into the Deepwater Horizon disaster.

We have split the video into 5 parts to reduce the file size and make the downloads more manageable.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 39
 2.11 - History of Unsafe Processes: Deepwater Horizon (2010).

Seconds from Disaster, Deepwater Horizon Part 1 (18 megabytes).

Seconds from Disaster, Deepwater Horizon Part 2 (17 megabytes).

Seconds from Disaster, Deepwater Horizon Part 3 (49 megabytes).

Seconds from Disaster, Deepwater Horizon Part 4 (16 megabytes).

Seconds from Disaster, Deepwater Horizon Part 5 (11 megabytes).

2.12 - Incidents that define Process Safety alongside the progress in legislation.

Figure 1. Legislation.
2.13 - What does the legislation require?

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 40
 2.13 - What does the legislation require?

Figure 1. Three major pieces of legislation related to Process Safety, and their headings.

Seveso II is a European directive, and COMAH is the resulting statutory instrument.

OSHA 1910.19 is the US standard on Process Safety Management which we will look at shortly.

"Safety Case" refers to SCR05 which we looked at in Element 1.

2.14 - Process Safety Management (PSM).

The major objective of PSM of highly hazardous materials is to prevent unwanted releases, especially into
locations that could expose employees and others to serious hazards. An effective PSM program requires
a systematic approach to evaluating the whole process. Using this approach, the process design, process
technology, process changes, operational and maintenance activities and procedures, non routine activities
and procedures, emergency preparedness plans and procedures, training programs, and other elements
that affect the process are all considered in the evaluation.

The OSHA PSM Standard.

The Occupational Safety and Health Administration (the USA Regulator for Health and Safety) leads the
way with its standard in PSM (1910.119). This PSM targets processes that have the potential to cause a
catastrophic incident. The purpose of the standard as a whole is to aid employers in their efforts to prevent
or mitigate releases that could lead to a catastrophe in the workplace and possibly in the surrounding
community.

The OSHA PSM standard contains 14 elements. Many companies have developed their own systems,
based on the OSHA standard:

1. Process Safety Information.

2. Process Hazard Analysis.
3. Operating Procedures.
4. Training.
5. Contractors.
6. Mechanical Integrity.
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 41
 2.14 - Process Safety Management (PSM).

7. Hot Work.
8. Management of Change.
9. Incident Investigation.
10. Compliance Audits.
11. Trade Secrets.
12. Employee Participation.
13. Pre-startup Safety Review.
14. Emergency Planning and Response.

All of those elements mentioned above are interlinked and interdependent. There is a tremendous
interdependency of the various elements of PSM. All elements are related and are necessary to make up
the entire PSM picture. Every element either contributes information to other elements for the completion or
utilises information from other elements in order to be completed.

Figure 1. Fourteen Elements of the OSHA PSM Program.

2.15 - Process Hazard Analysis.

Process Hazard Analysis (PHA) is a set of organised and systematic assessments of the potential hazards
associated with an industrial process. A PHA provides information intended to assist managers and
employees in making decisions for improving safety and reducing the consequences of unwanted or
unplanned releases of hazardous chemicals. A PHA is directed toward analysing potential causes and
consequences of fires, explosions, releases of toxic or flammable chemicals and major spills of hazardous
chemicals. It focuses on equipment, instrumentation, utilities, human actions, and external factors that
might impact the process.

There are a variety of methodologies that can be used to conduct a PHA, including but not limited to those
that we studied in Element1 such as What if?, HAZOP and FMEA. PHA methods are qualitative in nature.
The selection of a methodology to use depends on a number of factors, including the complexity of the
process, the length of time a process has been in operation, if a PHA has been conducted on the process
before, and if the process is unique, or industrially common.

In the United States, the use of PHAs is mandated by OSHA in its Process Safety Management regulation
for the identification of risks involved in the design, operation, and modification of processes that handle

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 42
 2.15 - Process Hazard Analysis.

highly hazardous chemicals.

Processes controlled by a modern Industrial control system may also need to undergo a Cyber PHA in
order to understand the process risks associated with a cyber security incident. This is particularly relevant
today due to the potential of activist organisations or foreign governments to hack into IT systems to steal
information or sabotage a process (such as the 2010 Stuxnet virus in Iran or the 2012 malware attack on
Saudi Aramco). This will become more and more common as awareness increases of vulnerabilities in our
national infrastructure's IT systems.
2.16 - Spacing and layout of Operating Plant.

Loss experience clearly shows that fires or explosions in congested areas of oil and chemical plants can
result in extensive losses. Wherever explosion or fire hazards exist, proper plant layout and adequate
spacing between hazards are essential to loss prevention and control. Layout relates to the relative position
of equipment or units within a given site. Spacing pertains to minimum distances between units or
equipment. An open air design favours vapour dissipation, provides adequate ventilation, reduces the size
of the electrically classified area, and increases firefighting accessibility.

General Principles.

Plant layout is often a compromise between a number of factors such as:

• The need to keep distances for transfer of materials between plant/storage units to a minimum to
reduce costs and risks.
• The geographical limitations of the site.
• Interaction with existing or planned facilities on site such as existing roadways, drainage and utilities
routings.
• Interaction with other plants on site.
• The need for plant operability and maintainability.
• The need to locate hazardous materials facilities as far as possible from site boundaries and people
living in the local neighbourhood.
• The need to prevent confinement where release of flammable substances may occur.
• The need to provide access for emergency services.
• The need to provide emergency escape routes for on-site personnel.
• The need to provide acceptable working conditions for operators.

The most important factors of plant layout as far as safety aspects are concerned are those to:

• Prevent, limit and/or mitigate escalation of adjacent events (domino effect).

• Ensure safety within on-site occupied buildings by placing them away from hazard areas.
• Control access of unauthorised personnel.
• Facilitate access for emergency services.
• Where plant has to be installed in a hazardous area (within a vapour cloud explosion circle, for
example) then other measures such as blast/explosion resistance should be implemented to
maintain safety.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 43
 2.16 - Spacing and layout of Operating Plant.

Figure 1. An example of a good site layout.

2.17 - Positioning and Protection of Control Rooms, Critical Equipment and Temporary Refuges.

Control Rooms.

There are two major aspects of control room design that should be taken into account:

• The suitability of the structure of the control room to withstand possible major hazards events.
• The layout of control rooms and the arrangement of panels to ensure effective ergonomic operation
of the plant in normal circumstances and in an emergency.

For large plants, control rooms are likely to be situated in separate buildings away from the process plant
which they serve. For medium or small plants control rooms may be within the plant building or control
panels may be located near the equipment. Whatever the location, control rooms should be designed to
ensure that the risks to the occupants of the control room are within acceptable limits. It must be suitable
for the purposes of maintaining plant control, should the emergency response plan require it, following any
foreseeable, undesirable event within the plant.

Events that may affect the control room are:

• Vapour Cloud Explosions (VCEs).

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 44
 2.17 - Positioning and Protection of Control Rooms, Critical Equipment and Temporary Refuges.

• Boiling Liquid Expanding Vapour Explosions (BLEVEs).

• Pressure bursts.
• Exothermic reactions.
• Toxic gas releases.
• Fires, including pool fires, jet fires, flash fires and fire balls.

The threat from explosions and pressure bursts should be considered in the location and structural design
of control buildings. This considers the vulnerability of the building to possible overpressures associated
with particular events. First of all control rooms should be situated away from any explosion hazards. If this
is not possible then the building should be designed to withstand an overpressure that will ensure that risks
to occupants are within acceptable limits. Particular attention should be given to the provision of windows,
the presence of heavy equipment on roofs (e.g. air conditioners) and the ability of internal fixtures to
withstand the building shaking.

In consideration of toxic gas releases the control room should provide a safe haven for its occupants. This
will include ensuring that the building is adequately sealed to prevent ingress of gases to levels of
concentration that will affect the ability, and health, of the operators to maintain control of the plant. Careful
consideration of the building ventilation system (HVAC) is required to ensure that air intakes are situated
away from areas that may be affected or to arrange that there is no air intake during an incident, preferably
by closure of an automatic valve linked to a gas analyser.

Measures for protection from fires should ensure the control room will withstand thermal radiation effects
without collapse and that smoke ingress is controlled. Materials of construction should be fire resistant for
the duration of any possible fire event. Smoke ingress may be controlled in a similar manner to toxic gas
ingress.

Consideration should also be given to unmanned satellite control rooms which can be accessed if the main
control is disabled or destroyed.

Critical Equipment.

Critical equipment is defined as equipment and other systems determined to be essential in preventing the
occurrence of, or mitigating the consequences of an uncontrolled event. Such equipment may include
pressure vessels, pressure relief devices, compressors, alarms, interlocks, emergency shutdown systems
and fire safety systems.

One area of safety that is very important is the protection of critical safety equipment against high
temperature hydrocarbon fires. The longer that valves and actuators in emergency shutdown and fire
suppression systems remain operational in the event of a fire, the greater the likelihood of averting disaster.
However, the ferocity of hydrocarbon pool or jet fires – the latter resulting from the continuous escape of
pressurised flammable media – poses major design challenges. These types of fires are characterised by
very rapid rises in temperature, typically reaching 1,100°C within the first five minutes.

There are two types of fire protection:

• Passive fire protection.

• Active fire protection.

Passive fire protection (PFP) is generally used to protect main structural elements that support walkways,
escape routes and hydrocarbon containing process vessels. It is also used to provide long (up to 2 hours)
fire resistance for fire and blast walls. This includes providing protection for covered escape routes. It is
highly effective against jet fires and pool fires. PFP is a passive system and in many ways superior to water
deluge in terms of its lower maintenance burden. It is in position permanently and does not require a
detection and initiation system. However, passive protective materials are susceptible to physical damage
and water ingress that can give rise to an unrevealed failure mechanism. Failure can be rapid on fire
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 45
 2.17 - Positioning and Protection of Control Rooms, Critical Equipment and Temporary Refuges.

exposure such that it fails and compromises the performance of the component it is protecting.

Other than the usual structural protective elements such as plaster and concrete, passive fire protection is
available in the form of close fitting covers such as:

• Flexible fire resistant bags and blankets.

• Intumescent coatings.

However, these flexible forms of protection can have disadvantages in hostile conditions. They can be
susceptible to weather damage, can absorb moisture, and can sag, making them difficult to reseal after
maintenance of a valve or actuator. Thick film intumescent coatings for resistance against hydrocarbon
fires generally need to be applied to equipment at the factory. These types of coatings can hinder access
for maintenance and corrosion monitoring, and can require periodic repainting to prevent them becoming
hygroscopic when exposed to weather.

Rigid passive fire protection cabinets are designed to overcome these disadvantages by providing a
maintenance-free solution that can be retrofitted to existing process equipment in the field and which does
not restrict service access. However, the choice of construction materials is key. Some manufacturers use
metal for the outer walls of the enclosures, which can corrode due to the presence of salt or other
aggressive chemicals in the atmosphere. Furthermore, the weight of such enclosures can preclude direct
mounting on process pipes, making installation more difficult by demanding use of load-bearing support
brackets.

Figure 1. Fire resistant enclosure.

Water deluge is an active system whose effectiveness needs to be periodically checked and this requires
frequent testing that is time consuming and expensive. It requires linked gas, heat and flame detection and
initiation systems that have their own reliability and availability problems, as well as large pumps and
associated large and small-bore pipework. Salt water is used and this causes nozzle blockage and internal
corrosion.

Water deluge however has the advantage of being able to provide general area protection to personnel and
open escape routes as well as vulnerable plant items such as safety critical elements, which may also have
personnel protection functions. Deluge systems do tend to provide a wider level of protection for a range of
fire scenarios than other, more specific, protection systems. On installations with minimum facilities and
limited space, a general area protection system will tend to give a higher level of personnel protection than
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 46
 2.17 - Positioning and Protection of Control Rooms, Critical Equipment and Temporary Refuges.

other more specialised systems. This is particularly relevant to open or unshielded escape routes.

Water deluge is ineffective against jet fires but is highly effective against pool fires when used with aqueous
film forming foam (AFFF) and liquid containing bunds.

We will look at Fire Protection again in Element 4.

Temporary Refuges (TR).

The TR should be a place where personnel can muster safely in an emergency, monitor and assess the
developing situation, and either take control action or initiate evacuation. An enclosed structure is usually
used but this is not always suitable. There should be sufficient safe access routes from all potentially
occupied locations to the TR.

The protection provided by the TR may be critical to the success of the emergency response. It must be
able to withstand the effects of fire, explosion, smoke and toxic gas (including secondary effects such as
impacts) for as long as is necessary during major accidents.

The design of the TR should take account of the size and layout of the installation and the numbers and
distribution of persons on board. Allowance should be made for the effects of incapacity, injuries, darkness,
smoke and damage to access and exit routes.
2.18 - Occupied Buildings Assessment.

The location and design of occupied buildings has been a recurring theme since the Flixborough incident in
1974. There have been many incidents since then that have killed or injured people who were in buildings
at chemical and petrochemical plants. After the Flixborough incident the Chemical Industries Association
(CIA) produced guidance on the location and design of chemical plant control rooms.

The CIA guidance covers all occupied buildings at an installation and is non-prescriptive and more 'goal
setting'. It is, therefore, adaptable to technical progress in the assessment of hazardous installations.
Although written by the CIA for their membership, the approach adopted is applicable to chemical hazards
generally.

The goal setting nature of the CIA guidance is, at the same time, a weakness in the sense that it does not
provide a clear series of steps to follow when performing an assessment. This is an inevitable outcome of
goal setting guidance or regulation such as the Health and Safety at Work etc. Act 1974. In both cases
further information is needed outlining the practical steps to take to achieve the goal.

The foundation of the judgement making process in the CIA guidance is the production, and use, of an
adequate risk assessment. It is used both for the design and location of new buildings and, to make
judgements about the suitability of existing buildings and the necessity for any improvements. The validity
of any judgements made using the guidance are crucially dependant on the quality of the risk assessment.
A risk assessment considers the likelihood and magnitude of a range of possible adverse effects, and then
makes a judgement about these outcomes by comparison with criteria.

Where the magnitudes and frequencies of the outcomes are combined into a single value or relationship,
then the assessment is called a quantified risk assessment (QRA). There is ample scope for debate about
the adequacy of the elements of a risk assessment, as they are each subject to varying degrees of
uncertainty.

The separate steps in a risk assessment have been described more memorably as:

• What If?
o The first step of a risk assessment involves producing a list of all the possible initiating
events that might lead to adverse effects. For a Major Hazard Installation (MHI) these can be
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 47
 2.18 - Occupied Buildings Assessment.

conveniently split into 'natural events' such as flooding or seismic activity, and 'man made'
events that are under the control of the MHI occupier, such as corrosion, maloperation, or
impact by vehicular traffic.
• What Then?
o The second step of a risk assessment involves setting out how each of the initiating events
might lead to adverse effects. In the case of MHIs, the adverse effects derive from lost of
containment incidents. These may be due to the failure of a vessel or pipework, or, in the
case of packaged goods, their involvement in fire.
• Then What?
o The third step of a risk assessment involves working through the list of scenarios and
evaluating the effects on the surrounding areas, both in terms of consequences and
frequency. This might involve harm to people, structures, or the environment, according to
the type of risk assessment being carried out.
• So What?
o The final step of a risk assessment involves comparison of the calculated risks with some
standard or policy. When considering health and safety matters, the HSE discussion
document, 'Reducing Risks, Protecting People' might be used. Different comparisons would
be performed in different situations.

2.19 - Temporary Refuges and associated critical safety systems.

The first input data necessary for the sizing of a Temporary Refuge Complex is the number of people to be
accommodated inside. This element is fundamental to size the area of the TR and the space of the other
vital rooms. On the basis of the "People on board" (POB) it is possible to calculate the correct amount of
fresh air supplied by the HVAC system and the correct air flow of Breathing Air (BA) or oxygen to supply
during the emergency condition.

The Emergency condition is activated in case of accident (release of toxic gases from the wells or
hydrocarbons, jet fires and explosions). In this situation it is necessary to muster the workforce into a TR to
protect them from toxic gases, fire and blast.

During Emergency Conditions the HVAC System is designed to provide clean air to the occupants. The
"new" breathing air will be supplied by a bottled air system that will ensure the breathing air necessary to
the people inside the TR and other vital rooms.

The TR complex shall be designed in order to assure:

• The gas tightness (in order to prevent ingress of toxic hydrocarbon gas).
• The blast resistance from external explosion.
• The fire protection (insulation all along the TR surface, including floors and ceilings).
• The IP55 degree of protection (IP stands for Ingress Protection, against dusts and liquids).
• The thermal insulation.
• Minimal hook-up with external services.
• Space and facilities for maintenance and replacement of equipment.
• Safe boarding and evacuation.
• Long design life.
• Available full-time all year round without service interruptions.

The process hazard analysis shall identify the fire and explosion hazards in the operation area and will
assess the magnitude of these hazards. The objective is to provide input to the passive and active fire
protection, the blast rating, buildings and outdoor vital equipment.

Vital systems inside the TR:

• Electric energy assured by battery storage.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 48
 2.19 - Temporary Refuges and associated critical safety systems.

• Radio system.
• Emergency lighting.
• Drinking water system.
• HVAC system (to assure an acceptable temperature and breathable air inside the vital rooms).
• Fire fighting system.
• Typically all external equipments are ATEX certified (spark proof).
• All vital systems shall be able to run also under following alarm conditions:
• Loss of pressurisation.
• Plant fail to operate.
• Intake damper open and fire/gas signal.
• Internal H2S levels.
• Internal CO2 levels.
• Fire detection.

During the normal operation mode, supply and exhaust fans shall be continuously powered by the
emergency power distribution system in order to maintain a positive pressure (typically 50 Pa minimum), to
prevent the possibility of gas or smoke ingress in the vital areas and to maintain air changes for healthy
conditions.

Smoke, toxic gas and flammable gas detectors shall be installed at the HVAC air intakes. In the event of
smoke or gas being detected outside the fresh air intake, the fire and gas dampers shall shut and the
control logic system shall automatically switch the HVAC system into emergency condition mode, re-
circulating the existing air volume and supplementing it with stored oxygen.

During emergency condition the TR overpressure system shall be able to exhaust all the breathing air
necessary to assure the personnel's respiration while maintaining the correct pressure value inside the
rooms.

Fresh Air Intakes.

All HVAC fresh air intakes to be from a non-hazardous area. All air intake ducts shall be sized to retain gas
concentration for a minimum period of 10 seconds.

The fresh air intake shall be composed by:

• Smoke and heat detectors.

• Hydrocarbon and Toxic Gas detectors.
• Ductwork sized to retain gas for a minimum of 10 seconds.
• Two fire and gas dampers (i.e. dampers will close in case of detection of heat and/or smoke, for fire
& gas protection against fire, and in case of detection of flammable gases / toxic gases).
• Blast resistant damper.
• Type of accommodations inside the TR.
• The Temporary Refuge complex shall contain:
• Temporary refuge rooms with accommodation facilities.
• Radio & Telecommunications Room (with access from the complex safe area).
• Electrical Rooms.
• Battery Rooms.
• Transformer – Emergency Diesel Generator Room.
• Airlocks for entrance.
• Airlock for exit with direct access into escape tunnel.
• Compressed Breathing Air Cylinder & Water Tank/Pump Room.
• HVAC room.
• Fire suppression system Room.
• Area for external equipments.
• Control room - Office Area.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 49
 2.19 - Temporary Refuges and associated critical safety systems.

• Workshop and stores.

• First Aid room or hospital.
• Toilet and washroom facilities.

Fire and blast resistance of TRs.

Generally fire barrier performances have been determined according to SOLAS (Safety Of Life At Sea) ship
requirements with regards to a basic classification, and EN ISO 13702 which has given more detailed
requirements for offshore installations.

All relevant fire scenarios should be considered, including:

• Oil pool fires in process, drilling modules and the sea (riser leaks etc.).
• Riser jet fires.
• Process jet fires.
• Oil mist fires.
• Condensate fires.
• Accommodation fires.

The organisation should ensure that all primary and secondary structural steelwork (or other metals) can
withstand the various fire scenarios, either with or without additional passive protection. See below the
standard temperatures to which critical members can be exposed.

Structural Typical Justification Main ALARP Uncertainties

Component. Maximum for Exposure Measures. to be
Steel Surface Temperature Explored.
Temperature & Duration.
and Duration.
Supports to TR, 400°C for 60 Material yield PFP, Thermal
accommodation minutes. Note strength separation by analysis
areas and steel that limiting unaffected distance, (screening)
helideck temperature within escape redundancy in accuracy,
structure. for aluminium period and/or load paths material creep
helidecks is fire duration. (lost member as stiffness
200°C. analysis), reduced by
blowdown, 30% at 400°C,
deluge. damage to
PFP, PFP
condition and
performance.
Other primary 550°C, or At 550°C PFP, Escalation
and secondary higher. No escalation by redundancy in paths, thermal
steelwork. specific time material load paths, analysis
limit. yielding is blowdown, (screening)
likely. deluge. accuracy,
Decision to material
protect is an creep,
asset and PLL damage to
risk based PFP where
decision. used.
Structural 200°C for 60 Catastrophic PFP, support Damage to
supports for the minutes. loss of redundancy, PFP,
ESDVs and installation riser location enclosures

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 50
 2.19 - Temporary Refuges and associated critical safety systems.

underdeck riser should riser, relative to TR. due to blast

pipework ESDV fail. followed by a
inboard of the ALARP fire.
ESDV. solution.
Pipe support 350°C for 60 Localised PFP PFP, plus Coatback
steelwork, minutes. increase coatback assessment,
failure of which justified to protection of pipework
could escalate limit secondary expansion and
to TR failure. escalation members to forces to
over a range avoid high supports.
of fire thermal Damage to
scenarios, transfer. PFP.
both local and
global.

In the fire risk assessment, the following factors will be considered:

• Primary structural joints/members, TR support structure to withstand a targeted jet fire.

• Escape routes across bridges, around/underneath process and drilling areas are suitably protected
from major fires to enable escape to the TR/safe areas.
• Support steelwork to critical pipework/valves, such as support clamps' steelwork, hangar steelwork
for vent lines and deluge pipework. Note that often the support steelwork is itself attached to
decks/walls/roofs that could suffer large blast displacements. Local analysis of deflection and loads
on vent, deluge lines etc. is a crucial part of the safety case.
• Base supports for plant/structures where high drag loads due to blast funnelling etc. could be a
dominant load case, or fire scenarios could result in failure before the assumed evacuation time.
• Evacuation walkways to the helideck and spider deck areas are suitable for the assessed fire/blast
loads.
• Helideck structures.

Blast barrier suitability assessment.

As we have said previously, TRs should be located as far as possible away from fire/explosion hazards to
minimise their exposure to heat and blast overpressure during an incident. However, often the risk cannot
be eliminated and physical blast barriers must be put in place to protect the structural integrity of the TR in
the event of an explosion.

Blast barrier suitability is more difficult to assess than that of fire walls. However, as the majority of the
installations are complex layouts, high inventory risk, and permanently attended it vital that this be looked at
in detail.

The following details the issues that should be include in the blast barrier suitability assessment:

• A complete set of explosion scenario investigations.

• Computational Fluid Dynamic (CFD) simulations of gas dispersion, Zonal models, the Shell DICE
model or the workbook approach if it can be justified.
• Determination of equivalent stoichiometric cloud size.
• A combination of CFD and phenomenological explosion simulation with generation of overpressure
data.
• Determination and assessment of the structure against the design explosion loads including blast
wind dynamic pressures.
• Modelling of the installation and systems response.
• Explicit consideration of escalation and interaction between fire and explosion scenarios, including

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 51
 2.19 - Temporary Refuges and associated critical safety systems.

the collapse of tall structures and the external explosion effects on adjacent structures, in particular
the TR.
• Consideration of strong shock and missile generation by the explosion.

To increase blast resistance there are essentially two options:

1. Strengthening the structure by making it stronger.

2. Or make the structure more ductile so it can absorb or channel the pressure.

The connections between the walls and the top and bottom decks are arranged in such a way to maximise
flexibility at connections, while maintaining the air tight requirement of the wall. To ensure ductile design,
the connections must also have sufficient stiffness and strength to allow the wall itself to deflect and fail in a
ductile manner.

Means of escape from TRs.

The means of escape from the TR must be protected from fire and smoke, generally by nature of their
position.

Types of escape equipment will vary and include:

• Ladders.
• Escape nets.
• Zip lines.
• Life boats and escape pods.
• Slides.

More information on escape will be covered in Element 4.

Structures directly and indirectly supporting escape and evacuation routes and survival craft embarkation
areas are covered as part of the escape and evacuation system. Where applicable, the requirements for
bulkheads and decks shall also apply to doors, windows, penetrations and connections.

Adjacent structures which could collapse onto and significantly damage the TR or its systems, or could
obstruct escape and evacuation routes, shall also be evaluated. These may include derricks, cranes,
helidecks, flares, vents, masts, and smaller structures such as walkways, stairways and platforms.
2.20 - Management of Change (MoC).

Offshore experience has shown that many major incidents occur when changes are made to procedures,
equipment, activity or approved practice without re-evaluation of potential impacts with reference to
established procedures.

Change in the Oil and Gas industry.

History has many examples of inadequately managed changes that resulted in catastrophic accidents. A
well-documented MoC program can be used to demonstrate an organisation's commitment toward due
diligence in risk mitigation efforts.

Risk management strategies and strong administration form the basis of an effective MoC program. An
ability to sufficiently analyse and understand the effects and consequent risk associated with the impact of
a proposed change will provide the organisation with vital insight in deciding upon and concluding change.
Designing safety into the MoC program can effectively decrease the occurrence of undesirable change-
induced incidents. Studies into the causes of incidents reveal that severe injury accidents occur at a
disproportional rate during unusual and non-routine work activities. The establishment of policies to
manage equipment, operational and organisational deviations from existing conditions will improve safety,
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 52
 2.20 - Management of Change (MoC).

promote environmental compliance, safeguard property, and preserve business reputation.

What changes?

There are three types of change which can affect safety:

• Equipment or technological.
• Operational.
• Organisational.

Examples of equipment or technological changes include:

• New equipment.
• Replacement or modification of equipment (equipment, components, infrastructure including
emergency replacements when out at sea).
• Replacement or modification of computer hardware.
• Modification to software (logic, interlocks, controls, alarms, instrumentation).
• Bypasses around equipment that is normally in service.
• Disabling of safety/critical systems for testing, calibration or repair/replacement, if not covered by
procedure.
• Modification or removal of safety equipment (fire-fighting equipment, first aid equipment, escape
and evacuation, personal protective equipment etc.).
• Changes to structural support, layout, or configuration.
• New maintenance chemicals.
• New/changed solid/liquid/gas effluents (e.g. produced fluids, waste products, by-products).
• Change to the utilisation of equipment (use different from original purpose, increased/decreased
frequency, different conditions etc.).
• Changes resulting from recommendations originated from non-conformances, root cause analysis,
hazard identification studies etc.
• Contracted equipment and facilities (e.g. drydocks, repair facilities, contracted drilling equipment for
offshore etc.).

Examples of operational changes include:

• Deviation from preventive maintenance or mechanical integrity programs.

• Deviation from inspection program or testing frequency.
• Deviation from testing methods.
• Deviation from operational procedures and safe work practices.
• Deviation from repair requirements.
• A response to external circumstances that is not defined in standard procedures.
• Change to a controlled document.
• Implementation of new procedures.
• Operations outside current operation procedures and parameters.

Examples of organisational changes:

• Changes to onboard management.

• Crew turnover/crew change.
• New contractors.
• New and forthcoming regulations.
• Acquisitions, mergers, new joint ventures and alliances.
• Elimination of positions or restructuring.
• Change of key shore-based staff supporting the ship or offshore facility.
• Crew new to company or new full crew nationality.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 53
 2.20 - Management of Change (MoC).

Organisational Change.

Organisational change is a normal and inevitable part of business life in all sectors. But organisations
associated with major accident hazards have a greater potential for disastrous consequences and higher
costs in terms of lives and money. These consequences mean that organisations managing major hazards
must aim for much higher reliability than is normally necessary in commercial decision making.

Organisational change is often an opportunity to improve health and safety, for example though reappraisal
of safeguards or clarification of personal accountabilities. However, the HSE's experience is that in many
instances organisational changes are not analysed and controlled as thoroughly as plant changes, resulting
in reduced defences against major accidents, sometimes with fatal consequences (as in the Hickson &
Welch incident). This is because, unlike management of plant change, impacts of organisational change
are less well understood, and there is a lack of robust, generally accepted approaches to ensuring safety.

Hickson & Welch - an example of poor organisational change.

In 1992, at Hickson & Welch in Castleford UK, fires killed five employees during the cleaning of a vessel
containing potentially unstable sludge. Because of a recent company reorganisation, the cleaning task had
been organised by inexperienced team leaders reporting to an overworked area manager.

The HSE incident report said:

"Companies should assess the workload and other implications of restructuring to ensure that key
personnel have adequate resources, including time and cover, to discharge their responsibilities."

Different approaches to MoC.

In their guidance 'Organisational Change and Major Accident Hazards', the HSE recommend a 3 step
approach:

Step 1 - Getting organised for change.

Step 2 - Assessing risks.
Step 3 - Implementing and monitoring the change.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 54
 2.20 - Management of Change (MoC).

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 55
 2.21 - Video: Piper Alpha and poor Management of Change.

This short video illustrates the contribution poor management of change made to the Piper Alpha disaster.

Please wait for the video to buffer before pressing play.

Alternatively you can download the video to watch at your convenience.

Download video.
2.22 - Risk Assessment of Change.

Preliminary Impact Assessment.

A change is normally proposed because it is advantageous. However, a change that is not properly
evaluated can also bring negative impacts that outweigh its benefits. The ultimate goal of an MoC program
is to control the change process to minimise or eliminate any detrimental impact on safety, property, and
the environment, as well as quality, security, or any other aspect of interest to the company.

The preliminary impact assessment is very important in an MoC program, and it should appropriately
identify all potential impacts associated with the change. Training on hazard identification and hazard
management is essential to secure completeness in the preliminary impact assessment. A useful tool to
help the Initial Reviewers complete the preliminary impact assessment is a checklist, as well as prompts
and guidance built into the MoC Form. This will facilitate a brainstorming process between suitably qualified
people, where they will identify the hazards, risks and any necessary controls. It will also identify the
potential impact of the change (i.e. minor impact or potential major impact).

Detailed Risk Assessment.

When the preliminary impact assessment identifies that the change has potential for major consequences,
or the complexity of the change warrants it, then a greater degree of scrutiny is required to assess the
potential risks. In these cases, the change owner or the approver is strongly advised to request a second
more thorough and comprehensive risk assessment.

One of the main differences between the preliminary impact assessment and the detailed risk assessment
is the number of people involved. The detailed risk assessment would be carried out by a team, including
subject matter experts from various disciplines. This detailed risk assessment should provide further
clarification into the nature of risks to be controlled and produce a list of requirements or controls to be
implemented before effecting change.

A wide range of risk assessment tools can be used to determine the extent of the potential risks (i.e.
consequences and likelihood of occurrence). The following tools and techniques are typical examples of
types of risk assessments performed for managing change:

• Hazard identification and assessments, such as What-If, HAZID, HAZOP, for equipment changes.
• Structural analysis.
• Engineering analysis required for equipment modifications.
• IT analysis and approval for software changes.
• Competency analysis required by HR for crew related issues.
• Legal analysis required by Legal Department to determine if a change contravenes prevailing
legislation in different jurisdictions.
• Organisational development analysis for an organisational change.

The first step of a risk assessment is to identify all likely potential undesirable events, and then to evaluate
the risks they present in terms of how often they are likely to happen and how severe the consequences
will be if the loss occurs. Once this information is ascertained, the next step is to determine how the risk,
and therefore the change, will be managed.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 56
 2.22 - Risk Assessment of Change.

The detailed risk assessment outcome will typically lead to options such as:

• Terminating the risk i.e. do not proceed with the change.

• Managing the risk of the change using good technical experience, controls, procedures, engineering
controls etc.
• Proposing alternative solutions to the problem that originated the change.

An important element in the decision is evaluating the costs of the selection and weighing them against the
risks so that a reasonable decision can be made (remember the concept of ALARP from Element 1). If the
option to manage the risk is the one recommended by the detailed risk assessment, an implementation
plan must be developed. Such a plan should describe how the change will be executed, what specific
actions must be carried out, including the risk control options, as well as time limits and responsibilities for
addressing any HSQE issue or any negative impact prior to the change being implemented.
2.23 - Approval of Change.

If the implementation plan presented in either the Preliminary Impact Assessment or the Detailed Risk
Assessment is approved, the change may be executed. It is strongly recommended that the results of the
initial impact analysis be confirmed and validated by the 'approver'. A change whose potential impacts have
been poorly analysed may result in insufficient implementation planning. This will increase risk exposure
and the likelihood of significant and detrimental impacts.

In order to adequately perform the technical review, it is critical that the approver be competent in the field
or domain where the change is occurring. For instance, in an oil and gas company, a non-engineering
shore-based manager typically has not acquired the necessary competencies to solely provide acceptance
for a structural change. Such a change is typically reviewed for approval by an appropriately qualified
engineer.

If the approver does not concur with the outcome of the assessments and the proposed implementation
plan, he or she can reject the change and close out the MoC or ask for the Preliminary or Detailed
Assessment to be revisited.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 57
 2.23 - Approval of Change.

Figure 1. Change management and approvals process.

Approver roles and responsibilities.

An effective MoC program requires a structured approval process that complements the management
structure, the complexity of the activities involved, and the levels of competence onboard or at the shore-
base. The approver appraises the Initial Review to confirm the need for change and validate the preliminary
impact assessment and the implementation plan. If the change has major impacts and it is particularly
complex, the approver is strongly suggested to request further detail risk assessment. The program should
discourage situations where the change owner and the approver are the same individual to create an
unbiased process with adequate reviews and second opinions. As we have already said, the detailed risk
assessment, if deemed necessary, is performed by a team of subject matter experts (individuals with strong
competencies in the fields or domains where the change is taking place and impacts are being felt). The
approver of the change is normally the same person that determines who are the relevant experts to carry
out the risk assessment. The approver also signs off on the risk assessment outputs, including the
implementation plan, and designates the personnel to carry out the implementation plan. In some
instances, the approval authority may also fall on a shore-based manager with key organisational duties.
On an offshore installation, a member of the facility management should approve it.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 58
 2.23 - Approval of Change.

Needed competencies for the approver are:

• In depth knowledge of the MoC program.

• Knowledge of Preliminary Impact Assessment and Detailed Risk Assessment.
• Administrative and managerial skills.
• Necessary technical skills to understand the impact of the change.

2.24 - Temporary Changes.

It should be identified during the Initial Review if the change falls into the category of temporary or
emergency. This distinction is important as the MoC program should offer some flexibility to control
changes under these special circumstances.

A temporary change is one that is intended to exist for a short and predetermined period of time.
Management of change procedures for temporary changes should follow the same process as a permanent
change, but they are only valid for a specific time limit as they may carry a higher level of risk that is
acceptable only for a short term. Temporary changes must have a specified time limit to ensure they are
returned to the original system condition or that further steps in managing the change are addressed (i.e.
converting the temporary change into a permanent change). The intent is to make the change, and at some
future date the system will be reverted to its present or design condition. The time limit for the change
should be specified such that if the change does not revert to the original condition, then a permanent
change should be implemented. Note that a conversion from a temporary to a permanent change requires
that the MoC process be initiated. This new process is intended to highlight improvements to the proposed
change, such as new risk control measures that offer a lower risk than the current temporary situation. The
new MoC may highlight a situation that, although tolerable for the short term, would be unacceptable on a
permanent basis. Temporary changes normally require less vigorous documentation than permanent
changes. Thus, another important reason to re-initiate the MoC process when converting a temporary
change to a permanent one is to identify required updates to documents, procedures, training etc.

An example:

A fire alarm sensor next to a diesel generator malfunctions and needs to be deactivated until the required
spare is available. A temporary MoC is carried out. As part of the implementation plan, the measures to
mitigate the risk include ensuring the area remains manned. For this temporary change, the area drawings,
design documentation did not require changing, but instead, a revised temporary procedure was
implemented to manage the change.

Temporary Changes = Temporary Risk Mitigation Actions.

The company should define in the program the maximum length of time permitted for a temporary change.
Some companies offer some leeway in the mandatory time for a temporary change to be converted to a
permanent change by providing the ability to extend the time limit for the temporary change.

In either case, a system should be set up to review all temporary changes around the expiration date to
verify that either:

• The system was returned to its original condition.

• Or conversion was initiated to make the change a permanent part of the system (new MoC
required).
• Or the period for validity of the change was extended.

Note that extending the validity of the temporary changes should not be allowed, except for exceptional
circumstances. Such an extension requires careful consideration and documentation in the MoC form,
which includes as a minimum, re-validating the impact or risk assessment, and proper approvals.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 59
 2.24 - Temporary Changes.

Examples of temporary changes may include:

• Testing/calibration/repair or replacement that requires disabling safety/critical systems.

• Installing temporary piping, clamps, connections, utility connections, or hoses.
• Temporary change in routing.
• Temporary change of contractors.
• Workaround procedure.
• Temporary operation with specific safeguards bypassed or inoperative.
• Temporary de-activation of security features for carrying out maintenance or operation.

2.25 - Emergency Changes.

An emergency change is a change that must be performed in a true emergency. Generally, the situation is
such that action is required quickly, and the persons required to provide approvals may not be available to
meet the requirements of the written MoC process. In these "emergency" situations, safety could be
jeopardised by waiting for completion of the formal MoC process. In an emergency situation, the change
should be reviewed to the best of the staff's abilities. This emergency MoC process should involve a risk
assessment using any and all available resources and time to evaluate the risks involved with the change.
The process may be verbal, rather than written. The focus should be on the immediate risks only. The
verbal implementation plan should also be developed and carried out by relevant personnel, with approval
from the highest ranking personnel available with domain expertise.

In an offshore facility, the approval of emergency MoCs should fall in the person with ultimate work
authority (UWA) at the facility. In the event of an emergency creating an imminent risk or danger, the
person with the UWA has the ultimate authority for safety and decision-making at a facility. This procedure
to ensure such a high level approval for temporary MoCs will help avoid a cultural trap where team
members resort to emergency measures to circumvent the formal MoC process. At the first opportunity
after the emergency has been controlled, the change must be fully evaluated and documented using the
MoC procedure.

The reviews will dictate if the change should be:

• Reversed to continue operations as in the pre-emergency status.

• Or converted to a temporary or permanent change.

Taking advantage of the time and resources not afforded in the midst of an emergency, the output from the
MoC process review can also propose a different change to address the problems that caused or resulted
from the emergency.

Situations such as the following may require an emergency MoC:

• Correction of a deficiency that would cause an immediate threat to safety of the offshore facility or
personnel/environment.
• Imminent environmental release.
• Impending external threats that could result in a loss of hydrocarbon or other cargo, such as natural
disasters, security threats or extreme temperatures.

2.26 - Example exam question on Process Safety Management.

Here is an past exam question on management of change. As we have said previously, there is no
guarantee that this question will ever be asked again, but it will give you a good idea of the types of
questions you could be asked.

Please note how it covers topics from across the syllabus such as the definition of competence (which we

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 60
 2.26 - Example exam question on Process Safety Management.

will discuss later), management of change and knowledge of well-known disasters.

1. Give the meaning of 'competence' (2 marks).

2. Outline why competence is important within management of change (4 marks).
3. Poor management of change is often a root cause of major process safety incidents within the oil
and gas industry. In the 21st century:
1. Identify a major process safety incident onshore where management of change was one of
the root causes (1 mark).
2. Identify a major process safety incident offshore where management of change was one of
the root causes (1 mark).

2.27 - Summary of Process Safety Management.

The learning outcome for this section was:

2.0 - Outline the tools, standards, measurement, competency and controls applicable to Process Safety
Management in the oil & gas industries.

In summary we have learnt:

• The definition and principles of Process Safety.

• About various historic and recent process safety related disasters.
• The content of the OSHA Management Standard for Process Safety Management, with particular
emphasis on:
• About Process Hazard Analysis.
• About Spacing/Layout of Operating Plant.
• The requirements for Protection of Control Rooms, Critical Equipment and Temporary Refuges.
• The principles of Occupied Building Assessments.
• The importance of effective Management of Change, in particular:
• The different types of changes.
• Risk Assessment of change.
• Approval of change by competent persons.
• The process for temporary and emergency changes.

Question 1.

Select the correct answer for the below question.

167 men were killed at _________?

Question 2.

Select the correct missing word to complete the below paragraph.

At _____ a distillation column flooded and over-pressurised causing release from a vent stack resulting in a
series of explosions. 15 workers killed and 180 others injured.
3.0 - Role and purpose of a Permit to Work system.

To put this part of the course materials into context, it should be remembered that a breakdown in the
Permit to Work system was a major contribution to the Piper Alpha disaster.

What is a Permit to Work System?

A permit-to-work system is a formal recorded process used to control work which is identified as potentially
hazardous (high risk). It is also a means of communication between site/installation management, plant

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 61
 3.0 - Role and purpose of a Permit to Work system.

supervisors, operators and those who carry out the hazardous work.

Essential features of permit-to-work systems are:

• Clear identification of who may authorise particular jobs (and any limits to their authority) and who is
responsible for specifying the necessary precautions.
• Training and instruction in the issue, use and closure of permits.
• Monitoring and auditing to ensure that the system works as intended.
• Clear identification of the types of work considered hazardous.
• Clear and standardised identification of tasks, risk assessments, permitted task duration and
supplemental or simultaneous activity and control measures.

The terms "PTW", "permit" or "work permit" refer to the certificate or form which is used as part of an overall
system of work and which has been devised by a company to meet its specific needs.

A PTW system aims to ensure that proper planning and consideration is given to the risks of a particular
job. The permit is a written document which authorises certain people to carry out specific work, at a certain
time and place, and which sets out the main precautions needed to complete the job safely.

The objectives and functions of such a system can be summarised:

• Ensuring the proper authorisation of designated work. This may be work of certain types or work of
any type within certain designated areas, other than normal operations.
• Making clear to people carrying out the work the exact identity, nature and extent of the job and the
hazards involved, and any limitations on the extent of the work and the time during which the job
may be carried out.
• Specifying the precautions to be taken, including safe isolation from potential risks such as
hazardous substances and energy sources.
• Ensuring that the person in charge of a unit, plant or installation is aware of all the work being done
there.
• Providing not only a system of continuous control but also a record showing that the nature of the
work and the precautions needed have been checked by an appropriate person or people.
• Providing for the suitable display of permits.
• Providing a procedure for times when work has to be suspended, i.e. stopped for a period before it
is complete.
• Providing for the procedures or arrangements for work activities that may interact with or affect any
of these activities.
• Providing a formal hand-over procedure for use when a permit is issued for a period longer than one
shift or when permit signatories change.
• Providing a formal hand-back procedure to ensure that any part of the plant affected by the work is
in a safe condition and ready for reinstatement.

3.1 - Video: Permit to Work.

Please wait for the video to buffer before pressing play.

Alternatively you can download the video to watch at your convenience.

This second video shows how a breakdown in the Permit to Work system triggered the events that
destroyed the Piper Alpha platform.
3.2 - When are Permit to Work systems applicable?

Permits to Work should be considered whenever it is intended to carry out any work which may adversely
affect the safety of personnel, the environment or the plant. They are normally considered to be more
appropriate to non-routine activities which may require some form of Risk Assessment prior to work
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 62
 3.2 - When are Permit to Work systems applicable?

commencing.

However, there wil be activities closely related to plant operations where PTW systems will be required.
Maintenance work carried out by plant operators, for instance, should be subject to PTW procedures.

It is also advisable to use a PTW system when two or more individuals or groups or people, perhaps from
different trades or different contractors, need to co-ordinate their activities to ensure that their work is
completed safely. This will apply equally when there is a transfer of work and responsibilities from one
group to another.

It is suggested that companies assess the risk of their activities and list specific operations and types of
work which should be subject to PTW systems. It is not intended that PTW procedures be applied to all
activities as experience has shown that their overall effectiveness may be weakened. If PTWs are required
for every job, or too many jobs, then workers tend to take the whole system less seriously. This can lead to
a 'tick-box' culture.

It is very important for clear understanding by personnel moving from site to site (especially contractors)
that PTW systems are, as far as possible, standardised between the different locations of the same
Company. It is in any event essential that anybody starting work is familiar with the local instructions
detailing when and how PTW systems are to be applied at a particular location.

Types of Permit.

Each organisation will decide on the tasks for which a permit is required.

The following tasks will normally require a permit:

• Hot Work (grinding, welding etc.).

• Confined Space entry.
• Excavation work.
• Work on live Electrical systems.
• Work on machinery.
• Asbestos work.
• Electrical isolation (Lock out, Tag out).
• Work over water.
• Diving work.

These different types of permits will often have different formats and will require different controls. For
example, hot work permits will often require additional provision of fire fighting equipment, clearance of
combustible, flammable gas testing and a fire watch after completion of the work.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 63
 3.2 - When are Permit to Work systems applicable?

Figure 1. Confined space warning sign, requiring a permit before entry.

3.3 - Key Features and Principles of a Permit to Work System.

An effective permit to work form should:

• Clearly describe the task to be performed.

• Indicate the date, location and equipment to be worked on.
• Identify the permit validity time (for example: 1 shift? 1 day? And so on).
• Identify any isolations that may be required (for example: electrical? mechanical? etc.).
• Identify any residual hazards, and the precautions required (for example: gas testing, personal
protective equipment etc.).
• Cross reference any other activities, or isolations, that may be relevant for the equipment being
worked upon.
• Make provision for permit extensions.
• Incorporate provision for permit hand back, cancellation and handover.
• Be properly displayed at the control room, at the site of the work, and a copy kept with the Issuing
Authority.

The Issuing Authority (the person responsible for the operational area for which the permit is being issued),
will be responsible for completion of the above.

In addition the issuing authority will ensure that:

• The work area has been inspected before work commences.

• Other personnel that may be affected by the work have been informed.
• The permit conditions are agreed and made clear to the Performing authority.
• The permit is signed by both Issuing and Performing authorities.
• Permit compliance is monitored for the period of the job.

The Performing authority (the person carrying out or managing the work) is responsible for:

• Overall control of the work activity.

• Ensuring that the hazards and precautions stipulated on the permit are communicated to their team
members.
• Ensuring that the precautions are followed and maintained.
• Ensuring that only work specified on the permit is carried out.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 64
 3.3 - Key Features and Principles of a Permit to Work System.

• Ensuring that the permit hand back is completed on completion of the task.

3.4 - Display of Permit to Work forms.

Copies of a PTW should be clearly displayed at the work site, or in a recognised location near to the work
site. If this is not practicable, (e.g. when a job is carried out in a number of locations) then the permit should
be kept on the performing authority. A copy should also be prominently displayed in the control room, with
additional copies at any local control rooms. In addition, a copy of the permit should be kept with the issuing
authority, or with the area authority if that person is not located at the worksite or control room. To facilitate
the requirements for multiple copies PTWs are usually printed on multi-sheet carbon paper.

During the Piper Alpha inquiry it was found that contrary to the written procedure, the performing authority's
copy of the permit was frequently not displayed at the job site, and was commonly kept in the performing
authority's pocket. Lord Cullen made a specific recommendation on this point: 'Copies of all issued permits
should be displayed at a convenient location and in a systematic arrangement such that process operating
staff can readily see and check which equipment is under maintenance and not available for operation.'

Figure 1. Active PTWs displayed in a Control Room.

3.5 - Suspension of Permits to Work.

Work may sometimes have to be suspended, for example:

• If there is a general alarm.

• For operational reasons, e.g. when the permit is for hot work and process fluid or gas sampling must
be carried out at the same time, with the possibility of a release of a dangerous substance.
• While waiting for spares.
• There is a change to the nature or scope of the work.
• Where there is conflict with another scope of work. It is important to remember that a suspended
permit remains live until it is cancelled. This means that there may still be active isolations under a
suspended permit.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 65
 3.6 - Permit Interaction.

It is important to make sure that one activity under a PTW does not create danger for another, even if the
other work does not require a PTW.

Those involved with the issue of PTWs should be aware of potential interactions, and should ensure that
when a permit is prepared, the work to be carried out takes account of other activity currently planned or
underway. It may be that the interacting activities are covered by separate responsible authorities, in which
case close liaison will be necessary. For example through cross-referencing on the permit, the task risk
assessment or in the work pack.

In the PTW system in place at the time of the Piper Alpha disaster, there was no cross-referencing when
the work carried out under one permit affected the work under another. Reliance was placed on the
memory of the designated authority.

Again, interacting activities may make special demands upon isolation procedures if an isolation is common
to more than one job, and isolations should be clearly detailed on the permit or a supporting cross-
referenced isolation certificate. See LOTO systems later for further information.
3.7 - Handover of Permits.

If work is carried over to another shift (e.g. the job takes longer than expected) then a shift handover
procedure should be in place. This handover procedure should ensure that the incoming shift is aware of
any outstanding permit-controlled jobs, the status of those jobs, and the status of the plant. Work-in-
progress should be left in a condition that can be reliably communicated to, and understood by, the
oncoming shift. A permit log, permit file or display boards are ways of recording ongoing permits. It is
essential that there is good communication between incoming and outgoing issuing and performing
authorities and it is recommended that the incoming issuing authority signs to allow the continuation of a
permit. More about this when we look at shift handovers very shortly.

In his report on the Piper Alpha public inquiry, Lord Cullen found that the handovers between phase 1
operators and maintenance lead hands on the night of the disaster had failed to include communication of
the fact that PSV 504 had been removed for overhaul and had not been replaced. This missing PSV was
the source of the leak which subsequently ignited.
3.8 - Hand-back of Permits.

The hand-back procedure should include obtaining answers to the following questions:

• Has the work been completed? This should be confirmed by the performing authority (i.e. the
person to whom the permit was issued).
• Has the plant or equipment been returned to a safe condition, in particular by removing isolations?
Has this been verified by the person responsible for signing off the permit (i.e. issuing or area
authority)?
• Has the person in control of operational activities acknowledged on the permit that the plant or
equipment has been returned to the control of the production staff?

3.9 - Permit authorisation and supervision.

A PTW system will be fully effective only if the permits are co-ordinated and controlled by an issuing or
other responsible authority, and if there is adequate supervision and monitoring of the system to make sure
that the specified procedures are being followed. This should include site visits by the issuing authority to
check whether the conditions of the permit are being complied with (as a minimum, at start and completion
of the task, with interim checks depending on hazard, complexity and duration of task).

Managers or supervisors should not rely solely on scrutinising forms to see whether they have been
completed properly, but should carry out additional checks of issuer's forms on a sample basis. Careful
consideration should be given to the number of signatures required for a permit. Signatures or 'initials'
should only be required where they add value to the safety of the work undertaken, and those signing
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 66
 3.9 - Permit authorisation and supervision.

permits or supporting documentation should have specific training and authorisation from the company.
3.10 - Common faults with a Permit to Work system.

To summarise what we have discussed, here are some common faults of PTW systems:

• Discredited system and tick box culture.

• Issuer not competent.
• Receiver not competent.
• No Risk Assessment conducted.
• Failure to follow requirements/controls detailed on the Permit to Work.
• Permits not cancelled on task completion.

3.11 - Different types of Permits to Work.

As mentioned previously, different types of permit are used to control different types of activity. Each one
will require different questions and different controls. Here is an outline of some of the various types of
Permits to Work.

Hot work permit.

Hot work is usually taken to apply to an operation that could include the application of heat or ignition
sources to tanks, vessels, pipelines, and other metalwork. These may contain, or have contained,
flammable vapour. Hot work permits will also be required when carrying out hot work in areas where
flammable atmospheres may be present.

These permits usually require at least some of the following precautions:

• Pre-use check of the equipment (welding valves, pipework, flashback arrestors).

• Clearing of combustibles from the area (sweeping, wetting, tidying up etc.) and covering vulnerable
plant with non-combustible sheeting.
• Testing for flammable gas.
• Inerting or ventilation of vessels/pipework.
• Verification of the competence of the people carrying out the work (trained in hot work method used,
use of fire extinguishers etc.).
• Knowledge of means of escape and of raising the alarm.
• Provision of fire extinguishers.
• Fire watch for a period of time after completion of the work.
• Disabling of fire detection systems to prevent false activation.

Confined spaces Entry Permit.

Confined space entry permits are used to specify the precautions to be taken to eliminate exposure to
dangerous fumes or to an oxygen-depleted atmosphere before a person is permitted to enter a confined
space. The certificate should confirm that the space is free from dangerous fumes or asphyxiating gases. It
should also recognise the possibility of fumes desorbing from residues, oxygen depletion of the atmosphere
as a result of oxidation, or the ingress of airborne contaminants from adjacent sources. The certificate
should specify the precautions to be taken to protect the enclosed atmosphere against these hazards, e.g.
by forced ventilation, physical isolation or by the provision of personal protective equipment including
breathing apparatus.

They should also consider the requirements for access/egress and emergency rescue arrangements.

Diving Permits.

Diving permits can be used to control the diving activity itself and to ensure that there are no other activities
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 67
 3.11 - Different types of Permits to Work.

taking place nearby which create unnecessary additional risks (e.g. over-side work, live fire-water intake
pumps).

The permit will also consider issues such as the weather, visibility, the use of Remotely Operated Vehicles,
isolations, chemical exposure, emergency response plan, contaminated waters, decompression illness,
cumulative dive time and maintenance of equipment.

Isolation (mechanical and electrical hazards).

Where maintenance requires that normal guarding is removed, or access is required inside existing
guarding, then additional measures are needed to prevent danger from the mechanical, electrical and other
hazards that may be exposed. There should be clear company rules on what isolation procedures are
required, and in what circumstances (for example, some cleaning of mixing machinery may require
isolation, even though it might not be considered a maintenance task).

The basic rules, however, are that:

• The equipment should be isolated from the power source (usually, but not exclusively, electrical
energy).
• The isolator should be locked in position (for example by a padlock).
• A sign should be used to indicate that maintenance work is in progress. Isolation requires use of
devices that are specifically designed for this purpose, not devices such as key-lockable emergency
stops or other types of switches that may be fitted to the machine. Any stored energy (hydraulic or
pneumatic power, for instance) should also be dissipated before the work starts.

If more than one maintenance worker is involved in the work, each of them should lock off the power with
their own padlock. Multi-padlock hasps can be used in such circumstances. Such isolation procedures can
also be applied to locking off valves for services (such as steam) and material supplies.

Before entering or working on the equipment, it is essential that the effectiveness of the isolation is verified
by a suitably competent person (i.e. try turning it on and also test with a voltmeter).

Radiation permit.

Radiation permits outline necessary control measures to minimise risks of exposure to radioactive sources
including site inspection, controls on source exposure, access or containment barriers and radiation
monitoring.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 68
 3.11 - Different types of Permits to Work.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

Figure 1. Example
NEBOSH Intl Oil & Gas Safety Certificate of a Confined Space Entry Permit.
v2.0 (30/10/2015) Page: 69
 3.12 - Lockout Tagout Systems (LOTO).

LOTO or "lock and tag" is a safety procedure which is used to ensure that dangerous machines are
properly shut off and not started up again prior to the completion of maintenance or servicing work. It
requires that hazardous power sources be "isolated and rendered inoperative" before any repair procedure
is started. "Lock and tag" works in conjunction with a lock usually locking the device or the power source
with the hasp, and placing it in such a position that no hazardous power sources can be turned on. The
procedure requires that a tag be affixed to the locked device indicating that it should not be turned on.

Figure 1. Examples of locked out equipment.

Interaction of work or contractors.

When two or more subcontractors are working on different parts of a larger overall system, the locked-out
device is first secured with a folding scissors clamp that has many padlock holes capable of holding it
closed. Each subcontractor applies their own padlock to the clamp. The locked-out device cannot be
activated until all workers have signed off on their portion of the project and removed their padlock from the
clamp. No two keys or locks should ever be the same. A person's lock and tag must not be removed by
anyone other than the individual who installed the lock and tag unless removal is accomplished under the
direction of the employer.

Isolation Procedure.

Modern machinery can contain many hazards to workers, from things like electrical, mechanical, pneumatic
or hydraulic sources. For example a typical industrial machine may contain things like hot fluids, moving
presses, blades, propellers, electrical heaters, conveyor belts with pinch points, moving chains, ultraviolet
light, etc.

Disconnecting or making safe the equipment involves the removal of all energy sources and is known as
isolation. The steps necessary to isolate equipment are often documented in an isolation procedure or a
lockout tagout procedure.

The isolation procedure generally includes the following tasks:

1. Identify the energy source(s).

2. Isolate the energy source(s).
3. Lock and Tag the energy source(s).
4. Prove that the equipment isolation is effective.

In many cases the equipment can simply be unplugged. However, for some equipment it may be necessary
to isolate it at a switch that is some distance away, and not visible from the equipment. The locking and
tagging of the isolation point lets others know not to re-energise the equipment.

Modern safety manufacturers provide a range of isolation devices specifically designed to fit various
switches, valves and effectors. For example, most modern circuit-breakers have a provision to have a small
padlock attached to prevent their activation. For other devices such as ball or gate valves, plastic pieces
which either fit against the pipe and prevent movement, or clam-shell style objects which completely

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 70
 3.12 - Lockout Tagout Systems (LOTO).

surround the valve and prevent its manipulation are used.

Many sites have the officially stated policy that only the person who tagged the device can untag it. This
means that if a worker goes home after their shift without removing the tag from a device which is ready to
use, then they will have to travel back to the site to untag it. Giving approval for the removal of a tag over
the phone is prohibited.

Whilst this policy might seem to be encouraging workers to take the risk of not tagging out in the first place,
it is usually accompanied by a policy stating that working on a device without tagging it out will result in
instant dismissal.

Figure 2. Two padlocks isolating the electrical supply. The supply cannot be restored unless both people
remove their locks.

Different types of energy.

Electricity is the most obvious source of energy. However, there may be other energy sources that are not
so obvious and this energy will also need isolating or dissipating before work is carried out:

• Built up pressure (hydraulic, pneumatic, compressed air etc.) should be relieved or pipework fitted
with spades/blanks if there is a chance an accidental pressure release can cause injury.
• Stored electrical power in a battery or accumulators. The energy can be discharged, or isolated
electrically.
• Thermal energy may be supplied by circulation of pre-heated fluid. In such cases isolating valves
should be fitted to the supply pipework and the pipes should be drained and allowed to cool before
work is attempted.
• Radioactive sources. In this case it may be possible to remove the source or shield it.
• Static electricity can be removed by earthing or using an anti-static air gun to replace lost ions.
• Gravity. For example power presses can suddenly close under their own weight, or vehicles can

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 71
 3.12 - Lockout Tagout Systems (LOTO).

suddenly roll if their brakes are not locked. In these cases a physical device such as a chock or jack
can be used to block the equipment into a set position.

Figure 3. Wheel chock for a large vehicle.

Isolation methods for pipes and pipelines in the oil and gas industry:

• Valves.
• Spades, blanks and spectacle plates.
• Physical disconnection.
• Squeeze off (clamping a pipe).
• Foam bagging (inserted into the pipe).
• Pipe plugs.
• Pipe stoppers.
• Inflatable bag.
• Hot tapping and stoppling.
• Pipe freezing.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 72
 3.12 - Lockout Tagout Systems (LOTO).

Figure 4. Blanks and spades.

Figure 5. Pipeline plug.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 73
 3.12 - Lockout Tagout Systems (LOTO).

Figure 6. Pipe freezing.

Further information can be obtained from reading the HSE guidance HSG253 "The Safe Isolation of Plant
and Equipment" which can be downloaded from the [Link] website.
3.13 - Example Exam Questions on Permits to Work and Isolation.

Here is a selection of past exam questions on PTW and isolation. As we have said previously, there is no
guarantee that these questions will ever be asked again, but these will give you a good idea of the types of

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 74
 3.13 - Example Exam Questions on Permits to Work and Isolation.

questions you could be asked.

Identify FOUR types of work activity associated with an oil installation that might require a permit-to-work
AND give a reason in EACH case for the requirement (8).

A large induced draught fan is used to exhaust gases from a furnace. The hot gas flow is controlled through
pneumatically operated vanes within the fan. The fan can be isolated from the process by hydraulically
operating inlet and outlet valves. The fan needs to be stopped and isolated for electric motor and fan
repairs.

In relation to Lock Out Tag Out (LOTO) in this example:

1. (a) Identify FOUR residual energy sources that may need de-energising (4).
2. (b) Outline locations where locks and associated tags may need to be applied (4).

Welding is to be carried out on a broken pipe support bracket within a hydrocarbon processing plant. The
plant does not need to be shut down to carry out the repair.

Outline factors that would need to be considered before welding takes place (8):

1. Outline the contents of a typical permit-to-work (8).

2. Outline how the contents of a hot work permit are different to a typical permit-to-work (4).
3. Give the meaning of the following terms:
1. Lower Flammable Limit (LFL) (2).
2. Flammable range (2).

The flammability of gas is a factor to consider with maintenance tasks and particularly hot work permits.
The diagram below highlights the flammable range of a gas.

1. Explain the significance of the atmospheric range between 0% and the LFL, indicated as (a) on the
diagram, in relation to hot work permits (4).

A worker has requested a permit-to-work in order to replace damaged thermal insulation in an overhead
pipe rack that runs between two plants:

1. Identify THREE hazards associated with this activity (3).

2. Outline control measures that should be implemented to reduce the risks to the worker (5).

1. Outline TWO functions of a permit-to-work form (2).

2. Outline FOUR of the elements that should be included in a typical permit-to-work (4).
3. Identify TWO types of work activity associated with an oil installation that might require a permit-to-
work (2).

A worker has requested a permit-to-work in order to replace damaged thermal insulation in an overhead
pipe rack that runs between two plants.

1. Identify THREE hazards associated with this activity. (3)

2. Outline control measures that should be implemented to reduce the risks to the worker. (5)

3.14 - Summary of PTW and isolation.

The learning outcome for this section was:

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 75
 3.14 - Summary of PTW and isolation.

3.0 - Explain the role and purpose of a Permit to Work system.

In summary we have learnt:

• The purpose, objectives and functions of a Permit to Work system.

• When permits to work are required and the different types of permit.
• The principles and key features of a permit to work.
• The responsibilities of the Issuing and Performing authorities.
• The requirements for display, suspension, handover, handback, authorisation and supervision of
permits.
• About the issues of permit interaction between contractors and plant.
• The principles of Lock-Out Tag-Out systems and the various equipment available.
• The different types of energy and how these may be isolated.

4.0 - Safe Shift Handover.

Accidents caused by poor shift handover.

The role of shift handover has been highlighted in a number of recent high profile, major accidents.
Following the 2005 Texas City refinery explosion, BP released their internal investigation report to the
public. This identified that poor shift handover was a contributor to the accident, citing the failure to
communicate the failure of a hard-wired high level alarm between shifts as a contributing event. By way of
an explanation the report stated that "there were no written expectations with explicit requirements for shift
handover."

The subsequent inquiry carried out by the Chemical Safety Board agreed with these findings, stating that
"the condition of the unit, specifically, the degree to which the unit was filled with liquid raffinate, was not
clearly communicated from night shift to day shift."

In the UK it seems clear that shift handover had a role in the 2005 explosion at the Buncefield oil storage
terminal. One of the recommendations from the Buncefield Standards Task Group was that "effective
shift/crew handover communication arrangements must be in place to ensure the safe continuation of
operations."

But this is not a new discovery. The inquiry into the 1988 Piper Alpha disaster found that prior to the
accident critical information about the status of the condensate pumps was not communicated at shift
handover. This meant operators started a pump that was not in an operational state. And before that,
following the discharge of highly radioactive material from the nuclear processing plant at Sellafield in 1983,
it was found that failures of communication between shifts created confusion regarding the contents of a
particular tank that was pumped to sea.

Effective Handover and communication.

Effective communication is important in all organisations when a task and its associated responsibilities are
handed over to another person or work team. This can occur at shift changeover, between night and day
workers, or between different functions of an organisation within a shift e.g. operations and maintenance.

The goal of handover is the accurate reliable communication of task-relevant information across shift
changes or between teams thereby ensuring continuity of safe and effective working.

Effective handover consists of three elements:

• A period of preparation by out-going personnel.

• Handover where out-going and in-coming personnel communicate to exchange task-relevant
information.
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 76
 4.0 - Safe Shift Handover.

• Cross-checking of information by in-coming personnel as they assume responsibility for the task.

4.1 - Key principles of Safe Shift Handover.

To ensure safe handover, organisations should:

• Identify higher risk handovers.

• Develop staff's communication skills.
• Emphasise the importance of shift handover.
• Provide procedures for shift handover.
• Plan for maintenance work to be completed within one shift if possible.

Shift handover should be:

• Conducted face-to-face.
• Two-way, with both participants taking joint responsibility (e.g. relaying information and seeking
clarification).
• Done using both verbal and written communication (e.g. log books and checklists).
• Based on an analysis of the information needs of incoming staff (e.g. consideration to be given to
those who may require more time or explanation than others, such as those returning after
prolonged absence or inexperience of the incoming operator).
• Given as much time and resource as necessary (e.g. dependent on state of the process and
amount of maintenance work on previous shift).

Critical issues that should be communicated during shift handover include:

• The status of the plant, covering all aspects of operations and maintenance, should be
communicated to the incoming shift. These include:
o Current state of the unit.
o Temporary operations.
o Existing abnormal situations.
o Maintenance in progress.
• All process upsets or excursions that occurred during the departing shift should be discussed. Any
corrective action taken should be described.
• If a corrective action is in progress, the departing crew should explain the need for it and any
emergency response actions activated.
• Any maintenance work permits in progress. The maintenance work team should transfer
accountability about the work to the incoming maintenance work team.
• Maintenance needs that should be addressed by the incoming shift should be communicated.
• Any safety interlocks out of service, the reason for their being out of service, and the maintenance
status of the interlocks should be addressed. Also, a description of any special measures needed
because the safety interlocks are out of service should be given.
• Any incidents or events that occurred during the shift should be communicated.
• Any problems with instrumentation, controls, or utilities should be communicated.

4.2 - Written communication between handovers.

Face to face handovers are improved if they are supported by structured written material (e.g. a checklist of
items to convey, and/or a position log to review). Written material introduces redundancy in the verbal
handover, which reduces the risk of erroneous communication. It also allows one to specify ahead of time
those aspects of the communication that are most important and should not be left out.

Many companies structure their shift handovers around a variation of the SQDC (Safety, Quality, Delivery,
Cost) or the SEQPR (Safety, Environment, Quality, Production, Reliability) philosophies. These can

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 77
 4.2 - Written communication between handovers.

influence the format of checklists, logbooks or visual boards which will structure the discussion.

Figure 1. An example of a SQDC metric tracking board.

Written communication is helped by the design of the documents, such as the handover log, which consider
the information needs of those people who are expected to use it. By involving the people who conduct shift
handovers and asking them what key information should be included and in what format it should be helps
accurate communication, and their acceptance contributes to its use and acceptance of the process.
4.3 - Example Exam Question on Handovers.

Here is a an example of a past exam question on safe shift handovers. As we have said previously, there is
no guarantee that this question will ever be asked again, but these will give you a good idea of the types of
questions you could be asked.

Within an oil and gas installation effective shift handover can prevent incidents.

1. Outline FOUR shift handover principles (4).

2. Practical operational issues that should be communicated at shift handover include process
problems over previous days, instrument overrides, supervisor instructions and relaying routine
operations for the next shift. Outline additional practical operational issues communicated at shift
handover (4).

4.4 - Summary.

The learning outcome for this section was:

4.0 - Explain the key principles of safe shift handover.

In summary we have learnt:

• The importance of effective shift handover.

• The three elements of an effective handover.
• The Key Principles of safe shift handover.
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 78
 4.4 - Summary.

• The importance of written communication.

5.0 - Plant Operations and Maintenance.

In the continuing difficult economic times, plant reliability is essential to ensure strong oil and gas
production levels and prevent unplanned maintenance work.

Plant reliability also has its part to play in ensuring minimal damage to the environment is caused as a
result of oil and gas operations. Reliability and safety go hand-in-hand, making sure that major incidents
with the potential to affect the workforce and wider community occur as infrequently as possible.

Poor plant reliability also causes uncertainty among both investors and customers, ultimately impacting on
the bottom line.

Speaking at an industry event in 2009, Sherman J. Glass Jnr., president of Exxon Mobil refining and supply
company, said: "We know that regardless of economic conditions we must continue to improve the safety
and the reliability of operations, increase the efficiency of plants and steadily improve shareholder returns
as well as invest in new technologies."
5.1 - Asset Integrity.

Asset integrity is the ability of the asset to perform its required function effectively whilst safeguarding life
and the environment. Good asset integrity is critical to our business, as a loss of asset integrity can have
catastrophic effects, leading to major accidents that result in multiple fatalities as well as very large
economic, environmental and reputational damage (for example Piper Alpha, Texas City, Buncefield,
Deepwater Horizon etc.).

Asset integrity management is all about managing the Major Hazards associated with our operations.
These hazards generally result from the intrinsically hazardous properties of the materials that we produce,
process, transport and supply. Managing the Major Hazards is also often referred to as Process Safety
Management. Successful management of these hazards requires the safe transportation of hydrocarbons
from source to final destination without loss of containment or other hazardous event. Systems need to be
in place to prevent a loss of containment, and in the event that this does occur other systems need to be
available in good working order to detect the event and to control and mitigate the hazardous
consequences.

Asset integrity management can be visualised as a series of control measures or barriers, which
either:

1. Prevent the hazard from being released.

2. Or limit the effects of the incident if the hazard is released.

These barriers are depicted in the "swiss-cheese" model (below) which we have already discussed in
Element 1. Each barrier is a high level functional grouping of safeguards and controls selected to prevent,
or limit the effect of, a major accident or environmental event. A barrier may therefore include a number of
safety critical systems, and safety critical elements (SCEs). These are the parts of an installation and its
plant (including computer programmes) whose purpose is to prevent, control or mitigate major accident
hazards and the failure of which could cause or contribute substantially to a major accident.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 79
 5.1 - Asset Integrity.

Figure 1. Concept of barriers and SCEs.

Examples of SCEs include Temporary Refuge HVAC systems, Gas detectors, Fire detectors, Deluge
systems, Fire pumps, Emergency shutdown devices, Emergency lighting etc.

Each barrier comprises a mix of plant, people and processes. Physical plant barriers include, for example,
systems provided for emergency shutdown, relief and blowdown, fire protection and evacuation. The
presence of the physical plant barriers alone is not sufficient. These require competent people and effective
processes to ensure that they are correctly specified and that their ongoing suitability is assured. People
and processes include internal procedures and work practices; for example operating procedures, or
training and experience.

No barrier is perfect, the design limitations, and the potential for barriers to fail or be by-passed, is
represented by the holes in the barrier model (hence the name "swiss-cheese"). Asset integrity programs
are primarily focussed on assuring the ongoing suitability, and improving, the barriers.

Good Asset Integrity means designing, building and operating facilities in such a way as to reduce the risks
associated with Major Accident Hazards to As Low As Reasonably Practicable (ALARP). These activities
extend throughout the life cycle, as depicted in the Asset Integrity Life Cycle diagram below. These
activities begin with identification and specification of the barriers that are required to manage the hazards,
so that "asset integrity" is built in at the design stage. Once the facility commences operation, these barriers
need to be sustained by adequate inspection, testing and maintenance activities to ensure that they are
available to function as and when required; and the plant must be operated within the design envelope and
in accordance with the established safe operating processes. Verification of the suitability of the barriers to
manage the major hazard risks is required throughout the life cycle.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 80
 5.1 - Asset Integrity.

Figure 2. Asset Integrity Life Cycle.

5.2 - Maintenance Strategies.

In order to ensure that equipment (particularly SCEs) preserve its integrity throughout its lifecycle, it must
be maintained in an efficient state and efficient working order. A thorough inspection regime is critical to an
effective maintenance programme. In addition to any manufacturer's guidance or national requirements,
maintenance and inspections may required after installation or re-installation or where deterioration may
lead to a significant risk.

Maintenance strategies include the following:

Corrective Maintenance.

Corrective maintenance refers to when action only taken when a system or component failure has
occurred. It is thus a reactive strategy. The task of the maintenance team in this scenario is usually to carry
out repairs as soon as possible. This approach would not be suitable for the maintenance of SCE.

Preventive Maintenance.

With preventative maintenance, equipment is repaired and serviced before failures occur. The frequency of
maintenance activities is pre-determined by schedules. Preventive maintenance aims to eliminate
unnecessary inspection and maintenance tasks, to implement additional maintenance tasks when and
where needed and to focus efforts on the most critical items. The higher the failure consequences, the
greater the level of preventive maintenance that is justified.

Predictive Maintenance.

Predictive maintenance refers to maintenance based on the actual condition of a component. Maintenance
is not performed according to fixed preventive schedules but rather when a certain change in
characteristics are noted (for example: corrosion sensors supplying diagnostic information on the condition
of a system or component play an important role in this maintenance strategy). A useful analogy can be
made with automobile oil changes. Changing the oil every 5000 km to prolong engine life, irrespective of
whether the oil change is really needed or not, is a preventive maintenance strategy.

Predictive maintenance would entail changing the oil based on changes in its properties, such as the build-
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 81
 5.2 - Maintenance Strategies.

up of wear debris. When a car is used exclusively for long distance highway travel and driven in a very
responsible manner, oil analysis may indicate a longer critical service interval. Some of the resources
required to perform predictive maintenance will be available from the reduction in breakdown maintenance.

Reliability Centred Maintenance.

Reliability centred maintenance (RCM) involves the establishment or improvement of a maintenance

program in the most cost-effective and technically feasible manner. It will utilise all of the other
maintenance strategies when and where they are most appropriate, depending on the likelihood and
consequences of failure, and cost benefit analysis. This will include "run to failure" for low risk equipment.
5.3 - Inspection and Testing.

Inspection.

Frequent inspection of equipment can help determine its true status and enable appropriate actions to be
taken to prevent failure. Hence, an effective maintenance inspection strategy can help to reduce the
equipment downtime.

Factors influencing inspection frequency include:

• Criticality of the equipment.

• What inspection is required by national regulations.
• Inspection is need after damage, major modification or repair.
• Equipment operating in extreme weather or harsh environments.
• Guidance from Manufacturers.

Risk Based Inspection (RBI).

RBI is a method for using risk as a basis for managing an inspection programme. RBI provides the ability to
target inspection resources at the areas of plant where inspection will provide the most benefit in reducing
risk. Risk is defined as the combination of the probability of failure and the consequences of failure.

In simple terms, it is a risk based approach to prioritising and planning inspection used in engineering
industries, and predominant in the oil and gas industries. This type of inspection planning analyses the
probability (or likelihood) and consequence of failure of an asset to calculate its risk of failure. The level of
risk is used to develop a prioritised inspection plan for the asset or assets.

It is used to prioritise inspection requirements for major oil platforms, refineries and chemical installations
around the world. It is usually carried out by means of non-destructive testing (NDT). The resulting
inspection plan outlines the type and frequency of inspection for the asset. It is used for industrial pipework,
process systems, pipelines, structures and many other types of assets in these industries.
Items with high probability and high consequence (i.e. high risk) are given a higher priority for inspection
than items that are high probability but for which failure has low consequences. This strategy allows for a
rational investment of inspection resources.

Testing.

Testing is required to ensure that SCEs continues to meet the required performance standard. For
example:

• The set pressure of a relief valve.

• Operation of HVAC dampers.
• Ventilation fan shutdown.
• Air leakage tests on TR.
• Leak testing of pipes and vessels with pressurised inert gas (nitrogen for example).
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 82
 5.3 - Inspection and Testing.

• Accuracy of instrumentation.
• Operation and battery life of emergency lighting.
• Routine operation of fire deluge and sprinkler pumps.
• Gas and fire detectors.
• Operation of automatic closure of fire/blast doors.
• Closure of isolation valves such as emergency shutdown valve.
• Activation of sensors such as overfill or temperature.
• Communication methods such as radios and telephones.
• Activation of visual and audible alarms.
• Emergency shutdown commands and emergency stops.
• Blowout preventer activation.
• Non destructive testing for corrosion.
• Activation of deluge and sprinkler pumps.
• Load testing of lifting equipment.

National regulations (or guidance) may specify testing requirements for certain equipment.
5.4 - Corrosion Prevention.

Corrosion is the deterioration of materials by chemical interaction with their environment. The term
corrosion is sometimes also applied to the degradation of plastics, concrete and wood, but generally refers
to metals. The most widely used metal is iron (usually as steel) and the following discussion is mainly
related to its corrosion.

The consequences of corrosion are many and varied and the effects of these on the safe, reliable and
efficient operation of equipment or structures are often more serious than the simple loss of a mass of
metal.

Some of the major harmful effects of corrosion can be summarised as follows:

• Reduction of metal thickness leading to loss of mechanical strength and structural failure.
• Hazards or injuries to people arising from structural failure or breakdown.
• Contamination of fluids in vessels and pipes.
• Perforation of vessels, pipes allowing escape of contents, with potential for a major accident.
• Mechanical damage to valves, pumps, etc, or blockage of pipes by solid corrosion products.

Corrosion control methods include:

Protective Coatings.

Protective coatings are the most commonly used method of corrosion control. Protective coatings can be
metallic or they can be applied as a liquid "paint."

Corrosion allowance.

Metal is added to the design thickness against general corrosion loss (typically 0.5mm to 6.0mm for many
engineering purposes). Whilst the progress of depleting the corrosion allowance must be monitored and
recorded, "day one" corrosion thicknesses should be checked as a base-line measurement.

Corrosion Inhibitors.

Corrosion inhibitors are chemicals that are added to controlled environments to reduce the corrosivity of
these environments. Examples of corrosion inhibitors include the chemicals added to automobile
antifreezes to make them less corrosive.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 83
 5.4 - Corrosion Prevention.

Cathodic and anodic protection.

Cathodic protection (CP) is another technique used to control the corrosion of a metal surface by making it
the cathode of an electrochemical cell. The simplest method to apply CP is by connecting the metal to be
protected with a piece of another more easily corroded "sacrificial metal" to act as the anode of the
electrochemical cell. The sacrificial metal then corrodes instead of the protected metal.

Figure 1. Sacrificial anode on an underground tank.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 84
 5.4 - Corrosion Prevention.

Figure 2. A sacrifical anode is bolted to the hull of a boat.

5.5 - Competence and Training.

Competence.

To be competent an organisation or individual must have:

• Sufficient knowledge of the tasks to be undertaken and the risks involved.

• The experience and ability to carry out their duties, to recognise their limitations and take
appropriate action to prevent harm to those carrying out work, or those affected by the work.

Competence develops over time. Individuals develop their competence through a mix of initial training, on-
the-job learning, instruction, assessment and formal qualification. In the early stages of training and
experience, individuals should be closely supervised. As competence develops, the need for direct
supervision should be reduced.

A competent person is someone who has sufficient training and experience or knowledge and other
qualities that allow them to assist you properly. The level of competence required will depend on the
complexity of the situation and the particular help you need.

Improving and Maintaining Competence.

Global demand for crude oil and natural gas has escalated in recent years, leading to a surge in
investments and, consequently, increasing shortages of qualified workers.

Global energy demand will increase by 35 per cent from 2010 to 2035, according to the International
Energy Agency (IEA). New sources of oil and gas mean future demand will most likely be met, but the

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 85
 5.5 - Competence and Training.

industry may not find the workers it needs to exploit new reservoirs.

According to the International Labour Organisation (ILO ), more than half of all oilfield professionals will
reach retirement age in the next decade. This poses a real challenge for the industry. Organisations are
responding by attempting to train local people in a much faster time-frame. While it can take up to years to
gain a University degree that is relevant to the industry, tailored vocational training can develop local
people's skills much more quickly.

As the industry changes and technology evolves, it is important to keep people's (and your) competence up
to date. Regular retraining and making an effort to keep up to date with the latest industry techniques is
important. Many professional organisations, including IOSH, require their members to following a
Continuing Professional Development (CPD) programme to demonstrate their continuing effort to maintain
and improve their knowledge.

For individual employees, continuing to learn and develop their professional skills and expand their
knowledge-base can open up opportunities for advancement in their companies. The oil industry,
especially, is cyclical in nature, depending greatly on commodity prices and the health of the overall
economy. Staying on top of best practices and growing on the job can ensure that an employee will remain
valuable to his or her employer.

In good times, when the oil and gas industry is riding high, highly-trained employees are well-positioned to
take on additional responsibilities and supervisory roles.

A well-trained workforce contributes mightily to the entire industry, whose successes and failures can have
a worldwide impact. When the BP Deepwater Horizon operation caused a massive spill in the Gulf of
Mexico, the well-publicised incident highlighted the need for enhanced emergency management training for
the energy workforce.

Measurement of Competence.

Competence can be measured and assessed during:

• Selection and recruitment.

• Performance management reviews.
• During and after training.
• During and after carrying out work.

Competence can be measured by:

• Qualifications and completion of training.

• The length of time served.
• Quality of work.
• Past safety record (accidents, incidents. Also prosecutions in the case of contractors).
• Observed attitude towards safety procedures.
• Listening to the views of other stakeholders and members of the team.

Any competency gaps identified can usually be rectified by retraining. In the case of contractors, usually
they would not have been selected had they not the required competence level.

Training.

Training means helping people to learn how to do something, telling people what they should or should not
do, or simply giving them information. Training isn't just about formal 'classroom' courses.

Training can be on the job, done online, in the classroom, or one to one. Closely associated with training is
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 86
 5.5 - Competence and Training.

coaching and mentoring.

There are usually five stages to implementing a training programme in your organisation:

STEP 1: Decide what training your organisation needs.

STEP 2: Prioritise these needs.
STEP 3: Choose your training methods and determine your resources.
STEP 4: Deliver the training.
STEP 5: Check the training has worked.

Oil and Gas Industry Training.

In addition to the relevant professional qualifications (such as in engineering, or welding etc.) Oil and Gas
companies usually require all of their employees to undergo mandatory training before going offshore.

For example:

• Basic industry safety training:

o Introduction to the Hazardous Offshore Environment.
o Working Safely including Safety Observations Systems.
o Understanding the Risk Assessment Process.
o Tasks that Require a Permit to Work.
o Personal Responsibility in Maintaining Asset Integrity.
o Using Manual Handling Techniques every day.
o Controlling the use of Hazardous Substances Offshore.
o Knowledge and Practices of Working at Height.
o Being Aware of Mechanical Lifting Activities.
• Basic Offshore Safety Induction & Emergency Training (BOSIET):
o Safety Induction.
o Fire Safety and Basic Fire fighting.
o First Aid.
o Helicopter Safety & Escape.
o Survival at Sea.

5.6 - Techniques, principles, and importance of Standard Operating Procedures and Maintenance.

If there is a need for us to control Safety, Quality, Cost and Delivery then a safe, standard method of
working is essential, this is commonly known as a Standard Operating Procedure or Standardised Work.

Any process that is allowed to operate in a non-controlled manner will inevitably produce variations in the
products or services it generates. These variations are a consequence of the differing methods, employed
by different personnel and different shifts. The end result of these variations will be quality problems,
equipment failures, non achievement of performance targets and health and safety concerns.

SOPs are a way of ensuring consistency; they should be viewed as the foundation upon which any
improvement can be developed. SOPs are intended to be specific to the organisation or facility whose
activities are described and assist that organisation to maintain their process safety, quality control and
ensure compliance with governmental regulations.

If not written correctly, SOPs are of limited value. In addition, the best written SOPs will fail if they are not
followed. Therefore, the use of SOPs needs to be reviewed and reinforced by management, preferably the
direct supervisor. Current copies of the SOPs also need to be readily accessible for reference in the work
areas of those individuals actually performing the activity, either in hard copy or electronic format, otherwise
SOPs serve little purpose.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 87
 5.6 - Techniques, principles, and importance of Standard Operating Procedures and Maintenance.

General principles:

• Kept as short and as simple as possible.

• Easy to read language.
• Should use visual aids such as photos and charts as appropriate.
• Be prepared in consultation with all necessary stakeholders such as workers, production,
engineering, H&S, quality and management.
• Should be reviewed by immediate supervisor and approved by someone more senior who has the
appropriate technical competence.
• Kept up to date, reviewed regularly and revised as appropriate.
• Should form the basis of task training.
• Be available when needed. Possibly displayed at point of use, and easily retrievable in a database.

Comprehensive written operating procedures should be generated, where applicable, that address:

• Abnormal operating procedures.

• Temporary operating procedures.
• Plant trials.
• Emergency operating procedures.
• Commissioning.
• Plant Start-up.
• Plant Shut-down.
• Bulk loading and unloading.
• Process change.
• Plant change.

Maintenance.

Certain maintenance procedures are necessary to mitigate a major accident hazard, such as Permit to
Work, Non-Destructive Testing and Change Procedures.

The following aspects should be considered:

• Human factors.
• Poorly skilled work force.
• Unconscious and conscious incompetence.
• Good maintainability principles.
• Knowledge of failure rate and maintainability.
• Clear criteria for recognition of faults and marginal performance.

The following issues may contribute towards a major accident or hazard:

• Failure of safety critical equipment due to lack of maintenance.

• Human error during maintenance.
• Static or spark discharge during maintenance in an intrinsically safe zone.
• Incompetence of maintenance staff.
• Poor communication between maintenance and production staff.

Major hazards could arise from the following:

• The lack of control of spares such that incorrect materials or items outside specification (e.g. non-
flameproof equipment) are used in replacement of plant items leading to increased risk of loss of
containment, fire or explosion.
• Failure to drain and/or isolate plant prior to dismantling causing release of flammable or toxic
substances.
SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805
NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 88
 5.6 - Techniques, principles, and importance of Standard Operating Procedures and Maintenance.

• Maintenance being performed incompetently (particularly alarm/action set points on instruments

incorrectly set, alignment of couplings on pumps and agitators causing overheating, motors running
in wrong direction, safety features left disconnected/dismantled, gaskets left out, bolts torqued
incorrectly or bolts missing, non-return valves orientation incorrect, pipework/flexibles incorrectly
connected/installed, pipeline spades/orifice plates left in/removed).
• Scheduled maintenance not being undertaken as required or breakdown maintenance inadequate,
leading to unrevealed failures of safety critical items.
• Lack of knowledge by maintenance staff of the working environment where maintenance is being
carried out leading to ignition of flammable substances.
• Unauthorised staff performing maintenance functions.
• Failure to re-commission plant correctly after maintenance to ensure that operations are not
adversely affected in terms of safety considerations (e.g. contamination, flow rate changes, heat
transfer rate changes, mass transfer rate changes).

5.7 - Control of ignition sources during maintenance and operations.

Area classification is a method of analysing and classifying the environment where explosive gas
atmospheres may occur. The main purpose is to facilitate the proper selection and installation of apparatus
to be used safely in that environment, taking into account the properties of the flammable materials that will
be present.

Hazardous areas are classified into zones based on an assessment of the frequency of the occurrence and
duration of an explosive gas atmosphere. Fixed sources of equipment (for example: lighting, pumps,
motors, switches etc.) in those areas are designed to prevent "sparking" during their operation. In other
words, should they come into contact with a flammable material, they cannot ignite the material. More
about this in Element 4.

Maintenance work is periodically undertaken on or around, live process plant. This work may involve the
use of ignition sources (for example: burning or welding work, vehicle movements, use of power tools etc.).
Such work must be strictly controlled to avoid the possibility of fire and explosion. If carrying out Hot Work,
then a Hot Work Permit would usually be required.

The first step is to identify the possible sources of ignition.

These may include:

• Flames.
• Direct fired space and process heating.
• Use of cigarettes/matches.
• Cutting and welding flames.
• Hot surfaces.
• Heated process vessels such as dryers and furnaces.
• Hot process vessels.
• Space heating equipment.
• Mechanical machinery.
• Electrical equipment and lights.
• Spontaneous heating.
• Friction heating or sparks.
• Impact sparks.
• Sparks from electrical equipment.
• Stray currents from electrical equipment.
• Electrostatic discharge sparks.
• Lightning strikes.
• Electromagnetic radiation of different wavelengths.
• Vehicles, unless specially designed or modified, are likely to contain a range of potential ignition

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 89
 5.7 - Control of ignition sources during maintenance and operations.

sources.

The possible controls are:

Figure 1. Sources of ignition and suggested control measures.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 90
 5.7 - Control of ignition sources during maintenance and operations.

Figure 2. More ignition sources and suggested control measures.

5.8 - Cleaning, Gas-Freeing, Purging, Inerting and NCDs.

Inadequate preparation of tanks, vessels and equipment which have held flammable materials, before
starting repair work has resulted in many serious accidents. It is essential therefore that the potential
hazards are fully appreciated, and that appropriate planning and preparation for the work is undertaken.

Cleaning and gas freeing are processes that are applied to tanks, vessels or other equipment in order to
prepare them for maintenance activities, such as hot work and confined space entry.

The operation of gas-freeing should be distinguished from that of cleaning. Gas-freeing (or purging) means
the removal of flammable gas or vapour from a tank, whereas cleaning refers to the removal of solid and
liquid residues.

When the residual material has been removed from the equipment, the cleaning and gas-freeing process
can commence.

The usual method of gas-freeing large tanks is by air ventilation, natural or forced. Air can be introduced
into a tank using eductors, air movers or any other suitable method which does not create a source of
ignition.

Ventilation and testing should continue during cleaning operations, to ensure that any vapour that may be
released is removed. It is important to remember during all gas-freeing operations that the use of gas
detection equipment, and the interpretation of the results, requires training and experience.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 91
 5.8 - Cleaning, Gas-Freeing, Purging, Inerting and NCDs.

Figure 1. Gas-freeing.

Before vessel entry is allowed, it is also necessary to ensure the absence of toxic gases (for example:
hydrogen sulphide) and the presence of sufficient oxygen. The concentration of which should be at least
19%. Oxygen enrichment is a severe fire hazard.

Hot water washing, high pressure water jetting and steam cleaning are commonly used for the removal of
residual product. When steam cleaning or high pressure water jetting, the risk of static build up must be
considered.

Inerting and purging.

In cases where gas-freeing and cleaning cannot be carried out, or are impracticable for other reasons, an
alternative procedure for hot work on the outside of a tank is to make the atmosphere, containing the
flammable material, non-flammable and non-explosive. This may be done in a number of ways, but the
general principle is to "purge" the tank atmosphere by removing the oxygen, thereby preventing
combustion. Nitrogen is often used for this purpose.

Nitrogen purging is an industry standard technique for the replacement of a hazardous or undesirable
atmosphere with an inert atmosphere. The two most common methods of purging are displacement and
dilution. The geometry of the process system determines which method is used.

For simple systems, displacement purging is usually more effective in terms of time and cost but, for more
complex systems, dilution purging is used.

The difference between inerting and purging.

Purging usually refers to the short-term addition of an inert gas to a tank, process vessel, or other piece of
process equipment that contains flammable vapours or gases to render the space non-ignitable for a
specific time period.

In contrast, inerting (or blanketing) is the long-term maintenance of an inert atmosphere in the vapour
space or a vessel during normal operation, e.g. filling and emptying of storage tanks.

Often the simplest and easiest way to inert a small tank or drum is to fill it with water, removing any air
bubbles in the process.

Non Condensable Products (NCDs).

NCDs from petroleum processing units (such as distillation columns or steam ejectors) are products that
are not easily condensed by cooling and remain trapped in the system. Essentially they are fluids that
remain in a gaseous state all the way through the normal temperature/pressure ranges. They consist

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 92
 5.8 - Cleaning, Gas-Freeing, Purging, Inerting and NCDs.

mostly of nitrogen, light hydrocarbons, and carbon dioxide.

Air consists of a number of NCDs. These include oxygen, nitrogen, argon and carbon dioxide.

Boiler feedwater contains a small percentage of non-condensable gases in solution. When the boiler water
changes state (liquid to vapour), the non-condensable gases are released and carried with the steam into
the plant. Steam will release the latent energy to the process and condense down to condensate in the heat
transfer area, but the non-condensable gases do not condense. These gases stay in the heat transfer
component unless some method or action removes them.

The presence of NCD gases in a steam system increases corrosion, which brings about costs associated
with excessive consumption of anti-corrosion chemicals and frequent repairs. NCD gases also cause a
decrease in steam pressure and therefore in temperature. Energy transfer being less efficient, the pressure
in heat exchangers must be raised in order to obtain the target temperature. Consequently, it takes more
fuel to heat the product at the required temperature.

NCDs, can also have a serious impact on the system operating conditions, efficiency and lifetime of
refrigeration or air conditioning systems.
5.9 - Example exam questions on Plant Operations and Maintenance.

Here are examples of past exam questions on plant operations and maintenance. As we have said
previously, there is no guarantee that these questions will ever be asked again, but these will give you a
good idea of the types of questions you could be asked.

On an oil and gas production platform asset integrity includes testing of safety critical systems such as fire
detector operation.

1. Outline additional safety critical systems that may be tested (8).

2. Give the meaning of competence (2).

5.10 - Summary.

The learning outcome for this section was:

5.0 - Explain the importance of safe plant operation and maintenance of hydrocarbon containing equipment
and process.

In summary we have learnt:

• The principles of asset integrity.

• The different types of maintenance strategies.
• About risk based inspection and testing of Safety Critical Elements.
• The different methods of corrosion prevention.
• About the importance of training and competence in the oil and gas industry, and how these can be
measured, maintained and improved.
• The principles behind Standard Operating Procedures for operations and maintenance.
• About the control of ignition sources during operations and maintenance.
• About cleaning, gas-freeing, inerting, purging and non-condensables.

6.0 - Commissioning, Start-up and Shut-down.

Commissioning, Start-up and Shut-down are some of the most critical milestones on projects in the oil &
gas, refinery, petrochemical and power industry and can take many months to complete. They can also be
some of the most hazardous. A number of major accidents have occurred during these projects, including

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 93
 6.0 - Commissioning, Start-up and Shut-down.

the Texas City refinery explosion.

The activities involved in these milestones can include:

• Pressure-up or pressure down.

• Plant Heating and/or cooling.
• Introduction or suspension of feed.
• Introducing heating and/or cooling sources.
• Bringing plant to desired operating conditions or shutting it down in a controlled manner.
• Increasing or Reducing flow rates.
• Draining liquids.
• Removing undesirable materials from the system.
• Leak testing with pressurised gas.
• Line blowing with pressurised gas.
• Steaming.
• Washing.
• Drying out.
• Breaking in of pumps and compressors.
• Tightness testing.
• Blowdown system testing.
• Installing and/or removing blinds.
• Valve replacement or repair.
• Pipe replacement or repair.
• Non destructive testing of metalwork and vessels.
• Installation removal of temporary bypass lines.
• Welding and other hot work.

The start-up and shut-down procedures should be ordered and phased so that interlinked plant operations
can resume or cease in a safe and controlled manner. If you recall the OSHA standard on PSM, it requires
a Pre-Start Up Safety Review.

Hazards associated with such operations include:

• Release and ignition of flammable vapours.

• Release of toxic gas (for example: hydrogen sulphide).
• The release of stored energy.
• Isolations not removed after maintenance, causing overpressure and burst pipes valves (such as in
Piper Alpha).
• Thermal shock when heating/cooling equipment.
• Overpressure of plant and equipment.
• Release and ignition of flammable hydrocarbons.
• Other occupational hazards such as falls from height, burns, asphyxiation, mechanical hazards,
slips/trips, exposure to radiation etc.

In addition to well trained staff, good supervision and effective communications (for example: radio
communications) the following controls should help to ensure effective and safe plant start up and
shutdown.

Shut-down controls include:

• Use of Permits to Work to control activities and interaction between plant and contractors.
• Effective Isolation of equipment (electrical, mechanical etc.) and LOTO.
• Venting, draining and removal of materials from equipment.
• Purging and cleaning of equipment.
• Spading or blanking of equipment (use of a "spade" list to record where they are and check they are

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 94
 6.0 - Commissioning, Start-up and Shut-down.

all removed afterwards).

• Testing for flammable or asphyxiating gases (for example: before hot work or vessel entry).

Start–up controls include:

• Ensure that Permits are closed out and the equipment is ready for use.
• Spades and blanks removed to allow flow of hydrocarbon and gases.
• De-isolation of equipment.
• Vents and drains closed to prevent leaks.
• Instruments calibrated so they record accurate data and work as required.
• Alarms and gas detection systems tested and in good working order.
• ESD systems, flares, relief valves and deluge systems tested and functional.
• Pressure, leak and integrity testing, often with the use of pressurised inert gases.
• Emergency plans in place.

6.1 - Water and hydrates presence and removal.

Natural-gas hydrates are ice-like solids that form when free water and natural gas combine at high pressure
and low temperature. This can occur in gas and gas/condensate wells, as well as in oil wells and pipelines.
Hydrates are known to be one of the most challenging problems in the oil and gas industry. Methane
hydrates causing a blowout were the immediate cause of the BP Deepwater Horizon disaster, killing 11
people and causing billions of dollars worth of damage and pollution.

In drilling, record water depths are continuously being set by oil companies in the search of hydrocarbon
reserves in deep waters. Due to environmental concerns and restrictions, water-based drilling fluids are
often more desirable than oil based fluids, especially in offshore exploration. However, a well recognised
hazard in deep water offshore drilling, using water-based fluids, is the formation of hydrates in the event of
a "kick".

What is a "kick"?

The downhole fluid pressures are controlled in modern wells through the balancing of the hydrostatic
pressure provided by the mud used. Should the balance of the drilling mud pressure be incorrect then
formation fluids (oil, natural gas and/or water) begin to flow into the wellbore and up the annulus (the space
between the outside of the drill string and the walls of the open hole or the inside of the last casing string
set), and/or inside the drill pipe. This is commonly called a "kick".

What can happen during a "kick"?

If the well is not shut in (common term for the closing of the blow-out preventer valves), a kick can quickly
escalate into a blowout when the formation fluids reach the surface, especially when the influx contains gas
that expands rapidly as it flows up the wellbore, further decreasing the effective weight of the fluid.

Other than blowouts, the formation of gas hydrates in water-based drilling fluids can cause the following
problems:

• Gas hydrates could form in the drill string, blow-out preventer (BOP) stack, choke and kill line. This
could result in potentially hazardous conditions i.e. flow blockage, hindrance to drill string
movement, loss of circulation, and even abandonment of the well.
• As gas hydrates consist of more than 85 % water, their formation could remove significant amounts
of water from the drilling fluids, changing the properties of the fluid. This could result in salt
precipitation, an increase in fluid weight, or the formation of a solid plug.

Prevention of hydrate formation.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 95
 6.1 - Water and hydrates presence and removal.

The hydrate formation condition of a kick depends on the composition of the kick gas as well as the
pressure and temperature of the system. A combination of salts and chemical inhibitors, which could
provide the required inhibition, could be used to avoid hydrate formation.

Different methods are currently in use for reducing hydrate problems in hydrocarbon transfer lines and
process facilities.

The most practical methods are:

• At fixed pressure, operating at temperatures above the hydrate formation temperature. This can be
achieved by insulation or heating of the equipment.
• At fixed temperature, operating at pressures below hydrate formation pressure.
• Dehydration i.e. reducing water concentration to an extent of avoiding hydrate formation.
• Inhibition of the hydrate formation conditions by using chemicals such as methanol and salts.
• Changing the feed composition by reducing the hydrate forming compounds or adding non hydrate
forming compounds.

Figure 1. A large gas hydrate plug formed in a subsea hydrocarbon pipeline. Picture from Petrobras
(Brazil).

Figure 2. A simple chart showing the relationship between pressure and temperature in hydrate formation.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 96
 6.2 - Commissioning, testing and hook up procedures.

Commissioning of process plant is the practical test of the adequacy of prior preparations, including training
of operating personnel and provision of adequate operating instructions. The initial start-up of a production
system is one of the most challenging periods in field life; it is the first time the whole system has to work
together. Since the possibility of unforeseen eventualities cannot be eliminated during this period when
operating experience is being gained, the need for safety precautions should be reviewed. Written
instructions should be provided for all commissioning activities.

"Hook up" refers to making the connections from the well to the oil and gas separator and from the
separator to either the storage tanks or a flow line. It also includes connection of the utilities needed for the
controls to function.

A general sequence of steps in commissioning and hook up may typically include:

• System Configuration Check.

o The purpose of this activity is to trace all pipework and connections to verify the system
configuration, and to visually inspect items of equipment to ensure that they are clean, empty
and fit for purpose as appropriate.

• Instrumentation System Check - Verification of Alarms and Trips.

o The purpose of this activity is to ensure that all instrumentation, alarm settings,
microprocessor signals and hardwire trips pertaining to the installation are functional. This
will also check that signals from the field instrumentation are displayed locally and are being
correctly relayed to the computer interface rack, as well as to the computer system.

• Flushing and Cleaning of Lines and Vessels with Water.

o The purpose of this activity is to clean all items of pipework and the vessels that make up the
installation. This task shall also ensure that there are no obstructions, blockages or any
potential contaminants in any of the process lines or vessels that may have resulted from
materials being left inside the system from the construction phase.

• Assessment of Ancillary Equipment.

o The main aim of this assessment is to verify the performance of all ancillary equipment. This
may include pumps, fans, heat exchangers, condensers etc.

• Calibration of Vessels and Instrumentation.

o The purpose of this activity is to check the calibration and performance of all vessels and
instrumentation pertaining to the installation.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 97
 6.2 - Commissioning, testing and hook up procedures.

Figure 1. Objectives of commissioning.

Figure 2. The result of a flare line failure during commissioning.

6.3 - Example exam question on Start-up and Shut-down.

Here is a past exam question on start-up. As we have said previously, there is no guarantee that this
question will ever be asked again, but this will give you a good idea of the types of questions you could be
asked.

Following an annual shutdown of a process plant outline the operational control measures that could
minimise the risk of an incident before filling equipment in preparation for start-up (8)

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 98
 6.4 - Summary.

The learning outcome for this section was:

6.0 Outline the hazards, risks and controls to ensure safe start up and shut down of hydrocarbon containing
equipment and process.

In summary we have learnt:

• The types of activities carried out during commissioning, startup and shutdown.
• The hazards and controls in startup and shutdown.
• The hazards and controls in relation to hydrate formation and "kicks".
• Common procedures during commissioning, testing and hook-up.

Question 3.

Please select the three correct missing words from the list below.

There are many other words associated with competency, such as:

• ______________
• Capable
• ______________
• Skilled
• ______________
• Experienced

Question 4 - Permit to Work.

Select the correct missing word from the below statement.

______ is a formal scheduling and reporting system for the maintenance of property and equipment.

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 99
 SHEilds – General Contacts

SHEilds UK SHEilds FZ-LLC

SHEilds House Block 19
24 Priory Tec Park Office 204
Saxon Way Knowledge Village
Hessle Dubai
Hull PO Box 501725
HU13 9PB
Tel: +971 4 3754012
Tel: 0845 122 3408 Email: info@[Link]
Intl: +44 (0) 1482 806 805
Email: info@[Link]

Safety Training India Mumbai Safety Training India

Office No. 305, Third Floor, Sangeet Plaza,
Hyderabad
Near to Marol Fire Brigade,
8-1-21/144/1, Flat No 301
Marol-Maroshi Road,
Rismy Towers, Surya Nagar Colony
Marol Naka,
Tolichowki X Roads
Andheri (E),
Near Orange Honda Showroom
Mumbai 400 059
Hyderabad - 500008, A.P
India
Tel: +91 (0) 40 6464 0660
Tel: +91 (0) 22 3222 6805
Tel: +91 (0) 98 8575 7517
Tel: +91 (0) 72 0830 6494
Email: info@[Link]
Email: info@[Link]

Safety Training India Delhi South Africa Office

202, 203 2nd Floor, Savanah Office Park
Building No. 7, Corner. Rugby Street
Local Shoping Center, and 9th Avenue,
Near Pushpa Bhawan, Weltevredenpark,
New Delhi 110062 Roodepoort, 1715

Tel: +(0)11 43005888 Tel: +2711 675 4177

Tel: +91 9540828481 Tel: +2711 675 4178
Email: info@[Link] Tel: +2711 675 4179
Email: success@[Link]

SHEilds Ltd [Link] eLearning: [Link] Tel: +44(0)1482 806805

NEBOSH Intl Oil & Gas Safety Certificate v2.0 (30/10/2015) Page: 100