Health and Safety Executive

Process safety management systems

SPC/TECH/OSD/13

Purpose

This document describes key elements of a process safety management system, in a format based on the HSE publication, HSG65, Successful Health and Safety Management(1). It develops general safety management system principles into specific expectations for management of process integrity on offshore installations. It is intended for use as a basis for inspection or audits of process integrity, and as an aid for safety case assessment. It can be made available to duty holders if required.

Background

This SPC provides guidance in support of HID/OSD’s Inspection Manual, and HSE’s Assessment Principles for Offshore Safety Cases (APOSC)(8). It provides an overview of Process Safety Management, and is complementary to a series of other OSD documents relating to process integrity, which provide greater detail on specific topics (9 - 15, 33 - 36). This note updates a previous version of this document (OSD PBN 00/01). The original document was produced after several deficiencies in process safety management had been noted during OSD’s intervention activities.

1 Introduction

There is no single “correct” model of a process safety management system. Some duty holders have separate safety management systems for different assets, whereas others may adopt a more functional approach. In principle, different standards and procedures could be used within each of the assets or functions. In practice, however, the systems need to be developed within the constraints of the corporate SMS, and there will inevitably be areas of overlap. Some duty holders give greater emphasis than others to corporate procedures. Each duty holder should adopt arrangements that are appropriate for its business and culture; the management arrangements for process safety should be tailored accordingly.

2 Policy

Relevant Legal Provisions: An employer has a legal duty under s.2 (3) of the HSWAct 1974 to have a written policy statement with respect to health and safety. This statement of his general policy should include the organisation and arrangements for carrying out that policy, including those applicable to process safety. The MHSW Regs 1999, Reg 5 also require a record of arrangements for planning, organisation, control, monitoring and review of preventive and protective measures, including those applicable to process safety.

There is no legal requirement for a company to have a policy statement that is specific to process safety management, but it is recognised good practice(3 - 5), and helps to define the management requirements.

In addition to expressing the duty holder’s commitment to safe design and operation, compliance with legal requirements and the responsibility of employees for safe operation etc., a good policy statement, or supporting documentation, would indicate the organisation’s approach to process safety management. This would include commitment to matters such as:

  • Principles of inherent safety
  • A coherent approach to risk assessment
  • Communication of the hazard management process
  • Ensuring competence, and adequacy of resources
  • Working within a defined safe operating envelope
  • Careful control of changes that could impact on process safety
  • Maintaining up to date documentation
  • Maintenance and verification of safety critical systems
  • Line management monitoring of safety critical systems and procedures
  • Independent audits of management and technical arrangements
  • Investigation and analysis of incidents to establish root causes
  • Reviewing process safety performance on a regular (e.g. annual) basis
  • Continuous improvement, with regularly updated improvement plans
  • Principles of quality management e.g. ISO 9000

Senior management should endorse the policy, which should be adequately communicated; commitment to it should be visibly demonstrated.

3 Organising

3.1  Control

Relevant Legal Provisions: Reg 5 of the MHSW Regs 1999 requires an “organisational structure” to provide for progressive improvement in health and safety, and adequate “control” to ensure that decisions are implemented as planned. The guidance given below describes some “good practice” to help meet the legal requirements.

In HSG65 (1) terminology, “control” involves putting the policy into practice. There should be a senior figure in the organisation to co-ordinate general safety policy implementation, and a safety management programme with objectives and performance criteria.  Process safety may have a separate programme, or it may be integrated into the general programme.

Responsibilities should generally be allocated to line managers, with specialists acting as advisers.  Responsibilities and accountabilities should be clearly assigned, and appropriately reinforced e.g. through performance reviews.  Line management should be actively involved in monitoring performance, and evaluating the achievement of performance criteria.

There should be sufficient resources and expertise for the management of process safety. This is unlikely to be achieved unless there is stable support for the asset. There is no legal requirement for resources, such as technical support, to be provided in-house. In some of HSE’s inspections, however, a lack of expertise has been noted where there has been a reliance on outsourcing of engineering requirements (13).

3.2  Communication / co-operation

Relevant Legal Provisions: HSWA 1974, s.2 (2) (c) requires “the provision of such information, instruction and supervision as is necessary...”, and s.2 (6) requires employers to consult representatives over arrangements which will enable the employer and employees to co-operate effectively. Reg. 10 of MHSWR 1999 requires employers to provide employees with comprehensible and relevant information on risks to their health and safety, preventive and protective measures, and emergency procedures. Reg. 11 requires co-operation and co-ordination of measures between different employers in the same workplace; it is not applicable to co-operation between employers and employees.

HSG65 (1) notes that communication is often the single most important area that requires improvement. It is important for management to demonstrate commitment through written/verbal communications, installation visits etc. Communications of particular relevance to process integrity are:

  • The meaning and purpose of the policy for process integrity
  • Objectives, standards, and procedures relating to policy implementation
  • Communications to secure involvement and commitment of employees
  • Responses to comments and ideas for improvement
  • Meetings where teams discuss process related safety matters
  • Discussion of lessons from accidents and incidents
  • Communication of plant status at shift and crew change handovers

Effective communication is particularly important when responsibility for a task is handed over to another person or work team (2). This can occur at shift changeover, between shift and day workers, or between different functions within a shift (e.g. operations and maintenance). High-risk situations include:

  • Those where maintenance is carried out across a shift change
  • Deviations from normal working, including start up / shutdown
  • Crew change situations, and
  • Handovers between experienced and inexperienced staff.

Duty holders should have procedures which specify simple steps to improve communications at shift / crew change (2). These include:

  • Carefully specifying what information needs to be communicated
  • Cutting out the transmission of unnecessary information
  • Using aids such as structured logs or computer displays
  • Ensuring that key information is transmitted both verbally and in writing

3.3  Training / competence

Relevant Legal Provisions: There is no legal requirement for a specific competence assurance programme, but such programmes are recognised good practice (e.g. UKOOA and E&P Forum Guidelines). Reg 9 of PUWER 1999 requires employers to ensure that all persons who use work equipment have received adequate training, including training in methods of use, risks such use may entail, and precautions to be taken. Reg 3 (3) of PUWER extends this duty to others who have control, to any extent, of work equipment, including duty holders. MHSWR 1999 places specific requirements on employers to provide information for employees (Reg 10), and to take their employees’ capabilities into account, and ensure they are provided with adequate health and safety training (Reg 13).

3.3.1  Training programmes (3-5)

The design of a training programme for process personnel should include the general training that everyone on the installation receives, and process-specific training. Training should include Management of Change procedures, and techniques for process Hazards Analysis and Risk Assessments. Duty holders should define:

  • How (safety related) process training objectives are set;
  • What subjects are to be included in the training programme;
  • Responsibility for developing and validating training material;
  • How primary responsibility for the training is assigned;
  • How competence is established.

Process specific training should deal with:

  • The basic process, and design of the plant;
  • Critical factors which affect productivity and safety;
  • Safety considerations relating to flammability, explosivity, and toxicity.

Task specific training includes basic principles of common unit operations, such as separation, heat transfer, pump and compressor operation, and concepts of process control.  Specific unit training then concentrates on details of the units that comprise the process.

Training on operations procedures should include:

  • Safe operating limits;
  • Actions to keep within safe limits, and consequences of failing to do so;
  • Procedures for start up, normal operation and shutdown;
  • Contingencies for upsets and / or emergencies.

Training for personnel performing maintenance in process areas should include relevant aspects of process specific training. Contractor organisations should be provided with sufficient process hazard information, and site-specific information, for them to train their employees.

There should be provisions for periodic review of training material, and refresher training should be provided as and when required. Training should be frequent enough to maintain skills. It may be that for some infrequent operations, training should be given each time the operation is undertaken. Training records should be kept for comparison with the schedule, and the effectiveness of training programmes should be appropriately evaluated.

3.3.2  Competence assurance

Training does not guarantee competence, but it contributes towards it. Competence includes knowledge, skills, experience, and personal qualities. Offshore industry guidance (E&P Forum Guidelines) (24) states that systems of competence assurance should apply to initial recruitment and selection for new activities, and to both staff and contractors. Competence assessment schemes are available for process operators and maintenance technicians, and many companies have formal in-house schemes.

Training can be categorised into “general” and “specific” training. General training includes those subjects with which everyone at the facility should be familiar. Specific training covers core or trade skills. Competence assessment of core / trade skills is probably the most widely developed. Lead bodies, such as OPITO, set competence criteria on which qualifications can be based. Awarding bodies act independently to issue National Vocational Qualifications.

3.3.3  Enhancement of process safety knowledge (3)

Codes, standards, and guidelines for process equipment change with time; it is important for duty holders to make provision for the continuing education of technical personnel on process safety topics.

4  Planning and implementing

4.1  Introduction

Key outputs from the planning process are (1):

  • Health and safety strategy statements;
  • Plans with objectives for developing, maintaining and improving the SMS;
  • Specification of management arrangements, risk control systems, workplace precautions, and performance standards;
  • Up to date documentation.

Key tasks for implementing are:

  • Implementation of operational plans, management arrangements, risk control systems, workplace precautions etc.;
  • Provision of the necessary resources and information;
  • Provision of feedback on performance;
  • Ensuring communication and participation at all levels.

Systems of planning and implementing for process integrity can be broken down into phases dealing with, a) the definition, b) the operation, and c) the maintenance, of a safe working envelope. This section of the SPC covers each of these phases in turn.

Relevant legal provisions: Various aspects of Planning and Implementing are subject to specific legislation, as indicated below.  However, unless otherwise stated, the detailed expectations specified in Sections 4.2 to 4.7 should generally be treated as “guidance”.

Risk assessment: Reg 3 of MHSWR 1999 requires a suitable and sufficient risk assessment. Reg 5 of PFEER 1995 requires: a specific assessment of various events which could give rise to a major accident involving fire or explosion; the establishment of appropriate standards of performance for measures for protecting persons from such major accidents; and the selection of appropriate measures.

Planning and control: Reg 5 of the MHSWR 1999 requires arrangements for “planning” and “control” of preventive and protective measures identified on the basis of risk assessment. Reg 9 of PFEER 1995 requires the duty holder to take appropriate measures with a view to (a) preventing fire and explosion, including such measures to ensure the safe production, processing, use, storage, treatment, movement and other dealings with flammable or explosive substances and (b) preventing the uncontrolled release of flammable or explosive substances.

Suitability of equipment: Reg 4 of PUWER 1999 requires employers to ensure that work equipment is only used for operations for which, and under conditions for which it is suitable. Reg 3 (3) of PUWER extends this duty to others, including duty holders. Reg 10 of PUWER requires conformity with Community requirements.

Information and instructions: Reg 8 of PUWER requires employers to ensure that persons who use, supervise or manage the use of work equipment have adequate health and safety information, and where appropriate, written instructions on the use of the equipment. Reg 3 of PUWER extends this duty to others who have control, to any extent, of work equipment, including duty holders.

4.2  Definition of the operating envelope

4.2.1  Design philosophy / basis of design / documentation (3 - 5)

Relevant Legal Provisions: Reg 4 of MHSWR 1999 requires employers to implement preventive and protective measures on the basis of principles of prevention.

The design philosophy should be based on inherent safety principles. The design basis is used to define the operating conditions and limitations of the process. Examples include pressure and temperature ranges, flow rates to achieve the production capacity, concentrations and ratios to provide safe and efficient operation, and the control philosophy. The consequence of exceeding these limits should also be defined.

Much of the process design information described above is shown on Process Flow Diagrams (PFDs), which can show information in varying levels of detail. Piping and Instrument Diagrams (P&IDs) show all process and utility piping, instrumentation and protective systems. These drawings also typically show design temperature and pressure ratings for vessels, piping specifications, relief valve settings, capacities of vessels etc.

Vendor packages within a process should be identified on the PFDs and P&IDs. Since there are usually only a limited number of copies of technical data for these units, at least one set of the vendor documents should be maintained on a central file with controlled access. Other copies may be utilised where most required for reference or troubleshooting.

Plot plans should show the layout of major process equipment and services. The plan should note special design and layout considerations, such as separation distances. Electrical area classifications are important where hydrocarbons or other flammable materials are handled.

Specification sheets should be provided for items of process equipment such as pumps, compressors, vessels, heat exchangers, and protection systems (e.g. overpressure protection, trip systems, fire mitigation systems). These sheets should typically show the design codes and standards used, the expected process conditions, the design conditions, the materials of construction, and other mechanical details.

Piping specifications include, for each line, the type of pipe used along with data on the types of fittings, valves, and gasket materials that are acceptable for the expected process materials and conditions, and the acceptable standards and conditions that the piping components must meet.

A safety critical index is a listing of all the instruments, in the process, which are important to maintaining process safety. These may include sensors, transmitters, controllers, control valves, pressure reducers etc. Each of the instruments should have a complete instrument specification sheet, with design conditions, required materials of construction for the portions in contact with process fluids, as well as the range it must cover, and its protective function.

4.2.2  Safety reviews / hazard studies etc. (3 - 5, 22)

For projects, there should be a safety review procedure, giving details of the reviews to be undertaken at the various stages of the project. Safety reviews occur at different stages. The complexity and size of a project will determine what safety reviews are needed, and when and how they should be done.

At the conceptual engineering phase, Checklist, What-if?, or Preliminary Hazards Analysis techniques are often used. In the detailed design phase, there should be a review mechanism to ensure that safety information from the conceptual engineering phase is transferred and used. After P&IDs are available, a more in-depth analysis can be completed (e.g. HAZOP, or similar analysis).

Pre-start up safety reviews are very important, and provide the final check before the process is put into operation. They include a review of the operating procedures, and an inspection of the facility to verify that recommendations from previous studies have been implemented.

Process safety information should include reports documenting the hazard identification and analysis activities undertaken. The reviews should assign responsibilities for actions, and there should be a tracking system to record action status.

(Note: a particular problem found by HSE’s inspectors has been of HAZOP actions remaining unresolved or uncompleted (13)).

4.2.3  Miscellaneous design considerations

Some areas of plant operation are known to give rise to a disproportionate number of hydrocarbon releases. For example, incident returns from OSD’s Hydrocarbons Release Database (17) show that a high proportion of gas releases emanate from small bore piping and instrument fittings. Duty holders should recognise such risks, and aim to design them out as far as is reasonably practicable. Guidance on the Management, Design, Installation and Maintenance of Small Bore Tubing Systems (18) has been prepared by UKOOA, in conjunction with the Institute of Petroleum, and provides a basis for action.

The importance of Relief and Blowdown systems has led to extensive work being carried out by international bodies such as API, and the Design Institute for Emergency Relief Systems (DIERS). These bodies have produced codes of practice typified by API 520/521 (29, 30). The codes have been supplemented by an IP guidance document, which assesses some aspects of the codes, and provides a practical guide for safe and optimum design (31).

It is vitally important to think out the philosophy of design for pressure protection at the beginning of the design process. Many of the problems that have occurred in relief and blowdown systems result from lack of strategic vision of the approach to be taken. Failures of protection systems are a regular event, and every year there are instances of either choked flare systems or liquid carry over from flare or vent stacks (31).

High Integrity Pressure Protection Systems (HIPPS) are frequently encountered on offshore installations. Other abbreviations describing this design approach include HIPS, HITS (High Integrity Trip System) and OPPS (Over Pressure Protection System). They provide instrumented protection when use of relief valves would be impractical (e.g. subsea), or unsafe, or where relief or other alternatives would be costly.

Before such a system can be adopted it is necessary to demonstrate, by means of a risk analysis or similar technique, that the HIPPS will reduce the risk of the ultimate hazard (such as vessel rupture) below a predetermined acceptable threshold (31). However, considerable care needs to be taken in the design and installation of such systems; examples have been found where the dynamics of such systems were such that the required function (e.g. valve closure) could not be achieved in the required time (13).

In the protective instrumentation arena international standards have emerged, which advocate a risk-based approach to the specification and design of Instrumented Protective Functions / Programmable Electronic Systems (PESs). The concept of Safety Integrity Levels (SILs) is now commonly used for instrumented protective functions, and has largely overtaken the concept of HIPPS (23, 26).

PESs should be designed in such a way as to ensure that safety related control systems have adequate integrity. They must be kept under secure management control and not be accessible to random changing by operators.

Safety critical protection systems should be designed in such a way that the risk of common cause, or common mode, failure is minimised. For example, shutdown systems should be independent from control systems, and the two systems should use separate tapping points (13, 19, 23, 26). Primary isolations to safety critical protection systems should be locked open to ensure that they are not inadvertently isolated.

Plant safety should not rely, ultimately, on operator response to a process control system alarm, but operators working in control rooms have an important role to play in the safety of process plant. Their mistakes can sometimes escalate into major disasters. Safety-related process alarms should be given special consideration in terms of the design of the operator interface, and the operator support provided (20). Good practice is described in Industry guidelines on Alarm Systems (21). Alarms should be limited to the number an operator can monitor, and respond to, effectively, and configured such that safety critical alarms are distinguishable from other operational alarms.

Interfaces between High Pressure and Low Pressure systems need to be adequately controlled (e.g. between process plant and closed drains systems). The possibility of accidental breakthrough of gas or liquid from a high-pressure system to a lower pressure one should be considered during the Hazard Study process. In view of the number of accidents that have occurred in this way, it is now generally considered better to carry out a specific HP / LP interface study, in addition to the more routine HAZOP procedure (13).

Older installations were often designed to standards that have since been superseded. This has resulted in absence of some safety features, such as blowdown systems, which would now be regarded as important. Similarly, a number of older offshore installations were designed with threaded pipe connections on systems containing hydrocarbons or other hazardous fluids. Piping codes such as ANSI B31.3 would now only allow their usage under very restricted circumstances. Duty holders should have arrangements to review older facilities against current standards to determine whether upgrades would be reasonably practicable (13).

4.3  Operation within the operating envelope

4.3.1  Operating procedures (3)

Relevant Legal Provisions: Reg 8 of PUWER requires instructions to include conditions and methods by which work equipment may be used, foreseeable abnormal situations and the action to be taken, conclusions to be drawn from experience of use, and for the information and instructions to be readily comprehensible to those concerned.

Operating procedures should contain clear instructions for safely conducting activities. They should address each phase of operation, including initial start up, normal operation, emergency operations (including emergency shutdown), normal shutdown, and start-up following emergency shutdown or a turnaround.

Operating procedures should also be developed whenever a temporary or experimental operation is to be conducted. For these, and for other routine procedures, a job safety analysis should also be considered.

In addition to describing the sequence of actions to be taken, the procedures should describe safe operating limits, and other safety information related to the process. The procedures should be written in language and terminology clearly understandable to the operators.

Operating procedures should be kept up to date. They should be periodically reviewed for accuracy and completeness, and monitored for compliance. (Note: Inspectors have frequently found problems with operating procedures being inadequate, or out of date (13)).

4.3.2  Permit to work / Isolation standards

Relevant Legal Provisions: Reg 10 of the Management and Administration Regulations (MAR), 1995 requires use of Permits to Work in specific situations where the nature and scale of risk arising from work to be carried out demands a stringent system of control.

Essential features of permit to work systems for use on offshore installations are detailed in Oil Industry Advisory Committee (OIAC) Guidance on Permit to Work Systems (7).

The main hazards associated with the isolation of plant and equipment relate to the release of hazardous or high temperature / pressure media. The essential requirements of an isolation scheme are also detailed in OIAC guidance (6), which should be used as a standard reference for offshore good practice.

4.3.3  Control of miscellaneous hazards

The following discussion refers to some key risk control systems and procedures which should be in place, and where particular problems have been noted in process inspections / audits (13).

Procedures should be in place for effective control and monitoring of overrides and inhibits on process protection systems (e.g. trip systems designed to ensure that operation within the safe envelope is maintained).

Procedures should also be in place where process safety is dependent on control of valve positions (e.g. implementation and monitoring of locked valve controls on shutdown valve bypasses, at HP / LP interfaces, or on pressure relief systems).

A register of trip and alarm settings should be readily available for each installation. Any changes involving deviation from the design intent should be risk assessed, subject to formal approval, and recorded on the register.

On FPSOs, the performance of process equipment can be significantly affected by vessel motion. The operating crew should be given clear instructions on the action to be taken when the limits of the operating envelope are reached.

Current offshore practice places much emphasis on local workplace risk assessment in the overall control of risks. However, there are indications that such assessments can become routinely mechanistic and superficial unless their quality and rigour are regularly monitored and challenged by management.

Specific hazards applicable to offshore installations, and requiring appropriate management procedures, include hydrates, hydrogen sulphide, and corrosion / erosion (12). Sand production is one source of erosion, and an appropriate sand management programme may be required (15). Industry practices for operations involving hydrogen sulphide are described in API RP 55 (32).

4.4  Maintenance of the operating envelope

4.4.1  Management of change (3 - 5, 14)

Relevant Legal Provisions: In addition to the requirements of Reg. 5 MHSWR 1999, Reg. 9 (1) of the Safety Case Regulations requires operators or owners to revise the content of the Safety Case as often as may be appropriate. Even apparently minor modifications should be assessed for risk, logged, and relevant documentation updated.

Many of the catastrophic events that have occurred in process facilities are attributable to changes. Duty holders should have systems for ensuring that changes to the process and its equipment, or to the management system itself, are properly evaluated before their introduction.

Any management of change procedure must include personnel who have the expertise to review the proposed changes and ensure that they will not result in operations outside established safe operating limits. The people who can authorise a change should be clearly identified.

All changes should have some level of safety review. Process hazards analysis techniques (e.g. HAZOP) should be considered for the review, based on appropriate assessment of risk, and by a team representing a cross section of relevant expertise.

Arrangements should be in place for control of documents (including Safety Cases) and drawings, ensuring they are updated as required. Operating procedures should always be updated to reflect any changes to the plant.

If there has been any change to the operating envelope (e.g. pressures, temperatures, levels, flow rates), then it must be understood by the operators and documented. The duty holder should be able to demonstrate that any change to the plant has been communicated, and that appropriate training has been given to ensure competent and safe use of the equipment.

Temporary changes need to be included as well as permanent changes, although in the case of a temporary change it may not be necessary to include all the requirements of a permanent change procedure (e.g. master P&IDs may not need to be changed, although temporarily marked drawings may be required).

There may well be times when personnel consider that there is a need to deviate from standard operating or design procedures. For these circumstances, the management system should mandate a thorough review, and appropriate level of risk assessment, by competent staff. Prior levels of authority should be in place before a variance is approved.

A specific change control problem frequently noted on offshore installations concerns a failure to re-evaluate relief requirements adequately when process fluids or operating conditions are changed, or when mechanical changes are made (13, 31). There have been several instances where relief valve capacity had not been reviewed, although the required duty had changed (13).

Another problem is that there have been a number of incidents involving release of production fluids on installations that have changed from dry gas to wet gas operations. Key safety issues include a change in corrosion / erosion rates, liquid slugging effects, increased pigging frequency, hydrate formation / inhibition, and effects on blowdown, flare and vent systems (36).

4.4.2  Inspection, maintenance and verification

Relevant Legal Provisions for Inspection and Maintenance: Reg 6 of PUWER 1999 requires employers to ensure that work equipment is inspected. This builds on the, often informal, practice of regular in-house inspection of equipment, and includes visual checks, functional checks and testing. Reg 5 of PUWER requires employers to ensure that work equipment is maintained in an efficient state, in efficient working order, and in good repair. Reg 3 (3) extends these duties to others, including duty holders. Reg 19 of PFEER 1995 also requires duty holders to ensure that all plant on the installation provided in compliance with the PFEER regulations is maintained in an efficient state, in efficient working order, and in good repair. This includes all the measures for protecting persons from a major accident involving fire and explosion. In practical terms, this includes the pressure vessels, piping and fittings for process containment, process / emergency shutdown systems, relief systems, blowdown and flare systems, open hazardous drains as well as mitigation systems such as active and passive fire protection.

Relevant Legal Provisions for Verification: Reg 19 and Schedule 7 of the Safety Case Regulations require a verification scheme to be put into effect to verify that safety critical elements are suitable, and that they remain in good repair and condition. These requirements are also partly covered by Reg 9 (2) of PFEER. The ACOP states that setting performance standards for measures is a crucial aspect of the assessment process. They may be described in terms of functionality, reliability, availability, and survivability, and they should be measurable and auditable.

UKOOA Guidance sets out various requirements for industry to follow on Management of Safety Critical Elements (27) (SCEs). UKOOA Guidance on Fire and Explosion Hazard Management (25) is also relevant.

SCEs of particular relevance to process integrity include:

  • The hydrocarbon containment envelope: e.g. vessels & pipework, rotating machinery, risers, pipelines, corrosion protection systems, etc.
  • The ESD system: e.g. initiating devices, cabling, logic systems and software, control room panels and displays, emergency power supplies, process and riser ESDVs, SSIVs, and associated equipment, HIPPS etc.
  • Relief, blowdown, flare and vent systems: e.g. relief valves, blowdown systems, pipework and supports, knock out vessels and supports, flare.

The requirement to verify the suitability of SCEs means that there must be some recognised criteria by which suitability may be judged. Such criteria include both functional requirements and the integrity level needed to control risks adequately. Performance standards should:

  • Record the essential features of SCEs;
  • Set measurable goals that each SCE is to achieve;
  • Specify the nature / frequency of examination / testing;
  • Address the initial and continuing suitability of SCEs.

Planned maintenance routines should provide appropriate checks on the specified performance standards. Independent verification should verify that SCEs are suitable, and that they remain in good repair and condition.

In practice various problems have been noted with maintenance of integrity of the hydrocarbon-containing envelope. For example:

  • Corrosion / erosion
  • Leaks from bolted flanges
  • Piping fatigue due to vibration 

HSE’s analysis of corrosion / erosion incidents (12) indicates that attention needs to be given to systems for managing corrosion / erosion. An effective corrosion management policy should be in place.

Analysis of mechanical failure incidents (17, 34) indicates that attention needs to be given to managing leaks at bolted flanges. UKOOA / IP Guidelines for the Management of Integrity of Bolted Pipe Joints have been published, and provide a suitable basis for action.

Piping fatigue failures caused by vibrations constitute one of the major threats to safety (35). The problem is best addressed at the design stage, but for the majority of offshore piping systems there was no review, at that stage, of critical systems, with regard to dynamic analysis of flow-induced vibration. However, many duty holders have now carried out retrospective studies, and industry-related Guidelines for the Avoidance of Vibration Induced Fatigue in Process Pipework (38) have been published.

The desired goal is to remove, as far as practicable, the source of excitation, and ensure that the effect of any remaining excitation is minimised. Various methods can be used to assess the damage potential of low frequency pipework vibration, and various remedial measures are available (35, 38).

4.5  Human factors

Relevant Legal Provisions: The MHSW Regs 1999 require a suitable and sufficient risk assessment (Reg 3), and arrangements for “planning” and “control” of preventive and protective measures (Reg 5). For a risk assessment to be regarded as suitable and sufficient, human factors should be taken into account. The ACOP notes that, wherever possible, work should be adapted to the individual.

The term “Human Factors” refers to environmental, organisational and job factors, and individual human characteristics, which influence behaviour at work in a way that can affect health and safety(2). Up to 80% of accidents may be attributed, at least in part, to the actions or omissions of people. The reasons for the errors of individuals are usually rooted deeper in the organisation's design, decision-making, and management functions.

The HSE publication HSG48(2), Reducing Error and Influencing Behaviour, gives several examples of major accidents where failures of people at many levels (i.e. organisational failures) contributed substantially towards the accidents.

Human factors cover a broad field. In the past, duty holders may have viewed it as being too complex or difficult to do anything about, but a range of measures is available. There should be a systematic analysis of the causes of human failure, and appropriate measures should be implemented.

Human factors topics of particular relevance to process integrity include:

  • Ergonomic design of plant, control and alarm systems
  • Style and content of operating procedures
  • Management of fatigue and shift work
  • Shift / crew change communications, and
  • Actions to establish a positive safety culture, including active monitoring.

4.6  Investigation procedures

Relevant Legal Provisions: The MHSW Regs 1999 require a suitable and sufficient risk assessment (Reg 3), and arrangements for planning, organisation, control, monitoring and review of preventive and protective measures (Reg 5). It is not possible to comply with this legislation unless there is an adequate investigation procedure in place.

Investigation procedures should address both immediate and underlying causes, including human factors. HSG65 Appendix 5 (1) describes one approach that may be used as a guide for analysing the immediate and underlying causes. Various other approaches are also available, and widely used within the offshore industry.

4.7  Improvement plans and performance standards

Relevant Legal Provisions: MHSWR 1999 Reg 5 requires arrangements for planning, organisation, control, monitoring and review of preventive and protective measures, in order to provide for progressive improvement in health and safety performance.

Planning should provide for continuous improvement of risk control systems, such as those described above. Specific objectives should be set, for example on an annual basis. They should be measurable, and agreed with those who are expected to deliver them.

There is no requirement to have a separate improvement programme for process integrity compared with other initiatives, but it is important to ensure that process integrity is appropriately prioritised within any general safety improvement programme.

5  Measuring performance

Relevant Legal Provisions: Reg 5 of MHSWR 1999 places a general obligation on employers to monitor preventive and protective measures.

5.1  Active monitoring (1, 3)

Active monitoring gives feedback on performance before an incident occurs. It should be seen as a means of encouraging good performance, rather than penalising failure after the event. This has the additional benefit of increasing motivation for continuous improvement (1).

Various forms and levels of active monitoring include (1):

  • Examination of work and behaviour
  • Systematic examination of premises, plant and equipment by managers, supervisors, safety representatives, or other employees to ensure continued operation of workplace precautions
  • Routine monitoring of progress towards specific objectives e.g. training / competence assurance objectives.

Topics of particular relevance to process integrity include those discussed in Section 4 (Planning and Implementing), such as Permit to Work Systems, change control, HAZOP close out, procedural controls for process plant protection systems, controls at HP / LP interfaces, operating procedures, workplace risk assessments etc.

Duty holders need to decide how to allocate responsibilities for monitoring at different levels in the management chain, and what level of detail is appropriate. In general, managers and supervisors should monitor the achievement of objectives and compliance with standards for which their subordinates are responsible. Those responsible for direct implementation of standards should monitor compliance in detail. Above this immediate level of control, monitoring needs to be more selective, but sufficient to provide assurance that adequate first line monitoring is taking place (1).

5.2  Reactive monitoring

Reactive monitoring is, by definition, triggered after an event, and includes identifying, reporting and measuring injuries, dangerous occurrences (including near misses), other losses, observation of hazards etc. (1). The requirements for reactive monitoring are not specific to process integrity.

6  Auditing and reviewing performance

6.1  Auditing

Relevant Legal Provisions: The Safety Case Regulations (Reg 8) require an audit system that is adequate for ensuring that relevant statutory legal provisions, including the provisions relating to process integrity in PFEER and DCR, are complied with. There is no specific legal requirement for technical audits of process integrity management (other than verification of SCEs).

Auditing is not a substitute for active monitoring (1). Auditing provides an independent overview to ensure that appropriate management arrangements (including monitoring) are in place, together with adequate risk control systems and workplace precautions. Various methods can achieve this. AIChE Guidelines(3-5) draw a distinction between process safety auditing, and Process Safety Management Systems (PSMS) auditing.

The focus of Process Safety Auditing is the identification and evaluation of specific hazards (e.g. inspecting hardware and finding a problem with a relief device). PSMS auditing, however, involves assessment of the management systems that ensure ongoing control (e.g. the management systems in place to ensure that pressure relief devices have been designed, installed, operated, and maintained in accordance with company standards).

Both types of audit are important. The process safety audit addresses a particular hazard found at a specific time. Offshore, this function is essentially carried out by independent verification. It could lead to correction of the hazard without addressing the underlying reason why the hazardous condition came to exist. The PSMS audit addresses the management systems intended to preclude the creation of hazards.

6.2  Reviewing performance (1)

Relevant Legal Provisions: MHSWR Reg 5 requires effective arrangements for monitoring and “review” of preventive and protective measures.

Duty holders should ensure that process integrity is included in the review process. Reviewing involves making judgements about performance, and decisions about improving performance. It should largely be based on information from monitoring and auditing. It should also be recognised that standards change, and it is good practice to review the adequacy of existing plant against current standards from time to time.

Reviewing should be a continuous process undertaken at different levels in the organisation, e.g. three-monthly reviews at Department level, and annually for the organisation as a whole. The result should be specific remedial actions which establish who is responsible for implementation, with deadlines for completion.

Relevant legal provisions

The following legal provisions are particularly relevant to this document:

  • Health and Safety at Work Etc. Act, 1974 (HSWA).
  • Management of Health and Safety at Work Regulations, 1999 (MHSWR).
  • The Offshore Installations (Safety Case) Regulations, 2005 (SCR05).
  • The Offshore Installations and Pipeline Works (Management and Administration) Regulations, 1995 (MAR).
  • The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations, 1995 (PFEER).
  • The Offshore Installations and Wells (Design and Construction, etc.) Regulations, 1996 (DCR).
  • The Provision and Use of Work Equipment Regulations, 1998 (PUWER).

References

  1. HSG65, Successful Health and Safety Management, HSE Books, 1997, ISBN 0 7176 1276 7
  2. HSG48, Reducing Error and Influencing Behaviour, HSE Books, 1999, ISBN 0 7176 2452 8
  3. Guidelines for Auditing Process Safety Management Systems, AIChE, 1993, ISBN 0-8169-0556-8
  4. Guidelines for Technical Management of Chemical Process Safety, AIChE, 1992,
  5. Plant Guidelines for Technical Management of Chemical Process Safety, AIChE, 1992, ISBN 0-8169-0499-5
  6. The Safe Isolation of Plant and Equipment, Oil Industry Advisory Committee, HSE Books, 1997, ISBN-7176-0871-9
  7. Guidance on Permit to Work Systems in the Petroleum Industry, Oil Industry Advisory Committee, HSE Books, 1997, ISBN 0 7176 1281 3
  8. Assessment Principles for Offshore Safety Cases (APOSC)
  9. Process Integrity Assessment - Containment of Inventory (OSD internal publication, formerly PBN 98/4)
  10. Process Integrity Assessment - Emergency Isolation (OSD internal publication, formerly PBN 98/5)
  11. Process Integrity Assessment - Relief and Blowdown Systems (OSD internal publication, formerly PBN 98/6)
  12. Evaluation of Process Plant Corrosion / Erosion Incidents (OSD internal publication, formerly PBN 99/4)
  13. Summary of Findings from Process Safety Theme Audits (OSD internal publication, formerly PBN 99/5)
  14. Management of Change - Process Plant Modifications, (OSD circular SPC/TECH/OSD/07) (document removed 20/12/07)
  15. Produced Sand Management, (OSD circular SPC/TECH/OSD/19)
  16. Process Integrity Audits and Inspections (Draft, now superseded)
  17. HSE / OD Offshore Technology Report OTO 97 950 - Offshore Hydrocarbon Releases, HSE, 1997
  18. Guidelines for the Management, Design, Installation and Maintenance of Small Bore Tubing Systems, UKOOA / IP, June 2000, ISBN 0 85293 2758
  19. API RP 14C (ISO 10418) - Petroleum and Natural Gas Industries - Analysis, Design, Installation, and Testing of Basic Surface Process Safety Systems on Offshore Production Installations - Requirements and Guidelines
  20. Alarm Systems Guidance for HID Inspectors, (HID Circular SPC/Tech/General/23)
  21. Alarm Systems - A Guide to Design, Management and Procurement, EEMUA Publication No. 191, 1999, ISBN 0-85931-076-0
  22. ISO/DIS 17776 Petroleum and Natural Gas Industries - Offshore Production Installations - Guidelines on Tools and Techniques for Identification and Assessment of Hazardous Events, (2002).
  23. IEC 61508 - 5 Functional Safety of Electrical / Electronic / Programmable Electronic Safety Related Systems, CEI / IEC 1998
  24. E&P Forum Guidelines on Health Safety and Environment Management Systems, Report No. 6.36/210
  25. CP001 - Fire and Explosion Hazard Management, UKOOA, 1995
  26. Guidelines for Instrument Based Protective Systems, Issue 2, UKOOA, 1999
  27. CP029 - Management of Safety Critical Elements, UKOOA, 1996
  28. Guidelines on Programmable Electronic Systems in Safety Related Applications, HSE, 1987, ISBN 0 11 883913 6.
  29. API RP 520 - Sizing, Selection and Installation of Pressure Relieving Devices in Refineries
  30. API RP 521 - Guide for Pressure Relieving and Depressurising Systems
  31. Guidelines for the safe and optimum design of Hydrocarbon Pressure Relief and Blowdown Systems, Institute of Petroleum, 2001, ISBN 0 85293 287 1.
  32. API RP 55 - Recommended Practices for Oil and Gas Producing and Gas Processing Plant Operations Involving Hydrogen Sulphide, 1995
  33. Older Infrastructures (OSD internal publication, formerly PBN 97/1)
  34. Mechanical Failure Incidents (OSD internal publication, formerly PBN 97/2)
  35. Vibration and Acoustic Induced Failure of Process Piping Systems (formerly PBN 97/9)
  36. Health & Safety Issues associated with Change from Dry Gas to Wet Gas Operations (OSD circular SPC/TECH/OSD/18)
  37. Guidelines for the Management of Integrity of Bolted Pipe Joints, UKOOA / IP, 2002
  38. Guidelines for the Avoidance of Vibration Induced Fatigue in Process Pipework, MTD Publication 99/100, 1999

Further information

Contact point: Head of Section OSD3.1 Process Integrity, Merton House, Bootle. Tel  VPN 523 3156


Updated 16.07.09