IM BP Guide 2006 V 18 (2)

Integrity Managementkeeping our value inside

Integrity Management Segment Implementation Guide

Exploration and Production Version 1.0

February 2006

(ii)

Revision History Rev. Date Description Issued 0.0.0 Feb 05 Released at the Amsterdam IM conference for comment

and review by the IM community. RCW

0.5.0 Jun 05 Draft released following Define stage IM Standard and Galveston editorial team review.

RCW

0.6.0 Jul 05 Draft released for final comment from the IM community RCW 0.7.0 Oct 05 V38 legal review RCW 0.7.5 Nov 05 Draft for section-by-section technical author review RCW 0.8.0 Jan 06 January Sunbury review and legal feedback/comments RCW 0.8.1 Jan 06 Updated risk matrices as per TW and some minor edits RCW 0.9.0 Feb 06 Final version submitted for proof reading, layout and print RCW

(iii)

Table of Contents Revision History ................................................................................................ ii Table of Contents ............................................................................................. iii Use of Language ...............................................................................................2 Revisions and Clarifications...............................................................................2 Overview, Scope and Key Concepts .................................................................3

Element 1 Accountabilities .....................................................................................12 Intent...............................................................................................................12 Minimum Requirements ...............................................................................12

1.1 Definition and Scope ..........................................................................12 1.2 Single Point of Accountability .............................................................12 1.3 Engineering Authority .........................................................................13 1.4 Technical Authorities ..........................................................................13 1.5 Key Performance Indicators................................................................14

Element 2 Competence ...........................................................................................16 Intent...............................................................................................................16 Minimum Requirements ...............................................................................16

2.1 Definition and Scope ..........................................................................16 2.2 Competency Management.................................................................17 2.3 Integrity Management Competencies ................................................17 2.4 Integrity Management Training...........................................................20 2.5 Key Performance Indicators and Assurance .......................................20 2.6 References .........................................................................................21

Element 3 Hazard Evaluation and Risk Assessment ............................................24 Intent...............................................................................................................24 Minimum Requirements ...............................................................................24

3.1 Definition and Scope ..........................................................................24 3.2 Design and Build.................................................................................25 3.3 Operate ..............................................................................................26 3.4 Hazard Evaluation and Risk Assessment Methodologies ...................27 3.5 Safety Critical Equipment ...................................................................30 3.6 Documentation ...................................................................................31 3.7 Performance Management.................................................................31 3.8 References .........................................................................................32

Element 4 Facilities and Process Integrity ............................................................38 Intent...............................................................................................................38 Minimum Requirements ...............................................................................38

4.1 Scope and Definition ..........................................................................38 4.2 Integrity Management Programs........................................................39 4.3 Integrity in Design and Build...............................................................42 4.4 Operate ..............................................................................................43 4.5 Performance Management.................................................................45 4.6 References .........................................................................................46

(iv)

Element 5 Protective Systems ...............................................................................54 Intent...............................................................................................................54 Minimum Requirements ...............................................................................54

5.1 Definition and Scope ..........................................................................54 5.2 Design and Build Stages.....................................................................56 5.3 Operate Stage ....................................................................................59 5.4 Documentation of Protective Systems...............................................63 5.5 Performance Management.................................................................64 5.6 References .........................................................................................64

Element 6 Practices and Procedures......................................................................68 Intent...............................................................................................................68 Minimum Requirements ...............................................................................68

6.1 Technical Practices Hierarchy.............................................................68 6.2 Engineering Technical Practices. ........................................................68 6.3 Site Technical Practices......................................................................69 6.4 Site Operating Procedures .................................................................71 6.5 Documentation ...................................................................................72 6.6 Performance Management.................................................................72 6.7 References .........................................................................................73

Element 7 Management of Change .......................................................................76 Intent...............................................................................................................76 Minimum Requirements ...............................................................................76

7.1 Scope of Application...........................................................................76 7.2 MOC System and Procedures............................................................77 7.3 Temporary and Emergency MOC.......................................................79 7.4 Consistency of MOC Procedures .......................................................79 7.5 EA and TA MOC Roles and Responsibilities.......................................79 7.6 Key Performance Indicators and Assurance .......................................79 7.7 References .........................................................................................80

Element 8 Emergency Response............................................................................82 Intent...............................................................................................................82 Minimum Requirements ...............................................................................82

8.1 Definition and Scope ..........................................................................82 8.2 Design and Build.................................................................................82 8.3 Operate ..............................................................................................83 8.4 Documentation ...................................................................................84 8.5 Performance Management.................................................................84 8.6 References .........................................................................................84

Element 9 Incident Investigation and Learning ....................................................86 Intent...............................................................................................................86 Minimum Requirements ...............................................................................86

9.1 Definition and Scope ..........................................................................86 9.2 Major Incidents...................................................................................87 9.3 High Potential Incidents......................................................................87 9.4 Operational Excursions Beyond Design Limits ...................................87

(v)

9.5 Investigation of Lower Severity IM Incidents .....................................87 9.6 Immediate and Root Causes of IM Incidents .....................................89 9.7 Commissioning of Equipment After Incidents....................................89 9.8 Learning..............................................................................................90 9.9 Key Performance Indicators and Assurance .......................................90 9.10 References ....................................................................................90

Element 10 Performance Management and Learning............................................92 Intent...............................................................................................................92 Minimum Requirements ...............................................................................92

10.1 Definition and Scope .....................................................................92 10.2 Assessing IM Performance ...........................................................92 10.3 Minimum Requirement Assessment.............................................93 10.4 Performance Metrics Tiers ............................................................94 10.5 Key Performance Indicators ..........................................................95 10.6 Recommended Documentation for Review/Audit .........................96 10.7 References ....................................................................................97

Appendix 1 IM in Major Projects ............................................................................102 Appendix 2 IM Standard Competencies ................................................................107 Appendix 3 Safety Critical Equipment...................................................................115 Appendix 4 Acronyms .............................................................................................123 Appendix 5 Glossary of Terms ...............................................................................125

(vi)

Overview

E&P IM Implementation Guide

2

Use of Language In this Guide the following words, when used in the context of actions by BP or others, have the specific meanings:

(a) ‘Will’ is used normally in connection with an action by BP, rather than by a contractor or supplier

(b) ‘May’ is used where alternatives are equally acceptable

(c) ‘Should’ is used where a provision is preferred or recommended

(d) ‘Shall’ is used where a provision is mandated by the IM Standard and is a Minimum Requirement

(e) ‘Must’ is used where a provision is a regulatory requirement

(f) ‘Compliance’ means meeting the requirements of applicable regulations

(g) ‘Conformance’ means meeting the requirements of the IM Standard

Revisions and Clarifications The controlled copy of this Guide will be maintained and continuously improved by periodic review and electronic re-issue via the Integrity Management website:

http://integritymanagement.bpweb.bp.com

Printed copies of this Guide and printable copies downloaded from the website should be treated as ‘uncontrolled.’ Constructive comments about the Guide are encouraged and welcomed. The feedback will be collated for formal consideration by representatives of the IM community and IM Advisors. Suggestions for improvements and requests for clarification should be directed in the first instance to the document custodian,

Richard Woollam Advisor Integrity Management Mail to: [email protected]


3

Overview, Scope and Key Concepts E&P IM Implementation Guide This Implementation Guide has been written as a stand-alone document for the Exploration and Production (E&P) Segment, containing the relevant material from the Group Integrity Management (IM) Standard and the Group IM Guidance. Figure O.1 illustrates the hierarchy and relationship of these documents in the BP Group. Conformance with the Minimum Requirements in this Guide will confirm E&P Segment conforms to the Group IM Standard.

BP ManagementFramework

Group IM Standard

Group IM Guidance

E&P IM Implementation

Guide

R&M IM Implementation

Guide

GP&R IM Implementation

Guide

Group Standards Group Standards

Figure O.1 BP Group Management Framework Document Hierarchy

BP Group IM Standard

The Group IM Standard is available to download from the BP Group Integrity Management website http://integrity_management.bpweb.bp.com. The following extract from the Group IM Standard describes the Standard’s purpose, scope and applicability:

Purpose The Group IM Standard: • Sets out the IM requirements necessary to satisfy the Group Values,

particularly those relating to Risk, Health and Safety and Environmentally Sound Operations.


4

• Requires the controlled application of hazard evaluation including major accident risk assessment, process safety and engineering management, combined with internationally recognised industry standards and engineering, maintenance and operating practices developed by BP.

• Aims to reduce the number and severity of uncontrolled releases of hydrocarbons, chemicals, hazardous materials and other high-energy sources (including catastrophic and chronic releases) to the atmosphere, water or ground, and to prevent the failure of equipment and infrastructure in order to avoid serious harm to people, the environment and BP assets.

• Will help BP to benefit from greater operational integrity; better Health, Safety, Security and Environmental (HSSE) performance; increased lifecycle value of BP assets; and greater engineering standardisation and productivity.

• Will help sustain BP’s Licence to Operate, improve its operational reputation, reduce future environmental liabilities and achieve internal targets as defined in BP’s Management Framework.

The IM and Control of Work Standards are complementary. Control of Work focuses on the safe execution of workplace activities while IM concerns the total lifecycle integrity of BP Operations through design, construction, operation, maintenance and decommissioning.

Scope This Standard applies to all BP Operations (defined below). It ensures that processes are in place to confirm that all BP Operations, and the equipment used in each operation, are fit for service – the aim being to avoid loss of containment and to maintain structural integrity throughout the lifecycle of the facility and equipment in question.

Applicability This Standard shall be applied to all Business Units, projects, facilities, sites and operations that are wholly owned and operated by BP (referred to as “BP Operations”). In the case of joint ventures (JVs) and contractors, the following shall apply: • Where BP has operational control of a joint venture, BP shall, after

an appropriate risk assessment, endeavour to adopt this Standard. If necessary, it will also seek to amend the relevant agreements, either immediately or as they come up for renewal, in order to reflect this Standard.

• Where BP does not have operational control of a joint venture, BP shall, after an appropriate risk assessment, endeavour to ensure that the operator adopts this Standard. Again, BP will seek to amend relevant agreements, immediately or on renewal, to reflect this Standard. Alternatively, BP may request the approval of the JV Board to adopt the Standard.

• Where BP relies on a contractor to carry out work that would be


5

subject to this Standard if performed by BP employees, BP shall, after an appropriate risk assessment, endeavour to ensure that the contractor adopts this Standard. It will also seek to amend relevant contracts, immediately or on renewal, to reflect this Standard.

• Where it is not possible or feasible to require a joint venture or contractor to adopt this Standard or, where a joint venture or contractor has agreed to adopt the Standard in the period before any Standard is adopted, BP shall seek to influence or persuade the joint venture or contractor to adopt a set of principles based on this Standard.

Scope and Applicability in Major Projects and Operations

The IM Standard applies from the reservoir downstream to the point of custody transfer. All engineered systems are within the scope of the IM Standard and will include the following as appropriate:

• Down-hole casing, tubing and conductors

• Wellheads, Christmas trees and associated well intervention equipment

• Chokes, flow lines and production manifolds

• Process piping (hard and flexible), valves, vessels, heat exchangers, boilers and fired heaters

• Pumps and compressors

• Lifting equipment

• Safety instrumented systems and controls, including relief and blow-down systems

• Ignition prevention systems

• Fire and gas detection, fire and blast protection and suppression systems

• Fixed and floating structures, supports to critical equipment and personnel access/egress routes

• Occupied buildings, e.g., accommodation areas and control rooms

• Electrical and utility systems key to safe operation

• Sub-sea production and injection facilities

• Transmission pipelines, flow lines and risers

• Storage tanks

• Emergency response, evacuation and escape facilities

• Emergency communication systems

Overview of the IM Standard The IM Standard, the Group Guidance and this E&P Segment Implementation Guide have been developed to help prevent and mitigate integrity-related losses associated with safety, environment, business and reputation through the integration of:

• The Process Safety/Integrity Management (PSIM) Standard (2001)

• The Major Accident Risk (MAR) assessment process, introduced in 2002


6

• The appointment of Engineering Authorities (EA)

• The application of Group and Segment Engineering Technical Practices (ETP)

The IM Standard represents an evolution and expansion of the PSIM Standard from 8 to 10 Elements. The two new Elements, Accountabilities, and Practices and Procedures, were embedded in the PSIM Standard and have been extracted and expanded as separate items in the new IM Standard to emphasize their importance to a successful IM program. The contents of the PSIM and IM Standards and the approximate correlation between the Elements are summarized in the Table O.1. The Minimum Requirements in this Guide have been updated to reflect the changes from the PSIM to the IM Standard and experience gained from the application of PSIM over the past 3 years. BP recognizes that its activities might give rise to major hazards for employees, contractors, visitors, members of the public, and the environment, all of which BP desires to protect. Implicit in our approach to HSSE is the expectation that operational sites systematically identify potential IM incidents that could occur, assess their probability and consequences, and be able to demonstrate that appropriate policies,

Hazard Evaluation and Risk Assessment

Develop Risk Management Plan

Implement Risk Management Plan

Learning and Improvement

Assign accountabilities for IMSystematically identify major hazardsConduct risk assessmentAssess equipment criticalityDefine safe operating envelope

Define practices and proceduresIdentify required IM competenciesBuild equipment risk-based IM planDevelop corrosion management planBuild emergency response plan

Implement equipment IM planTest emergency response planManagement of change

Incident investigationPerformance managementAssessment against KPIsAudit and peer review

1, 3

2, 4, 5,6, 8

4, 5, 7, 8

9, 10

IM Process Key Activities Elements

Figure O.2 4-Step Integrity Management Process


7

operating procedures, prevention measures, and safety and emergency response systems have been established and understood. The Standard applies to each stage of the Capital Value Process (CVP). It is a ‘cradle-to-grave’ program that encompasses the full life cycle of an operational facility and is based on the clear identification of potential hazards associated with such facilities and the management programs developed and implemented to control the associated risks. The Group IM Standard requires that IM is a line responsibility and that Major Projects and BUs clearly identify the roles and responsibilities of the personnel who are accountable for delivering conformance. Functional support roles or teams, e.g. Engineering and Technical Authorities, inspection and technical services departments, can assist line managers in meeting the requirements of the IM Standard and any additional local integrity-related regulations.

Conformance By the end of 2008 SPU/BUs will:

1. Achieve conformance with the IM Standard OR

2 Apply for and achieve exemption from the IM Standard or parts thereof OR

3 Be prepared to shut down operation

Integrity Management

Group Standard 2006

Process Safety/Integrity Management Group Standard 2001

1 Accountabilities

2 Competence 5 Competent Personnel

3 Hazard Evaluation and Risk Management

1 Hazard Evaluation

4 Facilities and Process Integrity 3 Mechanical Integrity

5 Protective Systems 4 Protective Systems

6 Practices and Procedures

7 Management of Change 2 Management of Change

8 Emergency Response 7 Emergency Response

9 Incident Investigation and Learning

6 Incident Investigation

10 Performance Management and Learning

8 Performance Management and Assurance

Table O.1 Comparison between IM and PSIM Standards


8

Conformance with the IM Standard is defined as meeting the Minimum Requirements of this Guide. These Minimum Requirements meet the 'Mandatory Requirements' in the IM Standard.

Integrity Management Process The definition of ‘Integrity Management’ is a continuous assessment process applied throughout design, construction, operations, maintenance and decommissioning to assure that wells, facilities and structures are managed safely. There are 4 key steps as shown in Figure O.2.

Regulatory Requirements

Legislation in most countries where BP operates requires a policy on the prevention of major accidents and environmental damage for hydrocarbon production, processing, storage and export facilities. In some instances the regulations are prescriptive and dictate specific activities and schedules. BUs operating under such regimes must continue to comply with applicable regulations. The IM Standard is intended to complement regulations and defines a process to provide assurance that BP’s Minimum Requirements for IM are being met, including conformance with the Company’s Engineering and Technical Practices and with appropriate industry codes and standards. In the event of a conflict between the IM Standard and a relevant law or regulation, the relevant law or regulation shall be followed. Any such conflict shall be reported to the Group Engineering Director. If the Standard creates a higher obligation, it should be followed as long as this also achieves compliance with the law or regulation

Engineering Technical Practices

The IM Standard and this Guide make extensive reference to BP Engineering Technical Practices, ETPs. The project to develop the validated set of ETPs continues. At the time of issue of this Guide approximately 80% of the Group ETPs have been published with the remainder becoming available during 2006. The 3 year program to develop E&P Segment ETPs starts in 2006.

Safety Critical Equipment (SCE)

The E&P Segment requires the identification of SCE for the purposes of assuring availability and functionality of equipment that provides the greatest relative contribution to risk reduction for major accident hazards. The identification of SCE facilitates the prioritization of inspection, testing and maintenance tasks and the associated performance management.

IM in Major Projects

Major Projects are BP net investments exceeding $100m. Typical activities and deliverables in Major Projects to achieve conformance with the IM Standard are defined in Appendix 1 against the relevant CVP stage. These activities align with the


9

requirements of the Major Projects Common Process and should be applied to all projects as applicable, irrespective of their size.

3-Year IM Rolling Plan

All BUs/PUs are required to review and revise their existing PSIM 3-year rolling plan to achieve conformance with the IM Standard. A template and guidance notes for a 3-year rolling plan are available on the IM website, based on the Minimum Requirements in this Guide.


Having achieved conformance with the Minimum Requirements, BUs are required to continue with the 3-year rolling plan concept to drive continuous risk reduction as dictated in the Group IM Standard.

Key Performance Indicators

The IM Standard requires that BUs develop a suite of performance measures to provide assurance of IM delivery. This Implementation Guide describes the ‘3-tier’ performance metrics model recommended for E&P BUs, and suggests typical Key Performance Indicators and assurance processes for the individual Elements of the Standard.

Assurance

Business Units and Functions are accountable for implementing the Standard and for providing auditable evidence of conformance.

Accountabilities


12

Element 1 Accountabilities Intent Element 1 defines the relationship between the line leadership Single Point of Accountability for application of the IM Process and the functional accountability of the Engineering Authority in managing engineering risk.

Minimum Requirements 1.1 The SPU leader shall appoint an SPU leadership position as a Single Point of

Accountability for the implementation of the IM Standard and compliance with local IM-related regulatory requirements who shall:

• confirm that IM accountabilities are delegated to BU operations and support personnel, including BU-managed projects

• assign an IM representative responsible for IM process applications to each Major Project

1.2 The Segment shall appoint a Segment Engineering Authority and an EA for each of the Strategic Performance Units (SPU). SPU EAs shall approve BP Operation and Project organization EAs within the SPU.

1.3 BP Operation and Major Project EAs shall be accountable for verification of the processes and systems for managing engineering risk.

1.4 Engineering Authorities (Segment, SPU, BU and Major Project) shall approve Technical Authorities and assure they are engaged to address engineering discipline-specific technical requirements for managing engineering risk.

1.1 Definition and Scope Accountabilities for the successful implementation of the IM Standard reside in two distinct areas: line management and functional management. Accountability for IM through the application of the IM Standard resides in the line management of a Business Unit or Strategic Performance Unit. Single Point of Accountability for IM (SPA-IM) is a leadership position with specific accountability for IM. Accountability for ensuring processes and systems are in place for the identification and management of engineering risk is considered a functional accountability. Engineering Authorities (EAs) are appointed at the Segment, SPU, and Major Project levels with the accountability for verifying that the engineering expectations of the IM Standard are being met and are fully auditable. The responsibilities of the Engineering Authority and SPA-IM roles should not be undertaken by the same individual in order to preserve the distinction between line responsibility (SPA-IM) and functional responsibility (EA). 1.2 Single Point of Accountability The Single Point of Accountability for Integrity Management, SPA-IM, is a leadership position with line accountability for IM through application of the IM Standard and compliance with local IM-related regulations. The SPA-IM is responsible for the


13

development and execution of a BU or SPU specific IM program, including delegation of authority to appropriate individuals in the organization. Normally, the SPA-IM will sit on the management team of a BP Operation, e.g., SPU, BU or BU Major Project and will be accountable to and report to the BP Operation leader for delivery of all aspects of IM, supported by the EA who will have responsibility for engineering decisions. 1.3 Engineering Authority The EA is accountable for ensuring processes and systems are in place for the identification and management of engineering risk. The EA will be responsible for the control and application of Site Technical Practices (STPs) appropriate to the BP Operation (SPU, BU or Major Project). A key role of EAs is to provide independent engineering advice to the line and SPA-IM. In order to deal with cases where EAs believe their advice is not being taken into consideration, they shall have the opportunity and direct line communications to raise their concerns to the next higher engineering level, i.e., Segment/SPU EA, and ultimately the Group Director of Engineering, for resolution. Given the scale and diversity of activity within the E&P Segment, it has been decided that, as a minimum, EAs will be appointed for each SPU and each Major Project. Technology Vice Presidents responsible for engineering within the SPU shall approve the appointment of each SPU EA, subject to the agreement of the Group Director of Engineering. In many instances the SPU EA may delegate some responsibility to EAs at either BU or PU level. The responsibilities of E&P Segment EA are part of the role of the E&P Head of Engineering. 1.4 Technical Authorities The IM Standard defines Technical Authorities (TAs) as engineers with specific discipline expertise appointed by the EA. The EA is expected to call on expertise from appropriate TAs, but is ultimately accountable for the advice provided. The primary role of TAs is to act as the technical integrity advisors within their designated engineering disciplines or activities by ensuring the safe and consistent application of Company and regulatory codes and standards and good engineering practices. In E&P there are three key TA roles: Segment TAs, SPU TAs and Major Project TAs. TAs are appointed by the appropriate accountable EA. Areas of responsibility for TAs include:

• Application and upkeep of ETPs and STPs • Identification of technical risk and recommendations for mitigation • Technical MOC review/approval • Technical reviews of non-major projects at CVP stage-gates • Assistance to engineering staff


14

1.5 Key Performance Indicators BUs and Major Projects should consider the following KPIs which reflect the Minimum Requirements

• Identify and establish SPA-IM leadership position

• Appointment of EAs and TAs

• List of TAs regularly reviewed and updated

Competence


16

Element 2 Competence Intent Element 2 requires that staff that can affect the integrity of an Operation have clearly defined roles and are regularly assessed to have the required competencies for assigned tasks.

Minimum Requirements 2.1 The competencies of operations and maintenance personnel, including site

leadership, to carry-out IM-related tasks, shall be actively assessed and assured through a documented competency management system, e.g., CMAS

2.2 Competency profiles and assessments of EAs and TAs shall be completed and assured through a documented competency management system e.g. CMAS

2.3 All IM engineers and practitioners shall have written job descriptions and competency profiles based on the CoL descriptors. Annual competency self-assessments shall be made against these profiles. Training and development plans shall be put in place to achieve minimum Level 2 competence in IM as defined in CoL and in Appendix 2 of this Guide (Level 3 for IM Team Leaders)

2.4 All other professional and line management personnel in Operations and Major Projects having job functions relating to IM shall complete annual CoL self-assessments against their profiles. Training and development plans shall be put in place to achieve an average Level 2 competence in IM as defined in CoL and in Appendix 2 of this Guide

2.5 The Annual Engineering Plan shall include an assessment of the organizational competencies of the SPU and its contractors to deliver IM from design to operation. The assessment shall be conducted by the EA and reported as part of the annual Engineering Plan.

2.1 Definition and Scope Broadly defined, ‘competent’ is the state of being properly qualified. In the context of this Guide, competencies are the requisite abilities or qualities people, both BP and contractor, need to be effective in their jobs and meet the Company’s expectations, including those related to IM. They are the appropriate combination of qualifications, understanding, experience, skills and other qualities (attributes, attitude and aptitude) that produce good performance; the ability to carry out tasks to the standards expected in employment. These standards might include regulatory requirements and industry standards in addition to Company standards and operating and maintenance procedures. Competency is a broad topic; there are many distinct jobs, each of which requires a combination of generic skills (referred to in BP as ‘Foundation’ and ‘Core’) and discipline/specialized skills (referred to as ‘Technical and Professional’). For most of the roles in an operating BU or Major Project, IM will often be one skill in any individual’s overall skill set and will be of greater or lesser importance as defined by the job requirements. For those individuals involved continuously with IM, the ‘IM Practitioners,’ their skill level needs to be greater and reflect the full breadth of the IM Standard.


17

Although it seems obvious that people should be ‘qualified’ to perform the primary tasks associated with their employment, the scope of the necessary knowledge base, including the impact of decisions on integrity of both equipment and procedures, is perhaps less clear. It is important for personnel to understand the impact of decisions, to “know what they don’t know” and know how and when to involve specialized expertise. This is certainly the case with IM because many of its specialized skills and activities do not have immediate impact but operate over the longer term, e.g., chemical treatment of process fluids to inhibit corrosion. 2.2 Competency Management BUs and Major Projects are required by the IM Standard to actively manage the competency of their personnel. Competency management has similar features for all types of employees:

• A job or role description that defines what is to be done or the attributes of the role. This might include a job profile defining relevant written operating or maintenance procedures, or for a discipline engineer may be a summary of knowledge requirements and typical activities.

• An assessment method for comparing skills against the requirements.

• A training and development program for acquiring the requisite understanding, skill and experience.

• A verification method, including periodic re-assessment, to confirm the level of competency. This should be made by a senior person competent in the discipline of the individual being assessed, ideally either a TA or an Advisor.

• Documentation – a record of the job description, training profile for the position, and records of an individual’s assessments and verifications.

2.3 Integrity Management Competencies 2.3.1 Operations and Maintenance Personnel Competency profiles in CMAS (or equivalent management system) should include requirements for operational and mechanical integrity issues associated with individual positions. The requirements will vary with the specific position but might include appropriate competency in the areas of:

• Permit to Work, Safe Systems of Work and Golden Safety Rules

• Task-based risk assessment

• Understanding hazard evaluation

• MOC procedures

• Ongoing mechanical integrity programs such as inspection and corrosion management

• Protective systems and their testing and maintenance

• Operational surveillance of equipment, including checklist inspections

• Recognizing degradation and reporting areas of concern for specialist assistance


18

• Incident investigation associated with integrity failures or near misses

• Emergency response

• Knowledge of relevant Site Technical Practices The IM Standard requires that operating, maintenance and contractor personnel shall be competent to safely perform assigned tasks according to approved procedures that reflect current operating practices. The intent of this requirement is to assure that anyone operating or maintaining process equipment is capable of correctly operating the equipment under normal and abnormal conditions. Production Technicians should be trained, routinely assessed and verified in the following aspects of their work:

• Normal operations and safe operating limits

• Controlled start-up and shut down

• Preparation for maintenance

• Re-instatement after maintenance

• Control of emergency situations Control Room Technicians should be trained, routinely assessed and verified in:

• Preparation of process systems for remote operation

• Remote control of process systems

• Preparation of process systems for remote shutdown

• Facilitation of the maintenance of plant and equipment

• Control of emergencies and critical situations Mechanical, Electrical or Instrument Technicians should be trained, routinely assessed and verified in:

• Implementation of maintenance procedures

• Interrogation and fault finding skills

• Inspection and repair systems for restoration to required performance

• Return of equipment to service by component removal and replacement

• Monitoring and assessing performance and condition of equipment Operations and Maintenance Supervisors should be trained, assessed and verified in aspects of their positions that impact the health and safety of staff and the integrity of facilities. 2.3.2 Engineering and Technical Authorities The roles, responsibilities and competence requirements of EAs and TAs in Major Projects and in Operations are described in the E&P Engineering Authority Handbook and should be documented and managed through CMAS or equivalent, as described in the guidelines on the EA website.

http://eaweb.bpweb.bp.com/

EAs in Operations are responsible, with SCM support, for reviewing the role and responsibility of the major engineering contractors, and confirming implementation of a competency assurance process.


19

EAs in Major Projects are responsible for verifying that processes for determining engineering competence of personnel, contractors, consultants and vendors are in place and are adequate for the particular scope and nature of the project. 2.3.3 IM Engineers and Practitioners This category includes the IM Team Leader and immediate reports such as mechanical integrity and protective systems specialists, inspection engineers, materials and welding engineers, corrosion and chemicals specialists. Example skill profiles are available in CoL database, http://competencies.bpweb.bp.com, for the following IM-related roles,

IM Team Leader Pipeline Engineer Materials/Corrosion/Welding Engineer – Welding Specialism Materials/Corrosion/Welding Engineer – Corrosion Specialism Materials/Corrosion/Welding Engineer – Inspection Specialism IM Engineer (Operations) IM Engineer (Major Projects) Civil/Structural Engineers (Offshore and Onshore) Mechanical Engineer – Static Equipment

Major Projects and SPU EAs should adapt these role profiles for their IM practitioners, as appropriate to their facilities. These profiles should be used to facilitate self-assessment, highlight the levels of competency required, and identify development opportunities to address gaps and build experience level. Documented competency assessments against the profiles, including training and development plans to close identified gaps, should be made:

• For the IM Team Leader by the EA, the SPA-IM or an IM Advisor

• For the other IM practitioners by the IM Team Leader, supported as necessary by relevant Advisors or subject matter experts (e.g., in EPTG)

IM Team Leaders should have training and development plans in place to achieve Level 3 (Skillful Application) in Integrity Management in CoL (Operations Manufacturing Management) and the E&P expansion of these descriptors as shown in Appendix 2. All other IM engineers and practitioners should have training and development plans in place to achieve a minimum of Level 2 (Basic Application) in IM in CoL and the E&P expansion in Appendix 2, but progressively moving toward Level 3. A recommended career development pathway for IM Engineers is shown on the SDDN website at:

http://upstream.bpweb.bp.com/EPT/files/Integrity%20Management%20Eng.pdf 2.3.4 Other Professional and Line Management Personnel Personnel in this category are expected to include as a minimum:


20

• Discipline Engineers: project, mechanical, process, civil/structural, electrical, control, etc.

• Specialists: SCM, commissioning, HSSE, wells, machinery, etc.

• Line Managers: drilling and completions, production, operations, maintenance, HSSE, etc.

All these and any other professionally qualified engineering and line management personnel in Operations and Major Projects having job functions relating to IM should have their IM competencies assessed annually against:

• Their role profiles, as derived from CoL exemplars

• The Level 2 (Basic Application) CoL requirements for IM, as expanded in Appendix 2

These assessments should be made by their line managers, supported by relevant Advisors or subject matter experts (e.g., in EPTG). Competency gaps should be identified, documented and addressed by training and development plans. BULs and PULs should attend formal one-day IM awareness workshops facilitated by the E&P IM Function. 2.3.5 Organizational Competencies in Operations and Major Projects Based on an assessment of risk within the BU or Major Project, the EA should determine which engineering disciplines, and what level of competency in each of those disciplines, are required to support IM activities. The Annual Engineering Plans should identify the required engineering discipline resources, which may be internal or external, and any gaps that require addressing. Recommendations for the appointment of EAs and TAs in Major Projects and Operations are shown in Table E2.1. 2.4 Integrity Management Training Formal BP 2-day IM training workshops are available from the IM Function, delivered either centrally or locally in customized versions. This training is recommended for all personnel who can impact IM. Some BUs have incorporated this training into their CMAS profiles for their operations and maintenance personnel; other BUs should consider following this example. 2.5 Key Performance Indicators and Assurance BUs and Major Projects should consider the following KPIs:

• CMAS (or equivalent) implementation for operations and maintenance personnel, EA and TAs

• Percent completion of competency assessments for IM engineers and practitioners

• On time completion of IM training requirements from CoL


21

2.6 References Competency on Line (CoL)

http://competencies.bpweb.bp.com Operations Learning Progression Map

http://mylearning.bpweb.bp.com/calendar/global/progMaps/bpolp.htm Operations Training Strategy

http://ots.bpweb.bp.com/dev/training/home.htm Competency Management Assurance System

http://ots.bpweb.bp.com/dev/cmas/home.htm


22

EA/TA Roles Major Project BP staff SPU - Ops BU/PU - Ops BP staff

IM SPA (per Group Std) Yes Optional Yes

Engineering Authority Yes Yes Yes Optional Yes

IM Team Leader Yes Optional Yes

Senior IM Engineer Yes Yes

IM Engineer Optional Y or Independent Optional Optional Yes

Well Construction Eng Yes Y or Independent Yes Optional Yes

Well Operations Eng Y or Independent Yes Optional Yes

Mechanical (Facilities) Eng Yes Y or Independent Yes Optional Yes

Process Safety Eng Yes Y or Independent Yes Optional Yes

Electrical Engineer Yes Y or Independent Yes Optional Yes

Process Engineer Yes Y or Independent Yes Optional Yes

Control/Instrument Eng. Yes Y or Independent Yes Optional Yes

Pipelines Eng Yes Y or Independent Yes Optional Yes

Structural Eng Yes Y or Independent Yes Optional Yes

Materials & Corrosion Eng Yes Y or Independent Yes Optional Yes

Welding Eng Yes Y or Independent Optional Optional Y or Agency Direct

Commissioning engineer Yes Y or Independent

Table E2.1 Recommendations for Appointment of EA/TAs in Major Projects and Operations

Hazard Evaluation and Risk Assessment


24

Element 3 Hazard Evaluation and Risk Assessment Intent Element 3 requires that formal procedures are in place to identify hazards associated with normal and abnormal operations, assess risks, formally document this information and communicate it to affected staff.

Minimum Requirements 3.1 A documented risk management policy shall be in-place that assures:

• Roles/responsibilities and competencies required for hazard identification and risk management are defined.

• The procedures and tools used to identify hazards and estimate probability and consequence of risks (both normal and abnormal operations) are defined.

• The workforce understands the hazards of the operation and is aware of emergency response plans.

• Risks are eliminated, prevented, controlled, or mitigated using a continuous risk reduction process.

• An action tracking system exists to manage timely closeout of outstanding actions from risk assessments.

• Hazard evaluations and risk assessments are periodically revalidated and updated.

3.2 BP Operations and Major Projects shall complete a risk assessment using the Group Major Accident Risk (MAR) Process GP 48-50.

• Risks above the Group Reporting Line, together with a mitigation plan, shall be reported to Group Director of Engineering and recorded in the annual Engineering Plan.

• Risks below the Line shall be managed at the Segment/SPU level through a process of Continuous Risk Reduction.

3.3 A register of major hazards and risks shall be in place derived from regulatory requirements and/or through application of the BU risk management policy. The top 5 IM risks shall be identified, understood and managed at the SPU level.

3.4 A register of the Safety Critical Equipment shall be in-place derived from hazard evaluations and risk assessments.

3.1 Definition and Scope The aims of hazard evaluations and risk assessments are:

• To confirm that major hazards have been identified

• To provide and communicate the causes, probabilities and consequences of the hazards to effectively manage the associated risks

• To identify opportunities to minimize risk at source

• To identify and confirm that the appropriate prevention, control and mitigation measures (protective systems) are specified and maintained for plant, procedures and processes


25

• To confirm that these protective systems are suitable for managing the hazards, and that performance standards are in place that specify requirements for functionality, reliability and survivability, as appropriate.

• To provide knowledge about the effects and progression of hazardous events to allow specific effective and safe emergency response plans to be drawn up for each major hazard or group of hazards

• To evaluate the risks to determine if it is safe to operate and to identify opportunities for continuous risk reduction

• To create a living, easily understood hazard register that describes the causes, severity, consequences and management of each major hazard

Hazard evaluation is a living process that progressively updates the understanding of the hazards and their management over the life-cycle of the facility. This knowledge grows from the first HAZID exercise when project design concepts are being developed, through the detailed engineering stage when the primary decisions are taken, and subsequently into the implementation in construction and operation. The evaluation should be kept up to date throughout the facility life including decommissioning. Major accident evaluations address those hazards that have the potential for multiple injuries or fatalities, catastrophic loss of the facility, irreparable damage to the environment and damage to the corporate reputation. Major accident evaluations do not address occupational hazards unless significant impairment of the plant integrity is foreseen. Task Risk Assessments and ‘Safe Systems of Work’ required by the Personal Safety Standard address these occupational hazards. Major accident hazards within the scope of the IM Standard include:

• Loss of containment of hydrocarbons and other hazardous materials

• Logistics involving marine and helicopter operations

• Structural failures and heavy lifting operations

• Extreme weather conditions and earthquakes

• Security, including terrorism, sabotage and theft 3.2 Design and Build Major Projects will apply CVP which requires supporting technical, HSSE and IM information in order to pass through each stage gate. Hazard evaluations and risk assessments are important components of this information which is supported by the design safety requirements of the Major Projects Common Process (MPCP). Project teams shall reduce the exposure of people to hazards by the adoption of “inherently safer designs” (ETP GP 24-03). Hazard identification (HAZID) and associated risk assessment processes are therefore required during initial concept selection, site location, layout definition and detailed engineering to demonstrate that reasonable schemes are developed. Some examples of how designs can be made inherently safer include:

• Eliminating or reducing the quantities of hazardous materials

• Reducing the number of potential leak and ignition sources


26

• Confirming materials of construction have adequate corrosion resistance and fracture toughness

• Exploiting inherently more robust structural designs

• Separating people from the hazardous materials as far as practicable

• Selecting relatively simple and easily understood schemes Specific facility siting and layout studies shall be conducted to minimize the exposure of building occupants to flammable, toxic and other hazards. The appraise/select stages of the project provide the best opportunity to consider facility layout and to apply inherently safer design principles. All occupied structures, both onshore and offshore, shall be designed to withstand reasonable foreseeable blast and fire hazards. For guidance on blast loading see ETP GP 04-30. More detail on temporary accommodations can be found in GP RM 04-30 and GP EP 04-30 for onshore and offshore respectively. New project designs will require more hazard evaluations and risk assessments, similar to those described in Section 3.4. Novel or extrapolated design concepts beyond Company experience might require the use of Quantified Risk Assessment (QRA) techniques to assess risks to personnel and the environment. A formal hazard register shall be prepared and handed over to Operations. Studies supporting the hazard evaluations shall also be formally collated, referenced in the register and handed over together with any computer based analysis of risks and their consequences, such as fires or explosions, reliability studies, dropped objects, etc. These studies will be needed as reference documents and will require updating during operation. New projects with the potential for major accident hazards shall conduct a quantified risk assessment using the BP MAR process (ETP GP 48-50), in addition to any other hazard evaluations and risk assessments conducted for design purposes. The input data and results from these other studies may be used as input to the MAR assessment. Further guidance on the MAR Process is covered in Section 3.4. Projects shall develop a register of SCE for handover to Operations prior to commissioning - see Section 3.5. 3.3 Operate BUs shall have a documented hazard evaluation and risk assessment policy that describes the various tools and techniques to be used, by whom, and showing how conformance with the IM Standard will be achieved. An output of the evaluation shall include an auditable register of major hazards and risks. A process of continuous risk reduction shall be applied, documented and periodically updated. This risk reduction should be applied in the following order of preference: eliminate, prevent, control and mitigate.


27

BUs shall identify and assess their risks of major accidents using the BP MAR Process (ETP GP 48-50), described in Section 3.4. The data and results from any previously conducted hazard evaluations and risk assessments may be used as input to the MAR assessment. In some locations a similar assessment will already have been mandated by local regulations. Some assets may have used a semi-quantitative methodology employing risk matrices to analyse some or all major accident hazards. For new assets, hazard evaluations and risk assessments should have been received from the project. For many existing installations, there may be limited data available from other studies. Specific facility siting studies shall be conducted to evaluate the risk to personnel in occupied buildings, both permanent and temporary. These evaluations should include the initiating causes of the hazards, means to shelter, muster or evacuate, and emergency response. Recommendations from these studies should consider, in the following priority, relocation of personnel to safe locations, hardening of the building, protection from toxic material and products of combustion. These studies should be updated every 5 years or more frequently if major changes in layout or processes have been made. The Sunbury or Houston Integrity Management Teams should be consulted for further advice. Hazard evaluations and risk assessments shall be periodically revalidated to determine if they require updating. While MOC of small projects and modifications should have triggered a review and possible update of previous studies, the cumulative effect of multiple small changes will also be addressed by periodic revalidation. Other reasons to review and update previous studies include the introduction of new hazards or ignition sources, relocation of personnel including temporary accommodation and trailers, and new commercial and residential developments in the vicinity of the facility. Revalidation of hazard evaluation should be at least every 5 years, and more frequently if required by regulation or as determined necessary by the BU (e.g., due to the cumulative effect of multiple changes). BUs operating existing facilities shall develop registers of Safety Critical Equipment as described in Section 3.5. 3.4 Hazard Evaluation and Risk Assessment Methodologies There is a variety of hazard evaluation and risk assessment methodologies. Each technique has strengths and weaknesses, and produces results in different formats. Some techniques are suited to particular applications. Figure E3.1 describes some of the more important techniques, showing their level of complexity and application. 3.4.1 Task Risk Assessment Sites should have a “Safe Systems of Work” process in place to control activities involving work execution-related hazards not associated with normal operations. This process usually comprises a Task Risk Assessment (or Job Safety Analysis) and issuance of a Permit to Work. In some cases, routine ‘lower risk’ activities may be covered by a formal procedure that has been previously subjected to a Task Risk Assessment.


28

The Task Risk Assessment obliges experienced and trained staff to identify possible hazards, consider their potential risks (probability and severity), and stipulate in writing the various control measures that need to be implemented. These measures should take due account of the designated SCE. The Personal Safety Standard and its associated guidance provide more detail on this most basic of risk assessment methodologies. 3.4.2 HAZID Hazard identification, HAZID, studies are very broad in their scope, looking at all reasonably possible sources of hazard to the facility by examining each area, module and system in turn. They should initially be conducted during the concept and front-end engineering stages, with the emphasis on the major hazards, before detailed engineering design has begun. 3.4.3 Process Hazard Analysis (PHA) There is a variety of PHA methodologies that are sometimes used ranging from simple checklists to the more rigorous HAZOP technique, described below. Checklists are sometimes used to consider hazards associated with non-process MOC proposals, but are only as good as the original compilation of items on the list. Some hazards may be

Increasin

g A

pp

lication

Major Accident Risk Studies

Quantitative Risk Assessments

Hazard Identification (HAZID)

Layer of Protection Analysis

Hazard and Operability Studies (HAZOP)

What-if Checklist

Task Risk Assessment

Risk Matrix

Facility Siting Study

Incr

easi

ng

Det

ail In

creasing

Ap

plicatio

n

Major Accident Risk Studies

Quantitative Risk Assessments

Hazard Identification (HAZID)

Layer of Protection Analysis

Hazard and Operability Studies (HAZOP)

What-if Checklist

Task Risk Assessment

Risk Matrix

Facility Siting Study

Incr

easi

ng

Det

ail

Figure E3.1 Hazard Evaluation and Risk Assessment Methodologies


29

missed. What-If studies are also used sometimes to address MOC or other ‘lower risk’ activities, and are a form of structured brainstorming. They usually involve a team approach and are more flexible than checklists. Any PHA methodology used should risk rank the hazards using the risk matrix described in Table E3.1. 3.4.4 HAZOP Hazard and Operability Studies (HAZOP) are used to identify hazards and evaluate the effectiveness of safeguards in process designs. Process designs, whether a new project or MOC, should be evaluated using the HAZOP technique as described in ETP GP 48-02. A multi-discipline team steps through each P&ID, equipment by equipment, line by line, addressing a comprehensive series of deviations from the design intent, e.g., more flow, no flow, reverse flow, etc. Most HAZOP teams also use a checklist to evaluate other considerations such as maintainability, human factors and start-up/shutdown. 3.4.5 LOPA Layer of Protection Analysis (LOPA) is a technique that can be used to evaluate the effectiveness and independence of safety measures, especially protective systems. LOPA may be used to assist in the determination of Safety Integrity Levels (SIL), and may also be combined with HAZOP to evaluate the reliability of the safeguards identified in the HAZOP. ETPs GP 30-76 and 48-03 provide more information on LOPA. 3.4.6 FMEA Failure Modes and Effects Analysis employs a structured evaluation of individual components to asses the effects of their failures on systems or sub-systems. The emphasis is on the hardware aspects of a system, how it can fail, and the effects of each specific failure mode. FMEA is a qualitative, inductive, team approach that is easy

Risk Matrices

Risk matrices, based upon Boston Squares of likelihood versus consequence, are often used as a semi-quantitative tool for risk ranking a range of hazards from occupational to major accidents. This technique is used to rank the findings or hazards found in other evaluations such as HAZOPs or PHSSERs. In such studies, the consequences are usually well understood and predictable: the treatment of probabilities is often more subjective and open to interpretation. Over the years a multitude of variations has been developed, but recent drives to standardize the approach have produced the risk matrix, Figure E3.2, in the HAZOP GP 48-02 used throughout the BUs. The major hazard risk matrix, Figure E3.3, previously used by many BUs in preparing their hazard registers, is actually an extension of the HAZOP matrix. The two matrices are consistent and overlap, as shown in Figure E3.4. The major hazard risk matrix is more appropriate for the less frequent but more severe events, while the HAZOP risk matrix is more appropriate for the more frequent, less severe events.

Table E3.1 Description of Risk Matrices


30

to apply even to complex systems such as electrical or hydraulic systems. It is especially useful if performed prior to a quantitative frequency evaluation such as a fault tree analysis. 3.4.7 Facility Siting Facility siting studies are used to evaluate the layout and location of occupied buildings with respect to potential hazards. These studies consider fires, explosions and toxics, as well as the availability of shelter, muster points, and escape routes. See GP 04-30 for more guidance on blast loading of buildings and GP EP 04-30 for guidance on occupied temporary buildings for onshore and offshore facilities. 3.4.8 QRA Quantitative Risk Analysis (QRA) is the most complex and detailed form of risk assessment. Risk quantification is particularly useful in addressing major accident risks where past experience by itself is inadequate to provide the appropriate level of assurance. It also helps to identify priority areas for attention, and enables consistent decisions to be taken on risk mitigation across multiple assets. QRA involves the quantification of both likelihood of occurrence and the consequences of certain hazardous or unwanted outcomes. The likelihood is determined from historical databases or synthesised from fault trees of smaller, more common events that lead to the outcome. The impact or consequences are determined by various modelling approaches, e.g., calculating the dispersion of flammable and toxic vapors, thermal radiation from fires, and blast overpressure from explosions. QRA can require significant resources (manpower, time and cost) to analyse risks. In general, BP projects and operations will not have or need the resources to analyse every risk using QRA. It is a technique that should be used selectively when reliable decisions cannot be made using other simpler risk assessment techniques. 3.4.9 Major Accident Risk BP Operations and Major Projects shall assess their risks using the Group Major Accident Risk (MAR) Process (ETP GP 48-50). The objective of the MAR process is to facilitate identification of major accident hazards, and provide a coarse assessment of risk, which is used to prioritize areas for remedial measures and/or further assessment. It also supports the program of continuous risk reduction within the BU/SPU. As such, MAR is a simplified form of QRA, and uses a purpose-built tool (MAR Calculator) to streamline the analysis. Details of the MAR process are provided in Table E3.2. 3.5 Safety Critical Equipment The information generated from the hazard evaluations and the major hazards register shall be used to identify SCE. Equipment that has the greatest influence on the safety of people, environment and integrity of plant shall be recorded in appropriate registers that also document relevant performance standards. The registers shall include items of permanent, temporary and portable equipment as appropriate.


31

The objective of SCE is to identify the subset of equipment that is most critical to the management of major accident hazards. These are the equipment items that prevent, control and mitigate major hazards, and therefore are required to have a high reliability and availability before and during an incident. Much of this SCE will require planned inspection, testing and maintenance to confirm the reliability and calibration to function on demand in accordance with applicable performance standards. In general, fixed (static) hydrocarbon containing equipment is not considered SCE unless there is a reasonable expectation that the equipment might fail e.g. loss of wall thickness due to corrosion. The designation of SCE allows management to optimize inspection, testing and maintenance resources to manage major accident risks. As such, the SCE should typically represent ~20% of the equipment items on the Master Equipment List (MEL). Although this percentage is not mandated, significantly higher percentages will likely result in a lack of focus on those items that require preferential attention. Elements 4, 5 and Appendix 3 provide additional guidance for determining SCE. 3.6 Documentation 3.6.1 Hazard Evaluation Reports Any report that resulted from a review of hazards, such as HAZOPs, should be maintained for the life of the facility and in accordance with BP’s Records Retention Program. 3.6.2 Safety Case In some BUs, a Safety Case may be a regulatory requirement. This Safety Case will record the major accident hazards and the systems in place for their control and management. This document must be maintained current and periodically revalidated, typically every 3 years or when there is a significant change to the facility. 3.6.3 Register of Major Hazards The output from major hazard identification and risk assessment studies shall be assembled into a register for easy reference. 3.6.4 Register of SCE A register of SCE shall be assembled from the information generated by hazard evaluations and risk assessments. 3.7 Performance Management BUs/PUs shall set appropriate performance indicators to provide assurance that hazard evaluation activities are being adequately managed. Recommendations are: KPIs

• Number of HAZIDs overdue from schedule

• Percent of assets/sites within a BU with up to date hazard registers in place

• Timely resolution of action items from hazard evaluations


32

• Revalidation of hazard evaluations Assurance The Engineering Authority or Integrity Team Leader should complete an annual review of the BUs hazard evaluation, including an overall assessment of IM Standard conformance. 3.8 References Referenced in the text above:

ETP GP 04-30 Design of Buildings Subject to Blast Loading ETP GP RM 04-30 Design and Location of Onshore Portable Buildings ETP GP EP 04-30 Design and Location of Occupied Temporary Buildings –

Onshore and Offshore Facilities ETP GP 24-01 Inherently Safer Design ETP GP 30-76 Safety Instrumented Systems – Process Requirements

Specification ETP GP 48-02 Hazard and Operability Study (HAZOP) ETP GP 48-03 Layer of Protection Analysis ETP GP 48-01 PHSSER – Projects HSSE Review ETP GP 48-50 Major Accident Risk Process

Additional information:

Key HSE Process 3 http://gbc.bpweb.bp.com/hse/policy/hseright99/append/app3.htm

BP Inherently Safer Design Guidelines for New Projects and Developments: Report Number D/UTG/117/02, Integrated Draft 1, Issued by UTG Operations Excellence, 25-6-2002 http://projects.bpweb.bp.com/hse/jobaids/Inherent%20Safer%20Design%20Guidelines.doc

BP Upstream Process Safety Management Program http://psm.bpweb.bp.com

HSE for Projects http://projects.bpweb.bp.com/hse/index.htm

Methodology for Rapid Concept Risk Assessment http://projects.bpweb.bp.com/hse/plan/safetydesign_risk.doc

BP HAZID Guidelines http://projects.bpweb.bp.com/hse/plan/safetydesign_hazid.doc

BP HAZOP Guidelines http://projects.bpweb.bp.com/hse/plan/safetydesign_hazop.doc

CCPS Guidelines for PHA Revalidation CCPS Guidelines for Quantified Risk Assessment API RP 752 Management Of Hazards Associated With Location Of Process Plant

Buildings UK Safety Management System Documents

http://uksms.bpweb.bp.com/SMS_Live/index.cfm Specifically: UKCS-TS-014 Best Practice QRA

UKCS-TS-015 HSE Risk Analysis Standard


33

MAR Process

The MAR process involves,

• identifying a representative range of major accident events,

• quantifying the likelihood of those events (influenced by the engineering design of the facilities),

• quantifying the possible physical effects and assessing their consequences (influenced by the location of the people),

• presenting the results as Societal Risk (f-N curve) for comparison against a BP Group Reporting Line, and

• evaluating options to mitigate the likelihood and/or consequences of the events considered.

Irrespective of the level of the risks, a process of continuous risk reduction will be applied to the calculated risks. If the f-N curve, or part of it, falls above the Group Reporting Line, the risks need to be reported to senior management. The risks and an accompanying mitigating action plan shall be reported to the subsequent Group Chief Executive’s Meeting. For activities below the Group Reporting Line, the process of continuous risk reduction will be managed at the Segment level. The MAR Methodology and Rule Set is documented in Annex A of ETP GP 48-50, and includes the following steps:

1) Divide the facility into discrete areas having similar risk of hypothetical major accident.

2) Define hypothetical events for each area, which by definition are the higher consequence, lower frequency events.

3) For each hypothetical event, estimate the event likelihood and consequence that are used as input data to the “MAR Calculator” software.

4) Generate the f-N pairs (frequency-consequence) or f-E pairs (frequency-environmental) using the “MAR Calculator”. The software also generates the f-N or f-E curves and risk ranking of events.

Training classes are available to raise awareness of the MAR Process. A one day class provides an overview for managers and team leaders, while a two day class for practitioners covers use of the MAR Calculator tool. Further information on these classes is available from BP’s virtual training assistant (VTA) at:

https://www2.virtualtrainingassistant.com/BPGlobal/ Recognizing that even trained practitioners will require additional support to be able to perform detailed MAR calculations and achieve reproducible results, a core team of experienced risk analysts will be provided to support BUs and projects conducting MAR assessments. Further information on MAR support is available from EPTG Integrity Management (Houston and Sunbury).

Table E3.2 MAR Process Details


34

Figure E3.2 Process Hazard Analysis Risk Matrix

Unlikely to occur here or elsewhere

Unlikely to occur here but has

occurred in similar facilities

Possibility of occurring during lifetime of this

facility

Possibility of repeated events in the lifetime of the

facility

Common occurrence at this

facility

Health and Safety - Onsite

Health and Safety - Offsite Environmental Impact Business Impact Reputation Severity Level

1/10,000 yrs. to 1/1,000 yrs.

1/1,000 yrs. to 1/100 yrs.

1/100 yrs. to 1/10 yrs. 1/10 yrs. to 1/yr. >1/yr

Multiple onsite fatalities

Single fatality or multiple disabling injuries Long term damage >$10 million National media coverage. A

Medium High High High High

Single fatality

Disabling injury to one person or multiple short term health effects

Uncontained release, short term damage

$1 million to $10 million Regional media coverage. B


Single disabling injury or multiple serious injuries.

Multiple serious injuries or emergency care.

Release offsite with immediate remediation

$100,000 to $1 million

Local media coverage lasting more than 1 day C

CRR Medium High High High

Multiple first aid injuries

Emergency response and some minor health impacts Onsite contained release $10,000 to $100,000 Local media coverage day of incident D

CRR CRR Medium High High

Single first aid injury No offsite impacts No impact <$10,000 No community notification E

CRR CRR CRR Medium High

Frequency Band


35

Figure E3.3 Major Accident Risk Matrix


36

Figure E3.4 MAR and PHA Risk Matrix Continuum

Health and Safety - BP Workers and

contractorsHealth and Safety -

3rd Parties Environmental Impact Financial Loss Reputation Severity Level1

(<10-6 / yr)2

(10-6 to 10-5 / yr)3

(10-5 to 10-4 / yr)4

(10-4 to 10-3 / yr)5

(10-3 to 10-2 / yr) (10-2 to 10-1 / yr) (10-1 to 1/yr) >1/yr

>200 acute or chronic (actual or alleged) fatalities


>100,000 bbls of oil in sensitive coastal waters; >1,000,000 bbls of oil in other coastal waters (e.g. Exxon Valdez). Prolonged regional/global contamination (e.g. Chernobyl) >$10 billion

Global outrage, global brand damage and/or affecting international legislation.

A (IM) MEDIUM HIGH HIGH HIGH HIGH

>50 acute or chronic (actual or alleged) fatalities)


>10,000 bbls of oil in sensitive coastal waters. >100,000 bbls of oil in other coastal waters (e.g. Amoco Cadiz 1974). Short term damage at regional level (e.g. Sandoz warehouse fire). Prolonged contamination affecting extensive nature conservation or $1-10 billion

International media coverage. Regional outrage, for example North America, Europe. Regional brand damage. Likely to lead to change of regulations at regional level.

B (IM) MEDIUM MEDIUM HIGH HIGH HIGH

>10 acute or chronic (actual or alleged) fatalities)

1 or more acute or chronic (actual or alleged) fatalities. Multiple permanent injuries or irreversible health effects

>10,000 bbls Oil, >1,000 bbls oil in sensitive area, >100 Te of classified material (e.g. Alvenus 1984, Sea Prince 1995). Long Term damage affecting extensive area.

$100 million - $1 billion

Regional media coverage or severe national outrage. Threat of, or loss of license to operate for affected business/site. Likely to lead to change of regulations an National level.

C (IM) LOW MEDIUM MEDIUM HIGH HIGH

1 or more acute or chronic (actual or alleged) fatalities. Multiple permanent injuries or irreversible health effects.

Permanent injury or irreversible health effect affecting single person. Non permanent injuries or short term health effects affecting multiple people

Uncontained release of reportable quantity (e.g. >100 bbls oil, less if in sensitive location or >10 Te classified material). Extensive short term pollution/contamination. Prolonged pollution/contamination affecting limited area. <$100 million

National media attention or sever local outrage. Prosecution by regulator.

D (IM)A ( HAZOP) LOW LOW MEDIUM Medium High High High High

Single fatality

Disabling injury to one person or multiple short term health effects Uncontained release, short term damage

$1million to $10 million Regional media coverage. B (HAZOP)


Single disabling injury or multiple serious injuries.

Multiple serious injuries or emergency care.

Release offsite with immediate remediation

$100,000 to $1 million

Local media coverage lasting more than 1 day C (HAZOP)

CRR Medium High High High

Multiple first aid injuries

Emergency response and some minor health impacts Onsite contained release $10,000 to $100,000 Local media coverage day of incident D (HAZOP

CRR CRR Medium High High

Single first aid injury No offsite impacts No impact <$10,000 No community notification E (HAZOP)

CRR CRR CRR Medium High

Out of the bounds of either risk matrix

Out of the bounds of either risk matrix

Facilities and Process Integrity


38

Element 4 Facilities and Process Integrity Intent Element 4 confirms that materials, equipment and structures are fit for purpose, avoid loss of containment and maintain structural integrity throughout the lifecycle of the facility. The IM program establishes the safe operating limits for equipment and confirms operation within these limits. The IM program applies to all engineered equipment from well casing and tubing, through surface and sub-sea flow-lines, production and injection facilities, export systems, structures and lifting equipment.

Minimum Requirements 4.1 Documented lifecycle IM strategies and implementation programs shall be in place

and utilized for the major equipment types in the following equipment classes: • Drilling and Wells • Pipeline Systems • Pressure Systems • Structures and Lifting Equipment • Floating Systems • Temporary/Portable Equipment • Sub-sea Equipment • Electrical Systems • Rotating Equipment • Emergency Response Equipment

4.2 IM related data shall be identified and tracked, including: • Link with the output of the hazard evaluation and risk management • Safe operating limits for the facility/wells/structures • Design data and drawings from procurement, installation, commissioning and

MOCs • Results from the IM program

4.3 Major Projects and Drilling shall hand over to the Operating BU full life-cycle IM strategies and supporting implementation plans that conform with ETPs

4.1 Scope and Definition The objective of this Element is to confirm that materials, equipment and structures are fit for purpose, avoid loss of containment, and maintain structural integrity throughout the life-cycle of the facility, preventing incidents that result from failure of engineered equipment and systems The equipment types within the scope, whether BP owned or leased (contracted or rented), include, but are not limited to, those in Table E4.1. Equipment within this scope shall have an IM strategy which reflects the risk associated with its operation – the higher the risk the greater the rigor of the IM strategy and the robustness the implementation program. The integrity of a piece of equipment or facility is defined as the assurance of fitness for purpose throughout the equipment/facility life cycle by:

• Construction and Fabrication using appropriate materials, with satisfactory workmanship, in accordance with:

Regulatory requirements


39

Recognized industry codes and standards BP Group, Segment and/or Site Technical Practices

• Commissioning and Operation within the original design limits or those safe operating limits re-defined by MOC as the facility moves through its life-cycle

• Inspection, Maintenance and Repair to the original design or to fitness for service limits consistent with ETPs and/or STPs

4.2 Integrity Management Programs

Drilling and Well Pressure Systems Tubulars and casing Down-hole safety valves Drill rigs (including under contract) Well intervention equipment Christmas trees/well heads

Boilers and fired heaters Pressure vessels and heat exchangers Pipelines, piping, valves, loading buoys Closed drains Atmospheric vents Blow-down and flare systems Storage tanks

Structural Rotating Equipment Support structures Foundations Lifting equipment Access/egress structures Fire and blast walls Fixed and floating offshore structures Well conductors

Pump casings and seals Compressor casings Turbines Down hole pumps

Pipeline Systems Floating Systems Pipelines and attachments Liquid traps and dead-legs Pig launchers and receivers Flow lines and gathering systems

Hulls Ballast equipment Moorings Station-keeping equipment

Temporary/Portable Equipment Sub-sea Equipment Generators Compressors Pressure system equipment Pressurized hoses Electrical Tools

Risers and jumpers Controls and umbilicals Manifolds Connectors

Electrical Systems Emergency Response Equipment Class 1/Div I and II/EX Equipment Uninterruptible power supplies Emergency lighting systems, navaids Power generation equipment High and low voltage motors Variable frequency drives Motor control centers Switchgear

Life boats and rafts Fire fighting equipment and systems

Table E4.1 Facilities and Process Integrity Equipment List


40

Facilities and Process Integrity is managed through the implementation of an IM Program, an overview of which is shown in Figure E4.1 and described below. The main features of the IM program are: 4.2.1 Strategy The strategy should be based on BU/PU HSE, reservoir, operational, regulatory and business requirements, industry standards and BP ETPs, and be developed to deliver fit for purpose equipment over the full life-cycle of the asset. The strategy identifies the operational risk reduction requirements for the equipment and the mitigation, monitoring and inspection programs necessary to deliver the required risk reduction. The strategy details the specific program objectives and the targets which have to be met in order to deliver equipment integrity and continuous risk reduction. The strategy should also identify the single points of accountability and responsibility for delivering the steps in the program. 4.2.2 Program Planning and Scheduling The implementation plan includes the manpower, facilities, equipment and financial resources, required to implement the strategy. 4.2.3 Program Execution The execution of the plan according to schedule requiring coordination and cooperation between the IM, Operations and Maintenance Teams. The responsibilities for and expectations of each of these teams should be clearly defined as part of the strategy. The assignment of responsibilities should include the interface between teams and the transfer of data/information across organizational boundaries. 4.2.4 Performance Measurement Continuous improvement requires the measurement and gathering of data for each of the performance metrics for each step of the IM program. The performance data should be tracked and analyzed over time to provide both point-in-time evaluation and performance trends. The performance of the IM Program should be reported and reviewed on a regular basis as defined in Element 10 Performance Management and Learning.

4.2.5 Assessment and Corrective Action The size, absolute and relative, and the trend in any deviations between planned and actual performance should be reviewed and a corrective action plan developed. The scope of the corrective action plan should consider any special or mitigating circumstances and any existing corrective actions.


41

Integrity Management

ProgramImplementation

Program Planning andScheduling

PerformanceMeasurement

Assessment andCorrective Action

Integrity ManagementStrategy

ProgramExecution

Program Plan and Schedule

PerformanceMeasurement

Assessment andCorrective Action

Documentation and Data Management

Figure E4.1 Overview of the IM Program

4.2.6 Documentation and Data Underpinning the IM program is a documentation and data management system which should store the relevant information in a readily retrievable form (not archived) by the responsible discipline IM practitioner. Recommended documentation for Facilities and Process Integrity includes the following,

• BU major assets inventory – number of platforms/plant/operating sites • Up to date equipment registers, especially for SCE • Design data/drawings/manufacturing data/vendor inspection and maintenance

recommendations • Well files • Major electrical equipment – ESP, motor control center, power generation • Records of hazard identification, risk assessment methodology and results, and

risk mitigation strategy • Overall strategy documents: offshore/onshore structures, wells, pressure

systems, pipelines, storage tanks, etc. including repair standards • Derivation of equipment-specific inspection and maintenance plans and

performance standards, focused on the management of major hazards


42

• Inspection records, especially for static equipment items which might not be captured in the maintenance management system

• Maintenance and repair records • Inspection and maintenance data analysis, fitness-for-service and remaining life

evaluations • Corrosion management data and analysis

The documentation system should retain historical records to permit trending and comparison with BP Group and industry experience. 4.2.7 Summary In summary, an implemented IM program is required for all major groups of equipment that manages integrity over the full life-cycle from the design/project phase, through construction and operations to decommissioning. The IM program requires the setting of clear objectives / targets and regular performance assessment, with deviations from the expected outcomes being addressed through corrective action. 4.3 Integrity in Design and Build 4.3.1 Assurance of Integrity in Design and Manufacture The design of wells, facilities, structures and equipment is extensively covered in Company ETP, STP, industry codes and standards. Major Projects will use CVP to confirm that appropriate codes, standards, recommended practices and regulatory requirements have been considered for new equipment. Design standards should be selected from the recognized industry sources such as ISO, API, ASME and/or BP ETPs. The Major Project or BU EA shall approve the selection of the specific design standards, confirming their applicability addresses:

• The full life-cycle of the facilities from construction to decommissioning, taking account of potential future changes in production rates and fluid compositions, mechanical loading, etc.

• The achievement of inherently safer designs where practicable

• Compliance with regulations

• Continuous risk reduction through the application of performance management and continuous improvement methodologies

• Lessons learned from BUs/Major Projects and incident reports The BU or Major Project EA shall agree with the project team the requirements for integrity assurance for procured equipment and conformance with ETP 32-10 and its companion documents, ETP 32-11 to 32-17. The requirements should include:

• Approved vendor lists and / or methodology for approval

• Rules for equipment criticality rating assessment

• Linkage of criticality ratings to integrity assurance requirements including design verification, manufacturing verification checks, inspection and test plans during manufacture and controls to be applied during construction

• Involvement of third party inspection / certification bodies, or BU witnesses


43

• Management of change

• Documentation for handover to the BU At the Operate stage of CVP , Major Projects and Drilling shall provide to the BU the full life-cycle IM program and the associated equipment and resources, as appropriate, to implement the program. IM program documents shall conform with applicable ETPs and be consistent with the BU operating philosophy. 4.3.2 Integrity During Installation and Commissioning Projects and BUs should follow GP-32-20 to define the inspection and test activities for site fabrication, construction and commissioning of facilities. The BP Guidance on Certification, GOC, is an example of a system which satisfies the requirements of GP-32-20 and provides auditable documentary evidence of integrity assurance during the construction and commissioning stages of projects. Alternative systems proposed by contractors should provide the functionality defined in GP 32-20. 4.4 Operate Risk-based strategies for the management of Facilities and Process Integrity should be developed based on Company guidelines, as described below, or site-specific regulatory requirements: 4.4.1 Equipment Hazard Evaluation and Risk Assessment Equipment within the scope of this Element shall have a hazard evaluation and risk assessment completed to prioritize the development and scope of the IM program. The results of these studies shall be used to determine the level of sophistication required of the IM program. 4.4.2 Registers of Safety Critical Equipment SCE shall be identified in appropriate registers, including maintenance management systems, and assigned inspection and maintenance activities required to confirm ongoing fitness for purpose as defined by acceptance criteria/performance standards - see Element 3 and Appendix 3. 4.4.3 Derivation of Risk-Based IM Programs A wide range of proprietary and Company tools is available for the derivation of risk-based IM programs for all types of mechanical, electrical, instrument and structural equipment including drilling and wells equipment, fixed pressure systems (e.g. piping and vessels), pumps and compressors, onshore civil/structures and offshore floating and fixed platforms. In each case the risks of failure should be analyzed, taking account of,

• Current and future degradation mechanisms and rates. Some common mechanisms are listed in Table E4.2.

• The business and HSSE consequences of failure Outputs from these risk assessments should include:

• Operational actions to actively reduce predicted or observed rates of deterioration, e.g. corrosion inhibition injection and monitoring, sand control, stream velocity limits, scale and wax control, preventative maintenance practices


44

• Testing, inspection and condition monitoring programs and associated performance standards

• Maintenance regimes (predictive, preventive, time-based replacement, and run-to-failure)

Corrosion and erosion management will form a major component of the IM programs in many BUs, but the nature of the corrosion threats, and therefore the detection, control and monitoring techniques required, will vary. A corrosion management strategy for the BU should be developed and implemented, and a TA for this activity should be appointed. BP has significant resources in corrosion management and there is a large amount of advice available on the IM website. Categories of ETPs that should be used to derive risk-based IM plans for mechanical and structural equipment are shown in Table E4.3. along with typical activities and sources of additional guidance. Risk-based methods for in-service inspection and condition monitoring of equipment are likely to vary in complexity from simple and qualitative to more complex and semi-quantitative. Where large populations of the same equipment type exist (e.g., piping, pressure vessels, pipelines, offshore structures) risk-

Mechanism Common Causes

Internal corrosion CO2, H2S, and bacteria under deposits and at dead-legs

Internal erosion High velocity streams, pump cavitation, and entrained sand

External corrosion At pipe support crevices, at coating breakdown, and CUI

Loss of CP effectiveness

Anodes missing, excessive anode consumption, and/or shielding

Environmental cracking Amines, H2S, chloride ions, methanol, mercury

High Strength Materials

Cathodic protection systems and H2S on high strength steels

Fatigue Vibrational loading, wave motion, and vortex shedding

Mechanical overload Foundation settlement and loss of air gap on offshore structures

Chemical attack By production chemicals on non metallic materials

Third party interference Mechanical damage to pipelines: vessel impacts on marine structures

Elastomer degradation UV degradation, explosive decompression

Wear Loss of lubrication, shaft out-of-alignment

Thermal degradation Gaskets and seals in boilers and fired heaters

Internal arcing Loose electrical connection/water ingress

Overheating of electrical equipment

Mechanical/process overload, high contact resistance

Electrical insulation breakdown

Mechanical damage, over voltage, chemical attack

Table E4.2 Common Degradation Mechanisms


45

based tools should be used to not only derive IM plans but also set priorities and schedules, especially when backlogs exist. Particular attention is required for hydrocarbon piping systems since these usually comprise by far the largest pressure containment items and are responsible for typically 80% of leaks due to corrosion or cracking. Inspection plans for piping should pay particular attention to small diameter fittings, dead-legs and thermally insulated pipe-work, since the damage rates for these can be much faster than in the associated main piping runs. Loss of electrical integrity may result in electrocution, power loss, overheating, fires, and ignition sources. Risks associated with these events should be included within the BU IM plans. Each facility should develop and implement a hazardous/classified area electrical equipment inspection strategy and track, to closure, identified gaps as detailed in GP 12-60. Inspection and testing of electrical equipment located in such areas should be completed by qualified staff to confirm ongoing integrity for the life of the equipment. 4.5 Performance Management Mechanical, electrical and structural IM programs should have a number of checkpoints in the process to provide assurance and, if necessary, adjustments to deliver continuous improvement. The IM program will set objectives and KPIs. Regular reviews of performance against these objectives and KPIs should drive corrective actions and any appropriate changes in strategic objectives as the facilities age. KPI and strategic reviews have different objectives as described in Table 3.3. KPIs should be established for the ongoing assessment of the IM programs. The KPIs should include measures of the quantity of equipment in the program, the level of activity and progress against plans as well as measures demonstrating the results of the program. The results measures should comprise both leading and lagging indicators, e.g. a leading indicator would be corrosion rate and lagging indicator would be the number of corrosion-related repairs. Corrective actions should generally be in proportion to the deviation from target value in absolute or percentage terms. Typical KPIs might include: Mechanical Integrity

• Christmas tree and down hole safety valve failures as a percentage of the total valve stock

• Percentage of wells with known pressure anomalies that have on-going management strategy

• Percentage of identified topsides structural anomalies that have on-going management strategy

• Number of leaks • Total and overdue IM- related repairs to SCE • Percent IM repairs completed on time to SCE


46

• Number of temporary repairs to SCE beyond planned date • Planned maintenance versus total maintenance for SCE • Planned major structural inspection versus actual inspection

Electrical Integrity • Percent of critical defects on hazardous/classified electrical equipment • Number of insulation failures resulting in injury or equipment failure • Capacity test on UPS system within specification • Total and overdue inspections to SCE • Percent repairs completed on time to SCE • Inspections of main distribution system and switchgear versus plan

Corrosion Management • Corrosion inhibitor pump availability • Number of corrosion monitoring points above target corrosion rate • Percent cathodic protection in compliance with target potentials • Percent biocide treatments versus plan • Number of excursions of target oxygen levels on water injection systems • Export oil BS&W / gas dew point excursions • Operational pigging of pipelines versus plan • Glycol system pH within specification • Rich / lean amine compositions within targets

Inspection • Number of overdue SCE inspection work orders • Percent inspections completed versus plan for each equipment class • Percent of pipe-work covered by agreed inspection plans • Number of operational inspections of storage tank floating roofs versus plan • Number of smart pig runs versus plan

4.6 References ETPs and industry standards are available at http://technical_practices.bpweb.bp.com/. Most ETPs are related to design and construction requirements and are therefore mainly applicable to projects. ETPs that should be referenced for the development of the operational phase of equipment-specific IM programs are as follows:

ETP Category 06 Corrosion

GP 06-10 Corrosion and Protection Management Guidelines GP 06-14 Erosion and Erosion Control GP 06-36 Cathodic Protection: Maintenance and Monitoring GP 06-70 Corrosion Monitoring

Additional E&P Segment Corrosion ETPs will cover subjects including inhibition, offshore cathodic protection, and corrosion control in well operations.


47

ETP Category 12 Electrical

GP 12-60 Guidance on Practice for Hazardous Area Electrical Installations

ETP Category 32 Inspection and Testing

GP 32-10 to 17 Integrity Assurance for New Equipment in Manufacture GP 32-20 Inspection, Testing and Commissioning of New Plant GP 32-30 Inspection and Testing of Equipment In-Service: Management

Principles GP 32-40 In-Service Inspection and Testing: Common Requirements GP 32-41 In-Service Inspection: Pressure Vessels GP 32-42 In-Service Inspection: Piping Systems GP 32-43 In-Service Inspection: Rotating Machinery GP 32-44 In-Service Inspection: Above-Ground Atmospheric Storage Tanks GP 32-45 In-Service Inspection: Fired Heaters and Boilers GP 32-46 In-Service Inspection: Onshore Civils and Structures GP 32-47 In-Service Inspection: Mechanical Protective Devices GP 32-48 In-Service Inspection: Heat Exchangers GP 32-49 In-Service Inspection: Special and Other Equipment GP 32-50/51 In-Service Inspection and Testing: Electrical Equipment

ETP Category 43 Pipelines

GP 43-17 Guidance on Practice for Pipeline Risk Assessment GP 43-49 Guidance on Practice for Pipeline Integrity Management Systems GP 43-52 Guidance on Practice for Inspection and Defect Assessment of

Pipeline Systems GP 43-53 Guidance on Practice for Pipeline Intervention and Repair

ETP Category 65 Floating Structure

GP 65-02 IM Guidelines for Floating Production Systems

IM Guideline GPs are also planned for floating production system specific equipment including hulls, marine, offloading, station keeping and risers.

ETP Category 66 Offshore Structure

GP 66-00 Structural Integrity Management Philosophy GP 66-22 Project Requirements for Structural Integrity Management

Specification GP 66-60 Risk-based Underwater Inspection Guidelines GP 66-62 Underwater Platform Inspection Specification GP 66-64 Above-water Platform Inspection Specification


48

Drilling and Well Operations Policy

BP Drilling and Well Operations Policy, BPA-D-001 http://upstream.bpweb.bp.com/ut/home.asp?id=1828

ETPs for drilling equipment and well integrity management will be published in 2006.

Industry Standards

Industry Standard organizations whose publications relate to IM of facilities and process equipment include those listed below. Details of their specific publications will be referenced in the relevant ETPs.

ASME API EEMUA NBIC NACE


49

Equipment ETP Typical In-Service Activities Additional Guidance

Fixed offshore platforms

Category 66 series

Diving/ROV visual inspections, cathodic protection surveys, anode consumption, crack detection of welds, flooded member detection, measurements of marine growth, scour, and damage reporting.

API RP 2 series ISO 19902 UKCS-TI-007

Floating production systems

Category 65 series

Diving/ROV visual inspections, cathodic protection surveys, anode consumption, crack detection of welds, measurements of marine growth, anchoring/mooring/ballasting systems, and damage reporting.

API RP 2 series DNV Standards

Onshore civils and structures

GP 32-46 Visual inspections, sampling / coring, settlement, and level surveys.

Down-hole casing and tubing

Category 02 series

Pressure monitoring of tubing / annulus, leakage rate monitoring, caliper surveys, pressure testing, retrieval and inspection of components. Sand, scale, hydrate, and corrosion control.

BP Drilling and Well Operations Policy, BPA-D-001

Wellhead and Christmas trees

Category 80 series

Wellhead movement. Valve operation and leakage testing, valve greasing and maintenance: see also Section 4. Pressure gauge re-certification.

BP Drilling and Well Operations Policy, BPA-D-001

Drilling / well workover equipment

Category 10 series

Program for inspection, testing and certification of equipment. BP Drilling and Well Operations Policy, BPA-D-001

Process piping, pressure vessels, flexible hoses

GP 32-41/42/48/49

Visual inspections, thickness measurements, crack detection, NDE for CUI, pressure testing. Trending/interpretation of thickness data by software systems. Programs for small bore fittings, dead-legs, buried piping, hammerlock union assemblies. Internal corrosion control.

API RP 580 API 510/570/572/574/579

Rotating and reciprocating machinery,

GP 32-43

Performance monitoring (pressures, flows, temperatures, etc.), visual inspections, vibration monitoring, lube oil analysis, crack detection, thermography, pressure testing.

Boilers and fired heaters

GP 32-45 Performance monitoring, visual inspections, thickness measurements, crack detection, feed water quality controls, thermography, pressure testing

API RP 573


50

Table E4.3 Typical In-Service Activities and Associated ETPs for Mechanical and Structural IM

Transmission pipelines and risers

GP 43-52 Visual inspections, thickness readings, smart pigging, debris analysis, bacteria counts, cathodic protection surveys, pressure and leak testing.

Atmospheric and low pressure storage tanks

GP 32-44 Visual inspections, leak detection, settlement surveys, thickness measurements, cathodic protection surveys, hydrostatic testing.

API Std 653/12R1 EEMUA Publication 159

Lifting equipment GP 32-49 Visual inspections, crack detection, load testing, planned replacements.


51

Process Objective Typical Cycle

Max. Recommended

Interval KPI review

(monitoring) Review of output from the monitoring program that provides immediate feedback to an established mitigation program; e.g. the corrosion monitoring program shows corrosion rates greater than target and initiates an increase in corrosion inhibitor injection.

Weekly - Quarterly

Quarterly

KPI review (inspection)

Review of output from the inspection program that provides evidence of fitness-for-service; e.g. the inspection program shows wall thickness below or above wall thickness required for functional performance standard.

Quarterly Annual

Internal Strategic Review

Review the current mechanical, electrical and structural IM strategy to reflect any changes in the business plans plus the output from the monitoring / mitigation program

Annual 2 years

External Review

External review from outside the BU for opportunities/lessons learned which could improve the performance of existing IM programs, import / export of best practices, and to help highlight potential risks associated with ageing of the facilities.

Annual 3 years

3-Year IM Program

To record and track corrective actions required to achieve compliance with the IM Standard for mechanical, electrical and structural items, establish priorities, budgets

Annual Annual

Table E4.4 Recommended Integrity Management Program Reviews

Protective Systems


54

Element 5 Protective Systems Intent Element 5 requires that BP Operations have protective systems installed and maintained to provide protection to personnel and the environment for the full life-cycle of each facility. These protective systems and devices will be designed based upon hazard evaluations and risk assessments to prevent, detect, control or mitigate excursions beyond safe operating limits, to maintain primary containment or facilitate the escape and survival of people.

Minimum Requirements 5.1 Key data for protective systems and devices shall be identified, documented, and

kept current. 5.2 Protective systems and devices shall have:

• Defined roles based on hazard evaluations and risk assessments, and • Specifications for functionality, reliability and survivability

5.3 Safety instrumented functions (SIF) on new facilities, existing facilities and facility upgrades shall be classified using the SIL process. Alternatively, for existing facilities only, the SIL process or equivalent quantitative process shall be used on safety instrumented functions where the HAZOP (or other PHA) has categorized consequence severity as A or B (one or more onsite fatality, uncontained release causing environmental damage, or business impact over $1 million).

5.4 Protective systems and devices shall be function tested and/or inspected in accordance with STPs and SOPs, and maintained in good working order: • Test/inspection intervals shall be determined from their reliability specifications • Tests/inspections of SCE shall be carried out in the due month • Results shall be analyzed and test/inspection intervals adjusted as necessary to

confirm required reliability/integrity is achieved • Test/inspection programs shall be kept up to date

5.5 A written philosophy shall exist for alarms, shutdown and blowdown detailing design intent and linkage to hazards, risk mitigation and operating procedures.

5.6 A procedure shall be in place for control of over-rides/bypasses such that safe operation is assured. A register of overrides/bypasses shall be maintained and regularly reviewed by Operations management.

5.1 Definition and Scope In the context of the IM Standard, “protective systems” are those safety systems, devices and controls which are designed to prevent, detect, control or mitigate a major accident, or facilitate the escape and survival of people. The most critical of these items will fall within the definition of “Safety Critical Equipment” (See Appendix 3 which also includes a list of typical SCE). These systems and devices can be categorised into the hierarchy in Figure 5.1, as associated with a chain of events for accidents involving hydrocarbon loss of containment:


55

Protective systems and devices act as barriers or layers of protection preventing, with a high level of confidence, what may be a relatively frequent event or situation from becoming an undesired serious occurrence, as illustrated in Figure 5.2. The holes in the barriers represent the (low) probability that the barrier will not prevent escalation of the initial event or situation. The alignment of the holes represents the (very low) probability that all barriers are ineffective concurrently.

Protective instrumentation to sense potentially hazardous conditions and to provide either an alarm or a trip function to prevent hazard escalation

Devices to prevent equipment design limits being exceeded, especially pressure ratings

Event

Ignition prevention measures

Fire and gas detection and associated alarms and trips/interlocks

Emergency shutdown (ESD) and blowdown systems

Fire protection facilities

Evacuation and survival equipment

Figure 5.1 Protective Systems and Hierarchy


56

5.2 Design and Build Stages 5.2.1 Design Standards The role of protective systems is to reduce risks after efforts have been taken to develop an inherently safer design (ETP GP 24-03). Major Projects involving the design and installation of new protective systems should confirm appropriate design standards have been adequately considered and that a suitable philosophy has been adopted, acceptable to the asset’s TAs. For minor projects and modifications below the threshold value of CVP, the MOC process should be used, again authorised by the relevant TA. Relevant BP ETPs, which in turn invoke international and recognised industry standards, are listed in the key references in Section 5.6. Documentation requirements for both design / build and operate phases of the life cycle are addressed in Section 5.4. At some sites protective systems and devices may need to meet specific regulatory requirements. 5.2.2 Role and Specifications Minimum Requirement 5.2 requires the role and specifications for the functionality, reliability and survivability of each protective system and device to be defined. The role statement includes the condition it detects, the action it takes, and the hazard or consequences it prevents. The need for, and specification of, protective systems shall be linked to the hazard evaluation and risk assessment process (Element 3) even when they are required by industry standard or regulations. Minimum Requirement 5.5 requires a formal philosophy document to exist for alarms, shutdown and blowdown which details the design intent and the linkage to hazards, risk

Figure 5.2 Barrier or Layer of Protection Model

Initiating cause or situation

Undesired event


57

mitigation and operating procedures. This document should be available to and understood by relevant operations and maintenance personnel. Performance standards for protective systems have three elements with specifications for:

• functionality - what the protective system has to do • reliability – with what probability it needs to correctly function on demand • survivability - if it is necessary that the protective system survive an incident to

complete its protective function Functional Specification The functional specification typically includes:

• The parameter detected with set-point and tolerance, e.g. rising pressure at 23 barg ± 5%, 10kW fire size ± 20%

• The action to be taken to prevent the hazard or undesired event, e.g. isolate either valve XX or valve YY, and shut down pump A, relief valve goes fully open, extinguishant released into enclosure

• The time limit for the action to be completed, e.g. valves to close within 30 seconds

• Any additional functional requirements, e.g. valves to shut off to prevent flow exceeding a specified flow rate, temporary refuge doors to seal to defined tightness

The outcome during genuine demands or on periodic testing is either functional success meaning specification is met, or functional failure in which case remedial action will be required. Reliability Specification The reliability specification is usually stated as a probability to function correctly on demand. For safety instrumented functions it is expressed as a safety integrity level (SIL) corresponding to a decade range of probability of functioning correctly on demand as shown in Table E5.1. Minimum Requirement 5.3 requires the reliability specifications for safety instrumented functions to be classified using the SIL process. This considers the level of risk without the protective function, compares it with a target, and states the SIL, or probability of failure on demand, necessary to bring the residual risk below the target level. This process is defined in BP GP 30-76 which refers to GP 48-03 for the LOPA (Layer of Protection Analysis) method. It may be applied once to cover a group of situations with very similar hazards, equipment configurations, personnel deployment and environmental impacts. Such studies may identify that no safety instrumented functions are required where existing safeguards are sufficient to manage the risks. Minimum Requirement 5.3 allows an equivalent approach to SIL classification for existing operations only. This requires that the SIL process is applied to those safety instrumented functions where the HAZOP (or other PHA) has categorized consequence severity as A or B (one or more fatalities, uncontained release causing actual environmental damage, or business impact over $1 million). GP 48-02 describes the HAZOP methodology and defines consequence severity categories.


58

Minimum Requirement 5.3 allows an equivalent approach to the SIL process to be used for specifying reliability requirements for existing facilities. Equivalent processes should meet the following:

• Quantify the initial unmitigated risk (consequence severity times likelihood) • Take account of, in a quantified manner, other risk mitigation measures • Result in a quantified required reliability (expressed as probability of failure on

demand or SIL) of safety instrumented functions • Confirm that residual risk levels are consistent with BP corporate criteria on risk • Be documented.

With these alternative approaches it is not a requirement to carry out the SIL process on less critical safety instrumented functions. However, there may be business benefits in doing so as many sites have been able to safely extend testing intervals without increasing risk. This is not an option where testing intervals are specified in regulations. Survivability Specification Survivability specifications are only relevant to those protective devices and systems that need to survive an incident in order to fulfil their protective roles. Survivability may be defined as part of functional specifications. The requirement for survivability may apply to the following and should be identified during the hazard evaluation and risk assessment process - Element 3.

• Critical ESD valves where fire and blast protection needs to be specified

• Communications systems used in emergencies, e.g. public address and alarm systems, radio communication systems used by emergency teams

• Temporary refuge and safe havens, e.g. fire and blast protection

• Escape routes and means of personnel evacuation Guidance on design for survivability is included in GP 24-10, GP 24-23 and GP 24-24.

Safety Integrity

Level (SIL)

Probability of Failure on

Demand (PFD)

Probability of Functioning on

Demand

Risk Reduction Factor

0 or a 1-0.1 0-90% 1-10

1 0.1-0.01 90-99% 10-100

2 0.01-0.001 99-99.9% 100-1,000

3 0.001-0.0001 99.9-99.99% 1,000-10,000

4 0.0001-0.00001 99.99-99.999% 10,000-100,000

Table E5.1 Definitions of Safety Integrity Levels


59

5.2.3 Specific Design and Build Requirements Other points specific to particular protective systems for the design and build stage are:

• Overpressure protection systems should be designed in accordance with GP 44-70 and relief disposal systems in accordance with GP 44-80.

• Guidance on fire and blast structural loading and response is provided in GP 66-46.

• Safety instrumented systems and functions include HIPS (high integrity protection system), subsea HIPS/HIPPS, burner management systems, fire and gas detection systems, as well as process protection instrumentation. GP 30-80 provides guidance on the selection, architectures, and reliability analysis for safety instrumented systems. While API RP 14C is widely used for specifying protective systems including safety instrumented systems, and is a regulatory requirement in some jurisdictions, compliance does not necessarily meet the requirements of Element 5. This is because the API practice considers consequences only and not risk, which includes both consequence severity and likelihood. It is good practice to follow API RP 14C but also to apply the risk-based SIL process to determine reliability requirements which can mean that less frequent testing is sufficient in many cases but more onerous requirements may be necessary in some cases. This applies where it is permitted to deviate from API RP 14C.

• Fire and gas detection systems act to prevent or limit escalation after incidents occur. The SIL classification process is usually not the most appropriate method to define their reliability requirements due to the range of possible escalation scenarios. Reliability requirements may be defined in the risk assessment process (Element 3) or the approach detailed in GP 30-76 Annex F section F.5.2 may be used. Typical reliability of fire or gas being detected and confirmed, usually by 2 detectors, and the associated automatic action being taken are 85% to 95% but more stringent requirements may be necessary in some cases.

• Measures to prevent ignition include adherence to area classification standards for the safe use of fixed and portable electrical equipment and isolation of non-rated electrical equipment when flammable gas is detected in hazardous/classified areas.

• Assumptions on testing intervals used in reliability calculations should be formally communicated to operations and maintenance personnel.

• Protective systems and devices should be tested and/or inspected to confirm they meet their specifications before being brought into service. In most cases this will be before delivery from the vendor and again before or during commissioning. GP 32-20 and GP 30-90 provide guidance on installation and testing during site construction and commissioning.

5.3 Operate Stage 5.3.1 Need for Inspection and Testing Passive protective systems and devices e.g. flame arrestors, restriction orifices, control valves sized to limit relief flow rates, passive fire protection, thermal insulation of hot


60

surfaces, fire walls, lifeboats and other personnel escape and evacuation devices, and escape routes, shall be inspected at suitable intervals to confirm that they are available, correctly fitted, and in satisfactory condition to perform their protective role when required. Inspection intervals depend on degradation mechanisms and criticality. These intervals should be adjusted dependent on in-service inspection results. Defects affecting their functional performance should be rectified with minimum delay. Active protective systems and devices shall be inspected and function tested such that hidden failures are revealed and corrected. Examples of such systems are relief valves, critical check valves, safety instrumented functions, fire and gas detection systems, fire protection systems, electrical protection systems, communication systems required in emergencies, and escape craft. The probability of failure on demand of active protective systems is proportional to test intervals. This should be borne in mind when setting inspection and test intervals. The requirement to function test protective systems can at times be in conflict with maximizing production efficiency. Valves require full stroke testing and some critical valves require leak-testing. Electrical protection devices require functional testing of the switchgear. Sensors should be activated from the process connection, not by operating a micro-switch within the sensor. Design assumptions on test intervals appropriate to meet reliability specifications, whether from calculation or from vendor recommendations, should be followed until analysis of actual function test results shows that alternative test intervals are necessary or appropriate. Protective systems designated as SCE shall be tested/inspected in the designated month. In all cases, inspection and testing of protective systems must comply with applicable regulations. Guidance on inspection and testing of safety instrumented functions is given in GP 30-81, and for mechanical protective devices in GP 32-47; and for electrical devices in GP 32-50 and GP 32-51. 5.3.2 Analysis of Testing Results to Determine Reliability The following example illustrates how a specified reliability can be demonstrated. This example is for a medium complexity safety instrumented function but the principles apply to relief valves and other active protective systems and devices. There are four similar safety instrumented functions each comprising a pressure transmitter (or switch), logic in the shutdown system, and closure of two process isolation valves. All are SIL 1 functions/loops, meaning they need to achieve a probability of failure on demand in the range 0.01 to 0.1. They have been end-to-end tested every 6 months for 8 years. There are therefore 64 test results of which 59 were classified as operating correctly the first time they were tested and 5 were functional failures. The failures were rectified immediately or shortly afterwards. The ratio of functional failures to the total number of function tests is used as the probability of failure on demand which in this example is 5/64 = 0.078. This is in the SIL 1 range towards the higher end but is satisfactory. If the testing interval is increased from 6 months to 12 months the probability of failure would be expected to double to 0.156 which is outside the SIL 1 range. This is not acceptable. If the testing interval is reduced to 3 months the probability of failure would be expected to reduce to 0.039. However


61

such a reduction is not necessary and involves more effort. It is theoretically possible to extend testing intervals to 7 months but this is not recommended and would not fit with preferred scheduling of maintenance activities. Thus it is concluded that the current test regime is satisfactory. Where a protective system is made up of sub-systems, such as the transmitter input loop to the logic and the output loops from the logic to the valves, and these sub-systems are tested at different times or at different intervals, the probability of failure on demand (PFD) is assessed for each sub-system. The overall protective system or function’s PFD is the sum of the PFDs for the sub-system. If it is part of the functional specification that only one of the two output valves is required to close, then the PFD of the output sub-system is the conditional probability that one valve fails to close when the other valve also fails. This is PFD1 x PFD2 plus an allowance for common cause failure. For more complex situations, or when partial stroke testing of valves is used, expertise in reliability analysis should be sought. Note that this analysis requires a clear definition of functional success, as per the functional specification, and anything less than this is classified as a functional failure. Test results should be recorded in a manner which permits this analysis. Thus if both valves do not close to the specified leak tightness within the specified time, this is a functional failure. A relief valve lifting below its set-pressure is usually a nuisance (safe failure) but not a failure in its protective role of preventing overpressure (dangerous failure) though it could be a hazardous event dependent on the fluid and relief location. A relief valve lifting above the upper tolerance on its set-pressure would represent a functional failure. 5.3.3 Managing Shortfalls For existing sites, it is possible that the design or implementation of protective systems does not conform to ETPs. Examples of problems in older facilities have been:

• Lower reliability of protective instrumentation due to changes to more conservative Company or regulatory criteria for personnel safety or environmental protection

• Quality of isolations of pipelines from facilities

• Inadequate discrimination and/or insufficient electrical protection devices

• Absence of or insufficient blowdown capacity, whether manually or automatically initiated

• Non fail-safe actuators on emergency shutdown valves

• Insufficient or ineffective fire and gas detection devices and systems Where deviations are identified it will be necessary to assess the feasibility and value of selective upgrading. Alternative design or operational measures might be required as a practical way of meeting applicable risk criteria. STPs should address how such deviations will be managed as described in Section 6 of this Guide.


62

5.3.4 Specific Operate Phase Requirements The following requirements apply to specific systems in addition to the general requirements stated above.

• Fire and gas detection systems should be subject to periodic reviews, taking account of equipment location and actual air movements, to confirm that detectors are effective for the intended hazards. Portable detectors also require appropriate routine servicing and calibration. Further guidance is in GP 30-85.

• The performance of shutdown and blowdown systems during actual ESD and PSD (process shutdown) events may constitute valid test data provided it is recorded in an auditable manner. Any failure to operate on demand should trigger an incident investigation and remedial action that addresses the Root Causes of deficiencies.

• Guidance on alarm management that will assist in developing an alarm philosophy document is provided in GP 30-45. It is planned to develop a GP in category 44 on how to develop a control and shutdown philosophy.

• Protective devices in motor control centers and on electrical switching and distribution systems should be tested appropriately.

• Main and emergency power generation, distribution and associated support systems require a program of routine testing and maintenance to confirm full design functionality and reliability.

• Measures to prevent ignition of flammable materials are also protective systems. Such measures include controlling hot work and ensuring good maintenance practices to reduce the likelihood of hot surfaces and sparks from faulty equipment. Protective intrinsically safe barriers should be inspected to confirm full design functionality and reliability.

• Active fire protection systems such as pumped foam and firewater systems sprinklers and deluges, and other extinguishant systems require particular attention. Tests will often require measurements of pressures, flows and coverage. Detailed guidance is available in BP GP 24-10 (onshore) and GP 24-23 (offshore).

• Passive fire protection devices such as insulation, coatings, dikes/bunds and firewalls also require inspection and maintenance to confirm their design intent is not compromised by damage or deterioration. Particular attention should be paid to fire protection on ESD valves and actuators and their associated cabling and control tubing, particularly where it is required to confirm fail-safe operation. Detailed guidance is available in BP GP 24-10 (onshore) and GP 24-24 (offshore).

• Emergency response, evacuation and survival equipment, including breathing apparatus, life jackets, knotted ropes and lifebuoys, require routine inspections and/or scheduled replacements. Lifeboats/capsules and their associated davit launch systems require both routine maintenance and operational testing. Life rafts typically require routine inspections to confirm their integrity. Annual certification of these types of escape/survival crafts is commonly required by regulations.

• Communications equipment and systems used in emergency situations should be tested periodically. Portable equipment should be kept charged.


63

5.3.5 Control of Over-rides/Bypasses of Protective Systems All protective systems are expected to have high availability to perform their protective roles. When they are known to not be available to perform their protective functions, compensating measures should be in place to manage the risks. As stated in Minimum Requirement 5.6 operational facilities shall have procedures in place to authorise and control the non-availability or over-ride/bypass of protective systems and devices. These should be part of their MOC or Safe Systems of Work processes. Alternative means of maintaining safe operations shall be specified, such as temporary operating procedures commensurate with the risk reduction provided by the protective system, or revised safe operating limits. The cumulative effect of removals or over-rides/bypasses should be assessed and appropriate mitigation put in place to manage the additional risks. Particular attention should be paid to the time limits specified for temporary removals and overrides/bypasses. When time limits are exceeded this should trigger the MOC process. 5.4 Documentation of Protective Systems This sub-section provides guidance on how to meet Minimum Requirement 5.1. The philosophy for alarms, shutdown and blowdown shall detail the design intent and show linkages to the major accident risk process, and hazard evaluation and risk assessment. Key documentation shall be controlled, kept up to date, and accessible. Such documentation includes:

• Documentation for safety instrumented functions and systems, including HIPS/HIPPS as below. GP 30-80 provides further guidance.

1. Role statements 2. Functional specifications 3. Reliability specifications including SIL determination 4. Survivability specifications 5. Reliability analyses including reliability data sources and test

intervals 6. Piping & Instrument Diagrams 7. Cause and Effect charts 8. SAFE charts - Safety Analysis Function Evaluation charts for

safety systems designed to ISO 10418 or API RP 14C) 9. Alarm and trip set-points register

10. Alarm categorisation studies 11. Equipment technical manuals and instructions for installation,

operations and maintenance • For other protective systems and devices documentation as below. GP 32-

47 provides further guidance. Some of this information may be recorded in a “Register of Safety-Related Devices”.

1. Role statements 2. Basis for sizing 3. Functional specifications 4. Reliability specifications


64

5. Survivability specifications 6. Test / inspection intervals and any reliability analysis or other

justification 7. Equipment technical manuals and instructions for installation,

operations and maintenance • Test and inspection procedures for protective systems • Records of operational and periodic testing performance. These should be

recorded in the maintenance management system to the level of detail that permits identification of functional failures of individual devices. Recording should be in a form that facilitates data collection for reliability analysis.

5.5 Performance Management BUs/PUs shall set appropriate performance indicators to monitor and provide assurance that the ongoing integrity of protective systems is being adequately maintained. These KPIs might include:

• Number of overdue tests and inspections of SCE protective systems

• Number of overdue tests and inspections of non-SCE protective systems

• Number of shortfalls against functional specification for safety-critical protective systems during testing and actual demands in service

• Number of long term over-rides/bypasses in place

• Status of fire and gas detection systems testing and availability

• Status of hazardous/classified area electrical equipment inspections / tests / actions

5.6 References ETPs and Industry Standards available at http://etp.bpweb.bp.com

BP GP 12-03 Guidance on Practice for Power System Protection and Control BP GP 12-60 Guidance on Practice for Hazardous Area Electrical Installations BP GP 24-10 Fire Protection - Onshore BP GP 24-23 Offshore Active Fire Protection BP GP 24-24 Offshore Passive Fire Protection BP GP 30-45 Human Machine Interface BP GP 30-75 Safety Instrumented Systems – Management of the SIS Lifecycle BP GP 30-76 Safety Instrumented Systems – Process Requirements

Specification BP GP 30-80 Safety Instrumented Systems – Implementation of the Process

Requirements Specification BP GP 30-81 Safety Instrumented Systems – Operations and Maintenance BP GP 30-85 Fire and Gas Detection BP GP 30-90 Commissioning of Instrument and Control Systems BP GP 32-20 Guidance on Practice for Inspection, Testing and Commissioning of

New Plant BP GP 32-47 In Service Inspection and Testing of Mechanical Protective Devices BP GP 32-50/51 In Service Inspection and Testing: Electrical Equipment BP GP 44-70 Overpressure Protection Systems


65

BP GP 44-80 Relief Disposal Systems BP GP 48-02 Hazard and Operability Study (HAZOP) BP GP 48-03 Layer of Protection Analysis BP GP 66-46 Guidance on Fire and Blast Structural Loading and Response

IEC 60079 Part 17: Electrical Apparatus for Explosive Gas Atmospheres – Part

17: Inspection and Maintenance of Electrical Installations in Hazardous Areas (other than mines)

API RP 14C Recommended Practice for Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms, 7th edition

ISO 10418 Petroleum and Natural Gas Industries – Offshore production installations – Basic surface process safety systems, 2nd edition

IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

IEC 61511 Functional Safety: Safety Instrumented Systems for the Process Industry Sector (applies IEC 61508 to the process industries)

ANSI ISA S84.00.01 (IEC 61511) Application of Safety Instrumented Systems for the Process Industries

Practices and Procedures


68

Element 6 Practices and Procedures Intent Element 6 requires the establishment and verified application of engineering standards/practices, and site operating/maintenance procedures that are essential for the safe design, construction and operation of facilities.

Minimum Requirements 6.1 BP Operations and Major Projects shall adopt/develop and maintain Site Technical

Practices (STPs) consistent with Group and Segment ETPs. A register of STPs shall be maintained and approved by the accountable EA.

6.2 BP Operations shall develop and maintain Site Operating Procedures (SOPs) for operations and maintenance of facilities and wells. Operations Leadership shall be accountable for development, periodic review and updating of SOPs.

6.3 All approved practices and procedures shall be accessible, understood and adhered to by BP and contractor workforce and sub-contractors. Site Operations Leadership and EAs shall regularly verify conformance with practices and procedures.

6.4 All temporary or permanent deviations from ETPs, STPs and SOPs shall be subject to MOC and therefore risk assessed, documented in a register and approved by the EA for ETP/STPs or Operational Leadership for SOPs.

6.1 Technical Practices Hierarchy BP’s Management Framework defines the hierarchy of the Management Framework, Group Standards, ETPs and SOPs, and is shown in Figure O.1 and Figure E6.1. 6.2 Engineering Technical Practices. BP Group ETPs are generally based on worldwide applicable industry standards and cover the engineering design and construction subject areas that are common across the Segments. The document structure of the BP Group ETPs was created with flexibility to manage worldwide climatological, operational and local regulatory differences. The ETP system allows Segments to create supplements to the Group ETPs and allows more specific SPU, BU, site and/or project supplements. The ETP structure is illustrated in Figure E6.2. The Group ETPs may be found in the web based ETP Library and are categorized per the ETP index. The ETP Library and further ETP information may be found at the ETP web site: http://etp.bpweb.bp.com/ E&P Segment ETPs address engineering design and construction subjects unique to the Segment, e.g. wells, drilling equipment, and offshore structures. The main purpose of ETPs is to allow Operations and Major Projects to develop or update their Site Technical Practices to reflect current BP policies and recommended technology.


69

All BP Operations should submit learnings and changes of good practice to the ETPs using the ETP Shared Learning System (SLS) for validation. The ETP SLS can be accessed at http://etp.bpweb.bp.com/. Information on the SLS can be obtained at http://etp.bpweb.bp.com/sl_moreinfo.htm. 6.3 Site Technical Practices The IM Standard requires that the STPs for a site, Major Project, SPU or BU be consistent with the BP Group ETPs. This means that the requirements, denoted by “shall” or “must” in ETPs, are to be complied with.

External Industry Standards

Group ETPs

Segment ETPs

BU/Site/Project Supplement

Figure E6.2 Technical Practices Structure

Group IM Standard

MAR Process EAs and TAs Technical Practices Segment Guides

Group ETPs

E&P Segment ETPs

SPU STPs

BU STPs

SOPs

BP Management Framework

Group Standards

Figure E6.1 BP Management Framework/Technical Practices Hierarchy


70

When the STPs do not comply with the Group ETPs, the deviations and exemptions shall be risk assessed, approved and documented by the appropriate EA level (Segment, SPU, BU, or site), following the STP Control Procedure defined by the Segment EA. The IM Standard requires that ETPs relating to areas of significant risk exposure at the BP Operation shall be incorporated into the STPs within one year of their issue. All other ETPs shall be incorporated into the STPs within three years of issue. The IM Standard also requires that the STPs be updated as ETPs are updated. Revised ETPs shall be incorporated into the established set of STPs within one year of issue. The cost of maintaining and updating STPs based on existing heritage local specification sets may be such that the BU or site decides it is more economic to create supplements to the ETPs. Applicable industry standards should be used as the basis for STPs when no relevant ETPs exist. If no industry standard is available for the equipment or system to be installed, the STP should be developed using vendor requirements/recommendations and good engineering design practices, and be approved by the relevant TA and the EA All sites should have a STP Control Procedure (STPCP) approved by the Segment/SPU EA. The STPCP shall describe how the BU, site and project STPs will be developed, how exemptions to the Group ETPs will be justified and the frequency of STP review. The STPCP shall also describe how temporary deviations or exemptions to existing STPs shall be risk assessed, approved and managed, consistent with the site MOC procedure. 6.3.1 STP/SOP Development for Major Projects For new Major Projects, the project team and project EA will start with the BP Group and E&P Segment ETPs. The project team and EA will compare these ETPs against local regulations to determine additional project-specific requirements. Where considered necessary, the project-specific information will be used to create project supplements that will contain additions and / or proposed exemptions to ETPs. For green-field developments, the project team and EA will consider the use of supplements already created by their BU or by other relevant BUs or sites to be used as their supplements. For brown-field developments it is likely that project teams will adopt the existing STPs, unless there is an opportunity or need to be fully compliant with more current ETPs and newer technology. The local BU or project supplements should be submitted to the Segment or SPU EA for approval as project STPs following the STPCP. The Segment or SPU EA can consider requesting approval from the Group Director of Engineering on any major exemptions from ETPs proposed by the project. After handover to Operations, the project STPs will become the operational STPs for the site. Some Group ETPs may not require supplemental information so may become STPs.


71

For green-field projects, the embedded Operations Team will be accountable for the development of SOPs and confirming adequate training of the site Operations Team prior to commissioning and start-up. For brown-field projects, the project Team will work with the existing site Operations Team to confirm new or modified procedures and additional training are complete prior to commissioning and start-up. 6.3.2 Application of Existing STPs in Operations Existing STPs shall be reviewed against ETPs to determine whether revisions or updates are necessary. The EA shall identify STPs related to facilities where the probable result of equipment or structural failure or loss of containment would be a major accident. These STPs will normally be (but not limited to) those for SCE. Based upon a documented risk assessment, sites shall decide whether or not to update safety critical and other environmental or business critical equipment or systems to conform to the new requirements in ETPs. The EA shall confirm that any significant approved modifications are carried out in a timely manner, following the site MOC procedure. 6.4 Site Operating Procedures SOPs shall cover the following five aspects:

• Normal operations and safe operating limits

• Controlled start-up and shut down

• Preparation for maintenance

• Re-instatement after maintenance

• Control of emergency The scope of these SOPs shall include the following as appropriate,

• Drilling

• Well operations

• Production operations

• Well interventions

• Plant inspection, testing and maintenance SOPs shall be followed for normal operations and any deviation shall be risk assessed and approved by Operations Leadership. For routine tasks this process will normally take the form of a Task Risk Assessment generated by those doing the work (Performing Authority), subsequently reviewed and authorised by the facility owner or operator (Issuing Authority) and using the Site Permit To Work (PTW) system which shall comply with the Group Personal Safety Standard. For specialised non-routine tasks (e.g. complex isolations, heavy lifts, hot tapping) appropriate risk assessment tools will be required, normally involving relevant TAs so that a work plan including procedures and contingency measures can be devised that reduces the risk. Approval of site operations leadership and/or EA will be required for higher risk non-routine tasks.


72

Where applicable, a documented simultaneous operations (Sim-Ops) procedure shall be in place, detailing how hazards associated with simultaneous production, construction, wells, drilling, maintenance or diving operations, etc. will be managed. In the development of operating and maintenance procedures, particular attention should be paid to the following,

• Temporary operations

• Emergency shutdown, the conditions under which emergency shutdown is required and the assignment of shutdown responsibility to qualified operators to confirm that emergency shutdown is executed in a safe and timely manner

• Definition of operating limits, the consequences of deviation and steps required to correct or avoid deviation

• Operational surveillance of equipment, typically by daily or shift walkabouts and checklist inspections

• Shift handovers, which should be documented and auditable

• Safety systems and their functions, e.g. alarms and shutdown philosophy, facility blowdown, etc.

• Safety system bypass/override registers, which should be documented and reviewed by site Operations management on a regular basis – see Element 5

• Availability of operating and maintenance procedures to personnel who work in or maintain a process.

• Control of Work practices as described in the Group Personal Safety Standard

6.5 Documentation All BP Operations shall have a document management system that is designed to demonstrate that Minimum Requirements 6.1 to 6.4 are complied with for each site. The document management system shall be approved by site Operations leadership. The document management system shall provide an auditable trail of,

• Updates and modifications

• Deviations from ETPs, STPs or SOPs

• Approvals and review by EAs 6.6 Performance Management BUs and Major Projects shall confirm that adequate resources are provided to develop and maintain critical engineering and operational documentation, including STPs and SOPs. The following measures shall be incorporated as part of the IM Standard performance management system.

• A prioritized program for the development and updating of STPs, including the accountable TAs. This program shall form part of the EAs annual Engineering Plan.


73

• Annual certification by EAs that STPs are current and accurate, or that plans are in place to achieve this.

• Accountabilities have been assigned by Operations Leadership for the development and updating of SOPs.

• Annual certification by Operations Leadership that SOPs are up to date, accurate, accessible and being followed.

• A formal external audit of the site document management system should be carried out at least every 3 years to verify conformance with the Minimum Requirements of this Section.

6.7 References

BP Group Personal Safety Standard BP website for Engineering Technical Practices,

http://etp.bpweb.bp.com/ OSHA, Part 1910 Occupational Safety and Health Standards, 29 CFR §

1910.119, Process Safety Management of Highly Hazardous Chemicals.

Management of Change


76

Element 7 Management of Change Intent Element 7 requires that BP Operations maintain a Management of Change (MOC) system for temporary and permanent changes to technology, facilities, equipment, operations and organization to maintain continued integrity and safe operation.

Minimum Requirements 7.1 The SPU/BU shall develop and maintain a single MOC system that is applied to

temporary and permanent changes to technology, organizations, staffing levels, procedures, equipment, products, materials and substances. The MOC system shall include

• A clearly defined and documented procedure • Roles and responsibilities for each step in the MOC procedure • Review and approval of proposed changes by TA or an approved technical

reviewer 7.2 The MOC system shall include the following requirements:

• A risk assessment by relevant personnel of the proposed change • A process for the definition of measures required to manage identified risks • A specification of the timescale for the change • A review of the impact of the change on emergency response plans • An assessment of the need for a pre-start up safety review

7.3 The effectiveness of the MOC system shall be assured through processes that, • Confirm that changes accomplished their original intent • Confirm that individual changes were correctly executed • Confirm actions are closed out • Conduct annual audit of the MOC system by the EA or delegate

7.1 Scope of Application MOC shall, as a minimum, be applied to the following types of changes:

• Staffing levels and organizational changes • Roles and responsibilities • Process chemicals e.g. scale, corrosion, and wax inhibitors, and emulsion

breakers • Technology • Materials and equipment • Operating and maintenance procedures • Deferral of planned turnarounds and major maintenance activity • Process conditions beyond established operating and design limits • Testing and inspection procedures • Testing and inspection frequencies beyond the limits defined in the STPs • Protective systems including settings of mechanical devices, alarms, trips,

shutdown and blowdown systems


77

• Operating control philosophy, including the use of and changes to computer control systems

• Standards, ETPs, STPs and specifications • Projects • Engineering contracts and contractors • Equipment suppliers • Occupied buildings • Structural, marine and floating systems stability • Structural stability, weight gain and/or movement • Feedstocks • Emergency response plans • Cumulative impact of multiple changes

7.2 MOC System and Procedures MOC is a system to evaluate, authorize and document changes before they are made and confirm proper closure after the changes have been made. Its purpose is to establish the measures necessary to confirm that HSSE and operational risks arising from proposed temporary and permanent changes are managed to an appropriate level. It is also an important communication tool to inform people affected by change about what is being considered or what is going to occur. A formal written MOC procedure shall exist, applicable to temporary and permanent changes. It shall identify roles and responsibilities for the management and administration of the process and the final approving authority. The procedure shall confirm that the proposed changes are reviewed by the appropriate TA or designated technical reviewers. The EA is accountable to document the approved TA and technical reviewers for the BU/Project. Hazards shall be eliminated or reduced to an appropriate level of risk before the change is implemented. The rigor of individual MOC review shall be consistent with the level of risk created by the proposed changes. For Major Projects that are executed in or on behalf of the SPU/BU there is a preference to use the SPU/BU MOC system in order to provide consistency and continuity at handover of the Project to Operations. The use of one MOC system will also provide the SPU/BU with the ability to more easily review the Project’s design and execution and understand where exceptions to STPs or waivers to industry standards were approved by project management. The MOC procedure shall include assessment of the need for a pre-start up safety review after the change to confirm that the procedure has been correctly applied and the plant or equipment is safe to commission.


78

All MOC systems shall address the following issues as appropriate for each proposed change:

• Authority for approving changes

• Risk assessment of proposed modification

• Assure that modified plant and equipment are safe to commission

• Strategies to manage any organizational risks including manning levels

• Acquisition of required permits and regulatory approvals

• Definition of the scope and justification of the proposed change

• Documentation, including updates to drawings, data, and operating and

maintenance procedures

• Communication of potential consequences and required mitigation to staff

affected by the change

• Training requirements

• Evaluation whether the change will affect emergency response plans and

procedures

• Time limitations

• An assurance process to verify the MOC procedure is being properly applied Experience has shown that an assigned MOC coordinator/administrator on each major site or grouping of smaller sites improves system implementation and timeliness of close-out. TAs and other staff should identify and analyze the impact of ‘creeping’ operational changes, such as progressive increases in water content, H2S, solids loading, etc., against the safe operating limits defined during initial design or through approved modifications. Regular assessment of the operating envelope is regarded as prudent management and could be a regulatory requirement. If the safe operating limits are unclear, or they are being breached, MOC will be required to assess the risks and set new limits. Any potentially damaging effects of short-term changes in process conditions resulting from activities such as well commissioning and work-over activities will need to be assessed, e.g., acid or sand returns. Formal closure of a MOC should not be made until relevant documentation, especially P&IDs, cause-and-effect/SAFE charts, area classifications, and procedures, have been updated and made available to Operations. Superseded documents should be withdrawn from circulation. The use of “temporary” or “red-lined” drawings, etc., is recognized as an interim measure, but the focus should be on the issue of formal documentation. In a plant subject to continuing changes, the updating and controlled use of P&IDs can be a challenge. Best practice is to maintain P&IDs electronically for read-only access by users, rather than attempt to continually issue hard copy updates.


79

7.3 Temporary and Emergency MOC Temporary changes shall have a specified limited life span (e.g. <30, 60 or 90 days) and shall be approved using the MOC procedure. For emergency changes (e.g. required in <1 day) that cannot follow the normal MOC procedure, every effort should be made to seek appropriate technical review prior to making the change. After that change has been completed, the full MOC procedure should be completed, including additional risk assessment reflecting the completion of change actually made. 7.4 Consistency of MOC Procedures There are requirements for MOC procedures defined in a number of Group documents including

• Group Integrity Management Standard

• Getting HSSE Right (GHSSER)

• Golden Rules of Safety

• Control of Work Standard There shall be a single MOC procedure to meet these requirements with a designated single point of accountability. 7.5 EA and TA MOC Roles and Responsibilities The EA is responsible for:

• Confirming that engineering aspects of temporary and permanent changes are risk assessed and managed, and that changes are adequately documented.

• Confirming that the technical aspects of the change are reviewed by designated TAs and technical reviewers.

The EA and TA should provide input to MOCs and:

• Confirm MOCs are reviewed by relevant discipline specialists, confirming that existing safeguards are not degraded and that no staff and/or the surrounding environment will be exposed to unacceptable new hazards

• Specify mitigating engineering solutions to reduce risks to an appropriate level

• Provide input to the training of affected staff prior to start-up after the change Element 1 of this Guide and the EA Handbook provide additional guidance on the EA and TA roles. 7.6 Key Performance Indicators and Assurance The correct application of MOC systems shall be assessed and measured by indicators that monitor performance. For example: KPIs

• Number of MOCs not closed out on time (e.g. formal documentation updates

not completed 90 days past start-up)


80

Assurance

• Annual audit by the EA, or delegate, of the MOC system to confirm:

o The procedure is being applied correctly

o Risk assessments of appropriate rigor are being conducted

o The TAs and other technical reviewers are involved

o Temporary and permanent MOCs are closed out in a timely manner 7.7 References

• Golden Rules (Management of Change) http://hsse.bpweb.bp.com/safety/goldoen%20Rules

• Engineering Authority Handbook

http://eaweb.bpweb.bp.com

Emergency Response


82

Element 8 Emergency Response Intent In accordance with the BP Crisis Management Framework, Element 8 requires Business Segments and BP Operations to develop, maintain and practice crisis management and emergency response (CM&ER) plans that are based on the full range of identified hazards and risks, including those developed from the MAR Process.

Minimum Requirements 8.1 CM&ER plans shall be in place and reflect the identified hazards and risks including

those developed from the MAR process. The plans shall include: • Periodic review by the SPA IM to account for any changes in the identified

hazards and plant integrity. • A system to account for the whereabouts of personnel both within the

place of work and after an emergency evacuation, commensurate with the risk involved

• Facilities to provide initial shelter in the event of an incident and systems to remove people from the danager zone to a point of safety

• A regular schedule of drills based upon the major accident scenarios, with lessons documented, assessed and acted upon.

8.1 Definition and Scope It is essential the BUs/PUs can respond quickly to a reasonably foreseeable events. Robust CM&ER plans are required in accordance with BP Group Crisis Management and the plans set out with the following priorities:

Priority Consequence

Highest 1 People

2 Environment

3 Property

Lowest 4 Business

The plans shall be regularly reviewed and updated to reflect changes in the identified hazards, be fully understood by those likely to be impacted, and be regularly exercised and tested. 8.2 Design and Build BP’s expectations for emergency response are set out in Element 11 of GHSSER - Crisis and Emergency Management. BULs are accountable for ensuring plans and effective resources are in place throughout their organization to mobilize a response appropriate to the risk of the facility or organization. To assure the BUs can handle a ‘worst case’ incident, the concept of mutual support features strongly in the BP approach to crisis management through the establishment of strategically placed regional "emergency support centers". The Group Crisis Management Team in London


83

underpins the process and stewards the networks, which share good practice, help with drills and enable effective mutual aid through the regional support centers. It is expected that the BUs will utilize the support available from regional centers and Group Crisis Management to develop plans specific to their requirements. Response plans shall reflect the identified hazards, including those identified in the MAR process and shall be reviewed periodically to confirm they capture any changes in the risk and/or address any new hazards that are created during the operational life of the facility. IM programs will provide valuable input to response plan development. For example:

• An output of the Hazard Evaluation, Element 3, will be a register of major hazards, a primary source of information required for formulating CM&ER plans.

• Facilities and Process Integrity, Element 4, will identify and report any major deterioration of the plant and indicate any increased likelihood for an incident which might require changes to existing CM&ER plans or development of new plans to respond to new or larger risks.

• Protective Systems, Element 5, primarily contribute to preventing, detecting, controlling or mitigating a major accident, or ensuring the escape and survival of people. CM&ER plans will probably take account of the contribution of protective systems assuming they will function on demand. Proven reliability/availability of the protective systems should therefore feedback into the ER plans.

• The MOC, Element 7, will record any major changes to the operating facility. An output of the process could be to highlight any issues that might impact the existing CM&ER plans.

Individuals responsible for IM shall confirm this information is available to those who formulate the CM&ER plans and that they are made aware of significant changes in the integrity, availability or under-performance of equipment that is critical to the successful implementation of any of the plans. Additionally, the potential for a cumulative or ‘domino’ escalation of events should not be overlooked. 8.3 Operate CM&ER plans shall specify areas of responsibilities for members of the response team e.g. in the form of an organization chart. This documentation should be maintained and updated to reflect the current organization for the BU. This reinforces the importance for an MOC on personnel changes. CM&ER plans shall include requirements for periodic testing of the plan and procedures. This shall include a variety of types of drills and exercises, including those addressing major accident scenarios. Documentation from the drills shall include lessons learned and recommendations to improve the ER plans and future activities.


84

ER equipment will normally be designated as SCE and, as such, shall be subject to planned inspection, testing and maintenance. Any failures discovered during testing or inspection should be communicated immediately and alternate or temporary plans established. These may include higher dependence on mutual aid or reduced operations until response equipment can be repaired or replaced. 8.4 Documentation CM&ER plans shall be available to personnel affected by the potential incident. This documentation shall include,

• Roles and responsibilities

• Contact numbers for different types of crises or emergencies

• Considerations for communication with external parties, including the media

• Methods to account for all personnel, including contractors

• Any tools or forms expected to be used during the response

• Discussion of when to contact BP Group Crisis Management in London for support.

8.5 Performance Management Sites shall set appropriate performance measures to assure CM&ER plans address the major hazards identified by the IM strategy and that any significant deterioration in integrity can be handled by the plans. KPIs might include:

• Completion of formal periodic reviews of the CM&ER plans, reviewed and signed off by the relevant IM TAs.

• Appropriate numbers of drills that coordinate with mutual aid. 8.6 References

Group Crisis Management website: http://hse.bpweb.bp.com/crisis/ Getting HSSE Right, Element 11. EPT Website: http://upstream.bpweb.bp.com/EPT/home.asp UKCS SMS - Crisis Management-

http://uksms.bpweb.bp.com/SMS_Live/index.cfm

Incident Investigation and Learning


86

Element 9 Incident Investigation and Learning Intent Element 9 requires sites to investigate their significant IM incidents including Major Incidents (MIs) and High Potential Incidents (HIPOs), uncontrolled releases, unexpected failures of materials, equipment or structures, accelerated rates of damage, and excursions beyond safe design limits. The investigations shall identify and recommend actions to prevent recurrence and communicate the findings so others may learn.

Minimum Requirements 9.1 • IM incidents shall be classified, in terms of both their severity and whether

they are IM-related, in accordance with the IM Matrix Guidelines • MIs, HIPOs and incidents of operation beyond design limits shall be

recorded in Tr@action, formally reported, investigated by root cause methodology, documented, actions assigned and followed-up to completion

• 'Lower severity' IM incidents and events shall be reported to the individual(s) identified by the SPA-IM for review, action and tracking, as well as to the EA and appropriate TAs.

9.2 After an IM incident, • A pre-start up safety review shall be conducted to assure people, plant and

process are ‘fit for purpose’ • Lessons learned from MIs and HIPOs shall be shared internally and

externally 9.3 EA and SPA-IM shall assure implementation of lessons learned. 9.1 Definition and Scope An integrity-related incident or near miss can be an indication that the management system for integrity is inadequate, is not being followed, or has failed. Every instance of unexpected equipment failure, damage or operational upsets and excursions beyond design limits represents an opportunity to learn about the integrity of plant, structures and systems. In many cases this will be equally true for incidents that have occurred elsewhere in BP and beyond. The IM Standard requires that MIs, HIPOs and operational excursions beyond design limits be formally investigated and reported. For IM-related MIs and HIPOs a formal incident investigation shall be initiated as soon as possible and not later than 48 hours after the incident. Definitions for these events are provided below. An incident’s classification as being “integrity-related” may require review of the incident with HSE leadership as well as the integrity functional leadership and the Operations Head of Discipline. There are clear expectations for determining the Root Causes of MIs and HIPOs, developing action plans to prevent recurrence, tracking the progress of these actions, and communicating lessons learned throughout the BU and the rest of the E&P organization.


87

9.2 Major Incidents An incident, including a security incident, resulting in any of the following:

• a fatality associated with BP Operations

• multiple serious injuries

• significant adverse reaction from authorities, media, NGOs or the general public

• cost of accidental damage exceeding US $500,000

• oil spill of more than 100 barrels, or less if at a sensitive location

• release of more than ten tonnes of a classified chemical Major Incidents are required to be investigated in accordance with BP Safety and Operations Policy. 9.3 High Potential Incidents A High Potential incident is defined as an incident or near miss, including a security incident, where the most serious probable outcome is a Major Incident. This should include incidents of un-ignited gas releases that result in concentrations above the LEL. HIPOs are required to be investigated in accordance with BP Safety and Operations Policy. 9.4 Operational Excursions Beyond Design Limits Incidents where all protective devices and operational controls have failed and one or more design limits of equipment have been exceeded, e.g., for internal or external pressures, temperatures, flow velocities or structural loadings. Such incidents require formal investigation irrespective of the severity of the excursion or whether there is any immediate consequence. 9.5 Investigation of Lower Severity IM Incidents Although not mandatory in BP to formally investigate and learn from ‘lower severity’ events or incidents in the same way as MIs and HIPOs, a formal system to record and analyse this information can be used to identify trends and patterns that can enhance IM programs and may prevent higher severity events. It is recommended that BUs and PUs approach the collation of such data in the same way that has been used successfully for occupational safety. Figure E9.1 represents a ‘hierarchical’ pyramid relating minor to major incidents. Techniques that have been applied to manage the data from lower severity IM-related failures and near misses to provide valuable guidance to IM programs include:

• A formalized process for capturing the information.

• Reporting incidents and failures to the relevant TA or EA who decides the appropriate degree of investigation.

• Identification of corrective actions, resourcing and tracking


88

A reporting and investigation procedure is required for the following types of incidents:

• Small leaks of hazardous materials during operations or un-anticipated release during maintenance that have been assessed by the Process Safety TA as non-HIPO events

• Lifting of relief valves or operation of other over-pressure protection devices

• Failure on demand in service of any protective device or system classified as safety critical equipment

• In-service structural failure or damage that compromises integrity.

• Failure of lifting equipment.

• Detection of unanticipated forms or rates of equipment damage during planned inspection and maintenance

• Failure of emergency response equipment that occurs during a drill, an actual emergency or spill / release.

Information derived from failure or incident investigations should be used to modify IM programs to prevent recurrence. It is recognized that effective reporting and investigation of lower-severity events requires resource. However, the potential benefits are considered worthy of this effort. BUs are therefore encouraged to provide adequate and possibly dedicated resource for the investigation of IM-related incidents of all severities. This includes sharing and application of lessons learned from other BP sites and from external sources.

Figure E9.1 The IM Incident Pyramid

1Major

IncidentIn

crea

sin

g S

ever

ity 10

High PotentialIncidents

300In-service failures

(not currently captured)

600Incidents – no visible damage

(not currently captured)

Lear

nin

g/P

reve

nti

on

Op

po

rtu

nit

y


89

Incident investigations for lower severity events should be led by people with the appropriate competencies, e.g., the relevant TAs when equipment has failed in service. Multi-discipline teams are generally encouraged, especially for the more severe events. In all cases, the draft investigation report and recommendations should be reviewed by the relevant TAs and EA who should consider whether the investigation to date has been adequately thorough, and whether the Root Causes have been identified with appropriate recommendations to prevent recurrence. Incident investigation teams should have at least one individual trained in root cause methodology. 9.6 Immediate and Root Causes of IM Incidents Immediate Causes for IM-related failures of equipment can often be identified as being one or a combination of the following:

• Inadequate design

• Manufacturing/installation defects

• Operation beyond design

• Corrosion/erosion

• Fatigue or environmental cracking

• Brittle fracture

• Internal deposition/fouling Root Causes of IM incidents can often be associated with non-conformance with one or more of the Elements of the Standard, most frequently:

• Competency e.g., failure to understand and follow approved procedures

• Management of change e.g., failure to apply the site MOC procedure

• Accountabilities e.g., failure to assign requisite responsibilities for specific IM tasks

• Incident investigation and learning e.g., failure to investigate and act on a similar prior event

• Hazard evaluation and risk management e.g., failure to identify potential hazards and manage the associated risks

9.7 Commissioning of Equipment After Incidents 9.7.1 Major Projects Equipment failures that occur during project construction and pre- commissioning may warrant formal investigation to identify Root Causes and to determine the potential implications for the integrity of the affected and other equipment. Major equipment items that require repair following the detection of unacceptable defects or failure during testing shall be confirmed by the relevant TA as being fit for purpose. Appropriate records of repairs shall be included in the project handover documentation, including any recommendations for in-service inspection, monitoring or operating practices. Modifications designed to prevent recurrence of equipment failure shall be approved in accordance with the site MOC procedure.


90

9.7.2 Operations IM-related incidents in operations are often associated with equipment failures. Repairs or replacements for failed equipment shall be confirmed by the relevant TA as being fit for purpose, prior to returning to service, through a pre-start up safety review. Any equipment modifications designed to prevent recurrence shall be approved in accordance with the site MOC procedure. 9.8 Learning Lessons learned from IM-related MI, HIPO and lower severity incident investigations shall, where appropriate, be:

• Communicated internally within the BU

• Shared in BP by use of the ETP Shared Learning System and/or the HSSE Lessons Learned at http://hsse.bpweb.bp.com/Performance

• Shared in the E&P IM Network, e.g. via the IM Network website. 9.9 Key Performance Indicators and Assurance All BUs shall implement an assurance process that demonstrates the valuable information from incident investigations of all severities is being used to improve their IM performance. KPIs might include:

• The number of improvements to procedures and / or equipment resulting from the analysis of lower severity event investigations, inspection and testing results

• The % one-pager reporting and sharing of incident investigations for IM-related MIs and HIPOs

EAs shall provide assurance to the IM-SPA that lessons learned from internal and external IM-related incident investigations have been effectively applied 9.10 References

Key HSE Processes 5 and 6: http://gbc.bpweb.bp.com/hse/policy/Hseright99/

E&P Reporting Guidelines found on the IM website at http://integritymanagement.bpweb.bp.com/

Performance Management And Learning


92

Element 10 Performance Management and Learning Intent Element 10 requires that sites have in place a performance management system to continually assess and improve the effectiveness of their IM programs and assure conformance with the IM standard.

Minimum Requirements 10.1 Measures (KPIs) to evaluate IM performance shall be identified, tracked, actioned

and periodically reviewed including: • Performance measures for the IM Matrix – Tier I data • Performance measures to demonstrate conformance with the Minimum

Requirements in this Guide – Tier II data • Detailed performance measures selected by the BU or Major Project to

demonstrate effectiveness of specific BU IM Programs - Tier III data • IM corrective actions from IM audits, assessment/reviews or integrity-

related ASAs shall be entered into Tr@ction. 10.2 BUs shall have a documented internal and external assurance process that

includes • Implementation of IM 3-year rolling plan/Major Project plan that achieves

conformance with the Standard by January 2009, and maintains conformance beyond 2009.

• 3 year external audit that includes IM assessment • An annual IM self-assessment that reports conformance with the IM

Standard • Submission to the BUL and Group Engineering Director of an annual

Engineering Plan which identifies the top 5 IM risks 10.3 For Major Projects, an IM plan shall be developed containing required deliverables

for each CVP stage for approval by the Gatekeeper before progressing to the next CVP stage. GP 48-01 HSSE Review of Projects shall be applied.

10.1 Definition and Scope Performance management and learning are essential requirements for each BU and Major Project to determine if effective systems and procedures are in place to implement IM. Minimum requirements for performance management and learning are described in this Guide, including a suite of performance metrics to demonstrate to the BUL that integrity issues are understood and are being actively managed in both Operations and Major Projects. 10.2 Assessing IM Performance The BUL should review the performance metrics in a face-to-face meeting with operating and Major Projects personnel at least quarterly, and use the output for discussions with the assigned Group Vice President and for inclusion in the QPRs and the Annual Engineering Plan.


93

10.3 Minimum Requirement Assessment The Minimum Requirements in this Guide are typically either a management process or the output of a management process. Assessment of the quality of a management process differs from the assessment of the output from the process. 10.3.1 Program Validation Program validation involves verifying the existence of Program documentation describing the flow of information, the assignment of accountabilities and responsibilities, and the structure of the supporting organization. For example, the major components of the Integrity Management Program detailed in Element 4 are

Strategy Planning and Scheduling Execution Measurement Assessment and Corrective Action

An assessment of this Program would involve the auditing of the Program documentation to demonstrate that the Program contains the components described above, verification of the assignment of accountabilities and responsibilities for each step of the Program, and assurance that there is sufficient resource/organization to support the Program. 10.3.2 Performance Verification Effective assessment of performance of the output or content of a program consists of measuring a suite of performance indicators and comparing the measurement with a target. Performance measures can have a number of different characteristics including,

Extent Metrics which measure the extent or percent coverage of the equipment/procedures involved in the IM process.

Execution Metrics which measure the amount of activity completed against the originally planned activity level, typically on a monthly or annual basis.

Leading Indicators Metrics which lead (or input measures) and are predictive of events or incidents. These measures typically describe what will happen, e.g. corrosion rates which will lead to a loss of containment.

Lagging Indicators Metrics which lag (or output measures) and are descriptive of events or incidents. These measures typically describe what has happened, e.g. the number of releases to the environment as a result of a loss of containment.

Deviation The difference between the actual result and the targeted result which can be presented as either an absolute difference or a relative deviation from target, whether positive or negative.

Corrective Actions The corrective action resulting from a deviation from the target, which will differ depending on the degree of deviation and whether it is positive or negative.

Time The suite of metrics developed to measure IM performance delivery will be tracked against time to show the trend in delivery performance – is it improving or deteriorating?


94

A successful verification of a performance management program would review the suite of performance metrics to shows that a range of metrics were in place, that each of the measures had a target value, and that corrective actions were identified for deviation from target. 10.4 Performance Metrics Tiers BUs shall have a set of KPIs that measure the implementation and conformance with the IM Standard, and are a suitable balance between leading (input) and lagging (output) indicators. Three tiers of KPIs are recommended, as illustrated in Figure E10.1 for an Operational BU. BUs shall report Tier I data to the Performance Information system. Tier II performance measures shall reflect the Minimum Requirements in this document. Tier III should be a set of KPIs that can be set individually by BUs, as agreed with the EA/TA, to create accountability, awareness and help manage risks associated with specific hazards. KPIs should be reviewed at appropriate intervals and acted upon by the BU leadership to assure conformance with the Standard. BUs shall have an IM assurance program in place comprising both internal self-assessment and external audit. External Safety and Operations audits shall be conducted in accordance with Group policy. Audit recommendations should be prioritized by risk, assessing the probability and consequence of incidents. Assigned corrective actions shall be monitored in Tr@ction and, where appropriate, progress managed via the maintenance management system. Strategic action plans to improve IM over longer periods of time should be developed by the IM-SPA and endorsed by the BUL. Active engagement with key discipline networks to exchange best practices is expected. This can accelerate learning in BUs with poorer performance in one or more

Figure E10.1 Operational Key Performance Indicator Tiers

Tier I

Tier II

Tier III

PI feed data

QPR data

Overall IM

Min Req KPI

BU Specific

IM Prog. KPI

SET/BUL review

PUL/Ops Mgr/ EA review

Engineer/Ops/ TA review


95

IM areas. Where possible, BU staff with particular experience in one or more of the 10 Elements should participate in peer assists for other BUs. SPU EAs should define the IM deliverables that Major Projects will deliver to the BU during the project CVP stages as illustrated in Appendix 1. 10.5 Key Performance Indicators Tier I – Metrics: Required Segment PI Data

The following performance measures are currently required to be reported quarterly by BUs as part of the PI system:

Metrics Metrics Leading Total Safety Critical Equipment Work Orders Number of Overdue Safety Critical Work Orders Integrity Related Actions Due Integrity Related Actions Completed Competency Assessment Ratio Lagging Major incidents (MIs) High potential incidents (HIPOs) Number of incidents of loss of hydrocarbon containment

This data is analyzed and reported quarterly by the E&P IM Function as the IM Matrix, available on the IM website. The intent is to highlight trends in individual IM performance and identify those BUs that are doing well so they can share with the rest to drive continuous improvement. Tier II - Metrics Required by IM Standard

Tier II represents metrics that are suggested in this Guide to demonstrate conformance with the Minimum Requirements. These metrics should be reviewed by the IM SPA and BU leadership team on a frequent basis but no less than quarterly. Additionally, IM costs and progress against the 3-year rolling plan should be reported and tracked. BUs/Major Projects should consolidate the above data into overall measures/roll-ups, e.g., using traffic lights. Tier III - Additional IM KPIs Specific to the BU/Major Project

BUs/Major Projects should identify additional IM KPIs most relevant to their facilities beyond those listed in this Guide. In an Operational BU for example, the integrity of a pipeline might be critically dependent on the quality of the fluids being transported, hence relevant KPIs might capture the ongoing performance of upstream processing equipment such as,

Crude oil treating facilities o separator parameters o demulsifier injection o export BS&W


96

Gas dehydration/sweetening units o glycol/amine properties o export gas dew-point)

Water injection systems o Dissolved O2 o Biocide performance

TAs should review the Tier III metrics on a monthly basis to verify performance, identify gaps and establish corrective actions. In Major Projects, the delivery of the project IM Plan shall be assured through the CVP stage gate progression. 10.6 Recommended Documentation for Review/Audit The recommended BU documentation for assurance evaluations includes:

• Hazard register

• SCE registers

• Output from self and external audits, assessments or reviews, including

regulatory audits

• Audit actions managed in Tr@ction (or equivalent program)

• Organizational roles, responsibility and accountability for each IM Element

• Tier I, II, and III KPIs

• Results of periodic KPI reviews and resulting action plans with status

• 3-year rolling IM implementation plan

• IM-related QPR data

• Annual Engineering Plan with IM issues highlighted 10.6.1 3-Year IM Rolling Plan BUs/PUs shall develop and maintain a 3-year rolling plan that will lead to conformance with the IM Standard. This will identify the necessary activities/repairs/upgrades and will record the continuous assessment programs that will provide assurance that the expectations of the IM Standard are being or will be met. A template and guidance notes for a rolling plan are available on the IM website and are based on the Minimum Requirements. The application of the template should be as follows:

1 Review of the Minimum Requirements for each of the 10 Elements

2 Assess conformance to identify gaps

3 Assess the risks associated with gaps

4 Identify the activities to close the gaps and manage the risks

5 Estimate and record the projected cost of the activities

6 Schedule the activities within the 3-year program The costs to be included in the 3-year rolling plan should relate to:


97

• The activity sets derived from the gap analysis

• Required repairs/modifications/upgrades

• The continuous assessment programs to sustain integrity at the required level

10.6.2 Self-Assessment The IM SPA shall conduct an annual assessment of the IM program to identify gaps between actual performance and the plan, and develop corrective actions agreed with EA. Table E10.1 provides general guidance on overall levels of IM performance. BUs will achieve Level 3 after having implemented the Minimum Requirements in this Guide. Opportunities for continuous improvement and further risk reduction can be identified from the descriptors in Levels 4 and 5. 10.7 References

GHSSER and self-assessment tools:

http://hsse.bpweb.bp.com

IM website:


OE Portal for OVP offers and requests:

http://oe.bpweb.bp.com


98

Table E10.1 IM Self-Assessment Guidelines Strategy, Performance Management &

Learning, Incident Investigation Organization, Accountabilities, Competency & Learning

Mechanical, Electrical & Structural Integrity & Protective Systems Practices and Procedures

Hazard Evaluation, Management of Change MOC Emergency Response

Elements 9,10 Elements 1,2 Elements 4,5,6 Elements 3,7,8

5 IM is core business system, based on business strategic direction, understanding of risk. Minor and major IM incidents investigated to identify Root Causes. IM actions in Tr@ction up to date. Full testing, inspection, competency and assurance programs. Cross-functional assurance review of IM plan ongoing. Mitigation plans for integrity threats. Active KPI benchmarking in/across Segments. Relevant staff understand IM Standard and involved in IM process improvement.

IM fully integrated into operations and maintenance. Staff IM job descriptions, accountabilities, competency assessments and training defined and completed. EA and TAs in place and working effectively. Strong cross-functional IM alignment. External networking for transfer of best practices for continuous improvement of IM. Full use of resources e.g. alliance suppliers and shared technology. Benchmarking for best- in- class.

Full risk-based maintenance, inspection, testing and corrosion programs for facilities in place with supporting documentation. Peer reviews, forward life projections for critical equipment. SCE and other key equipment maintenance plan and functional testing benchmarked for best- in-class. Full compliance with IM aspects of Company ETPs as reflected in the STPs.

Hazard evaluation and MOC processes fully embedded from work-site to BU management, and regularly updated and communicated. Major Accident Risk assessments completed and necessary actions identified and implemented to achieve continuous risk reduction. MOC process reviewed and endorsed by EA, no significant backlog of closures. ER plans in place, tested and updated to agreed schedule.

4 Short/long-term IM program. Reporting of non-routine operations that could affect integrity. Most IM incidents reported and investigated. Management regularly reviews IM control program. Full suite of leading/lagging cost and performance metrics. Sound leadership understanding of IM Standard. Assurance/process audits in place, with quarterly review.

Organizational structure, roles and responsibilities and competencies aligned towards delivery of IM across functions. EA and TAs in place and competency assessed. Staff IM competency gaps largely addressed. Inter-BU networking.

Maintenance and inspection plans integrated with BU lifecycle strategy. Risk-based inspection and corrosion control programs for key facilities and structures, with ongoing review. Planned maintenance, inspection and testing pre-empts failures.. SCE maintenance plan & functional testing, effective performance tracking. Most STPs developed and authorized by the EA.

Risk management embedded in asset businesses processes. KPI in place for MOC close out. MOC management system enables progress tracking, final close out of documentation, and available to staff. Key IM documentation updated for changes in a timely manner. Refresher training done. ER plans in place for identified major hazards, with continuous improvement via testing and exercises.

3 IM strategy established, linked to risk-based assessments. Operating limits defined and minimal excursions. Safety critical equipment identified and included in implementation plan. Cost of IM, repairs and lost production captured. Input/ output metrics well established. Full scope of IM recognized. IM-related HIPOs and MIs fully investigated for Root Causes. Some minor IM events also reported and investigated. Assurance and process auditing program initiated with focus on safety. Staff training on process audit program started.

Roles and responsibilities largely defined for implementation of IM via cross-functional teams. Line management owns IM. BU leaders support development of IM strategy and systems. Engineering and Technical Authorities appointed and competencies assessed. Competency On-Line assessments for IM for operations and technical staff completed. IM training gaps identified.

All SCE and other key equipment have risk-based inspection, condition monitoring and maintenance plans, and defined functional performance requirements. Corrosion and damage risk assessment for facilities, structures and pipelines completed. Electrical and protective systems testing and inspection results are analyzed and intervals adjusted to confirm performance standards are met. Overdue items justified, reported, minimized and tracked. SCE registers, P&IDs, trip (set-point) registers, cause-and-effect/SAFE charts and area classifications all reasonably up-to-date. STPs being developed in alignment with ETPs

Hazard evaluation/risk assessment process with defined roles and responsibilities. Register of major hazards in place. Task risk assessments required for work permits, including non-routine activities. MOC tools used for permanent and temporary technical changes. Relevant staff know when/how risk assessment and MOC is applicable. ER plans in place, reasonably up to date and most exercises conducted as per schedule. Generally good alignment with identified major hazards


99

Strategy, Performance Management & Learning, Incident Investigation

Organization, Accountabilities, Competency & Learning

Mechanical, Electrical & Structural Integrity & Protective Systems Practices and Procedures

Hazard Evaluation, Management of Change MOC Emergency Response

Elements 9,10 Elements 1,2 Elements 4,5,6 Elements 3,7,8

2 IM focused on compliance and corrosion/erosion. No losses or failures prediction. Some integrity awareness, but no accountability. Cost of integrity control tracked. Limited audit/assurance process or metrics, but seen as improvement goal. HIPOs not reliably identified, reported or investigated

Staff competency program for IM in development. Wells, structures and safety instrumented systems not integrated in IM competency program. Random training. IM accountability not defined. Over-reliance on 3rd parties for IM. EA in place but TAs not all identified or appointed, competency assessments incomplete

PM and inspection plans compliant. SCE identification limited to protective systems. Regular reporting to supervisors on overdue PM/inspections for SCE. Basic corrosion control for facilities, structures and pipelines. . Limited inspection and testing of electrical systems. Protective systems tested but not systematically, performance not reviewed. Few STPs in place and little or no application of ETPs

Hazard evaluation tools identified, such as PHA, HAZOP and JSA. Some training done. MOC procedure used for permanent technical changes. Close-out not tracked. ER plans in place but not regularly tested or updated

1 Little or no IM strategy or metrics. Random or reactive response to problems. History of leaks and IM incidents. IM seen as a cost. No assurance or audit programs. No incident investigation capability or processes in place

Functional organization of IM inspection/repair resources. IM competencies not recognized, absence of some required skills. No EA or TAs formally appointed and competency assessed. Integrity owned only by technical specialists. Poor management of staff IM competency. Training random, for compliance only.

Random mechanical, electrical and structural inspection and maintenance. Risk identification limited. Safety Critical Equipment (SCE) and corrosion risks not defined. Unstructured testing of protective systems. Lack of understanding of IM Standard. P&IDs not updated for significant time. No STPs in place and no plan for their production. No use of ETPs

Absence of hazard evaluation records and processes for facilities process safety. Few MOC tools available, occasionally applied to physical plant changes. ER plans not current, not regularly tested and not reflective of major hazards

Appendices


102

Appendix 1 IM in Major Projects


103

Typical CVP Stage Activities and Deliverables

Element Appraise Select Define Execute Accountabilities 1. EA appointed with access

to SPU and/or Segment TAs

1. TAs appointed 2. IM engineer appointed by

SPA-IM

1. Plans defined for transitioning the EA and TAs to the SPU/BU

Competence 1. Operations staff recruitment and training plans in place

2. TA competency assessments completed

3. Competence assessment of engineering design organization completed

1. Competency development and training plans in place for start-up

2. CMAS or equivalent profiles defined for technicians and IM-related project and operations staff

Hazard Evaluation and Risk Management

1. Initial development concepts reviewed against ISD Guidelines

2. Preliminary HAZID for each design concept

1. Optimize siting and layout for inherent safety

2. Preliminary MAR and QRA to demonstrate compliance with MAR requirements

3. Initial register of major hazards from updated HAZID

1. Compliance with MAR requirements confirmed.

2. Updated register of major hazards

3. Final concept reviewed against ISD Guidelines: ISD features fixed

4. HAZOP on "approved for design" P&IDs

5. Specilaized safety studies (fire, explosion, dropped objects, ship impacts, etc)

1. Compliance with MAR requirements confirmed.

2. Register of major hazards 3. SCE defined 4. HAZOP on "approved for

construction" P&IDs: findings and action register

5. Updated safety study reports and final QRA

6. Documented risk management policy [Greenfield Projects] and update risk management policy [Brownfield Projects]

Facilities and Process Integrity

1. Operations and maintenance strategy defined

2. Project Quality Plan prepared for Define, including equipment and contract procurement

3. Data and document

1. All new or extrapolated technology identified, risk assessed and qualified.

2. Surveys, geotechnical evaluations and sitings agreed with EA.

3. Project Quality Plan updated

1. Handover certification with any punch-list exceptions approved.

2. Maintenance and inspection programs completed, including procedures and software data.

3. Corrosion / erosion management program

4. Integrity Management programs


104

Element Appraise Select Define Execute management strategy defined

4. Specific QA programs defined, including site construction and commissioning.

5. Materials selection and corrosion management strategies developed

6. EX equipment strategy developed

defined e.g. SIMS / WIMS / PIMS / FIMS

5. Handover of equipment and as-built systems documentation

Protective Systems 1. Definition of protective systems strategy

1. Definition of primary safety critical protective systems and performance standards

2. Develop philosophy for alarms, ESD and blowdown

3. Conduct preliminary SIL assessments

1. SIL assessments completed 2. SCE and performance standards

defined 3. Reliability analyses and required

test interval determined 4. Handover of process safety

documentation 5. Validation of protective systems

strategy 6. Electrical protection studies

completed Practices and Procedures

1. Design codes and standards agreed with EA

1. All project design specifications agreed with EAs and TAs

2 Deviations from ETPs documented and approved by EA

1. Documented deviations from project design standards, approved by EA.

2. Operating and maintenance procedures established and communicated

3. Handover of project developed STPs

Management of Change

1. MOC process in place for BP and contractor work activities after HAZOP

1. MOC applied in detailed design 2. Handover of outstanding MOC

actions Emergency Response 1. Preliminary CM&ER

studies and equipment performance standards

1. CM&ER plans for Operate in place and tested


105

Element Appraise Select Define Execute Incident Investigation and Learning

1. Learnings applied from MIs and HIPOs on similar design concepts

1. Learnings applied from MIs and HIPOs on similar design concepts

1. IM incidents in construction and commissioning investigated for Root Cause and corrective actions

Performance Management and Learning

1. IM in scope of Appraise PHSSER

1. IM in scope of Select PHSSER

1. Initial plan for IM Standard 2. IM in scope of Define

PHSSER

1. Detailed IM programs peer reviewed

2. 3-year IM plan developed and updated

3. IM programs in scope of Construction and Pre-startup PHSSERs

4. MOC compliance audited by EA

Appendix 2 IM Standard Competencies


108

Integrity Management Competencies in E&P

ELEMENT OF IM STANDARD

SKILL DESCRIPTION 1. ACCOUNTABILITIES Accountabilities for IM shall be defined and understood by projects, operations and technical support staff

1 2 3 4 5 Awareness Basic Application Skilful Application Mastery Expert

Understands personal accountabilities for IM as included in job description / profile. Knows how and where to access assistance for IM-related problems

Understands personal accountabilities for IM as included in job description / profile. Regularly supports / liaises with IM practitioners, EA and TAs in overall delivery of IM

Understands personal accountabilities for IM as included in job description / profile. Defines / agrees other IM accountabilities with the SPA IM, EA, TAs and individual IM staff

N/A N/A


SKILL DESCRIPTION

2. COMPETENCE All operating, maintenance and contractor personnel shall be competent and capable to safely perform their assigned tasks. They shall fully understand their role in the prevention and management of IM hazards / risks.


Understands expectations of BP to become competent in current job role. Understands IM components of job profile in CMAS or equivalent system Is aware of own responsibility in prevention of hazards to self & others. Familiar with the roles and responsibilities of the site EA and TAs and the IM Team.

Provides clear IM-related job responsibilities to team members and confirms basic competence for safety critical tasks. Sets base targets for improving safe working practices and organizes training to support. Seeks training for self to meet own IM competence needs. Working knowledge of the IM Standard

Establishes and communicates competence standards for core IM-related roles on site, including contractors, via CMAS or equivalent system. Conducts annual competency assessments of direct reports Leads the drive for rigorous contractor competency assessment process on site. Detailed knowledge of the IM Standard

Lead Assessor or Verifier in BU Competence Program (CMAS). Continuously seeking ways to further develop the IM competency of those undertaking safety critical tasks. Leads dialogue with contracted service company leadership to reinforce BP IM competency expectations and management

Expert on implementation of BP competence assurance programs. Visible coach influencing strategy of operations competence assurance at stream level & beyond. Industry representative. Leads Company efforts to develop and implement new training and competency assessment materials and tools


109


SKILL DESCRIPTION

3. HAZARD EVALUATION AND RISK MANAGEMENT

Effective assessment of major hazards and selection of appropriate tools and processes to eliminate / control / mitigate.


Basic understanding of BP's hazard evaluation and risk management philosophy. Articulates key current hazards and demonstrates basic understanding of risk management to own job role. Understands basic concepts of safety critical equipment and inherently safer design. Understands difference between hazards relating to personal safety and major accidents.

Operates to the objectives and procedures of the Control of Work Standard Participates in Task Risk Assessment / Job Safety Assessments. Participates in qualitative hazard identification and risk assessment processes, e.g. for MOC. Has working knowledge of BP MAR process, local major accident and hazard scenarios and associated regulations.

Applies detailed knowledge of local hazard regulations Seeks external input to support own hazard evaluation processes. May lead local hazard identification/risk assessment events (HAZID / HAZOP). Good understanding of QRA and MAR techniques and their applicability Manages compliance with local major accident and hazard regulations Provides key inputs to maintenance of “Safety Case” or LTO documentation

Demonstrates comprehensive understanding of hazard regulation and relevant application in upstream environments. Fully conversant with BP MAR process and derivation of Group Reporting Lines. Leads MAR studies. Leads cross-functional teams in major facility or project risk assessments. Liaises with and influences external authorities as required to meet compliance. Advises on or teaches risk assessment techniques to others in own site and region.

Acts as Company representative on legislative related industry committees. Anticipates impact of new legislation on corporate major accident prevention policies and advises accordingly. Promotes / implements best internal and external practices for hazard evaluation across BP Author / custodian of MAR ETP


SKILL DESCRIPTION

4. FACILITIES AND PROCESS INTEGRITY Application of approved IM practices to confirm engineered systems are designed, procured, constructed, operated, inspected, tested and maintained accordingly.


Demonstrates understanding of the concept and Elements of the integrity management of mechanical, structural, electrical, control and lifting equipment for own facilities. Basic understanding of planning and scheduling tools used for equipment inspection, testing and maintenance

Applies techniques and methods to predict/prevent equipment failures, based on understanding of design, quality assurance in manufacture / construction, and commissioning, operation, maintenance, inspection and condition monitoring. Familiar with the STPs and associated ETPs

Leads application of IM-related STPs/ETPs, including inspection, testing and condition monitoring programs. Leads development and application of equipment criticality / risk-based tools for IM Program manager for control of corrosion, erosion and other

Develops and manages overall BU/Asset IM programs, including capex and opex allocations. Supports site managers in developing budgets aligned with asset risk management and life cycle needs. Seeks best practices in IM in BP and beyond and imports these to

Custodian role for IM Standard and associated Implementation Guide for E&P Custodian role for facility and process IM-related ETPs Influences strategy and policy decisions around IM. Liaises with and influences


110

Participates in the development and application of equipment criticality / risk-based tools for IM in projects and operations. Familiar with relevant operational KPIs

equipment damage mechanisms that could cause loss of containment or structural failure. Applies cost and performance KPIs against targets, especially status of safety-critical equipment. Participates in IM peer reviews

own BU to fill gaps. Lead role in IM audit/peer reviews across the Segment.

regulatory bodies. Coaches and advises on full range of concepts & applications in subject matter.


SKILL DESCRIPTION

5. PROTECTIVE SYSTEMS Application of approved practices to confirm protective systems are designed, documented, installed, tested, maintained and kept in service accordingly.


Demonstrates understanding of basic concept and scope of protective systems in own facility, especially in relation to the prevention of major accidents. Basic understanding of planning and scheduling tools used for protective device / systems inspection, testing and maintenance.

Good understanding of design, operation and maintenance of protective systems in own facility. Familiar with SIL assessment techniques for safety instrumented systems. Familiar with BP ETPs and industry recommended practices to manage overpressure protection. Familiar with testing methods and performance standards of safety critical devices

Manages instrumented and mechanical safety critical protective equipment to STPs for functional performance, reliability and survivability. Actively participates in SIL assessments for safety instrumented systems. Assures temporary removal of any protective systems / devices follows local approved procedures Applies cost and performance KPIs against targets, especially status of safety-critical protective equipment.

Significant input into design of HIPPs, process alarm, shutdown and blowdown philosophies in BP assets. Sets performance standards for protective systems / devices in-line with regulatory requirements and BP practices. Seeks best practices to import. Lead role in protective systems audit/peer reviews in E&P. Leader or participant in IM peer reviews

Custodian role for protective systems related ETPs Influences strategy and policy decisions around application of protective systems to optimize major project capex. Liaises with and influences regulatory bodies on all aspects of protective systems and their management. Coaches and advises on full range of concepts & applications in subject matter.


SKILL DESCRIPTION

6. PRACTICES AND PROCEDURES Development and application of approved site technical practices (STPs) and operating procedures (SOPs) to assure that facilities are designed, constructed, operated and maintained safely.


Working knowledge of STPs and SOPs within one’s own

Detailed knowledge and application of STPs and SOPs

Leads site application of IM-related STPs.

As a site TA, develops and approves STPs within one’s own

Custodian role for Group and Segment ETPs and other


111

immediate area.

within one’s own immediate area. Participates in development / routine updating of STPs and SOPs in own area of expertise

Liaises with site EA and TAs to develop site practices, assuring compliance with IM-related ETPs as appropriate Identifies and makes risk assessment for deviations from IM-related ETPs for approval by EA

area of expertise, for approval by the EA. As a site EA, approves / updates STPs As site Operations Manager, approves / updates SOPs As subject matter expert, participates in development of national and international standards

Recommended Practices Represents BP at highest level in international standards organisations such as ISO, API.


SKILL DESCRIPTION

7. MANAGEMENT OF CHANGE Effective application of Management of Change (MOC) processes within a project or operating environment. 1 2 3 4 5

Awareness Basic Application Skilful Application Mastery Expert Demonstrates a basic understanding of concepts and scope of MOC and applies these routinely in own work environment.

Knowledgeable of site MOC process, documentation requirements and associated TAs. Understands site requirements for risk assessment of MOC proposals Participates in MOC for facilities, process, & operating condition changes. Tracks MOC close-out and confirms actions undertaken.

Manages MOC process for site facilities, process, and operating condition changes. Applies MOC to simple organizational changes as a routine. Communicates to confirm others fully understand MOC process locally. Confirms KPIs are in place for MOC close-out/tracking. Active in review process with EA to assure conformance with approved process and achieve improvements

Leads cross-functional team MOC reviews in own facility. Participates in audit/peer assists on MOC process in other assets. As TA, reviews and approves MOCs in own area of expertise. As EA, makes annual assessment of the effectiveness of the site MOC process. Applies MOC to more complex organizational changes.

Develops Group and Segment practices and policies for MOC. Liaises with regulators and other operators to seek and implement best practices for MOC


SKILL DESCRIPTION

8. EMERGENCY RESPONSE Management of emergency response (ER) plans that are based on identified risks. 1 2 3 4 5

Awareness Basic Application Skilful Application Mastery Expert Demonstrates full understanding of personal actions required under

Understands identified major hazards that exist in site/facility

Leads site ER practice exercises in part or fully.

Leads multi-discipline teams in the evaluation of readiness to

Develops Group and Segment ER and Crisis Management


112

ER situations. Understands SOPs for emergency shutdown in area of work

and how these relate to the ER plans. Participates in ER drills Understands SOPs for emergency shutdown in area of accountability. Contributes to development of SOPs for controlled emergency shutdowns.

Leads site ER/Crisis Management plan development, in consultation with other local operators and external assistance resources Seeks feedback from practice exercises and visibly builds in learning. Coaches BU to continuously improve procedures for shutdowns and ER Confirms ER plans reflect site major hazards and current IM-related risks

deal with emergencies including process, tools and behaviors. Certified competent by external bodies in management of major emergencies. Confirms readiness to deal with emergencies, retains high visibility in BU. Leads peer reviews of ER plans and capabilities in other BUs

strategies. Directs development of regional ER strategies and tactics.


SKILL DESCRIPTION

9. INCIDENT INVESTIGATION AND LEARNING Investigations of IM incidents and/or significant near misses to determine the Root Cause(s) and identify the actions that will prevent a recurrence.


Identifies IM-related incidents and near misses. Provides feedback for incident investigations relevant to own area of work.

Demonstrates understanding of incident investigation through routine use of RCFA techniques. Participates in incident investigations in own facility.

Leads investigation of IM-related incidents, including HIPOs, using RCFA in own site. Manages systems and coaches staff to assure that IM-related incidents that are not HIPOs/MIs are appropriately investigated. Tracks IM actions arising from incident investigations to closure.

Directs MI investigations across BU/Region. Applies and advises others on detailed application of RCFA.

Develops Group / Segment incident investigation strategies and tools. Analyses incident investigations across the Group / Segment to extract lessons learnt and evaluate change of policy as appropriate. Directs investigations of MIs involving multiple fatalities


SKILL DESCRIPTION

10. PERFORMANCE MANAGEMENT AND LEARNING

Provision of systems and procedures to provide assurance of the ongoing management of the major operational risks and compliance with the IM Standard


Understands the basic concepts and objectives of the audit and

Participates in site assurance audits.

Co-ordinates site assurance program to meet Company and

Understands and applies sound judgment in setting work

Develops Group / Segment assurance strategies and tools.


113

assurance process contained within the IM Standard

Familiar with the IM Matrix and its input / output measures Applies local KPIs to measure effectiveness of systems and procedures in own local area of facility.

external requirements, in consultation with the site EA. Leads an IM assurance audit annually against OVP 3.3 Establishes and uses KPIs to proactively manage identified IM risks on site. Identifies need for additional resources/skills.

program/budgets to support IM program in line with Operations Excellence Virtuous Cycle. Drives the IM Program within BU.

Analyses BU IM assurance data to identify trends and interventions required Acts as a BP consultant to advise BUs on their program and assurance development


115

Appendix 3 Safety Critical Equipment Equipment Criticality Assessments and Safety Critical Equipment (SCE) 1. Equipment Criticality Assessments For many years it has been considered good practice to conduct criticality assessment of individual equipment items in Major Projects and in Operations. Historically, equipment criticality assessments were made during detailed design in projects in order to define quality assurance requirements that were related to the combined risks to the project delivery and from equipment failure in service. The inputs to the criticality assessment were typically:

Project Risk

• Degree of novelty / maturity of the equipment design • Complexity of equipment and fabrication techniques • Delivery schedule / critical path

Operational Risk

• HSE consequences of failure in service • Business consequences of failure in service

As indicated above, the operational risk component of the criticality assessment often only considered consequence of failure and not the likelihood component of risk. The output of the project criticality assessments were quality / integrity assurance requirements, typically covering:

• Codes and standards to be applied

• Design reviews

• Contractor / vendor approvals

• Pre-production meeting

• Inspection and test plans in manufacture and system engineering

• Factory acceptance / certification

• Documentation

• Independent verification

• Transportation / protection

• Installation and commissioning Up to date guidance on criticality assessment methods for projects, and recommended quality / integrity assurance requirements for various equipment types in design and manufacture, are provided within the 32-series and 50-series ETPs. Some of these recommendations also appear in equipment-specific ETPs, e.g., GP 42-10 “Piping Systems” includes a procedure in its Appendix Q to classify project piping systems into 4 criticality ratings, the input criteria in this case being:


116

• Piping material

• Service

• Strain

• Size / temperature / pressure Major Projects in BP are now additionally tasked with providing the “maintenance and integrity build” for operations, i.e., a full suite of maintenance and inspection strategies, procedures, spare parts, data, software, specialist support contracts etc. Effective maintenance and inspection programs are essential to the safe, environmentally friendly and efficient operation of any facility. The key to determining optimal maintenance and inspection plans lies in understanding failure modes and their effects, and determining appropriate maintenance, inspection or testing tasks to predict, prevent, or mitigate the consequences of the equipment failure. The derivation of detailed maintenance plans requires operational criticality assessments that address risk in its stricter sense i.e., by considering both the probability and consequence of equipment failure in service. Input data to the operational criticality assessments would typically include the project HAZIDs, HAZOPs, QRAs, SIL assessments, corrosion studies, and reliability/availability studies developed during detailed design. A variety of BP and proprietary maintenance and inspection tools can be used for this purpose but the Company mandates no specific tools in ETPs. The tools have essentially the same objectives and characteristics and can be applied to all equipment types for which meaningful maintenance, condition monitoring and inspection tasks can be considered. They systematically analyze the “functions” of a process or sub-system to determine its criticality in the overall facility. Once the operating context and performance standards for a function are defined, individual equipment is analyzed for failure modes and effects, and individual equipment criticality can be determined. The criticality is determined by a risk assessment of failure in each category of safety, environmental and business impacts, including the cost of repair. Consequence categories can be weighted to suit the particular operation: in BP the hierarchy will normally be safety > environment > business / reputation. The criticality of the equipment function loss needs to be determined prior to considering the maintenance and inspection tasks that will predict, prevent or mitigate the equipment failure in the most cost effective manner. Critical spare parts and materials should also be identified. Operational criticality assessments and the resulting risk-based maintenance and inspection plans are consistent with the BP Common Maintenance Strategy, with “Getting Maintenance and Reliability Right”, and with ETP 32-30 “Guidance on Practice for Inspection and Testing of Equipment in Service: Management Principles”

2. Safety Critical Equipment (SCE) In some countries where BP operates, local regulations require that BUs systematically identify and declare those equipment items whose failure in service would have


117

particularly severe consequences for personnel safety by causing or contributing to a “major accident”. Such “Safety Critical Equipment” items require prioritisation of effort in projects and operations, for much the same reasons as described above. Regulations may also specify the requirement for SCE “Performance Standards” that formally document the safety function of the equipment and define its required reliability and survivability. The identification of SCE is expected to derive directly from major accident and hazard studies. The PSIM Standard and the first issue of the E&P Implementation Guide extended the concept of SCE across the E&P Segment but this has proved problematic for several reasons, particularly: • Historic inconsistency in the interpretation of SCE by our own BUs in the same

regulated locations • Confusion between the definition of a “Major Accident” as being a multiple fatality

event (see MAR ETP 48-50), and “Major Incident” as being a single fatality or multiple serious injury event (gHSSEr)

• Many different methods used to identify SCE • Some BUs had not conducted major accident studies for their facilities • Some BUs only analysed protective systems and devices against SCE criteria and

not pressure-containing fixed equipment, i.e., a “maintenance” rather than “inspection” driven approach

• Undefined relationships between operational criticality assessments and SCE • Unclear whether environmentally-critical equipment should also be SCE These inconsistencies were further highlighted by the later requirement for BUs to formally report the status of their SCE work-orders as an IM Matrix leading indicator because: • Many BUs have not integrated inspection scheduling into their CMMS (Maximo) • Not all planned tasks on SCE are necessarily safety-critical in themselves Strictly speaking, there should be no need for SCE to be defined at all if operational criticality assessments for individual equipment are made with rigour, taking account of supporting hazard identification and risk assessment data. The assessments are usually risk-weighted such that equipment whose functional failure could reasonably be expected to initiate or contribute substantially to a major accident should be reliably identified, and the status of their maintenance and inspection easily tracked. The perceived need and value in continuing to identify a special category of equipment designated “SCE” in BP is:

• To comply with local regulations that demand this anyway • To assure required availability, reliability and functionality of this equipment • To assist in the prioritisation of maintenance and inspection tasks • To provide an input performance management metric, i.e. SCE work-order status


118

The term “safety critical equipment” is not ideal and does not fully reflect the objective of its identification and management in BP. The term “major accident critical” would be more appropriate. In simplest terms, the value of identifying SCE derives from the output from numerous risk based studies which show that the majority of risk in facilities is associated with relatively few equipment items, an '80-20' type rule, as illustrated below.

% of Total Risk vs % of Equipment Items

0%

20%

40%

60%

80%

100%

0% 20% 40% 60% 80% 100%

% of Equipment

% o

f T

ota

l Ris

k

A few equipment items carry most of

the risk

3. Identification of SCE in Major Projects and Operations

1. SCE will normally be identified through HAZID and PHA/HAZOP analyses and should preferably be confirmed by operational criticality assessments or by a decision tree approach. The procedure used to identify SCE should be documented as a STP and endorsed by the EA. An example of a decision tree is shown in Figure A3.1.

2. Most major accident events will be associated with equipment failures that

result in fire, explosion or uncontrolled emission of hazardous material(s) that represent serious danger to personnel or the public. Only credible major accident failure events should be considered, i.e., where an analysis such as FMEA or RBI


119

indicates there is a realistic likelihood of equipment failure resulting in a major accident hazard event

3. The application of the SCE identification procedure should be fully auditable

4. SCE in non-regulated operations should typically represent some 10-20% of the

total equipment in order that the objectives defined above can be realised. It is recognised that:

• lower percentages could be appropriate for operations with relatively few major accident hazards

• higher percentages may apply in highly regulated locations, especially for manned offshore facilities

5. There should be a clear link between the formally identified major accident

hazards and the equipment that would make the most significant contribution to their prevention, detection, control, mitigation and evacuation. Primary focus should be given to multiple injury / fatality events, but single injury and fatality events may also be considered.

6. In most cases the 10-20% equipment identified as SCE will comprise the

highest operational criticality items across a wide range of equipment types and this will help provide assurance that associated maintenance, inspection and testing programs in place are working effectively.

7. Equipment whose failure would have no personnel safety consequences but

could cause significant damage to ecosystems should also be considered for classification as SCE where there are credible failure scenarios. Note that the decision tree in Figure A3.1 does not reference major environmental consequences and so would need to be modified by BUs accordingly, where appropriate

8. SCE registers require periodic updating. Some equipment items may become

safety critical during their lives due to deterioration and increased risk of failure, e.g., corroded pressure vessel that has been subject to fitness-for-service assessment and requiring greater inspection and monitoring effort

9. The following equipment items are most likely to represent SCE in E&P facilities, as appropriate:

• downhole and wellhead safety systems • critical fixed support structures • critical floating structures and mooring/anchoring systems • “higher risk” pressure systems equipment as identified by RBI

studies • safety instrumented functions and systems, including fire and gas

detection, of SIL rating 1 or higher • “higher risk” relief valves as identified by RBI studies • relief/blowdown systems for hazardous materials


120

• active fire protection and suppression systems • evacuation / escape / survival / temporary refuge facilities • communications equipment required to manage incidents and

emergencies • Equipment installed in a hazardous area which represents a potential

ignition source


121

Figure A3.1 Example of Safety Critical Equipment Decision Tree

during emergencies?

YesYes

IS NOT Equipment

notifica

or capable of handling failures in this equipment) leading to

protect process equipment

catastrophic failure / injury?in order to avoid

1Does the equipment contain flammables, hydrocarbons, or other hazardous chemicals?

Is the equipment part of a control, shutdown, alarm, or mitigation system

Yes

Yes

Safety Critical

EquipmentIS NOT

Safety Critical

EquipmentIS

Safety Critical

Could failure of this equipment potentially cause a significantrelease of hydrocarbons, hazardous chemicals or energy in upstream or downstream equipment?

Is the equipment designedto provide control, -tion, or mitigation functions

–

No No

No

No

No

Equipment IS NOT

Safety Critical

Is affected upstream and/or downstream equipment adequately protected against

potential significant release of flammables, hydrocarbons, or hazardous chemicals?

B

C

No

A

Start

No

Is equipment designed to

2

3Yes

D4

1Does the equipment contain flammables, hydrocarbons, hazardous chemicals?

Is the equipment part of a control, shutdown, alarm, or mitigation system?

YesYes

EquipmentIS NOT

Safety Critical

EquipmentIS

Safety Critical

Could failure of thispotentially cause arelease of hydrocarbons, hazardous chemicals or energy in upstream or downstream equipment?


No No

No

No

Yes

No

Equipment IS NOT

Safety Critical

Is affected upstream and/or downs

hazardous chemicals?

B

C

No

A

Start

No

Is equipment designe

2

3Yes

D4

during emergencies?

YesYes

IS NOT Equipment

notifica

or capable of handling failures in this equipment) leading to

protect process equipment

catastrophic failure / injury?in order to avoid

1Does the equipment contain flammables, hydrocarbons, or other hazardous chemicals?

Is the equipment part of a control, shutdown, alarm, or mitigation system

Yes

Yes

Safety Critical

EquipmentIS NOT

Safety Critical

EquipmentIS

Safety Critical

Could failure of this equipment potentially cause a significantrelease of hydrocarbons, hazardous chemicals or energy in upstream or downstream equipment?


–

No No

No

No

No

Equipment IS NOT

Safety Critical

Is affected upstream and/or downstream equipment adequately protected against

potential significant release of flammables, hydrocarbons, or hazardous chemicals?

B

C

No

A

Start

No

Is equipment designed to

2

3Yes

D4

1Does the equipment contain flammables, hydrocarbons, hazardous chemicals?

Is the equipment part of a control, shutdown, alarm, or mitigation system?

YesYes

EquipmentIS NOT

Safety Critical

EquipmentIS

Safety Critical

Could failure of thispotentially cause arelease of hydrocarbons, hazardous chemicals or energy in upstream or downstream equipment?


No No

No

No

Yes

No

Equipment IS NOT

Safety Critical

Is affected upstream and/or downs

hazardous chemicals?

B

C

No

A

Start

No

Is equipment designe

2

3Yes

D4

Is there a reasonable potential for equipment failure that could lead to a significant release or serious injuries?


122


123

Appendix 4 Acronyms Acronym Meaning API American Petroleum Institute ASME American Society Of Mechanical Engineers ASA Advanced Safety Audit BS&W Bottoms Sediment And Water BU(L) Business Unit (Leader) CMAS Competency Management Assurance System CM&ER Crisis Management And Emergency Response CMMS Computerized Maintenance Management System CMS Common Maintenance Strategy CoL Competency On Line CRR Continuous Risk Reduction CUI Corrosion Under Insulation CVP Capital Value Process EA Engineering Authority E&P Exploration And Production EEMUA Engineering Equipment And Materials Users Association EPTG Exploration And Production Technology Group ER Emergency Response ESD Emergency Shutdown ESMP Equipment Specific Maintenance Plan ESP Electric Submersible Pump ETP Engineering Technical Practice EX Explosion Protected FMEA Failure Mode And Effect Analysis GHSSER Getting Health, Safety, Security And Environment Right GOC Guidance On Certification GP Guidance On Practice GP&R Gas, Power And Renewables HAZID Hazard Identification Study HAZOP Hazard And Operability Study HIPO High Potential Incident HIPS High Integrity Protection System HIPPS High Integrity Pipeline Protection System HSSE Health, Safety, Security And Environment IEC International Electrotechnical Commission IM Integrity Management IFP Integrated Field Planning ISA Instrumentation Systems And Automation Society ISD Inherently Safer Design ISO International Standards Organization JSA Job Safety Assessment JV Joint Venture KPI Key Performance Indicator LEL Lower Explosive Limit LOPA Layer Of Protection Analysis LTO License To Operate MAR Major Accident Risk MEL Master Equipment List


124

Acronym Meaning MI Major Incident MIA Major Incident Announcement MOC Management Of Change MPCP Major Projects Common Process NACE National Association Of Corrosion Engineers NBIC National Board Inspection Code NDE Non-Destructive Examination NGO Non-Government Organization OE Operations Excellence OSHA Occupational Safety And Health Administration OVP Operations Value Process P&ID Piping And Instrument Diagram PFD Probability Of Failure On Demand PHA Process Hazards Analysis PHSSER Project Health, Safety, Security And Environment Review PI Performance Information PIMS Pipeline Integrity Management System PM Planned Maintenance PSD Process Shutdown PSIM Process Safety / Integrity Management PSM Process Safety Management PSV Pressure Safety Valve PTW Permit To Work PU(L) Performance Unit (Leader) QA Quality Assurance QPR Quarterly Performance Review QRA Quantified Risk Assessment R&M Refining And Marketing ROV Remote Operated Vehicle RBI Risk Based Inspection RCM Reliability Centered Maintenance RCFA Root Cause Failure Analysis ROV Remote Operated Vehicle SAFE Safety Analysis Function Evaluation SCE Safety Critical Equipment SCM Supply Chain Management SET Segment Executive Team SIF Safety Instrumented Function SIL Safety Integrity Level Sim-Ops Simultaneous Operations SIS Safety Instrumented Systems SLS Shared Learning System SOP Site Operating Procedure SPA-IM Single Point Of Accountability – Integrity Management SPU Strategic Performance Unit STP Site Technical Practice STPCP Site Technical Practice Control Procedure TA Technical Authority UKOOA United Kingdom Offshore Operators Association WGM Works General Manager


125

Appendix 5 Glossary of Terms The following glossary of terms is derived from the Group IM Standard. Term Definition

BP Operations BP Business Units, projects, facilities, sites and operations

Catastrophic Release

A release into the environment of a potentially harmful substance resulting from a Major Incident or substantial loss of containment.

Chronic Release A low-level release into the environment of a potentially harmful substance over an extended period of time.

Deviations Permanent Exceptions to the Standard.

Document Control Management System

An established means of controlling the issue, use and updating of documents used in the management of a site. A full document control management system (DCMS) will include reference numbers on documents, means of tracking changes and updates and regular audits of the system to confirm compliance.

Engineering Plan Annual plan developed by the BP Operation summarising IM and Engineering planning and activities including programme for implementing STP development

Engineering Technical Practices (ETPs)

BP Group’s validated set of Engineering Technical Practices, based, wherever possible, on internationally recognised industry engineering standards with preference given, where relevant, to the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) Standards.

ETP Shared Learning System

System for sharing and validating learnings and improving ETPs within the ETP website.

Hazard Condition or practice with the potential to cause harm to people, the environment, property or BP’s reputation. The focus of this document is Integrity Management hazards.

Hazard and Risk Register

A summary of typically the top 5-40 priority Integrity Management hazards and risks identified from the various Group/local hazard and risk analysis tools and processes (e.g. HAZOPs, MAR).

IM-related Major Incident/High Potential Incident

The definition of an Integrity Management incident is: Any incident where the Root Cause would be addressed by the IM Standard and where there is actual or potential harm to people or the environment. This includes: • loss or potential loss of primary containment

OR the failure of an engineered system (including mechanical, electrical, structural, lifting, process or process control, and protective systems/devices).

Life-cycle The total period during which a facility, or an asset within a facility, exists. It covers the time from initial design and construction through to decommissioning and site remediation.


126

Term Definition

Mandatory Requirements

The outcome that shall be delivered.

Operational Leader and Operational Leadership

Includes Business Unit Leaders (BULs), Works General Managers (WGMs) and Project Leaders.

Risk Assessment The process of estimating the likelihood that an incident will occur, estimating the magnitude of the consequential loss, including the environmental impact, and making a judgement as to the significance of the risk. The scale of the risk is a function of both likelihood and consequence.

Design Limits Those limits defined by the applicable codes and standards.

Root Cause(s) Possible system cause(s) of the incident.

Site Operating Procedures (SOPs)

A set of documented procedures used to control facility/plant and process operations, including inspection and maintenance practices, at each BP Operation.

Site Technical Practices (STPs)

A set of technical specifications/documentation and operations/maintenance practices used to ensure the safe and environmentally sound specification and operation of plant at each BP Operation. These are expected to include industry engineering standards (internationally recognized wherever possible) plus preventative technologies and the BP Group’s technical or engineering knowledge. They include BP ETPs and processes such as Safety Alerts as well as further knowledge propagated by BP business and discipline engineering networks and communities.

Technical Authorities (TAs)

Engineers with specific discipline expertise appointed by the EA. Their primary role is to act as technical integrity advisors within their designated engineering discipline or activity by ensuring the safe and consistent application of BP Group ETPs, regulatory codes and standards and good engineering practices.

STP Control Procedures

BP Operation systems for maintaining and managing changes to STPs.

Variations Temporary Exceptions to the Standard.

Integrity Managementkeeping our value inside