
SPE 56986

Managing Offshore Process Plant Integrity


J.N.Edmondson & K.Findlay, Offshore Safety Division of the UK Health and Safety Executive
Copyright 1999, Society of Petroleum Engineers, Inc.
This paper was prepared for presentation at the 1999 SPE Offshore Europe Conference
held in Aberdeen, UK, 7-10 September 1999.
This paper was selected for presentation by an SPE Program Committee following review
of information contained in an abstract submitted by the author(s). Contents of the paper,
as presented, have not been reviewed by the Society of Petroleum Engineers and are
subject to correction by the author(s). The material, as presented, does not necessarily
reflect any position of the Society of Petroleum Engineers, its officers, or members. Papers
presented at SPE meetings are subject to publication review by Editorial Committees of the
Society of Petroleum Engineers. Permission to copy is restricted to an abstract of not more
than 300 words. Illustrations may not be copied. The abstract should contain conspicuous
acknowledgement of where and by whom the paper was presented. Write Librarian, SPE,
PO Box 833836, Richardson, TX 75083-3836, USA, Fax: 01-214-952-9435.

Abstract
Loss of hydrocarbon containment accidents present the
greatest threat to the offshore workforce. Hence it is
imperative that the highest standards are maintained with
respect to the design and operation of offshore process plant.
The Offshore Safety Division (OSD) of the UK Health and
Safety Executive, the British health and safety regulatory
body, has undertaken a series of theme audits examining the
management of offshore hydrocarbon production facilities.
The focus for the audits was the adequacy of the safety
management systems in place to control hydrocarbon
containment and included both design and operational
aspects. The paper discusses the principal findings from the
audits and describes actions required to further improve
process plant integrity management over the lifecycle of an
offshore installation.
Introduction
This paper describes the main general problem areas with
respect to offshore process integrity management identified
during 8 audits of installations on the UK Continental Shelf
over the period 1996 to 1998. The audits, which were carried
out by the Offshore Safety Division of the UK Health and
Safety Executive, encompassed a range of operating
companies and also covered different installation types from
large oil installations through to floating production facilities
and manned gas platforms.
The audits examined the management of process operations
by each dutyholder. This involved looking in detail at a
process related 'slice' of each dutyholder's safety
management system against the concepts expressed in
HS(G)65, HSE's guidance document on Successful Health
and Safety Management. This included issues such as:
(a) was the plant being operated and maintained in a safe
manner through the development and enforcement of safe
working practices; (b) was the plant design as safe as
reasonably practicable and had all potential problem areas
been identified by the dutyholder and were they being
managed effectively.
The key findings from the audit reports are distilled into
this paper. Whilst only the significant problem areas
identified are detailed, this should not obscure the fact that
there were many positive features found during the audits
and that many aspects of the process operations had been
competently designed and were well managed.
Operational Problem Areas
Procedural Controls
Control of locked valves. Many installations have a number
of safety critical valves which are meant to be either locked
open or locked closed, for example around dual pressure
relief valve arrangements. In some cases a proprietary
locking system will be used but often a chain and padlock
system will be employed. In all cases there should be a valve
register identifying the valves affected, where they are
located, the position in which they are to be locked and the
frequency with which their status is to be checked. There
should also be status check sheets indicating when checks
were last carried out, by whom and the results obtained.
The audits indicated that without very close supervisory
monitoring, problems can easily occur with locked valve
systems. On the majority of installations inspected, examples
were found of valves that were either not locked or were
locked in the wrong position. On one installation it was clear
that the declared system had not operated for a considerable
period of time in that the relevant valve register could not be
found nor could records of any valve status checks.
Control of inhibits and overrides
Typical process plant will contain a number of protective
trips to prevent equipment usage outside its safe operating
envelope. There will be inhibits or overrides for these
devices, for start-up and maintenance purposes, which may
occasionally be used for the short-term maintenance of
production whilst a faulty instrument is repaired. In all cases,
a detailed register should be kept of all 'live' inhibits and
overrides together with the reason for their activation and
how long they have been in operation. Details should also be
kept of related risk assessments. The register entries and the
risk assessments should also be regularly and formally
reviewed and approved by a nominated responsible person
such as the production superintendent. The review should
also include an appraisal of the possible cumulative effects
of the various overrides that are in place.
Particular problems encountered were: (a) inhibits and
overrides initially activated to overcome short-term
production problems had become long-term without proper
assessment as to whether this was acceptable; or, whether
their continuing existence was eroding declared safety
margins. For example, to avoid potential gas 'blowby'
problems between systems operating at different pressures,
any interconnecting vessels such as gas/liquid separators will
usually have a low low level trip as a safety barrier on the
liquid outlet stream from the higher pressure vessel. In a
number of cases because of reliability problems with the
level measuring device, the trip function had been
permanently overridden in breach of good practice and
the dutyholders' stated design standard (API RP 14C); (b)
breakdown of discrete elements of the recording, monitoring
and review process. On one installation, overrides put on
during the shift were being removed prior to shift hand-over
so that there was nothing to report. Supervisory monitoring
was not identifying the existence of the overrides; (c) no
consideration or risk assessment of possible interactions
between a number of different inhibits and overrides. Whilst
risk assessments for individual overrides were frequently in
place, risk assessments of possible cumulative and
synergistic effects were frequently overlooked.
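The register checks described above can be run against the control system's own event record, so that an override applied and cleared within one shift still shows up. The following is an added example, not part of the original paper: the event line format, the tag names, the 7-day limit and the 1-hour matching tolerance are all assumptions, and the sample data is constructed.

```python
"""Reconcile override events from the control system with the override register."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_LIVE = timedelta(days=7)     # assumed limit before a live override counts as long-term
TOLERANCE = timedelta(hours=1)   # assumed slack between an event and its register entry


@dataclass(frozen=True)
class RegisterEntry:
    tag: str              # tag of the overridden trip (constructed names below)
    reason: str
    applied: datetime
    risk_assessed: bool   # an individual risk assessment is on file


def parse_events(lines):
    """Turn 'timestamp TAG OVERRIDE_ON|OVERRIDE_OFF' lines into (tag, start, end)."""
    open_at, intervals = {}, []
    for line in lines:
        stamp, tag, action = line.split()
        when = datetime.fromisoformat(stamp)
        if action == "OVERRIDE_ON":
            open_at.setdefault(tag, when)
        elif action == "OVERRIDE_OFF" and tag in open_at:
            intervals.append((tag, open_at.pop(tag), when))
    # An override with no matching OFF event is still live: end is None.
    intervals += [(tag, start, None) for tag, start in open_at.items()]
    return sorted(intervals, key=lambda item: item[1])


def audit(event_lines, register, joint_reviews, now):
    """Return (finding, tag) pairs for the problem types (a) to (c) in the text."""
    findings, live_tags = [], set()
    for tag, start, end in parse_events(event_lines):
        entry = next((e for e in register if e.tag == tag
                      and start - TOLERANCE <= e.applied <= (end or now)), None)
        if entry is None:
            # (b) override seen by the control system but never recorded
            findings.append(("UNREGISTERED", tag))
        if end is None:
            live_tags.add(tag)
            if now - start > MAX_LIVE:
                # (a) short-term override that has become long-term
                findings.append(("LONG_TERM", tag))
        if entry is not None and not entry.risk_assessed:
            findings.append(("NO_RISK_ASSESSMENT", tag))
    # (c) several live overrides with no assessment covering them together
    if len(live_tags) >= 2 and not any(live_tags <= set(r) for r in joint_reviews):
        findings.append(("CUMULATIVE_NOT_ASSESSED", ",".join(sorted(live_tags))))
    return findings


# Constructed sample data: one long-standing low low level trip override, one
# override cleared 20 minutes before an 18:00 handover, one without assessment.
SAMPLE_EVENTS = [
    "2024-03-01T07:10:00 LSLL-1201 OVERRIDE_ON",
    "2024-03-18T08:30:00 PSHH-3305 OVERRIDE_ON",
    "2024-03-18T17:40:00 PSHH-3305 OVERRIDE_OFF",
    "2024-03-19T09:00:00 PSHH-2210 OVERRIDE_ON",
]
SAMPLE_REGISTER = [
    RegisterEntry("LSLL-1201", "unreliable level transmitter",
                  datetime(2024, 3, 1, 7, 15), True),
    RegisterEntry("PSHH-2210", "transmitter calibration",
                  datetime(2024, 3, 19, 9, 5), False),
]
NOW = datetime(2024, 3, 20, 12, 0)

if __name__ == "__main__":
    for finding, tag in audit(SAMPLE_EVENTS, SAMPLE_REGISTER, [], NOW):
        print(f"{finding:26s}{tag}")
```

Passing the sets of tags that have been jointly risk assessed as `joint_reviews` clears the cumulative finding only when one review covers every live override.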
FPSO process operations in adverse weather
The performance of process equipment (eg separators,
dehydration and gas treatment contactor columns) on FPSOs
can be significantly affected by wave-induced vessel
movement. The equipment will normally be designed to cope
with a specified amount of movement but beyond that there
can be severe reductions in performance with potentially
serious safety implications, eg liquid carry-over into gas
streams to compressors. It is important however that: (a) the
operating envelope in terms of vessel movement for the
process equipment on each FPSO has been clearly specified
and is understood by the operational crew; (b) there are clear
instructions to the operational crew, as to what action should
be taken when the limits of the operating envelope are
reached and the parameters to be used to decide when this is
the case; (c) the appropriate action defined in the instructions
is actually carried out. Situations were identified where these
criteria were not being met.
Identification of process equipment, valves and
instruments
Process equipment, valves and instruments on an installation
should be clearly tagged or marked to facilitate their rapid
identification. Several incidents have occurred in the past
where the wrong item has been operated or maintained. The
audits have revealed installations where not all relevant items
have been marked. Accurate plant identification is of great
importance. This is particularly the case on newer, more
automated plant where there will be fewer plant operators
and less physical intervention. As a result individuals may
not be as familiar with the location of all equipment.
Accurate identification of lines, valves, equipment etc is
important in promoting safe isolations and interventions.
Inadequate/out-of-date operating instructions
Typical problems identified were: (a) operating instructions
which had not been modified to reflect plant
modifications/upgrades or changed operating procedures; (b)
operating instructions which did not cover all possible
operating modes, eg different operating configurations were
occasionally employed, some of which had no written
procedures; (c) operating instructions which had no official
status. Frequently these would appear as 'ad-hoc' instructions
produced by production operators themselves outwith the
management system and without formal management
approval (sometimes without management's knowledge); (d)
instances where different versions of the same procedures
were in existence.
Inadequate vetting/monitoring of workplace risk
assessments
Current offshore practice places much emphasis on local
workplace risk assessment in the overall control of risk
levels. However there are indications that such assessments
can become routinely mechanistic and superficial unless
their quality and rigour is regularly monitored and
challenged by management. Evidence from the audits
suggested that this was not always occurring. For example,
an assessment of the effects of removing a high high pressure
trip on the discharge of an oil export pump indicated the
consequences to be 'none' even though there was the
potential for export riser and/or pipeline rupture. Assessment
also needs to be undertaken by staff with an appropriate level
of technical competence. For example, offshore staff may
not always be sufficiently knowledgeable to make decisions
on proposed changes that are technically very complex. It is
important that this is recognised and that there are robust
guidelines as to when issues should be referred back to
onshore staff. The monitoring process should also extend to
checking that onshore staff are delivering an appropriate
level of support.
Inadequate performance monitoring
Whilst dutyholders usually had in place procedures to cover
a wide range of different tasks and activities (eg ESDV
testing, F&G alarm testing etc), in a number of cases there
was inadequate first line supervisor/management monitoring
that these procedures were actually being followed. No
targets for monitoring were being set, ie what should be
monitored, how often, sample size etc. As a result, clear
shortfalls in performance had not been identified. For
example, on one installation detailed procedures had been
developed for the frequency and nature of ESDV testing. In
practice these procedures were not being followed and
testing was only being carried out on a very infrequent basis,
yet the installation management was unaware of this due to a
lack of active performance monitoring. On some installations
there appeared to be misunderstandings as to the relative
roles of monitoring and audit, with the supervisors confusing
their monitoring role with that of external auditors.
Testing
Setting and verification of performance standards. On
offshore installations, there are a number of areas where
safety critical items of equipment, (eg ESDVs, SSIVs etc)
need to be tested regularly against predetermined
performance standards. Particular problems identified in the
audits were: a) performance standards for the closure times
of ESDVs and SSIVs not being set; b) closure time tests not
being carried out or not being carried out with the declared
regularity; c) shutdown valve leak rate performance
standards not being set, tests not being carried out or not
being carried out with the declared regularity; d) tests
(closure time, leakage rate etc) being carried out but those
responsible being unaware of what action should be taken if
the standard was not met; e) incomplete testing of valve
closure systems. Some ESDVs have dual circuit closure
mechanisms, where operation of either circuit will close the
valve. Testing had sometimes been confined merely to
checking that the valve would close, not that each circuit
would close the valve; f) design blowdown times for both
individual vessels and overall systems which had never been
verified by plant trials.
Plant Protection Systems
Use of control valves as shutdown/ isolation valves. On
some installations, control valves were also being used for
shutdown/isolation purposes as an alternative to installing
separate dedicated shutdown and isolation valves. This is
considered to be very poor practice in that: a) it may be an
initial failure of the control valve, that necessitates operation
of the shutdown valve. 'Doubling up' on the duties clearly
increases significantly the possibility of common cause
failure; b) control valves are not designed for tight shut-off
and any leakage could contribute toward the escalation of an
incident.
Common tapping points for control and shutdown
devices
Trip tappings should always be independent of those used
for the primary controller to avoid the possibility of common
cause failure if the tapping line should become blocked or
mechanically isolated. Instances where this was not the case
and common tappings were employed were found on 3
installations. Again, this is very poor practice. For example,
the possibility of gas blowby on one installation
was greatly increased due to the low level alarm and low low
level trip being taken from the same tapping as the primary
level controller.
Unlocked bypass valves around shutdown valves
Shutdown valves are frequently fitted with bypass valves to
permit their removal for maintenance purposes or to prevent
excess differential pressure across the valve seat. However if
the purpose of the associated shutdown valve is not to be
seriously compromised, it is essential that the bypass valves
are closed in normal operation. This is usually achieved by
locking them and placing them on the locked valve register.
On several installations, bypass valves were not locked
closed and on 2 installations bypass valves were found to be
open. Figure 1 below shows a typical bypass arrangement as
shown on a P&ID.
[Fig. 1: typical bypass arrangement around a shutdown valve, as shown on a P&ID]
No register of trip and alarm settings
During plant design, settings are specified for alarms and
trips to allow adequate time for intervention before a serious
incident develops. A register of these settings should be
available on the installation. During commissioning, or in the
light of operating experience, these settings may be changed
to achieve optimal performance (for example, changes may
be made if frequent spurious trips are found to occur).
However any changes need to be risk assessed, subject to
formal approval and recorded on the register. For most
installations this proved to be the case but there were
installations which: a) had no register of selected settings; b)
where changes could be made by control room staff, which
were not formally recorded and were not reviewed by
supervisory staff.
Long-term process alarm faults
Process alarms are incorporated within a design to try to
prevent the development of serious process upsets. Alarms
should therefore normally be in a working state and where
defective should be repaired as rapidly as possible. If this is
not possible, a formal assessment of the effects of prolonged
operation without the alarm(s) should be carried out. On
some installations, there were alarms which had clearly been
out of action for a long period of time, without any
assessment of potential consequences having been carried
out.
Common alarms to different locations
Individual process systems, (eg gas compression) are
sometimes designed to operate with a local control panel
with some alarms relayed to a central control room (CCR).
In general such arrangements can work well if appropriate
attention is paid to the alarm provisions in the central
facility. Particular problems identified were: (a) systems
which only had 'common' alarms in the CCR, providing
insufficient detail as to the nature of the fault condition.
More detailed diagnosis required dispatch of an operator to
the local control panel. Safety critical fault alarms should
always be repeated in both locations; (b) where the receipt
and acceptance of a single fault condition in the CCR would
'overwrite' the receipt of any further alarms from the same
system.
Training and Competence
Emergency training and procedures. Written procedures
did not always cover process upset conditions or describe
what action should be taken under different process
emergency conditions. This was an aspect also absent from a
number of the training and competence schemes where the
emergency training element was focused on actions to be
taken following a major incident rather than actions relevant
to preventing a process upset developing into a major
incident.
Familiarity with key risk areas
A knowledge of the principal sources of risk on an
installation may assist in modifying the behaviour of
personnel such that increased care and attention will be taken
within 'higher risk' areas such as gas compression and with
'higher risk' activities. However, although the key risk areas
on different installations had been identified during
preparation of the Safety Case, this information had not
always been successfully conveyed to operations personnel.
Lack of adequate handover of specialist process
packages
Typical process plant will incorporate a number of specialist
packages, (eg gas compression units) which will normally be
commissioned by the manufacturers' own teams. Evidence
from the audits indicated that whilst platform staff were
meant to be involved in this work to gain familiarity with the
equipment, they were sometimes seen as 'in the way' and
slowing down progress and hence discouraged from detailed
involvement. This had resulted in packages being handed
over to process personnel with only a limited knowledge of
how to operate them. One company had had two loss of
hydrocarbon containment incidents in quick succession
attributable to operator unfamiliarity.
Training and competence programmes
Some training and competence programmes were in the
process of being developed or upgraded. In general, whilst
very good training programmes appeared to be in place for
new recruits, there sometimes appeared to be gaps present
for more established staff as well as for supervisors. For
example: a) instances were found where established
operators did not have a good understanding of aspects of
the plant they were operating, eg the importance and role of
installed High Integrity Protection Systems (HIPS). In such
cases, there appeared to have been an underlying assumption
by management that no further formal training was required
by experienced personnel and consequently competence
assessment had become largely a 'paper' exercise to confirm
this belief; b) competence programmes frequently did not
extend to supervisors themselves.
Organisation
Interface management. A number of the installations had
fairly complex operational arrangements with, for example:
a) the dutyholder sub-contracting out significant parts of the
operational and maintenance functions; b) the asset owner
contracting out responsibility for production to another party
who took over the role of dutyholder.
Whilst in general these arrangements seemed to work well,
it was found that in some areas relative roles and
responsibilities were inadequately defined, with resultant
safety implications. For example, on one installation, whilst
the bulk of maintenance work had been sub-contracted out,
this did not include part of the testing functions (ESDVs etc).
However, this fact was not clear to the relevant personnel
who were meant to have been responsible for the work.
Manning levels
On some installations there was an absence of formal
procedures requiring reviews of manning levels, even though
there could have been significant changes in workload due to
factors such as the addition of new units/tie-backs etc. In one
case this has led to serious concerns that process operators
were overloaded, with potential safety implications.
Investigation
Incident close-out. Whilst thorough investigation of all
incidents and releases was a feature common amongst the
dutyholders, a number of instances were found where agreed
remedial actions still had not been implemented a
considerable time after the investigation had concluded.
It appeared that the actions had essentially become
'forgotten about' in the absence of a formal incident/accident
close-out procedure.
Detailed Design Issues
Inaccurate drawings and other process information. On
the majority of older installations the accuracy of some of
the Piping and Instrument Drawings (P&IDs) was uncertain
and it was accepted that there were probably areas where
they did not reflect the actual situation. Although all
dutyholders had in place procedures for recording new
engineering work, the problem arose as a result of the many
modifications which had taken place over the years, some of
which had not been properly recorded on updated drawings.
This situation can have serious consequences if, for example,
process isolations are to be based on inaccurate drawings and
result in an unforeseen release of hydrocarbon. The remedy
required dutyholders to carry out detailed checks of existing
drawings against the actual plant. Some dutyholders were
making progress in this area but others appeared not to be
addressing the problem. Similar considerations applied to a
wide range of design data including cause and effect
drawings, control data sheets etc and even extended to
documents such as 'basis of change/design philosophy' which
on occasions had not been updated despite significant
modifications having occurred. Again, the danger was that
someone might use these outdated documents as an input
into a safety critical decision.
Inadequate vetting of design modifications
The importance of proper control of engineering design
changes is widely recognised and most dutyholders have in
place detailed procedures to cover the issue. However, for a
few companies, the procedures were still not sufficiently
robust and evidence was found of significant changes with
safety implications being agreed and implemented by
offshore personnel without the detailed knowledge and
agreement of onshore design staff.
Hazard and Operability (HAZOP) Study
Shortcomings
HAZOP studies are routinely carried out on all new plant
and major modifications. However, amongst the problems
identified with such studies were: a) HAZOP actions not
closed out. The principal findings from a HAZOP will
normally be summarised in some form of HAZOP Action
Register. This will record the nature of the problem, how/by
whom/when it is to be further addressed, the nature of the
solution agreed and confirmation that this solution has been
implemented. When these details have been provided the
action can be formally closed and 'signed off'. However in
several instances there had been no close-out and actions
remained uncompleted and problems unresolved; b) with
modifications it is important that the scope of the HAZOP
includes not only any new plant and equipment but also
addresses possible interaction with existing plant. Instances
were found where the latter aspect had not been adequately
addressed.
Inadequate examination of HP/LP interfaces
A number of major accidents onshore and incidents offshore
have occurred where there has been accidental breakthrough
from a high pressure system to one at a lower pressure.
Whilst the possibility of such events should be considered
during the normal HAZOP process, because of the
importance and history of related incidents, it is considered
better practice to carry out separate, specific HP/LP interface
studies. One dutyholder had not carried out any study of this
nature and indicated the belief the issue would have been
addressed by the HAZOPs. However detailed scrutiny of the
HAZOP records indicated that the issue had not been
adequately addressed.
Inadequate blowdown evaluation
Blowdown is an important feature of process plant design,
allowing the plant to be rapidly depressurised in the event of
a developing emergency. Although the concept is simple,
design of a blowdown system can be complex when there are
a number of potentially interfacing flows. Blowdown
systems are normally designed to the recommendations of
API RP 521, Guide for Pressure-Relieving and Depressuring
Systems. The recommendation for depressurisation is to
depressure from the initial conditions to 50% of the vessel's
design gauge pressure or to 6.9 barg, whichever is the lower,
within 15 minutes. This recommendation is based on a vessel
plate thickness of 1 in. Calculations should have been carried
out to establish whether the process vessel wall will fail,
under fire conditions, in less than 15 minutes. If this were to
be the case, the blowdown rate should have been increased
accordingly or other protective features such as passive fire
protection provided. Many light hydrocarbon liquids will
chill to low temperatures as pressures are reduced. Design
and depressuring conditions should consider this possibility.
Problems identified during the audits were: a) no computed
blowdown pressure vs time profiles for the process plant
(where available, they frequently had not been checked
against plant trials); b) additional items of process
equipment/changed operating conditions being incorporated
without their effect on the overall blowdown system being
addressed.
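The depressurisation criterion quoted above can be checked against both a computed pressure vs time profile and a plant trial, which is the comparison the audits found missing. This is an added example, not part of the original paper: the profiles are constructed, linear interpolation between readings is an assumption, and the check does not cover the separate question of whether the vessel wall would fail under fire in less than 15 minutes.

```python
"""Check blowdown profiles against the API RP 521 recommendation quoted in the text."""

TIME_LIMIT_MIN = 15.0   # minutes, from the text
FLOOR_BARG = 6.9        # barg, from the text


def target_pressure(design_barg):
    """50% of design gauge pressure or 6.9 barg, whichever is the lower."""
    return min(0.5 * design_barg, FLOOR_BARG)


def time_to_reach(profile, target):
    """Minutes until the pressure first falls to target, or None if it never does.

    profile is a list of (minutes, barg) readings sorted by time; readings are
    joined by straight lines (an assumption made for this example).
    """
    if profile[0][1] <= target:
        return profile[0][0]
    for (t0, p0), (t1, p1) in zip(profile, profile[1:]):
        if p1 <= target < p0:
            return t0 + (p0 - target) / (p0 - p1) * (t1 - t0)
    return None


def check(design_barg, profile):
    """Return (target barg, minutes to target, meets the 15 minute limit)."""
    target = target_pressure(design_barg)
    minutes = time_to_reach(profile, target)
    return target, minutes, minutes is not None and minutes <= TIME_LIMIT_MIN


def compare(design_barg, computed, trial):
    """Report whether design calculation and plant trial agree on compliance."""
    _, t_calc, ok_calc = check(design_barg, computed)
    _, t_trial, ok_trial = check(design_barg, trial)
    return {
        "computed_min": t_calc,
        "trial_min": t_trial,
        "computed_ok": ok_calc,
        "trial_ok": ok_trial,
        "design_verified": ok_calc and ok_trial,
    }


# Constructed profiles for a vessel with a design pressure of 40 barg.
# The design calculation meets the limit; the plant trial does not, for
# example after equipment has been added to the blowdown system.
DESIGN_BARG = 40.0
COMPUTED = [(0, 35.0), (5, 18.0), (10, 8.0), (15, 4.0)]
TRIAL = [(0, 35.0), (5, 22.0), (10, 13.0), (15, 9.0), (20, 6.0)]

if __name__ == "__main__":
    print(compare(DESIGN_BARG, COMPUTED, TRIAL))
```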
Relief valves
Many items of process equipment are fitted with relief valves
to protect against overpressurisation. Relief valves are sized
against specific design conditions and if these conditions
change the valve may not be adequate for the new duty.
Conditions may change either because of plant modifications
or changed operating parameters, (eg increased water cut).
Several instances were identified where relief valve capacity
had not been reviewed although the required duty had
changed. Also the design case and duty used in the sizing
calculations should be clearly specified on the relevant data
sheet. Examples of process data sheets were sighted where
this was not the case.
High integrity protection systems (HIPS)
HIPS are frequently encountered on offshore installations.
Properly designed and engineered they can provide effective
protection against different potential accident sequences.
Considerable care needs to be employed in the design and
installation of HIPS requiring the involvement of specialist
staff. However instances were identified where this had not
been the case. For example, a HIPS had been installed to
prevent line overpressurisation on a compressor bypass.
When the system was examined by the auditors, it was clear
that, with the size of valve installed, the required valve
closure time of 30 seconds could not be achieved.
Consequently, the line would have become overpressurised
and the dutyholder had to amend the design.
Threaded pipe connections on hydrocarbon duties
The use of threaded pipe connections on hydrocarbon duties,
other than for small bore instrument fittings, is not regarded
as good practice and piping codes such as ANSI B31.3
would only allow their usage under very restricted
circumstances. In recognition of this, on older installations
where a number of such connections may have been
provided with the original design, dutyholders will normally
have tried to replace or back-weld them. However, on
2 older installations, sections of pipework with threaded
connections were found. On one there had been a policy of
back-welding but a number of connections had been missed;
on another the original piping specification had not been
updated and was still shown as 'current'.
Higher Level Design Issues
Policies and standards
Review of standards on older installations. Older
installations were often designed to standards (company,
national, international) which have since been superseded
and are no longer seen as appropriate. This has resulted in
the absence of some safety features, (eg blowdown systems)
which the dutyholders themselves would view as highly
desirable (or even mandatory) for any of their newer
facilities. Similarly operating parameters (reservoir
composition, water cut, pressures etc) on older installations
may have changed significantly over time resulting in
operating conditions going outwith the original design
envelope. However, several dutyholders did not have any
policy as to whether older facilities should be reviewed
against current standards/good practice and against changed
operating parameters in order to determine whether areas
could be identified where upgrades in either equipment or
operating practices would be beneficial.
Figure 2 below shows the arrangement found on an offshore
installation which had been operated since the mid 1970s. It
clearly shows that gas breakthrough to the vent system could
easily have occurred if there had been a level control
problem with the separator.

[Fig. 2: separator arrangement. Diagram labels: GAS / WATER IN, GAS OUT, LIC, SEPARATOR, VENT, LCV, SUMP TANK]
Company design standards
Several of the dutyholders did not have any company
policies regarding design standards but rather relied on
project standards which were agreed for a given project by
the company's design team and any associated contractor.
The effect of this can be that particular dutyholders may be
operating a number of facilities each with different standards
and that this can cause problems (some with safety
implications) if staff are transferred between installations and
are unaware that these differences exist. This appeared to be
the case for some dutyholders.
Review against identified problem areas
There are areas of plant operation which are known to give
rise to a disproportionate number of hydrocarbon releases.
For example, from incident returns reported to OSD, it can
be readily identified that a high proportion of gas releases
emanate from small bore piping and instrument fittings. As a
result, some companies had conducted campaigns to try to
improve their performance in this area by seeking to
minimise the amount of such pipework and fittings and
improve the standard of related maintenance. However,
several of the companies audited did not have any policy
with regard to the identification and review of problem areas.
Inherently safer design principles
The majority of dutyholders had no formal policy toward the
adoption of inherently safer design principles; whether these
important principles were considered or not was essentially
at the discretion of the design teams concerned.
Organisation
Lack of relevant 'in-house' engineering expertise
As a result of downsizing some dutyholders did not have
in-house expertise for all process-related engineering
disciplines and had to outsource some requirements. Such
arrangements did not always produce satisfactory results,
especially where there was not even sufficient expertise to
monitor the work of the external contractor. For example: a)
on behalf of one dutyholder an external process design
consultant submitted relief valve sizing calculations to OSD
which were clearly in error. The calculations were shown as
being approved by the dutyholder although they had no
'in-house' process engineer; b) significant problems were
encountered with a compressor control system on one
installation. The problems could have been identified at the
design stage by a competent control engineer but the
dutyholder did not have one in post at the time.

Conclusions
The Health and Safety Executive undertook this series of
audits in the light of concerns over the number of loss of
hydrocarbon containment incidents which were being
reported each year from installations in the UKCS. The
findings highlight areas of process operation where
additional management effort by dutyholders may be
beneficial in securing better compliance
with UK health and safety legislation and in reducing the
level of offshore risk. It is hoped that the findings will act as
a catalyst for companies to review their own systems and
arrangements in these areas and satisfy themselves that the
problems discussed are not applicable to their own
operations. OSD will also seek to examine these areas
further by means of their own inspections.
References
1. Successful health & safety management, HS(G)65, HSE
Books 1997, ISBN 0 7176 1276 7.
