NEBOSH IOG1 Element1

NEBOSH
International Technical Certificate in Oil and Gas Operational Safety

Unit IOG1: Management of international oil and gas operational safety
Element 1: Health, safety and environmental management

in context
Contents
Contents
1.0 Learning outcomes............................................................................................................................ 5

1.1 Learning from incidents .................................................................................................................... 5
Introduction ........................................................................................................................................ 6
Key definitions .................................................................................................................................... 9
A set of conditions or circumstances that have the potential to cause injury or ill health. ........... 9
Responding to an accident................................................................................................................ 13
Immediate response ..................................................................................................................... 13
The accident investigation ............................................................................................................ 13
Learning lessons from previous incidents......................................................................................... 21
Buncefield (2005) oil storage depot explosions and fire .............................................................. 22
Esso Longford (1998) gas leak, explosion and fires ...................................................................... 24
Deepwater Horizon (2010) explosion, fire and oil spill ................................................................. 27
BP Texas City (2005) oil refinery explosion and fire ..................................................................... 29
Mumbai High North (2005) collision, gas leak, explosions and fire.............................................. 32
Piper Alpha (1988) oil platform explosion and fire ....................................................................... 34
Bhopal (1984) toxic gas release .................................................................................................... 37
The importance of a positive pro-active safety culture .................................................................... 39
1.2 Hazards inherent in oil and gas ....................................................................................................... 40
Definitions ......................................................................................................................................... 40
Flashpoint...................................................................................................................................... 40
Vapour density .............................................................................................................................. 40
Relative vapour density ................................................................................................................ 40
Vapour pressure ............................................................................................................................ 40
Flammable limits ........................................................................................................................... 40
Flammable, highly flammable and extremely flammable ............................................................ 41
Hazardous substances................................................................................................................... 43
Properties and hazards of gases ....................................................................................................... 45
Hydrogen....................................................................................................................................... 45
Methane........................................................................................................................................ 45
Liquefied Petroleum Gas (LPG) ..................................................................................................... 45
Liquefied Natural Gas (LNG).......................................................................................................... 46
© Astutis Ltd NEBOSH IOGC 2

Unit IOG1 Element 1
Nitrogen ........................................................................................................................................ 46
Hydrogen Sulphide ........................................................................................................................ 47
Oxygen .......................................................................................................................................... 47
Properties, hazards and controls of associated products ................................................................. 49
Additives ....................................................................................................................................... 49
Water and steam .......................................................................................................................... 50
Mercaptans ................................................................................................................................... 50
Drilling muds / drilling fluids ......................................................................................................... 51
Sludges .......................................................................................................................................... 51
Asbestos containing material (ACM) ............................................................................................ 52
1.3 Risk management techniques used in the oil and gas industries ................................................... 53
Introduction ...................................................................................................................................... 53
Recognised health and safety management systems ....................................................................... 54
HSG 65 ........................................................................................................................................... 54
OHSAS 18001:2007 ....................................................................................................................... 56
ILO-OSH 2001 ................................................................................................................................ 58
Risk assessment ................................................................................................................................ 60
Definitions ..................................................................................................................................... 60
The 5 steps approach .................................................................................................................... 61
Risk assessment for the oil and gas industry ................................................................................ 61
Hazard identification......................................................................................................................... 62
HAZOP ........................................................................................................................................... 62
HAZID ............................................................................................................................................ 63
FMEA ............................................................................................................................................. 63
JHA ................................................................................................................................................ 64
FTA ................................................................................................................................................ 65
Risks estimation and ranking ............................................................................................................ 66
Qualitative and quantitative risk assessment ............................................................................... 66
Risk evaluation and ranking .......................................................................................................... 68
Risk evaluation and reduction .......................................................................................................... 70
As low as reasonably practicable (ALARP) .................................................................................... 72
Industry related process safety standards .................................................................................... 73
The concept of ‘hazard realisation’............................................................................................... 75
The concept of ‘risk control barrier models’................................................................................. 78

Unit IOG1 Element 1
Modelling as a risk control measure ............................................................................................. 80
1.4 Documented evidence of an organisation’s process safety arrangements.................................... 82
Purpose and types of documented evidence ................................................................................... 82
Typical content of safety cases and safety reports ....................................................................... 82

Unit IOG1 Element 1
1.01.0Learning outcomes
Learning outcomes
On completion of this element, candidates should be able to demonstrate understanding of the

content through the application of knowledge to familiar and unfamiliar situations.
In particular they should be able to:
(1.1) Explain the purpose of and procedures for investigating incidents and how the lessons learnt
can be used to improve health and safety in the oil and gas industries.
(1.2) Explain the hazards inherent in oil and gas arising from the extraction, storage and processing
of raw materials and products.
(1.3) Outline the risk management techniques used in the oil and gas industries.
(1.4) Explain the purpose and content of an organisation’s documented evidence to provide a
convincing and valid argument that a system is adequately safe in the oil and gas industries.

Unit IOG1 Element 1
1.11.1Learning
Learning fromfrom
incidentsincidents
Introduction
All incidents, whether major in scale, or involving a single employee can be learned from.
Some major incidents involving oil and gas operational installations around the world include:
 the Buncefield oil storage depot explosion and fire in 2005 (United Kingdom)
 the Esso Longford gas plant explosion in 1998 (Australia)
 the Deepwater Horizon oil platform explosion, fire and oil spill in 2010 (Gulf of Mexico)
 the BP Texas City oil refinery explosion and fire in 2005 (USA)
 the Mumbai High North collision, gas leak, explosions and fire in 2005 (India)
 the Piper Alpha oil platform explosion and fire in 1988 (United Kingdom)
 the Bhopal toxic gas release in 1984 (India).
These incidents and many more have caused major devastation, serious environmental impact and
in some cases loss of life, and all demonstrate the importance of exercising effective control of the
health and safety training of personnel working within this industry.
In addition to these major incidents, relatively minor incidents can have serious consequences and
impacts on operational safety in oil and gas installations. In the UK the Health and Safety Executive
(HSE) reported in 2012/2013 that over 351 dangerous occurrences took place in the UK’s offshore
oil and gas industry, resulting in 47 major injuries and 88 lost time accidents.
Likewise, in 2013 the US Bureau of Ocean Energy Management, Regulation and Enforcement
reported 690 oil and gas industry incidents in the US, with 3 workers killed and a further 247
suffering injuries.
In 2012 the International Association of Oil and Gas Production (IOGP) reported 88 fatalities, and in
excess of 1 500 reported injuries (an average of 28 injuries per day). Companies and contractors
working in the global oil and gas industries lost 146 person-years as a result of injuries.
Therefore, other than legislative reasons for accident/incident investigation, the primary reasons for
investigation are:
Collect Establish the Obtain

information immediate information
for reporting and root required to
to the causes and pursue or
enforcing prevent a defend a civil
authorities recurrence claim
Figure 1.1: Reasons for investigating incidents

Unit IOG1 Element 1
Any organisation, through its managers and supervisors, should inform employees of the types of
accident and incidents that need reporting, e.g. accidents, dangerous occurrences, near misses and
first-aid treatments.
Through investigating incidents an organisation will be able to understand:
How and why the problems arose which caused the

accident/incident
The ways in which people are exposed to substances

or situations which can cause harm
What really happens in the workplace – e.g. why

people take shortcuts or ignore safety rules
Any deficiencies in the organisations risk control strategies
In addition to the collection of data for analysis for health and safety performance, accident/incident
investigation will also support the development of a positive health and safety culture through
learning from accidents/incidents, implementing the required remedial action and preventing
further injury to employees, or financial loss to the organisation.
The benefits for investigating accidents and incidents include:
Preventing business
Preventing similar loss due to disruption,
events from occuring loss of production or
damaged reputation
Benefits
Improvements in Improved management

employee morale and skills leading to
attitudes towards improved health and
health and safety safety performance
Figure 1.2: Benefits of investigating incidents

Unit IOG1 Element 1
Offshore injury, ill health and incident statistics from the UK’s Health and Safety
Executive (HSE)
www.hse.gov.uk/offshore/statistics.htm
Web links
Incident Statistics and Summaries from the US Bureau of Safety and Environmental
Enforcement (BSEE)
www.bsee.gov/Inspection-and-Enforcement/Accidents-and-Incidents/Listing-and-
Status-of-Accident-Investigations
Safety Performance Indicators – 2012 data (OGP Data Series) from the
International Association of Oil and Gas Producers (IOGP)
www.ogp.org.uk/Reports/Type/2012s/id/722
Many major oil/gas incidents have occurred in recent years, for example, Texas
City and Mumbai High.
Exam question
(a) Outline FOUR reasons why such incidents should be 4 marks

investigated by employers.
(b) Identify FOUR parties, other than the employer, who may 4 marks
want to investigate these types of incident.
Answers are on page 4 of the examiners’ feedback PDF, which you

can find in the revision and exam support section of the course.

Unit IOG1 Element 1
Key definitions
In the UK, the Health and Safety Executive (HSE) publication HSG 245 Investigating Injury and
Accidents at Work includes definitions of accident, near miss, and undesired circumstances.
Accident
An unplanned or unwanted event that causes injury to persons,
damage to property or a combination of both.
An event that results in injury or ill health.
Near miss
An event that, while not causing harm, has the potential to cause
injury or ill health.
Undesired circumstances
A set of conditions or circumstances that have the potential to
cause injury or ill health.
Incident
Includes all undesired circumstances and ‘near misses’ which could cause accidents. Although not
part of the HSE definition, within the context of this course the term ‘incident’ also includes
accidents that have caused harm.

Unit IOG1 Element 1
Dangerous occurrence
A dangerous occurrence is a specified near miss event that has the potential to do significant harm
and must therefore be reported to the relevant enforcing authority.
Examples of dangerous occurrences, reportable in the UK under the Reporting of Injuries, Diseases
and Dangerous Occurrences Regulations 2013 (RIDDOR) include:
 collapse, overturning or failure of lifting equipment
 explosion or fire causing suspension of normal work
 well blow-out or preventative measures required outside of normal operations
 pipeline damage causing risk of injury or pipeline shutdown
 collision between a vessel or aircraft and an offshore installation
 any fall of a person into water from more than 2 metres.
Occupational disease
Cases of the following diagnosed diseases which are linked with occupational exposure to specified
hazards must be reported.
 Carpal Tunnel Syndrome: where the person’s work involves regular use of percussive or
vibrating tools.
 Cramp of the hand or forearm: where the person’s work involves prolonged periods of
repetitive movement of the fingers, hand or arm.
 Occupational dermatitis: where the person’s work involves significant or regular exposure to a
known skin sensitiser or irritant.
 Hand Arm Vibration Syndrome: where the person’s work involves regular use of percussive or
vibrating tools, or holding materials subject to percussive processes, or processes causing
vibration.
 Occupational asthma: where the person’s work involves significant or regular exposure to a
known respiratory sensitiser.
 Tendonitis or tenosynovitis: in the hand or forearm, where the person’s work is physically
demanding and involves frequent, repetitive movements.
Cases of occupational cancer, and any disease or acute illness caused by an occupational exposure
to a biological agent must also be reported.
Offshore there are twenty five specified diseases including chickenpox, cholera, dysentery,
legionella, meningitis, rabies and viral hepatitis that must be reported upon diagnosis.
The International Labour Organization (ILO) Code of Practice recommends that occupational disease
is reported under the following categories.
(1) diseases caused by agents (chemical, physical or biological)

(2) diseases by target organ systems (e.g. respiratory system, skin diseases or musculoskeletal
disorders)
(3) occupational cancers
(4) others.

Unit IOG1 Element 1
In the UK cases of occupational disease are reported when the employer receives a written diagnosis
from a doctor that an employee is suffering from a specified condition and that the sufferer has
been doing a specified work activity.
The ILO Code of Practice sets out arrangements member nations should adopt into their legislative
processes, for the reporting of accidents, dangerous occurrences and occupational diseases.
Causes
The three levels of cause discussed in accident investigation are:
 root causes – management planning and organisational failings
 underlying cause – unsafe acts and unsafe conditions
 direct or immediate cause – the agent of injury or ill health.
es
t
iden
us
se
Loss
s
se
ca
au
u
ca Acc
tc
ing
t
ec
oo
rly
Dir
R
de
Un
Root causes Underlying Direct or Accident Loss

causes immediate causes
Generally An undesired Injury,
management, Unsafe acts and The agent of injury event that results illness or
planning or unsafe conditions or ill health (the in injury, ill property
organisational failings (the guard blade, the health, or damage.
e.g. failure to identify removed, the substance, the dust property damage.
training needs and ventilation etc.). There may be
assess competence. switched off etc.). several immediate
causes identified in
any one adverse
event.
Figure 1.3: Domino theory
Domino models present a one-dimensional sequence of events. Industrial accidents typically arise as
a consequence of a combination of causes and can be better represented by a multi-causality tree.

Unit IOG1 Element 1
Consequences
 Fatal – work-related death.

 Major injury/ ill health – may include amputations, loss of sight, a burn or penetrating injury to
the eye, any injury or acute illness resulting in unconsciousness, requiring resuscitation or
requiring admittance to hospital for more than 24-hours.
 Serious injury/ill health – where the affected person is unfit to carry out their normal work for a
period of time specified in national legislation, in the UK this is over 7-days.
 Minor injuries – for example injuries warranting first-aid treatment or no treatment.
 Damage only – any incident which causes damage to property, equipment or the environment,
or results in production loss.
Whatever the event, incidents give an organisation the opportunity to:
 measure their performance

 identify underlying deficiencies in management systems, procedures, etc.
 learn from mistakes
 reinforce key health and safety messages throughout all levels of the organisation
 identify trends and priorities for preventing future incidents
 provide information which can be used to demonstrate a defense in the event of a claim for
damages, injuries, etc.
 meet the reporting requirements of national legislation.
Investigating accidents and incidents from the UK’s Health and Safety
Executive (HSE)
www.hse.gov.uk/pubns/books/hsg245.htm
Dangerous occurrences webpages from the UK’s Health and Safety

Executive (HSE)
www.hse.gov.uk/riddor/dangerous-occurences.htm
Web links
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations

2013 (UK)
www.legislation.gov.uk/uksi/2013/1471/schedule/2/made
Recording and notification of occupational accidents and diseases code of

practice from the International Labour Organization (ILO)
www.ilo.org/safework/info/standards-and-
instruments/codes/WCMS_107800/lang--en/index.htm
Occupational diseases webpage from the UK’s Health and Safety Executive
(HSE)
www.hse.gov.uk/riddor/occupational-diseases.htm

Unit IOG1 Element 1
Responding to an accident
Immediate response
Emergency response
Make the area safe and take prompt emergency action (the circumstances will determine what
needs to be done first). Actions might include:
 isolating services
 securing the area with barriers
 administering first-aid treatment and contacting the emergency services
 informing the next of kin
 informing management and the safety representative
 notifying the enforcement authority by the quickest practicable means
 collecting initial evidence such as photographs, sketches and the names of witnesses and setting
up the accident investigation.
Initial report
 preserve the scene
 note the names of the people, equipment involved and the names of the witnesses
 report the adverse event according to company policy and procedures.
Initial assessment and investigation response

 determine appropriate level of response (see later)
 report the adverse event to the regulatory authority if necessary.
The accident investigation

The level of investigation
It is the potential consequences and the likelihood of the adverse event recurring that should
determine the level of investigation, not the actual injury or ill health suffered. Other considerations
include the opportunity to learn and improve, and whether or not members of the public were
involved.
In the UK, the Health and Safety Executive (HSE) publication HSG 245 Investigating accidents and
incidents recommends the use of the following tables to determine the appropriate level of
investigation.

Unit IOG1 Element 1
Likelihood of Potential worst case consequences
recurrence
Minor Serious Major Fatal
Certain
Likely Low Medium High
Possible High
Unlikely
Minimal Low Medium
Rare
Table 1.1: Risk/investigation level
Risk/investigation Suggested scope of investigation

level
Relevant supervisor should look into the circumstances of the

Minimal
event and try to learn any lessons to prevent recurrences.
A short investigation by the relevant supervisor or line

manager into the circumstances.
Low
Looks to identify immediate, underlying and root causes of
the adverse event, to try to prevent a recurrence and to learn
any general lessons.
A more detailed investigation by the relevant supervisor or

line manager, the health and safety advisor and employee
Medium representatives.
Looks for immediate, underlying and root causes.
A team based investigation, involving supervisors or line

managers, health and safety advisors and employee
representatives.
High
Carried out under the supervision of senior management or
directors.
Looks for the immediate, underlying, and root causes.
Table 1.2: Suggested scope of investigation

Unit IOG1 Element 1
Who should conduct the investigation?
An accident investigation should be a team effort involving management and employees.
Depending on the level of investigation and the size and complexity of the organisation a range of
personnel, including employees, supervisors, managers, safety representatives, safety practitioners
and directors, may need to be involved.
In the UK research by the HSE has shown that in organisations where there is co-operation and
consultation with employees, the number of accidents is half that of workplaces where there is no
employee involvement.
A team approach ensures that a wide range of practical knowledge and experience is brought to
bear and reinforces the message that the investigation is for everyone’s benefit.
Members of the investigation team will require:
 detailed knowledge of the work activities involved

 familiarity with health and safety good practice, standards and legal requirements
 suitable investigative skills (e.g. information gathering, interviewing, evaluating and analysing)
 sufficient time and resources to carry out the investigation efficiently
 the authority to make decisions and act on their recommendations.
Necessary resources The investigation kit might include:

The response of the  a camera or video camera  hazard warning tape
investigation team should be  pens, pencils and paper for  personal protective
prompt. It is advisable to have notes and sketches equipment (PPE)
an investigation kit prepared  witness statement forms  site plans
and ready to use.  measuring tape  an investigation checklist.
The investigation process

The accident investigation will require an analysis of all the information available to identify what
went wrong and determine what steps must be taken to prevent the adverse event from happening
again.
The investigation is typically a four stage process.
Step 1: Gathering information.

Step 2: Analysing the information.
Step 3: Identifying suitable risk control measures.
Step 4: The action plan and implementation.

Unit IOG1 Element 1
Step 1: Gathering information
The first stage of the investigation is to gather evidence to help establish what happened and how it
happened.
The investigation should look to establish the following:
1. time and location of the accident 9. whether organisation of work was a factor
2. details of injured parties and anyone else 10. whether work materials were a factor
involved
11. whether the workplace layout was a factor
3. details of injury or ill health caused
12. difficulties in using plant or equipment
4. activities being undertaken at the time
13. whether adequate safety equipment was
5. any unusual working conditions provided and used
6. whether the risk was known or not 14. contribution of cleaning or maintenance
activities
7. whether a safe systems of work existed and
was being followed 15. any other contributing factors
8. level of competence of all involved 16. an understanding of the chain of events.
Sources of information will include:
 the scene of the incident

 physical evidence including sketches, measurements, photographs, and details of the
environmental conditions at the time
 the people involved or affected
 verbal accounts and written statements regarding eye witness observations, previous
experiences and opinions (notes on witness interviews follow)
 relevant documentation, including:
 risk assessments  training records
 safe systems of work  maintenance records
 permits-to-work  previous incident reports
 work procedures / job guides  workplace inspections
 operating instructions  environmental monitoring records (e.g.
 pre-use inspections of equipment (e.g. fork temperature or dust levels).
lift trucks)
Witness interviews
An effective witness interview should be conducted as soon as possible after the incident has
occurred, and take place in a suitable, comfortable, private room, with no interruptions.
Witnesses should be interviewed one at a time but may be accompanied if necessary to put them at
ease.
The interviewer should bear in mind that the interviewee may be suffering medical shock after the
event, and may be very nervous due to the event or the interview

Unit IOG1 Element 1
The interviewer should make clear that the purpose of the interview is to understand what
happened and not to apportion blame, and look to build a rapport with the interviewee, by using
appropriate language and tone.
Open questions should be used to ensure that the witness is not led and that the account is fair,
however the questioning should focus on obtaining facts rather than feelings or opinions. Closed
questions (Yes/No answers) can be used to confirm or clarify specific points.
At the end of the interview, a written summary of the evidence given should be agreed and signed
to enable it to be attached to the final report on the incident.
Step 2: Analysing the information
The analysis step involves examining all the facts, to improve understanding of what happened and
why.
The analysis should be carried out in a systematic way, so all the possible causes and consequences
are fully considered. A team approach involving employee representatives and appropriate
specialists can be highly productive in enabling all relevant causal factors to emerge.
There are a range of formal methods available to help the process. Relatively simple examples
include:
 multi-causality diagrams
 5 whys – keeping asking why until the root causes are established
 Ishikawa diagrams (fishbone diagrams)
 a MEEP analysis (materials, equipment, environment and people) can be helpful in identifying
unsafe acts and conditions
 4Ps (place, plant, people and processes)
 human failures analysis (violations, mistakes and skill-based errors) and human factors analysis
(job, individual and organisation).
Understanding the underlying and root causes will help to identify appropriate risk control
measures.
Comparison with relevant standards

Standards produced by the UK’s HSE, the International Labour Organization, the International
Association of Oil and Gas Production, trade unions, industry groups, manufacturers and the
organisation involved should be consulted to identify if:
 suitable standards are available covering legal standards and controls required for risk
assessments
 the standards are sufficient and available to the organisation
 the standards were implemented in practice
 the standards were implemented – ‘why was there a failure?’
 changes should be made to the standards.

Unit IOG1 Element 1
Step 3: Identifying suitable risk control measures
A methodical analysis stage will enable failings and possible solutions to be identified. Risk control
measures that were not in place, or were in place but failed should be identified.
Suitable risk control measures, which if they had been in place would have prevented the accident,
can be proposed.
These solutions need to be systematically evaluated to ensure that the best options are considered
for implementation. If several risk control measures are necessary they should be prioritised in the
action plan.
It is useful to consider at this stage whether a similar accident could occur elsewhere in the
organisation and might be prevented by the implementation of the recommendations.
Step 4: The action plan and implementation
At this stage in the investigation senior management with the authority to make decisions and act on
the recommendations of the investigation team, should be involved.
An action plan for the implementation of additional risk Measurable

control measures is the necessary outcome of the accident Specific Achievable
investigation. The action plan should have SMART objectives,

i.e. Specific, Measurable, Achievable, and Realistic, with
Time Realistic
Timescale.
 Specific – specific actions are clear and well-defined. This helps both the identified responsible
person to know what is expected of them and the management to monitor and assess actual
performance against the specific timescales for completion.
 Measurable – progress towards completion of remedial actions are often needed to be
monitored whilst work is under way. It is also very useful to know when that work has been
done and the actions are completed. A measurable action achieves this end.
 Achievable – when giving deadlines for completion, the person may not be able to achieve it for
various reasons, including a lack of skill, not having enough resources, not having access to key
people and not having management support. Achievable remedial actions will ensure that
everything is in place and that if the person does not reach the goals they cannot reasonably
point the finger elsewhere.
 Realistic – remedial actions should also add useful value within the context where they are being
set, being aligned with strategies and higher goals.
 Timely – descriptions of remedial actions should also include timescales of what is required by
when. This may also include details of delivery, stating (if relevant) where actions are to be
completed. Giving a time scale adds appropriate sense of urgency and ensures that the
objectives do not dribble out over an unreasonably long timescale.

Unit IOG1 Element 1
When made, recommendations should be followed up to:
 ensure their implementation

 measure their impact to ensure they have had the desired effect or whether they have had an
unforeseen effect resulting in new risks and problems.
The investigation recommendations should also help to raise safety awareness.
 A summary of the investigation report could be circulated to supervisors, managers, etc.

 A summary could be circulated on notice boards (without naming people involved) to raise
awareness amongst employees carrying out similar work.
Making a report persuasive

To make a report persuasive it is important to:
 present the information clearly

 provide reliable evidence
 present arguments logically but without using personal bias or opinion
 avoid falsifying, tampering or concealing facts.
A report should play a key role in organising information for the use of managers, as it should review
complex and/or extensive information and provide them with facts on which they can act
accordingly.
For serious accidents/incidents it may be necessary to publish a draft report which is superseded by
a final report.
Management may need to understand the immediate causes of a serious accident/incident, and
implement immediate actions to safeguard employees, or others, from being injured and future
recurrences.
Report structure
The structure of a report is key to how it will  Title  Main details
be accepted. A good structure will help the  Contents  Conclusions
reader to easily understand the report’s
 Introduction  Recommendations
contents and purpose, together with
 Executive summary  Appendices
increasing the author’s credibility.
Web links
Investigating accidents and incidents from the UK’s Health and Safety
Executive (HSE)

Unit IOG1 Element 1
An employee was seriously injured in an accident at work within an oil and gas
Exam question
installation.
Identify the documented information that might be used by the 8 marks

investigating team to determine the causes of this accident.


Unit IOG1 Element 1
Learning lessons from previous incidents
Learning the lessons from incidents occurring within the oil and gas industries around the world is an
important tool in securing a safe place of work for employees, and minimising the impact on
neighbours and the environment should an incident occur.
Lessons for
national Lessons for the wider
Lessons learned by the organisation
regulatory industry
bodies
The organisation’s management will need to Identifying the The use of trade/industry
understand: technical issues journals can disseminate
involved and the causes and
 What went wrong?
 What systems and procedural failures the recommendations to
occurred? investigation’s prevent a recurrence by:
 What was the potential for the incident to have findings.
 Highlighting relevant
been more severe in its outcome? Broaden the points of interest to
 How can a recurrence be avoided knowledge of the wider industry.
The format, findings and recommendations should incident  Compare the causes
be presented in a format which will allow users at investigators on of the incident to
all levels of the organisation to understand and how things can previous incidents
go wrong and with common causes
implement at their level.
include these to illustrate
Any training materials developed following the similarities and
experiences in
investigation to such as: differences.
future
 Guidance notes, procedures, checklists etc.  Include trend
investigations
which are in an appropriate format to the information in relation
(will also apply
target audience and build on lessons learnt. to causes, injuries/
to the
 Audio-visual aids to illustrate causes and damage, etc.
changes in procedures. organisation
 Conclude the article
 Verbal/face-to-face training sessions to involved and
with a summary of
demonstrate new/revised procedures. the wider findings and a
 Training assessment to measure the industry sector). conclusion.
understanding of personnel.
Table 1.3: Summary of lessons learned from incidents
We will now examine seven major incidents that have led to a review of health and safety
regulation. They are presented in ascending order of human impact in terms of the loss of life.
 Buncefield (2005) oil storage depot explosions and fire
 Esso Longford (1998) gas plant explosion
 Deepwater Horizon (2010) explosion, fire and oil spill
 BP Texas City (2005) oil refinery explosion and fire
 Mumbai High North (2005) collision, gas leak, explosions and fire
 Piper Alpha (1988) oil platform explosion and fire
 Bhopal (1984) toxic gas release.

Unit IOG1 Element 1
Buncefield (2005) oil storage depot explosions and fire
UNITED KINGDOM
Hemel Hempstead
London
Buncefield oil depot
M1
Hemel
Hempstead
Marchmont pond
0 500m
Figure 1.4: Buncefield oil depot, 2005
During the early hours of 11 December 2005 a series of explosions ripped through the oil storage
depot in Buncefield, Hemel Hempstead. As a result of the explosions, a large proportion of the
storage depot was engulfed. There were over 40 injuries, but no fatalities. There was, however,
significant damage to both commercial and residential properties surrounding the depot, and a large
area around the site was evacuated.
The fire burned for several days, destroying most of the depot, and emitting large volumes of black
smoke into the atmosphere. The cause of the incident was identified as the formation of a
flammable mixture of petrol, or other flammable spirit, and air which ignited resulting in the
explosion and fire.
From 19:00 on 10 December to 03:00 on 11 December, the filling of Tank 912 with petrol occurred,
and at some point the tank became full and overflowed. Evidence gathered during the investigation
indicated that the protection system, which should have automatically stopped the filling operation,
failed to operate.
From 05:20 pumping continued causing fuel to flow down the side of Tank 912 and through the air.
This resulted in the rapid formation of a rich fuel/air mixture surrounding the tank. At 05:38 CCTV
footage shows a vapour cloud of about 1 m in depth, and by 05:46 this increased to 2 m in depth. By
05:50 the vapour cloud began to escape outside of the depot, and at 06:01 the first explosion
occurred, followed by more explosions and the fire which engulfed all 20 large storage tanks.
The ignition point is thought to possibly have been a generator house and pump house in the vicinity
of the depot.

Unit IOG1 Element 1
Lessons learned
In the aftermath of the incident, the UK Health Protection Agency and Major Incident Investigation
Board gave the following advice to prevent a recurrence:
 safety measures to be in place to prevent fuel from exiting the tanks into which it is stored
 additional safety measures were also recommended to prevent escaping fuel from forming a
flammable vapour, and to stop pollutants from damaging the environment
 arrangements should be in place for the effective testing and maintenance of overfill prevention
systems, such as the high-level switch that failed on Tank 912.
How Buncefield fire unfolded news report from the British Broadcasting
Web links
Corporation (BBC)
news.bbc.co.uk/1/hi/4525504.stm
Investigation reports from the UK’s Health and Safety Executive (HSE)
www.hse.gov.uk/comah/investigation-reports.htm

Unit IOG1 Element 1
Esso Longford (1998) gas leak, explosion and fires
AUSTRALIA
Longford
Lake Wellington
Longford
Lake Coleman
Esso Longford plant
0 10km
Figure 1.5: Esso Longford plant, 1998
In 1998 the Longford gas plant was jointly owned by Esso and BHP, with Esso solely responsible for
the operation of the plant.
The plant was constructed in 1969 as the on-shore receiving point for oil and natural gas from
production platforms in the Bass Strait.
The plant consists of three gas processing plants and one crude oil stabilisation, and was the primary
provider for natural gas to Victoria, and some supply to New South Wales.
The feed from the platforms in the Bass Strait consists of liquid and gaseous hydrocarbons, water
and hydrogen sulphide (H2S). The water and H2S were removed before reaching the plant, leaving
the hydrocarbon stream to be fed into Gas Plant 1.
This stream contained both gaseous and liquid components, with the liquid component referred to
as ‘condensate’.

Unit IOG1 Element 1
The LPG was further extracted by means of a shell and tube heat exchanger, in which heated ‘lean
oil’ and cold ‘rich oil’ (oil which has absorbed liquefied petroleum gas) are pumped into the
exchanger, cooling the lean oil and heating the rich oil.
On the morning of 25 September, a pump supplying heated lean oil to heat exchanger GP905 in Gas
Plant 1 went off-line for several hours. This was due to an increase in flow from the Marlin Gas Field
resulting in an overflow of condensate in the absorber.
Heat exchanger GP905 was used to transfer heat from a hot stream to a cold stream, and therefore
operated at a range of different temperatures – the normal temperature range was from 60oC to
230oC. During the investigation it was estimated that the failure of the lean oil pump caused
temperatures in parts of GP905 to fall as low as -48oC, causing ice to form on the unit.
This extreme cold caused parts of the vessel to become brittle.
It was decided to resume pumping heated lean oil into the heat exchanger to thaw it out. When the
lean oil pump resumed operation, it pumped oil into the heat exchanger at 230oC. This temperature
differential caused a brittle fracture to occur in the heat exchanger at 12:26.
As a result roughly 10 metric tonnes of hydrocarbon vapour immediately vented from the rupture in
the heat exchanger, which formed a vapour cloud and drifted downwind. At 170 meters distant from
the heat exchanger, the vapour cloud ignited causing a deflagration (an explosion in which the
reaction front moves at a speed less than the speed of sound i.e. is sub-sonic).
When the flame front reached the rupture in the heat exchanger, a fierce jet fire developed lasting
for two days.
The rupture in GP905 caused other releases and minor fires. The main fire was an intense jet fire
emanating from the heat exchanger. There was no blast wave, damage was localised around GP905,
and the nearby control room was undamaged.
Two workers were killed, and eight others injured.

Unit IOG1 Element 1
Lessons learned
Esso attempted to blame a control room operator for the incident claiming he acted negligently. The
Royal Commission under High Court Judge Dawson however cleared the employee of any
negligence, and instead found Esso fully responsible for the incident.
The Commission concluded that:
 the Longford plant was poorly designed, which made the isolation of dangerous vapours and
materials very difficult to achieve
 there was inadequate training of personnel in the normal operating procedures of a hazardous
process
 excessive alarm and warning systems had led site workers to become desensitised to possible
hazardous situations
 the relocation of plant engineers to Melbourne had severely reduced the provision of
experienced supervision at the plant
 poor communications between shifts resulted in the pump shutdown not being communicated
to the next shift.
In addition, the following management failings were also identified:
 Esso had neglected to commission a HAZard and OPerability (HAZOP) study of the heat exchange
system, which would have highlighted the risk of rupture caused by sudden temperature
changes
 Esso’s two-tiered reporting system – operators to supervisors to managers – resulted in a similar
incident (on the 28 August) not being reported
 Esso’s ‘safety culture’ was oriented towards preventing lost time accidents and injuries, as
opposed to protecting workers and their health.
Following the incident, Victoria introduced the Major Hazard Facilities Regulations to regulate safety
at plants containing major chemical hazards, these Regulations required site operators to
demonstrate control of major chemical hazards through the use of a Safety Management System
and a Safety Case.
The Esso Longford Gas Plant Accident: Report of the Longford Royal
Web links
Commission from the Parliament of Victoria (Australia)

www.parliament.vic.gov.au/vufind/Record/37873
Australian gas users sue Esso news report from the British Broadcasting
Corporation (BBC)
news.bbc.co.uk/1/hi/business/2235458.stm

Unit IOG1 Element 1
Deepwater Horizon (2010) explosion, fire and oil spill
UNITED STATES
Louisiana
New Orleans
Texas
Deepwater Horizon oil rig
Gulf of Mexico
CUBA
0 200km
MEXICO
Figure 1.6: Deepwater Horizon, 2010
The Deepwater Horizon platform was a 9-year old semi-submersible mobile offshore drilling
platform, owned by Transocean and operated under lease by British Petroleum from 2008. The
platform was located in the Gulf of Mexico.
In April 2010 exploratory drilling was underway at a depth of approximately 5 000 feet in the
Macondo Prospect in the Mississippi Canyon Block roughly 41 miles off the Louisiana coast. At the
time of drilling a production cast was being constructed, which when completed would have been
tested for integrity and a cement plug inserted to preserve the site for future use.
On the 20 April high pressure methane escaped from the well all the way up the drill column, and
expanded over the platform. This ignited, causing an explosion which engulfed the platform in fire.
Eleven employees were found dead, presumed to have been killed by the explosion, with two
further oil-related deaths reported afterwards, and all other employees escaped in lifeboats.
The fire burned for around 36 hours, and eventually the platform sank on 22 April. On the 23 April
the floating oil slick was discovered where the rig had previously been. The wellhead was eventually
capped on 15 July, but not until nearly 5 million barrels of crude oil had escaped, with the wellhead
finally sealed off on the 19 September after an estimated 53 000 barrels a day of crude oil escaped.
The US Government declared this the worst environmental disaster the US had experienced, and it is
thought that the oxygen depletion together with the oil dispersant Corexit used on-site, were major
causes of the environmental damage experienced along the coast of Louisiana.

Unit IOG1 Element 1
Lessons learned
During the investigation it emerged that in a number of events leading up to the 20 April explosion
and fire, BP had been adopting riskier procedures, witnesses claimed this was possibly in an effort to
save both time and money, and was taken against the advice offered by workers on the platform
and contractors.
In relation to the cementing procedure it was suggested that the blowout preventer failed to fully
engage, and that there may have been problems with both the hydraulics and controls.
Another contributory factor is thought to be the displacement of protective drilling mud with
seawater which occurred a few hours before the explosion.
The US Government Commission into the disaster accused BP of being responsible on 9 faults
including:
 failure to use a diagnostic tool to test the strength of the cement

 ignoring the pressure test that had failed
 not plugging the pipe with cement.
The Commission recommended:

 better management of decision-making processes
 better communication between the company and its contractors
 that key engineering and rig personnel had effective training.
Deepwater Horizon Blowout Animation video (YouTube) from the US

Chemical Safety Board (CSB)
www.youtube.com/watch?v=FCVCOWejlag
Web links
Gulf of Mexico Oil Spill Multimedia Collection multimedia news pages from
The New York Times (USA)
www.nytimes.com/interactive/us/spill_index.html
Deep Water: The Gulf Oil Disaster and the Future of Offshore Drilling report
from the National Commission on the BP Deepwater Horizon Oil Spill and
Offshore Drilling (USA)
www.gpo.gov/fdsys/pkg/GPO-OILCOMMISSION/content-detail.html

Unit IOG1 Element 1
BP Texas City (2005) oil refinery explosion and fire
USA
Texas City
Dallas
Houston
BP Texas Texas City
City refinery
Galveston Bay
0 1km
Figure 1.7: BP Texas City, 2005
BP’s largest and most complex oil refinery in Texas City, Texas had a rated capacity of 460 000
barrels per day and an ability to produce about 11 million gallons of gasoline a day (approximately
3% of the gasoline supply of the US). The refinery had 30 process units spread over a 1 200 acre site
and employed about 1 800 BP staff producing gasoline, jet fuels, diesel fuels and chemical feed
stocks.
On 23 March 2005 at 13:20 an explosion and fire occurred at the refinery’s isomerisation (isom) unit
killing 15 people and injuring 70 to 100 others. The incident involved a sudden release of flammable
hydrocarbon liquid and vapour from an atmospheric vent stack in the refinery’s isom unit. Workers
in nearby trailers were killed and injured in the subsequent explosions.
The isom unit converted low octane blending feeds into higher components for blending to
unleaded regular gasoline. The unit was in four sections including the raffinate splitter, which took a
non-aromatics stream from the aromatics recovery unit (ARU) and fractionated it into light and
heavy components.

Unit IOG1 Element 1
The 114 foot tall stack, which dated from the 1950s and was not tied in to a safety flare system, was
overfilled with hydrocarbons during the start-up of the raffinate splitter tower, a 164 foot tall
distillation column that became flooded with at least 120 vertical feet of liquid (compared to normal
operating levels of less than 10 vertical feet).
The flooded tower experienced a sudden pressure increase, opening relief valves and venting
hydrocarbon liquid and vapour that overwhelmed the vent stack and its associated blowdown drum.
LEGEND
LAH = Level alarm high
LAL = Level alarm low
LT = Level transmitter Blowdown
Safety relief valves lift PT = Pressure transmitter drum
Raffinate sending raffinate to overflows
floods blowdown drum releasing
tower hydrocarbons
to the
atmosphere
Air cooled
Raffinate condenser
F-20
feed Raffinate blowdown
splitter PT drum
tower and
To 3-lbs
stack
LT shows system
level 10 feet
Reflux drum
LT
and falling
LAH Gooseneck
Reflux pump LAH
LAL
To sewer Blowdown drum

releasing contents
to sewer
Figure 1.8: BP Texas City incident diagram

Unit IOG1 Element 1
Lessons learned
The US Chemical Safety and Hazard Investigation Board (CSB) investigation concluded that:
 key alarms and a level transmitter failed to operate properly and to warn operators of unsafe
and abnormal conditions within the tower and the blowdown drum
 the start-up of the raffinate splitter was authorised despite known problems with the tower
level transmitter and the high-level alarms on both the tower and blowdown drum (a work order
dated 10 March and signed by management officials, acknowledged that the level transmitter
needed repairs but indicated that these repairs would be deferred until after start-up)
 the majority of 17 start-ups of the raffinate splitter tower from April 2000 to March 2005
exhibited abnormally high internal pressures and liquid levels (these were not investigated as
near misses and the adequacy of the tower’s design, instrumentation, and process controls were
not re-evaluated)
 written start-up procedures for the raffinate splitter were incomplete and directed operators to
use the so-called ‘3-lb’ vent system to control tower pressure, even though the pressure-control
valve did not function in pre-start-up equipment checks.
The detailed investigation into the incident and subsequent report on BP’s process safety
management and safety culture made 10 Recommendations.
1. Process safety leadership is imperative and must be demonstrated through the articulation of
clear messages on the importance of process safety backed up through policies and actions.
2. An integrated and comprehensive process safety management system should be established to
systematically and continuously identify, reduce, and manage process safety risks.
3. Process safety knowledge and expertise should be systematically improved at all levels.
4. A process safety culture that is positive, trusting, and open should be developed.
5. Accountability for process safety should be clearly defined at all levels in executive
management and in the refining managerial and supervisory reporting lines.
6. Support for line management should be improved.
7. Leading and lagging performance indicators for process safety should be developed,
implemented and maintained.
8. Process safety auditing should be improved through the establishment of an effective system.
9. Board monitoring of the implementation of the panel recommendations with public reporting of
progress made.
10. The lessons learned from the Texas City tragedy and from the Panel’s report should be used to
transform the company into a recognised industry leader.
The Explosion at Texas City news report from CBS news (USA)
Web links
www.cbsnews.com/news/the-explosion-at-texas-city
BP America Refinery Explosion web pages, video and report from the US
Chemical Safety Board (CSB)
www.csb.gov/bp-america-refinery-explosion

Unit IOG1 Element 1
Mumbai High North (2005) collision, gas leak, explosions and fire
New Delhi
INDIA
Mumbai High Mumbai

North
Bengaluru
Bay of Bengal
Arabian Sea
0 500km
Figure 1.9: Mumbai High North, 2005
The Mumbai High field is India's largest offshore oil and gas field. It is about 160 km west of the
Mumbai coast and has been operated by the Oil and Natural Gas Corporation (ONGC) since 1974.
The Mumbai High North (MHN) platform was a 30 year old 7-storey steel structured oil and natural
gas processing complex with a capacity of 80 000 barrels of crude per day. It was connected by
bridges to three other platforms.
 NA – a small wellhead platform built in 1976.
 MHF – a residential platform built in 1978.
 MHW – a recent additional processing platform.
On 27 July 2005 at 04:05 local time a multi-purpose support (MPS) vessel collided into the MHN and
ruptured the export gas lift riser resulting in the break out of a major fire. The MPS vessel, the
‘Samudra Suraksha’, was engaged in an operation to transfer an injured cook to the MHN for
medical treatment. Monsoon weather conditions meant that helicopters were not available, so the
vessel came alongside MHN to affect a man-riding basket transfer. The “Samudra Suraksha”
approached on the windward side under manual controls (the leeward crane and the dynamic
positioning thrusters were not working). The ‘Samudra Suraksha’ experienced a strong heave, and
the helideck struck the risers (export gas lift). The resulting leak ignited very quickly afterwards and
the resulting fire engulfed virtually all of MHN and MHF, with NA and the MHW rig severely affected
by heat radiation.
The fire was so intense that the MHN was abandoned in accordance with the disaster management
plan and within two hours, the whole platform collapsed into the sea. Eleven people were known to
have died in the incident with a further eleven missing and unaccounted for.

Unit IOG1 Element 1
The flow of oil and gas was shut down through the sub-surface emergency shutdown valves (ESDV)
preventing a large scale ecological disaster although a clean-up operation was still required to deal
with the resulting 10 nautical mile oil spill.
Lessons learned
At the time of this incident, no regulatory body or organisation for the governance of offshore safety
in oil and gas existed in India. The incident lead to an international review of offshore petroleum
safety standards and eventually in 2008 India entered into a Memorandum of Understanding with
the Bureau of Ocean Energy Management Regulations and Enforcement (BOEMRE).
The investigation into the incident addressed two main areas.

 The adequacy of and failures within the risk control systems.
 The adequacy of collision avoidance practices and procedures.
Risk control systems

The investigation highlighted concerns regarding the location and vulnerability of the risers in the
jacket relative to platform loading zones. Some riser protection guards were in place just above sea
level, but these were only suitable for smaller offshore supply vessels and were not considered
suitable for larger multi-purpose support vessels.
A risk management scheme would have immediately picked up on the fact that export risers are a
major hazard due to their high volumes of explosive hydrocarbons. In the UK Hydrocarbon risers on
offshore installations are generally considered safety critical elements and, therefore, are subject to
independent verification of assessment.
Collision avoidance
 The offshore installation manager (OIM) should never have allowed the vessel to approach the
platform in such bad weather.
 The MPS captain should have aborted his approach when he realised one of the thrusters was
not working properly (this was acknowledged as a difficult judgment call by the captain when
one of his fellow crew required medical attention and all other avenues had been exhausted).
Both of these areas of concern highlight a general concern regarding the lack of competence of key
personnel including the OIM and the MPS captain. There were also serious concerns regarding the
escape and rescue arrangements. Only two out of the eight lifeboats were able to be launched, and
only one out of ten life rafts. The monsoon conditions also meant that no helicopters could take off
from land and so were unavailable to help.
Ten dead in India oil field fire news report from the British Broadcasting
Corporation (BBC)
Web links
news.bbc.co.uk/1/hi/world/south_asia/4721933.stm
Mumbai High North Platform Disaster article in online journal from

Memorial University of Newfoundland (Canada)
journals.library.mun.ca/ojs/index.php/prototype/article/view/468

Unit IOG1 Element 1
Piper Alpha (1988) oil platform explosion and fire
Shetland Islands North Sea
NORWAY
Orkney Islands
Piper Alpha
0 50km
SCOTLAND
Figure 1.10: Piper Alpha, 1988
On the 6 July 1988 a gas pump pressure safety valve was removed as part of a maintenance
programme on the North Sea oil rig Piper Alpha. When it was identified that the maintenance work
could not be completed by the end of the day, a blanking plate was fitted over the end of the pipe
where the safety valve had been removed. During the night shift, another gas pump failed, and
without the engineers knowing that the safety valve had been removed, they tried to restart the out
of service pump. This resulted in a release of gas which exploded, penetrating firewalls and causing
gas and oil pipes to fail due the intense heat, adding more fuel to the growing fire.
The platform was fitted with an automatic deluge sprinkler system, capable of pumping hundreds of
tons of sea water onto a fire, but it had been switched off due to divers being in the water earlier in
the day and had not been switched back to automatic. Additionally many of the sprinkler pipes and
heads were corroded. As a result when needed this safety system did not operate.
Twenty minutes into the incident, large diameter pipes weakened and burst, resulting in gas being
released at two thousand pounds per square inch pressure. This further increased the size of the
fire. A safety boat arrived on the scene, but its equipment shut down when turned on causing a
delay in the assistance it was able to provide to the survivors.
Many employees took refuge in the accommodation block, but the continual movement of persons
into and out of the block allowed smoke to enter. By now no-one could reach the lifeboats, so many
employees jumped from the platform into the North Sea. 61 persons survived.
The accommodation block eventually slipped into the sea, with a major part of the platform
following. The whole incident occurred in just 22 minutes and claimed 167 lives.

Unit IOG1 Element 1
Lessons learned
The Piper Alpha incident brought about the introduction of the Offshore Installations (Safety Case)
Regulations 2005, with the regulatory control for offshore installations in the UK becoming the
responsibility of the HSE.
 Permit-to-work systems – the system had been relaxed on the platform, allowing informal
systems to operate especially in the control and communication of permits. It is thought that the
permit for the work on the gas pump safety valve was lost, and during the hand-over between
shifts the overrunning of the maintenance work may not have been discussed.
Following the disaster the control over permits, introduction of permit co-ordinators and control
room competencies were subject to review and improvement.
 Safety management – Lord Cullen’s report identified that this was lacking, and was described as
being ‘superficial’. Some managers did not have adequate qualifications, tolerated poor
practices and did not appear to audit operational systems properly.
The delays in decision-making allowed oil production to continue from other platforms
connected to Piper Alpha while the incident was on-going.
 Design – the original oil exploration platform was adapted for gas processing, but no changes
were made to firewalls. The original constructions could withstand fire, but were never designed
to withstand an explosion, and were breached by the resulting gas explosion.
Another poor design feature was the number and size of pipelines on or attached to the
platform, all of which helped feed the fire.
 Maintenance systems – these were closely associated with the permit-to-work systems, and it
was identified that:
 effective maintenance procedures would have prevented the control room operators
from switching over to the out of commission gas pump when the other pump failed
 improved control over the deluge system would have controlled the switching off while
divers where in the water, and switching back to automatic once the area was clear
 improved control over audit and inspection reports would have identified that the
corroded sprinkler pipes and heads needed repairing or replacing.
 Safety training – it was identified that some workers who ignored safety training or instructions
given to them survived, whilst others who followed procedures and took refuge in the
accommodation block died when it failed and sank into the North Sea.
The investigation identified that training in emergency procedures, particularly leadership by
management, was lacking both on-shore and off-shore, and was therefore inadequate for
dealing with such an incident.
 Safety audits – the audits conducted by Occidental Petroleum on its North Sea fields, were
carried out regularly but not to a satisfactory standard. Some audits identified few issues
regarding safety and emergency systems, and possibly overlooked the corroded sprinkler
system, whilst other findings raised in audits were simply ignored.

Unit IOG1 Element 1
Safety legacy left by Piper Alpha news report from the British Broadcasting
Web links
Corporation (BBC)
news.bbc.co.uk/1/hi/scotland/north_east/7487375.stm
Piper Alpha: Lessons Learnt, 2008 from Oil & Gas UK

http://www.oilandgasuk.co.uk/cmsfiles/modules/publications/pdfs/HS048.
pdf

Unit IOG1 Element 1
Bhopal (1984) toxic gas release
Delhi
Bhopal
Union Carbide plant INDIA
Railway station
Hospital Hospital
Upper lake Lower lake
Bhopal
0 2km
Figure 1.11: Bhopal, 1984
On the 2 and 3 December 1984 a chemical incident at the Union Carbide India Ltd plant in Bhopal,
India, released a toxic gas cloud that engulfed the city causing:
 1 700 to 2 700 fatalities
 50 000 serious injuries
 more than 1 000 000 people to be affected.
The plant manufactured Sevin (a pesticide) using a highly toxic chemical called methyl isocyanate
(MIC).
On the 2 and 3 December an accident occurred when 120 to 240 gallons of water accidentally
entered a MIC storage tank. The MIC hydrolysed (decomposed on contact with the water) causing
the build-up of heat and pressure. This in turn caused the tank rupture disc to burst.
Equipment installed and designed to handle a MIC release included a recirculating caustic soda
scrubber tower, and a flare system designed to moderate flows from process vents but not to deal
with runaway reactions from storage. This was due to a design assumption that full cooling would be
provided by the refrigeration system. At the time of the incident, this system had been turned off,
and the flare system was shut down for maintenance and repairs.
A system of pressurised sprinklers was intended to form a water curtain over any escaping gas, but
this was identified in the aftermath as being ineffective as the water pressure was too low for water
to reach the height of the escaping gas.

Unit IOG1 Element 1
Lessons learned
The Bhopal disaster changed the way that the chemical industry organised and managed the storage
of chemical stocks, required the raising of safety standards and procedures.
In the aftermath conflicting stories emerged with regards to how the water entered the MIC storage
tank, these included operator error, contamination and sabotage.
The root cause of the incident is considered to be the ineffective management system in place at the
time of the incident:
 management did not initially respond effectively to the potential hazards of a MIC release
 there was uncertainty over the amount of MIC on site, and it was generally considered to have
been more than was required
 the main process and management expertise was based in the USA, with local management
apparently not fully understanding the process, and the consequences of changes made to the
plant design, maintenance and operations systems, back-up emergency systems and the
corporate responsibility to the surrounding communities.
1984: Hundreds die in Bhopal chemical accident news report from the
British Broadcasting Corporation (BBC)
news.bbc.co.uk/onthisday/hi/dates/stories/december/3/newsid_2698000/
2698709.stm
Web links
Bhopal Disaster video from the Disasters Channel (YouTube)

www.youtube.com/watch?v=yt9F520v16s
Methyl Isocyanate web page from the US Environmental Protection Agency

(EPA)
www.epa.gov/ttn/atw/hlthef/methylis.html

Unit IOG1 Element 1
The importance of a positive pro-active safety culture
Effective health and safety management will require employers to establish control, in the same way
they do for their organisation’s quality or financial management systems.
To be successful health and safety management should be given similar priorities as quality
assurance, production and financial management.
Effective systems manage health and safety on a day-by-day basis, with clear (visible and felt)
leadership being demonstrated by directors, managers and supervisors, all of whom should show a
pro-active approach to managing workplace health and safety risks.
A safety culture can be defined as:
A system of shared beliefs and values about the importance of health and safety in the
workplace, and the associated way in which all persons behave.
Safety culture is not a difficult idea, but it is usually described in terms of concepts such as ‘trust’,
‘values’ and ‘attitudes’. It can be difficult to describe what these mean, but you can judge whether a
company has a good safety culture from what its employees actually do rather than what they say!
Cultures continually evolve and continuous attention is required to ensure changes are positive and
not negative. High staff turnover, initiative overload and inconsistent decision making can make it
very difficult to maintain a positive health and safety culture.
What should be evident from discussing the Bhopal, Piper Alpha and Deepwater Horizon incidents is
that failures in organisational structures, systems and procedures can be equal contributory factors
in major oil and gas incidents as human and technological failings.
Web links
Step Change in Safety (UK)

www.stepchangeinsafety.net

Unit IOG1 Element 1
1.21.2Hazards inherent
Hazards inherent in oil and gas
in oil and gas
Definitions
Flashpoint
This is the lowest temperature at which there is sufficient vaporisation of a substance capable of
producing a flash momentarily when a source of ignition is applied. This is useful when considering
storage and processing of substances. If temperatures can be kept below the flashpoint then
flammable vapour will not be produced.
Vapour density
This is the mass of vapour per unit volume.
Relative vapour density

The density of vapour relative to air – this indicates whether a flammable vapour is likely to rise in
the air or, more commonly, sink and accumulate in low-lying area.
Vapour pressure
The pressure exerted by a vapour when the liquid and vapour are contained at the same
temperature – e.g. within a closed vessel.
This will increase with temperature, and a high vapour pressure at a given temperature will result in
the liquid becoming volatile and more likely to produce a flammable vapour.
Flammable limits
These can also be referred to as explosive limits in relation to explosions.
 The lower flammable limit (LFL) or lower explosive limit (LEL) is the minimum concentration of
fuel in air that is sufficient to allow combustion to occur. If the mixture is below the LFL, then the
mixture is too lean to burn.
 The upper flammable limit (UFL) or upper explosive limit (UEL) is the maximum concentration
of fuel in air that is sufficient to allow combustion to occur. If the mixture is above the UFL, then
the mixture is too rich to burn.
The upper and lower flammable/explosive limits are expressed in units of volume percent, with the
flammable/explosive range occurring between these limits – e.g. hydrogen has a
flammable/explosive range of between 4 to 74%.

Unit IOG1 Element 1
LFL UFL
LEL UEL
Mix too lean Mix too rich
(low fuel / Flammable/explosive (high fuel /
high air) range low air)
100%
Fuel
Air
0%
Hydrogen
4% 74%
Figure 1.12: Flammability limits
To minimise the risk of a fire or explosion occurring, the oil and gas industries set the control of such
fire and explosion risks below the lower explosive level (LEL), this is to ensure that no flammable
mixture is present during process, tankage, etc. operations with the area being monitored either by
fixed detectors, or portable detectors worn or used by personnel. These are usually set at or under
10% of the LEL, and will raise an alarm if the 10% level is exceeded.
Flammable, highly flammable and extremely flammable

In the UK flammable liquids are sub-classified as follows.
 Flammable – Liquids with a flashpoint below 55oC but which are not highly flammable.
 Highly flammable – Liquids with a flashpoint below 21oC, but which are not extremely
flammable.
 Extremely flammable – Liquids with a flashpoint lower than 0oC.

Unit IOG1 Element 1
Outline the following terms.
Exam question
(a) Upper flammable limit (UFL). 2 marks
(b) Lower flammable limit (LFL). 2 marks
(c) Flashpoint. 2 marks
(d) Highly flammable liquids. 2 marks


Unit IOG1 Element 1
Hazardous substances
The United Nations (UN) has identified that within member countries there is a mixture of signage
for hazardous substances. In an effort to produce common signs, the UN has consulted on and
introduced the Global Harmonization Standard (GHS).
In the European Union this has been implemented as the Classification, Labeling and Packaging of
Substances and Mixtures (CLP) Regulation.
In the UK chemical hazard classifications are made under the Chemicals (Hazard Information and
Packaging for Supply) (CHIP) which by 2015 will have fully switched over to the UN GHS symbols.
Classification CHIP Symbol GHS Symbol(s)
Corrosive
Substances or preparations which may on contact with
living tissue cause severe burns.
Irritant
Substances or preparations which can cause irritation
through immediate, prolonged or repeated contact with
skin or mucus membrane.
i
Possible ill health effects include irritation and rashes.
Sensitisation
Substances that may cause an allergic reaction.
Carcinogenic
Substances or preparations which if inhaled, ingested or
absorbed into the skin may cause cancer.
Mutagenic
A mutation is a permanent change in the genetic material

of a living organism. Mutagens are substances or
preparations which if inhaled, ingested or absorbed into
the skin may induce heritable genetic defects or increase
their likelihood.
Table 1.4: Hazardous substance signage (1 of 2)

Unit IOG1 Element 1
Classification CHIP Symbol GHS Symbol(s)
Harmful
A substance or preparation which if inhaled, ingested or

absorbed into the skin may pose limited health risks.
Possible ill health effects include headaches and nausea.
Toxic
Substances which impede or prevent the function of one
or more organs within the body, such as kidneys, liver and
lungs.
Possible ill health effects include poisoning and long term

ill health.
Table 1.4: Hazardous substance signage (2 of 2)
Globally Harmonized System of Classification and Labelling of Chemicals (GHS)

Web links
from the United Nations (UN)

www.unece.org/trans/danger/publi/ghs/ghs_welcome_e.html
CHIP Regulations from the UK’s Health and Safety Executive (HSE)
www.hse.gov.uk/chemical-classification/legal/chip-regulations.htm

Unit IOG1 Element 1
Properties and hazards of gases
In the oil and gas industries, gases are used and created during production and processing of oil and
gas products.
Hydrogen
Hydrogen (H2) is colourless, odourless, lighter than air and non-toxic, it is however an asphyxiant in
high concentrations.
This is widely used in petroleum refining as a catalyst regenerator, and is a highly flammable and
explosive gas which forms an ignitable mixture in air over a wide range, from 4.9% to 75%.
Explosive mixtures can form rapidly and be easily ignited by low-energy sparks, and will react
vigorously with oxidising agents.
Methane
Methane (CH4) is used in the manufacturing of hydrocarbons, as well as forming the main
constituent of natural gas.
Methane is highly flammable and explosive, forming an ignitable mixture with over a narrow range –
5% to 15% – and is very light. Methane is an asphyxiant, and usually has an odorising agent added to
it.
Methane can collect beneath structures such as roofs, ceilings and platforms to create pockets of
explosive mixtures.
Liquefied Petroleum Gas (LPG)

LPG, either propane (C3H8) or butane (C4H10), is gas at normal temperature and pressure, but if
placed under pressure becomes a liquid. It is a colourless and odourless gas, which will have an
odorising agent added to make it detectable (except when used in a chemical reaction).
LPG is commonly used as a feedstock during chemical petroleum and high-octane liquid fuel
manufacturing, but is also used as a fuel gas for heating, cooking, lighting and combustion engines,
as well as a fuel gas in welding/cutting.
LPG is highly flammable and denser then air, therefore it will collect at low levels and form explosive
mixtures, in some cases weak mixtures can be ignited with the flame flashing back to the source of
the leak. The flammable range is 2% to 10% for propane and 2% to 8% for butane.
Inhalation of LPG fumes/vapours can cause drowsiness, with exposure to moderately high
concentrations leading to serious medical conditions even death.

Unit IOG1 Element 1
The risks associated with LPG are its flammability and explosive properties, together with the fact it
is stored under high pressure, and therefore at a low temperature, to retain its liquid state. When
released, LPG will return to its gaseous state with a corresponding rapid and sizeable increase in
volume.
While the main risks are associated with fire and explosion, as LPG is heavier than air accidental
releases will pose a serious asphyxiant risk to persons working in low-lying areas, or in confined
spaces.
There is also the risk of frost burns due to the low temperatures, as well as a musculoskeletal injury
risk to persons handling cylinders.
Liquefied Natural Gas (LNG)

Natural gas and LNG are composed primarily of methane (80% – 99%) and also contain small
quantities of ethane, propane and heavier hydrocarbons, as well as other minor substances. North
Sea gas has 93.7% methane content.
From the liquefied state LNG will readily vapourise to form a highly flammable odourless gas, is non-
toxic and is an asphyxiant (again an odorising agent is added to make it detectable). LNG will form an
explosive mixture with air, with vapours capable of being ignited some distance away from a leak
and the flame front spreading back to the original source.
LNG is stored at -161oC at atmospheric pressure in a liquid form within specially designed steel inner
tanks with an outer concrete shell and no ground connections, on release it will revert back to its
gaseous state, with a rapid and sizable increase in volume.
Pressurised storage and transportation is not used, as this greatly reduces the risk of catastrophic
vessel failure, which will result in events such as boiling liquid expanding vapour explosions (BLEVEs).
The accidental release of LNG and its subsequent dispersion will create a fire and explosion hazard,
such as a pool fire spread, evaporation and pool fires.
Nitrogen
Nitrogen (N2) forms the majority of our atmosphere (approximately 78% by volume) and is a
commonplace, odourless, colourless, tasteless non-flammable gas.
Industrial nitrogen is produced by the fractional distillation of air, and in the oil and gas industries is
commonly used as an inerting gas covering a flammable or explosive substance – e.g. as a gas layer
above liquid stored within a tank or vessel.
In addition to the above use, liquefied nitrogen is also used to freeze or purge pipes.

Unit IOG1 Element 1
Off-shore, nitrogen is also used for a number of well service operations, such as drill stem testing,
perforating operations or nitrogen lifts.
Hydrogen Sulphide
Hydrogen Sulphide (H2S) is a colourless, flammable gas with a distinctive offensive odour of rotten
eggs, and will form an explosive mixture in ranges of between 4% to 46%.
H2S is heavier than air and will accumulate in low level areas, and travel long distances to an ignition
source and then flash back.
H2S is also a toxic gas, which will irritate the eyes, skin and respiratory tract and eventually lead to
respiratory paralysis. It will rapidly deaden the sense of smell, and will occur in natural areas such as
swamps, sewers, ponds, etc. or where there is rotting vegetable matter.
The exposure effects will be dependent upon duration, frequency and the concentration, as well as
the susceptibility to respiratory agents by the person exposed – e.g. someone who smokes will be
more susceptible to lower concentrations of H2S than someone who does not.
It can also be present in subsurface formations, so detection equipment must be in place and
operational during drilling and other extractive operations, together with appropriate personal
protective equipment, effective emergency procedures and training of operators involved.
H2S can enter drilling mud from subsurface formations, as well as being generated by sulphate-
reducing bacteria stored in muds, or formed on the concrete legs of platforms below a gas-tight
floor.
Oxygen
Oxygen (O2) is a colourless, odourless gas that is essential to support both life and combustion.
Oxygen enrichment can cause fires and explosions, as well as violent reactions with some oils and
greases, and is used in mixture with fuel gases, such as acetylene, during welding and cutting
operations to intensify combustion.
Oxygen is non-flammable, but supports combustion, combustible materials will ignite more readily
in an oxygen enriched atmosphere and burn more rapidly with a near explosive violence.
Oxygen can also be absorbed into clothing, and under such conditions a spark or other small ignition
source can result in flash-burning.
Off-shore, oxygen can also be used to detect and quantify the flow of water in or around a borehole,
based on oxygen activation.

Unit IOG1 Element 1
Web links
Gas Risks web pages from BOC Industrial Gases (UK)
www.boconline.co.uk/en/sheq/gas-safety/gas-risks/index.html
(a) Identify the hazardous properties of liquid petroleum gas 4 marks

Exam question
(LPG).
(b) Outline the risks associated with liquid petroleum gas 4 marks
(LPG).


Unit IOG1 Element 1
Properties, hazards and controls of associated products
Additives
Properties Hazards Controls
Anti-foaming agents Physical form: Risk assessment for the

Also known as defoamers and are used in use of hazardous
Powder, liquid,
processing and cooling liquids to reduce substances.
vapour, gas – which
issues caused by foam and dissolved or will determine the Automated dosing
trapped air, such as: potential route of systems as opposed to
 cavitation which will cause reduced entry into the body: workers hand-dosing.
pump efficiency and increased noise  inhalation Safe procedures for
 reduction in the capacity of pumps and  ingestion storage and handling.
storage tanks  absorption
PPE/RPE
 bacterial growth in the fluids  injection.
 dirt and debris formation and surface Personal protective
flotation. Hazard equipment and
Can be oil, power, water, silicone or glycol classification: respiratory protective
based. equipment appropriate to
 toxic
the nature and extent of
Anti-wetting agents  harmful
the exposure hazard:
Coatings placing a waterproof barrier  irritant
 corrosive  chemical resistant
between the surface of a material and water
 sensitising overalls/clothing
– will also provide good anti-corrosion
 carcinogenic.  safety goggles
protection.
 half- or full-face
Micro-biocides respirator
Treatments added to industrial fluids –  chemical resistant
cooling and process water – especially in gloves.
ponds, lagoons, reservoirs, etc. where fluids
will be standing.
Corrosion preventatives
Additives to industrial fluids to delay or
prevent the formation of corrosion within
fuel systems and process pipelines.
Refrigerants
Used in a heat cycle – a phase change from
gas to liquid state.
Table 1.5: Properties, hazards and controls of additives

Unit IOG1 Element 1
Water and steam
Both are extensively used in the oil and gas industries in such processes as cooling, lubrication
(drilling muds) and sea water for fire deluge systems.
Both water and steam flooding are commonly used as advanced recovery methods to increase
reservoir pressure in order to ‘push’ hydrocarbons out, requiring the use of injection wells. This
process can often increase the amount of oil recovered from a reservoir.
Thermal recovery is also often used. Steam is injected into a well which is then returned to
production. Cyclic steam injection is extensively used in heavy-oil reservoirs, tar sands and in some
cases to improve infectivity before steam flood or in-situ combustion operations.
On-shore steam is also used in re-boilers, and is a good reservoir for heat energy and transfer.
If steam comes into contact with workers, there is the risk of serious scalding and burns due to the
heat. Steam generated from water will occupy around 1700 times its original volume, and it is this
expansion process which drives pistons or turbines. A serious danger from this expansion has been
the pressure generated, which has resulted in boiler explosions. Therefore, steam boilers require a
range of protective measures and devices to prevent overpressurisation. Condensation of steam will
cause a reduction in volume, as well as produce a vacuum great enough to collapse a vessel.
Hazards Controls
Hazards associated with high pressure and high Control measures associated with high pressure
temperature water and steam are: and high temperature water and steam are:
 pressure injection of fluids into the body  safe handling procedures and systems of
 severe steam burns work
 inhalation of high concentrations of steam,  wearing of appropriate personal protective
resulting in burns to the lungs and clothing and equipment.
respiratory tract, and in severe cases
asphyxiation.
Table 1.6: Hazards and controls of water and steam

Mercaptans
These are a group of sulphur-containing organic chemical substances, with an offensive odour
similar to rotting cabbage, and are sometimes added to gas to allow detection by our sense of smell.
Accidental leaks and discharges of mercaptans can be easily detected due to the recognisable odour.
Inhalation can cause headaches, nausea, vomiting, as well as irritation to the eyes and respiratory
tract. Very high concentrations can lead to breathing difficulties, cyanosis, loss of consciousness, and
muscle spasms.
When working with mercaptans, workers should wear appropriate respiratory protective
equipment, especially where potentially harmful levels may occur.

Unit IOG1 Element 1
Drilling muds / drilling fluids
Drilling fluids are used in the drilling of deep holes, during oil and gas extraction. The mud will often
form an integral part of the drilling process, reducing friction and heat. The mud will also act as a
carrier for the materials through which the drill is passing, by suspending the debris and carrying it
up to the surface.
Depending upon their viscosity and density, different muds will be used in different circumstances,
muds can be aqueous (water based) or non-aqueous (gas based) and may be synthetic in nature or
contain minerals.
Hazards Controls
Hazards associated with drilling muds Control measures necessary for the safe use of drilling
include: muds include:
 contact with additives – diesel oil and  flammable gas detection equipment
its fumes, anti-foaming agents  suitable fire-fighting equipment and training for
 exposure to natural gases and operatives
flammable materials which can be  hazardous substance assessments and safe
returned to the surface by the drilling systems of work limiting exposure to drilling mud
action  health surveillance at regular intervals for
 fire and explosion hazards related to operatives at the drill site, shale shaker/ conveyor
additives and materials brought to and mud pit
the surface, especially in proximity to  appropriate personal protective clothing to
a shale shaker or conveyor. prevent skin contact with the mud.
Table 1.7: Hazards and controls of drilling mud
Sludges
The constitution of sludges (drilling wastes) is dependent upon the geological formation of the base
being drilled. If naturally occurring radioactive materials (NORMS) such as uranium and thorium are
present the sludge will present a small radiological hazard and is referred to as low specific activity
(LSA) sludge.
LSA sludges will often be found in the following oil and gas production areas:
 the production well
 safety valves
 well heads
 production manifolds
 separators
 water separators.
LSA sludges are found in both on-shore and off-shore drilling activities, and will be contained in the
brine solutions found around the pockets of oil and gas, therefore, they will also be present in the
material returned to the surface as part of the drilling operation. The radioactive decay products,

Unit IOG1 Element 1
most often radium, can stay in the brine solution or settle out to form sludges in tanks and/or mud
pits, as well as forming a mineral scale inside pipelines and drilling components.
In gas production areas, LSA can be found in the form of lead-scale, with pyrophoric iron often found
in sludges off-shore and on-shore, the latter requires special control measures for its safe disposal.
The radioactivity of LSA scale will depend upon how much radium is present, this will vary with the
type of rock and its content of uranium or thorium. The scale will not be readily soluble, and its
removal from production equipment will require the use of specialist dispersing chemicals, or high
pressure water flushing.
The health risks to workers depend upon the radioactivity of the material being drilled through.
Workers may be exposed by:
 inhalation of radioactive dust from dried contamination
 direct contact with radioactive sludge
 ingestion of radioactive contamination.
Therefore, it is important that all personnel working with LSA scale are protected against contact
with radioactive materials, debris, etc.
LSA sludges will vary in constitution from:

 soft and easily removed scales
 tough and hard to remove scales.
The level of radioactivity can range from just above ‘background’ to levels requiring restricted,
controlled areas and classified workers.
LSA scale is considered a radioactive substance, therefore its handling and disposal poses high
occupational health and hygiene risks and will require site operators to have in place effective
controls and procedures for:
 recognising the risk posed by radioactive LSA scale
 development, introduction and training in effective procedures to protect workers from
exposure to scale, minimise the environmental impact during cleaning operations and make
reference to the relevant national legislation.
Asbestos containing material (ACM)

ACM may be present in offshore and onshore oil and gas installations built before 1999. A simple
rule of thumb is the older the installation the more likely it is that ACM could be present in lagging,
boarding, brake linings, gaskets, arc shields for electrical switchgear and external sheeting on
buildings and shelters.
Accidental exposure to ACM has occurred, especially in older off-shore installations, where the
material has been poorly protected from the elements thus releasing asbestos fibres into the
environment.
In the UK site operators are required to conduct an asbestos risk assessment, and produce a register
where ACM is known or suspected to be present.

Unit IOG1 Element 1
1.3 Risk management techniques used in
1.3 Risk management techniques used in the oil and gas industries
the oil and gas industries
Introduction
The UK’s Health and Safety Executive (HSE) webpages Managing for Health and Safety provide
guidance for all organisations and make the following statements regarding leading and managing
for health and safety in the process industries.
 Leadership on the key area of process safety is critical.

 Board level involvement and competence are essential - constant and active engagement in, and
promotion of, process safety by the leadership sets a positive safety culture - ‘rigour in
leadership’.
 Key factors to address are:
 How do you maintain corporate knowledge, overall technical leadership and
competence?
 How do you monitor process safety performance to ensure business risks are effectively
managed?
 Do you publish safety information to provide public assurance?
In this section we will examine how the oil and gas industries can take ‘a sensible and proportionate
approach to risk management’ of the major risks associated with process safety.
Web links
Managing for health and safety web pages from the UK’s Health and Safety
Executive (HSE)
www.hse.gov.uk/managing

Unit IOG1 Element 1
Recognised health and safety management systems
All management systems have four core elements:
 plan – a considered policy setting out the aims and objectives of the system as a whole or sub-
elements
 do – the implementation of the plan, including training for core personnel in their associated
roles, responsibilities and duties
 check – monitoring and assessing the effectiveness of the plan and training, against aims and
objectives set out in the plan
 act – reviewing performance against the plan, leading into continuous improvement of the
management system.
Plan: establish the objectives

and processes necessary to
deliver results in
accordance with the Do: implement
organisation’s the process.
health and safety
policy.
Plan Do
Act Check
Check: monitor and
Act: take actions
measure processes
to continually
against health and
improve health and
safety policy, objectives,
safety performance.
legal and other requirements;
report the results.
Figure 1.13: Plan, do, check, act cycle
HSG 65
HSG 65 is published in the UK by the Health and Safety Executive (HSE) as a guide to successful
health and safety management. The guide is more concerned with continual improvement than the
attainment of minimum health and safety standards. The framework shown in Figure 1.14 is from
version 2 (now superseded by version 3 with a simplified plan, do, check, act framework), and was
used by HSE Inspectors when auditing the health and safety management arrangements of
employers.

Unit IOG1 Element 1
Policy
Organising
Planning and
Auditing
implementing
Measuring
performance
Reviewing
performance
Figure 1.14: Popimar framework (HSG65 v2)

Policy:
 set a clear direction, aims and objectives for the organisation to follow.
Organising:
 put in a structure and arrangements to deliver the policy effectively.
Plan and implement:

 establish, operate and maintain good systems to deliver the policy’s aims and objectives
effectively.
Measure:
 measure performance against agreed standards to reveal where improvement is needed also
praise instances of good working practice, compliance with procedures, etc.
Audit:
 planned assessment of arrangements to ensure they are effective, suitable and meet any legal
requirements as well as in-house standards.
Review:
 review of performance – actual vs. planned taking into account relevant experiences and
applying lessons learnt.
Web links
Successful health and safety management (HSG 65 v2) from the UK’s Health
and Safety Executive (HSE)
www.astutis-resources.com/public/HSG65_1997_Successful_Health_Safety_
Management.pdf

Unit IOG1 Element 1
OHSAS 18001:2007
OHSAS 18001:2007 is an internationally recognised accredited standard for occupational health and
safety (OHS) management. Organisations can be registered to OHSAS 18001 by an independent,
third party, certification body.
OH&S Policy
Management
review
Planning
Checking and
Implementation
corrective
&
action
Operation
Figure 1.15: OHSAS 18001

Policy:
 appropriate to the nature and scale of organisational risks
 commitments to:
 the prevention of injury
 legal compliance
 continual improvement
 provides a framework for setting and reviewing occupational standards
 communicated
 periodically reviewed.
Planning:
 on-going hazard identification, risk assessment and establishment of necessary control measures
 results of risk assessments considered when determining risk control measures
 results documented and kept up-to-date
 establish, implement and maintain a procedure for identifying and accessing legal and other OHS
requirements
 establish, implement and maintain OHS objectives which must be measureable.

Unit IOG1 Element 1
Implementation and operation:
 provide adequate resources

 define roles, responsibilities and accountabilities
 appoint a senior manager with specific OHS responsibilities
 competent persons in place
 effective internal communication structures
 procedures for employee consultation
 appropriate level of documentation
 appropriate operational controls – purchasing, emergencies, etc.
Checking and corrective action:
 procedures to monitor and measure occupational health and safety performance

 procedures for evaluating legal etc. compliance
 procedures to record investigate and analyse accidents
 procedures for dealing with actual or potential non-conformity including taking corrective action
 records demonstrating compliance with the management system and 18001 criteria
 internal audit programme.
Management review:
 results of internal audits and evaluations of compliance
 results of consultation
 communications from external parties (including complaints)
 of occupational health and safety performance
 how well objectives have been met
 status of investigations and corrective actions
 follow up from previous reviews
 recommendations for improvement.
Web links
Occupational health and safety management (BS OHSAS 18001) from the
British Standards Institution (BSI)
www.bsigroup.com/en-GB/ohsas-18001-occupational-health-and-safety

Unit IOG1 Element 1
ILO-OSH 2001
ILO-OSH 2001 is a guideline offering a recommended occupational health and safety management
framework, issued by the International Labour Organization (ILO). There are main common elements
with the UK’s HSG 65 and OHSAS 18001, however, the framework is not legally binding on ILO
member states and does not seek to replace national laws, regulations or standards.
To be successful the ILO recognizes that there must be a national policy on health and safety and
occupational health and safety management systems in place.
Policy
Organising
Audit
Planning &
Action for implementation
improvement
Evaluation
Figure 1.16: ILO-OSH 2001
Policy:
 more emphasis on employee participation
 employees and safety representatives to have sufficient time and resources to allow effective
participation
 formation of a health and safety committee
 occupational health and safety should be compatible or integrated with the organisation’s other
management systems
Organising:
 setting of responsibilities, accountability, competence, training and communication

 effective supervision to ensure protection of workers
 establishment of prevention and health promotion programmes
 worker access to records, monitoring documents, etc.
 health and safety training available to all employees.

Unit IOG1 Element 1
Planning and implementation:
 development of a plan following an initial review of any existing health and safety system
 plan to remedy any deficiencies
 support compliance with national legislation and require continual improvement
 contain measureable and realistic objectives
 hazard identification and risk assessment
 establish, implement and monitor procedures.
Evaluation:
 emphasis on the health and welfare of workers

 recommendations concerning investigation of work-related accidents, injuries, ill health, disease
and incidents.
Action for improvement:
 arrangements introduced and maintained for any preventative and/or corrective actions in
relation to performance monitoring, audits and management reviews
 arrangements in place for continued improvement of the management system.
Audit:
 performed by competent and trained personnel at agreed intervals
 will review:
 elements of the management system
 employee participation and consultation
 national legislation compliance
 meeting objectives.
Web links
Guidelines on occupational safety and health management systems (ILO-OSH

2001) from the International Labour Organization (ILO)
www.ilo.org/safework/info/standards-and-instruments/WCMS_
107727/lang--en/index.htm

Unit IOG1 Element 1
Risk assessment
Definitions
 Hazard – the potential of a substance, activity or process to cause harm. Hazards can take many
forms such as chemicals, electricity or working at height from a ladder.
 Risk – the likelihood of a substance, activity or process to cause harm. Risk also includes the
severity of the injury or loss which could arise. A risk can be reduced and a hazard controlled
through good health and safety management.
It is important to understand the difference between hazard and risk as the two terms are often
confused.
Physical Hazards
Noise, vibration, light, heat, cold, ultraviolet and infrared rays, ionising
radiation, etc.
Biological Hazards
Bacteria, viruses, plants, animals or food products. Contracting diseases

from humans, animals or insects.
Chemical Hazards
Use, handling or storage of chemical substances, which after accidental

exposure may cause acute or chronic illness.
Psychological Hazards
Arising out of stress due to bullying or harassment at work, deadlines, or

arising out of an injury at work.

Unit IOG1 Element 1
The 5 steps approach
Risk assessment is the cornerstone of a
successful and effective health and safety
Identify hazards
management system. When carried out
effectively, a risk assessment can enhance the
protection of employees, and others, from Identify who might be
injury or loss arising out of work activities, harmed and to what extent
processes, etc.
Evaluate risks
In the UK the HSE publication INDG 163 Risk
assessment sets out the framework from
which suitable and sufficient risk assessment Record the significant
can be conducted. findings
The 5 steps approach is best suited for less

Review and revise
complex risks than will be found in the oil and
gas industries, and is best suited for
organisations where the ranking of risk is not a major requirement.
Risk assessment for the oil and gas industry

Where more complex risks are present, as in the oil and gas industries, a more technical in-depth
method will be required.
It is important that the risk assessment must be carried out as thoroughly and detailed as necessary.
In the UK’s HSE publication Offshore Information Sheet No. 3/2006 Guidance on Risk Assessment for
Offshore Installations the main stages in a risk assessment are:
Hazard identification
Risk estimation and

Identification
ranking of risks
of possible
additional
risk
Risk evaluation and reduction
implementation of risk
reduction measures to
ensure regulatory
compliance
Review
Figure 1.17: Risk assessment for offshore installations

Unit IOG1 Element 1
Hazard identification
Hazard identification tools used in the oil and gas industries include the following.
 HAZOP HAZard and OPerability Studies.

 HAZID HAZard Identification.
 FMEA Failure Modes and Effects Analysis.
 JHA Job Hazard Analysis.
 FTA Fault Tree Analysis.
Whichever of the above tools are selected, it must be appropriate to the operational environment
and risks – e.g. onshore drilling, offshore drilling and production, onshore refining and processing,
storage and transportation.
HAZOP
HAZOP was introduced by ICI in the 1960s to allow the identification of hazards in the design of their
chemical installations, and involves the identification of potential hazards so that suitable
precautions can be introduced to control them.
This technique is particularly effective during the design of chemical or other hazardous installations
and processes. The study is carried out by a multi-disciplinary team with expertise in design,
commissioning, production and process operations, together with maintenance and health and
safety management.
HAZOP studies couple a guideword and a parameter to generate possible deviations from the
design intention.
Guideword Possible deviations from guideword
No, or No flow of oil

None, or No flow of gas
Not No electric current
No supply pressure
More Relate to any quantitative increase or decrease in parameters.
(a quantitative increase)  More or less:

 flow pressure, electric current, viscosity, volume,
or
weight, temperature, etc.
Less
(a quantitative decrease)
Table 1.7: HAZOP guidewords (1 of 2)

Unit IOG1 Element 1
Guideword Possible deviations from guideword
Part of For example:

(a quantitative decrease)
 One or more compounds or mixtures missing
Or As well as
(quantitative increase)
Reverse Reverse flow – e.g. backflow

(opposite of intention)
Other criteria  What other events can occur?

 Instrumentation fault or failure.
 Corrosion of components.
 Failure of pressure vessel or pipework.
 Sampling and monitoring activities.
Table 1.7: HAZOP guidewords (2 of 2)
HAZID
HAZard IDentification applies ‘brainstorming’ techniques, again driven by key words appropriate to
the study underway.
This tool is useful when considering changes to existing plant layouts, as the assessment team will
often map hazards and their locations on a walk-through of the area being studied.
In essence, HAZID is a hazard spotting exercise intended to pick out as many hazards as possible for
later review and assessment.
FMEA
This technique is commonly used to calculate the failure, or malfunction, of components in an
assembly, piece of equipment or the operation of a plant, and allow the calculation of the possibility
of failure or malfunction occurring.
The study will list individual components, and examines each of their individual failures and the
effects of any such failure, on the system as a whole. It begins with the question:
If this item fails, what will the result be?
The study can be used during the design stages of a new process, or when reviewing the safe
operations of an existing process, to identify and fix potential problems before they occur.
Questions asked include:
 In what way can each component fail?

 What might cause this type of failure?
 What could be the effects of this type of failure?
 How serious could the failure be?
 How is each failure detected?

Unit IOG1 Element 1
JHA
In general health and safety practice a job hazard analysis (also known as job step analysis, or job
safety analysis, JSA) is often used to identify hazards at each action step in a process with a view to
introducing corresponding preventive and/or protective measures.
When using such reductionist (breaking down) techniques it is important to not lose sight of the
whole. A holistic view can often lead to a top level solution that makes more sense overall than a
series of lower level solutions.
The basic stages of a can be remembered as
Select Select an appropriate task to be analysed. JHA is not suitable for jobs defined too
broadly, e.g. overhauling an engine, or too narrowly, e.g. positioning car jack.
Record Record each step in the process. Observing somebody actually doing the task helps
to ensure the process is accurately captured.
Examine Examine each step to identify hazards. Tools such as

can be used to help identify all
potential hazards, unsafe acts and conditions.
A team approach with input from operational and supervisory staff is usually
recommended.
Develop Develop a safe system of work using hierarchical approaches to specify appropriate
control strategies.
Implement Implement the safe system of work, ensuring appropriate consultation and worker
involvement.
Monitor Monitor the ongoing effectiveness of the system and revise as necessary.

Unit IOG1 Element 1
FTA
FTA is a technique that focuses on a particular undesired event or system failure (the top event) and
aims to determine all of the ways in which it could occur.
Causal factors are organised in a logical manner and represented pictorially in a tree diagram which
depicts combinations of causal factors (equipment failures, human errors etc.) and their logical
relationship to the top event.
In a completed fault tree the top event is linked to the initiating events through a series of
intermediate levels where the necessary conditions for an event to occur are combined at ‘and’ or
‘or’ gates. The gates and other significant symbols used in a fault tree are illustrated and explained in
the following table.
And gate – fault occurs if all input events true
Or gate – fault occurs if any input event true
Base event – further analysis not useful
Undeveloped events – not analysed further at this time
Event – Event which is further analysed (may be the top event or an intermediate
event)
A Transfer gate – Event analysed at point A on a different page
Fault trees may be used proactively to identify potential causes of failure at the design stage or
operating phase of a process or system, and can also be used reactively to analyse failures and
determine root causes.
Where the probabilities of base events can be determined (through analysis or testing) a fault tree
can be used to determine the probability of the top event occurring.

Unit IOG1 Element 1
Risks estimation and ranking
Qualitative and quantitative risk assessment
In the UK, the Offshore Installations (Safety Case) Regulations require that:
 all hazards with the potential to cause a major accident or incident have been identified
 all major accident and incident risks have been evaluated and measures have been, or will be,
taken to control the major accident/incident risks to ensure compliance – known as compliance
demonstration.
The risk assessment methodology applied should be efficient (cost-effective) and of sufficient detail
to enable the ranking of risks in order, for subsequent consideration of risk reduction. The rigour of
assessment should be proportionate to the complexity of the problem and the magnitude of risk.
As shown below an appropriate level of assessment is selected from simple qualitative assessment
at the lowest end of the scale to complex, fully quantified assessments at the highest end.
Qualitative (Q)
Qualitative risk assessment involves the assessor(s) determining the severity and likelihood based
upon descriptions. This approach does not include assigning a numerical value to each hazard to
determine its risk level.
 Severity: Minor injury, first-aid injury, over-7-day injury, major injury and fatality.
 Likelihood: Very unlikely, unlikely, likely, very likely and certain.
Semi-quantitative (SQ)
Semi-quantitative risk assessment assigns numerical values to the severity and likelihood statements
to allow the assessor(s) to determine an overall numerical ranking. This approach is still subjective
and provides approximate ranges of severity and likelihood.
Severity Likelihood
1 Minor injury 1 Very unlikely
2 First-aid injury 2 Unlikely
3 Over-7-day injury 3 Likely
4 Major injury 4 Very likely
5 Fatality 5 Certain
Table 1.8: Enumerating severity and likelihood
Quantitative risk assessment (QRA)
QRA involves assessors assigning a numerical value for severity and likelihood for the risks associated
with each hazard. This is an objective assessment based on historical evidence and test data as well
as expert opinion.

Unit IOG1 Element 1
A full ranking of each element of the process/activity can then be carried out, which will allow the
prioritisation of additional control measures, or the modification of existing ones so that all
identifiable risks are evaluated and appropriately controlled.
Determining the risk assessment method to use

The assessment process will move through the three
phases, with the level of detail increasing proportionate
to the risk being evaluated, this will involve taking into Intolerable QRA
Escalation of risk
account the level of estimated risk within agreed
tolerances, and the complexity of deciding on what risk SQ
reduction measures can be applied.
Broadly
Q – Is this adequate for deciding on appropriate control acceptable Q
measures?
 If yes the method can be used to assess and record
the findings and recommendations.
Figure 1.18: Determining RA method
 If not adequate then move to SQ.
SQ – Is this more in-depth approach more appropriate for deciding on suitable controls?
 If yes the method can be used to assess and record the findings and recommendations.
 If not firstly increase the detailing of the modeling to see if it meets requirements, if it does
record the findings and recommendations.
 If not adequate then move to QRA.
QRA – Is this approach more appropriate for in-depth modelling of the risk and deciding on suitable
controls?
 If yes the method can be used to assess and record the findings and recommendations.
 If not increase the detailing of the modeling until it is appropriate, then record the findings and
recommendations.
In order to make the decision at each stage it is important to determine both the complexity of the
installation/operations and the existence of relevant industry standards and benchmarks.
 Q will often be sufficient for those installations where there are clear standards and benchmarks
for design and risk reduction.
 Q or SQ may be sufficient during the different lifecycle stages of an installation, such as
combined operations or decommissioning, as these approaches can lead to specifying good
practices and risk reduction measures.
 SQ could be applied to less complex installations, or those with smaller workforces – such as
drilling installations, normally unattended installations (NUIs) – as in these cases good practice
procedures will be relied upon to control risks such as transporting workers between platforms
by helicopter, etc.
 QRA would be appropriate for large integrated or nodal platforms as these are likely to have a
combination of complexity and risk level which could only be adequately determined by QRA.

Unit IOG1 Element 1
Risk evaluation and ranking
The likelihood or frequency of an accident or incident occurring and the severity can be estimated
and ranked using a risk matrix. The matrix can vary in complexity, Table 1.9 shows a 5 x 5 matrix.
Fatality 5 10 15 20 25
Major
injury
4 8 12 16 20
Severity
Serious
injury 3 6 9 12 15
First aid
injury 2 4 6 8 10
Minor
injury 1 2 3 4 5
Very Unlikely Likely Very Certain

unlikely likely
Likelihood
Table 1.9: Risk evaluation and ranking
Using the above matrix it is possible to evaluate the risk and identify if any additional risk control
measures are required, which can be determined using the table below.
1–4 Low Risk Maintain current risk control levels and measures
Additional risk control measures should be planned to reduce the

5 – 10 Medium Risk
risk further
Work must STOP immediately or not begin if in the planning phase,

12 – 25 High Risk
until the risk level can be reduced by additional controls
Table 1.10: Additional control measures

Unit IOG1 Element 1
When making the evaluation and ranking a risk do not forget to take into account current risk
control measures, as these may only require modifying as opposed to new measures being identified
and introduced.
The HSE’s Offshore Information Sheet No. 3/2006 also identifies that different aspects of a single risk
may be affected by different situations.
 Whilst carrying out a risk assessment on an offshore gas platform, part of the assessment
requires considering if during an emergency (such as discussed in Section 1.1) would any
fatalities or major injuries be caused by the initial phases of the incident, as the incident
escalates or would they occur during an escape, evacuation or rescue.
 The risk assessment would need to quantify the likelihood of when fatalities or major injuries
could occur, and to what severity.
A guide to selecting appropriate tools to improve HSE culture report from

the International Association of Oil and Gas Producers (IOGP)
www.iogp.org/Reports/Type/435/id/562
Risk assessment INDG163 from the UK’s Health and Safety Executive (HSE)
www.hse.gov.uk/pubns/indg163.htm
Web links
Managing for health and safety web pages from the UK’s Health and Safety
Executive (HSE)
www.hse.gov.uk/managing/index.htm
Process Safety Management web page from the US Occupational Safety and
Health Administration (OSHA)
www.osha.gov/Publications/osha3132.html
Guidance on Risk Assessment for Offshore Installations from the UK’s Health
www.hse.gov.uk/offshore/sheet32006.pdf

Unit IOG1 Element 1
Risk evaluation and reduction
Input Process Output
Hazards and risks Risks are contained Risks are prevented

entering the site are and controlled from leaving the site
minimised throughout the including in products
process operations manufactured during
the process stage
Figure 1.19: Implementing risk management
The actual management of risk will occur in the planning and implementation phases of whichever
health and safety management system is adopted by an organisation. The containment of hazardous
materials, together with the effects of hazardous processes and systems, is the core feature of any
risk management system adopted in the oil and gas industries, supported by an effective
maintenance programme and process change procedures to ensure continued plant integrity.
Risk management must be an integral part of any project – from the concept and design phases, to
the construction and commissioning and eventual handover to the site operator for start-up and
operation, as well as forming an integral aspect of on-going process and maintenance operations
during production activities.
Therefore, risk control systems will be required for:
Physical resources:
 design, selection, purchase and construction of the oil and gas process workplace, either as an
onshore drilling operation, offshore oil and gas production platform or onshore oil and gas
processing and storage facility
 design, selection, purchase and installation of oil and gas processing plant, drilling and pumping
equipment, etc.
 design, selection, purchase and installation of safety critical plant such as deluge systems,
explosion venting, etc.
 design and construction of appropriate workplace facilities, such as worker accommodation,
welfare and rest facilities, and control room suites, maintenance facilities, etc.
 plant, equipment and substances used by contractors.
Human resources:
 the recruitment and selection of oil and gas process operators, engineering and maintenance
personnel, safety and medical personnel, laboratory technicians, etc.
 selection of suitable, competent and experienced contractor organisations.

Unit IOG1 Element 1
Information:
 health and safety standards to be followed for oil and gas installations
 health and safety guidance for the safe operation and maintenance of oil and gas installations
 changes in health and safety legislation, revisions to approved codes of practice, etc.
 technical guidance relating to risk control for oil and gas installations
 management information
 development and maintenance of an effective pro-active health and safety culture that seeks
continual improvement.
The risk management system, and individual risk control measures, should be appropriate for and
proportional to the risks identified by the organisation. Once the risk control measures have been
set and implemented for the input stage, it is important that the organisation then focuses its risk
control strategies on the process stage to ensure continued safe operation of the plant.
Therefore, the risk control measures during the process stage will need to address the following four
areas:
Production Plant and Procedures Personnel

workplace substances
 the field, rig or  drilling, and  organisational  effective
process area storage pumping procedures – shift management and
 associated support and transportation and work patterns leadership
facilities and  system for oil and  task design and  competence and
systems gas safe systems of recruitment of
 safe means of  how oil and gas is work for personnel
access and egress handled and maintenance  training, including
 working stored operation. update or
environment  all materials used refresher as
 welfare facilities in the process required
and area.  health surveillance
accommodation for personnel
 pipelines and exposed to noise,
structures vibration, ionising
 electrical and radiation,
instrumentation chemicals etc.
installations.
The risk control programme must be flexible enough to effectively control risks which may arise
outside of normal plant operations, such as breakdowns and emergencies such as leaks, fires and
explosions.
The risk management system must also include measures to minimise risks arising from foreseeable
serious or imminent danger.

Unit IOG1 Element 1
As low as reasonably practicable (ALARP)
All oil and gas installations must comply with the relevant health and safety legislation, as well as
adopting both qualitative and quantitative risk assessment methods to accurately evaluate risks and
prioritise risk control measures.
All too often though, the decision for adopting, or not, new or additional risk control measures, or
maintaining those already in place to ensure they remain effective, is based on cost, as opposed to
legal and moral reasons for minimising risk and safeguarding the health and safety of employees,
contractors and neighbours.
Also some organisations will only apply risk control measures as required by law, and will stop
implementation when they perceive legislative compliance has been reached.
To guide site operators on reaching an acceptable standard of risk control, the concept of ‘as low as
reasonably practicable’ (ALARP) has been developed and introduced into legislation.
All risks should be reduced to ALARP. In some cases a cost benefit analysis may need to be
undertaken to determine the most appropriate level of control to achieve. It is also important that
all risks and their associated risk control measures are compared against set and approved oil and
gas industry guidance and best practice codes.
Risk magnitude
Risk cannot be
High
Unacceptable tolerated (except in
risk
Region extraordinary
circumstances)
Risk tolerable only if

reduction is impracticable
or cost is grossly
disproportionate to the
improvement gained
Tolerable (ALARP)
Medium Region
risk
Risk tolerable if cost of

reduction would exceed
the improvement gained
(ALARP)
Broadly
Acceptable
Low Region
risk
Figure 1.20: Tolerability of risk

Unit IOG1 Element 1
Industry related process safety standards
Sources of written safety guidance, and oil and gas industry good practice include:
 United Kingdom – HSE guidance notes and approved codes of practice (ACoP)
 international – standards from national or internationally accredited organisations such as
British Standards, European Committee for Standardization (CEN), European Committee for
Electrotechnical Standardization (CENELEC), International Organization for Standardization (ISO),
International Electrotechnical Commission (IEC), International Labour Organization (ILO)
 industry specific or sector guidance from trade federations, professional institutes, trade union
organisations, etc.
Within the oil and gas industries, whether on- or offshore, the concepts of inherently safe and risk
based design, engineering codes and good practice are core foundations for operational safety.
Inherently safe design involves design engineers employing a variety of techniques to achieve risk
reduction through the principle of ‘designing out’.
Prevention, detection and mitigation are all essential aspects of any inherently safe design, but the
emphasis must remain on firstly preventing the hazard from occurring.
Such methods will include:
 Hazard elimination – which involves Examples

removing the hazard as the first
Offshore:
priority, as opposed to accepting and
reducing the hazard through risk  risk: a large quantity of highly flammable liquid is
reduction measures and assessment. stored in a vessel adjacent to an accommodation
area on a gas production platform
 preventative measure: relocate the flammable
liquid storage tank from proximity to
accommodation areas to minimise the impact on
a safe refuge area in the event of an incident.
Onshore:
 risk: a large storage tank of highly flammable

liquid is planned for construction close to the
boundary of a storage depot near to a busy trunk
road
 preventative measure: the storage tank location
is changed to further within the site boundary, so
that in the event of an incident the impact on the
adjacent trunk road would be minimised (as
would the effects of a major road traffic incident
occurring close to the storage tank).

Unit IOG1 Element 1
 Consequence reduction – if the above Example
cannot be achieved, then the next step  risk: maintenance personnel habitually use a
is to identify less hazardous solutions to toxic anti-foaming agent in a pipeline to prevent
achieve the same design outcome. This bacteria growth
can involve techniques such as reducing  preventative measure: identify if a less
exposure to a hazard, reducing the dangerous substance is available which is just as
amount of hazardous materials stored effective in removing bacteria growth from
as well as substituting the hazardous within the pipeline.
with less hazardous alternatives.
 Likelihood reduction – the probability

Example
of a hazardous event occurring is
 risk: process displays too complicated to
reduced through techniques such as
understand, leading to misinterpretation of
simplification (lowering the likelihood
information displayed to panel operators
of an initiating event) and redundancy
 preventative measure: improve the design and
or safeguards (reducing the events
layout of display screens and how information is
progression).
displayed to reduce the chance of human error.

Unit IOG1 Element 1
The concept of ‘hazard realisation’
Hazard realisation asks the question ‘What if?’ repeatedly until a hazard and its consequences are
fully understood before the hazard results in a major accident.
To illustrate this concept, we will examine the consequences of a major hydrocarbon release (HCR) –
a release of 25 kg or more of hydrocarbons.
Issues relating to a loss of containment causing

hydrocarbon release (HCRs). A study undertaken by the UK’s HSE
identified that small bore tubing
 A major source of HCRs are failures involving system
systems (SBTs) accounted for the
piping – flanges, piping integrity, valves – and
majority of hydrocarbon releases
instrumentation – small bore tubing systems.
greater than 25 kg.
 Main operating system experiencing HCRs – gas
compression. The same survey also identified
 Most common operational cause is incorrect or that during inspections of SBT, 26%
improper operation – human factors. of fittings examined contained
 Most common procedural cause is failure to comply faults – under-tightened, incorrect
with operating procedure – human factors. or mismatched components, leaks
or poor design and installation.
The scenario:
What?  a major HCR leak over 25 kg.
 from a pipeline to a gas compression plant, in close proximity to welfare

Where? accommodation (canteen), with an electrical fault in control gear for a
mechanised feed pump.
 during lunch-break with 50 workers present in the canteen

When?  whilst the gas compression unit’s automatic fire deluge system is switched to
manual during maintenance work on the water feed pipe.
How?  a leak in a weld on the pipe-line which expands over time eventually rupturing.

Unit IOG1 Element 1
 no planned preventative or inspection programme in place
 no detection equipment in place for hydrocarbon release
 no emergency plan in place for hydrocarbon release
Why?  no portable fire-fighting equipment in the vicinity of the gas compression unit
 poor response by plant operators due to lack of emergency action training
 poor leadership by management due to lack of emergency plan
 slow decision-making processes.
The consequences:
 the hydrocarbon leak Is ignited by the electrical fault

 an explosion and fire engulf the canteen killing or seriously injuring all 50
What? employees
 the gas compression unit is destroyed In the blast, resulting in lost production
whilst the incident is investigated and the unit reinstated.
 no warning was given of the hydrocarbon release

 no water was available from the fire deluge system
 the hydrocarbon release took place undetected over a long period of time
 no additional fire-fighting equipment was available for responders
Why?
 other on-shift personnel were present in other areas of the installation
 there was no trained emergency team, no emergency plan in place or practiced
 the response time for emergency earn took too long due to lack of leadership
and slow response.
From this process we can examine the possibilities within each of the What? Where? When? How?
and Why? elements for both the scenario and the outcome.
Now we’ll examine the same scenario but with some key changes that reflect that the facility is
following national and industry safety guidance and best practice.
The scenario:
What?  a major HCR leak over 25 kg.
Where?  from a pipeline to a gas compression plant with an electrical fault in control
gear for a mechanised feed pump
 no accommodation or other facilities in close proximity to the plant
 BUT hydrocarbon release detection is installed around/throughout the plant
and an automatic fire deluge system has been returned to service following
maintenance.

Unit IOG1 Element 1
When?  during normal operations with the fire deluge and hydrocarbon detection
system in operation.
How?  a leak in a weld on the pipeline which expands over time eventually rupturing.
Why?  the leak has happened before a scheduled inspection programme for the gas
compression unit has begun – last carried out 2 years prior to the incident.
The consequences:
What?  the hydrocarbon leak is detected soon after the pipe weld ruptures alerting
operation staff to the leak
 isolation procedures are started
 but due to the undetected electrical fault on the feed pump control gear a fire
and explosion occur
 damage and injuries are minimised due to no buildings in close proximity to the
gas compression plant, the leak detection, isolation actions, and automatic fire
deluge system
Why?  the number of personnel in and around the gas compression unit was minimal
due to normal operations and no buildings in close proximity
 operations personnel were well trained in emergency isolation procedures,
much of which was carried out remotely from the control room, with operators
based at the gas compression unit aware of emergency response and escape
procedures
 management had practiced responding to a major incident and therefore made
accurate decisions quickly
 responders were well trained and had the benefit or the automatic deluge
system to aid in extinguishing the fire
 the hydrocarbon release detection equipment allowed early detection before a
large gas cloud could be formed
 a planned maintenance and inspection programme was in place, with the gas
compression unit due to be shut down for inspection and planned
maintenance.
It can be seen from this scenario that the hazard was greatly reduced due to the adoption of good
industry practice in plant design, maintenance planning and emergency planning and training.

Unit IOG1 Element 1
The concept of ‘risk control barrier models’
In addition to the risk controls we’ve been discussing, another risk control method involves placing
‘barriers’ between:
 the causes (sometimes referred to as the hazards) and the event (or top event)
 the event and the consequences.
In Offshore Information Sheet No 3/2006 the UK’s HSE discusses the concept of using barriers in
what is known as a bow-tie diagram.
Prevention controls Mitigation and

recovery controls
Consequences
Causes
Event
Figure 1.21: Events and consequences bow-tie diagram
A bow-tie diagram will illustrate the linkage between all of an event’s initiators and their eventual
consequences, including the barriers which can be placed to prevent, control or mitigate the
outcome of the event.
In the bow-tie diagram, the barriers are sometimes referred to as lines of defence (LOD) or layers of
protection (LOP). Each barrier can be assigned a reference number, and can be common to several
event initiators.
James Reason’s accident causation model also theorises that for an organisational accident to occur
the protective barriers and safeguards (defences) designed to prevent losses must be breached.
Reason coined the term ‘defences in depth’ to explain the concept of successive layers of protection
guarding against the possible failure of the one in front.
In an ideal world the layers of defences-in-depth prevent the hazard from adversely affecting people
and assets but in the real world each layer of defence will have gaps or weaknesses. Reason
explained these gaps in his ‘Swiss cheese’ model, which illustrates a moving picture with each
defence coming into and out of play depending on local conditions. The ‘holes’ in each defence also
move, shrink or grow in response to operator actions and local needs.

Unit IOG1 Element 1
The ‘holes’ may be created by active failures and/or latent conditions.
Active failures are unsafe acts that have a direct and immediate effect on system safety. Typically
they are errors and violations at the sharp end of the system.
Latent conditions include: poor design, gaps in supervision, undetected manufacturing defects,
training gaps and maintenance failures. Latent conditions may be present for many years before
they contribute to a breach of the layers of defences. Latent conditions typically arise from strategic,
top level decisions.
For an organisational accident to occur a rare conjunction of a set of holes in successive defences is
necessary. These windows of opportunity create an accident trajectory enabling the hazard to reach
and damage people or other assets.
Danger
Some
! Hazards
‘holes’ due
to active
failures
Defences
in depth
Other holes
due to latent
conditions
Losses
Figure 1.22: Swiss cheese model

Unit IOG1 Element 1
Modelling as a risk control measure
Modelling is the use of computer software that uses mathematical calculations, to simulate the
effects from major events such as explosions or gas or liquid releases. The computer model analyses
the data related to the event such as the fuel type and amounts, environmental aspects such as wind
speed, wind direction and air temperature, and physical constraints such as confinement, proximity
and construction of any structure. The model then provides a simulation or prediction of what is
likely to happen.
Typical use of modelling techniques would be for the effects of thermal radiation and blast zones. In
relation to explosions, the software would predict the temperatures and blast pressures that would
be produced from an explosion of a particular material in defined conditions and circumstances.
A major consideration during the design of any oil and gas plant is the avoidance of incidents leading
to a fire and/or explosion, together with the protection of personnel, neighbours, assets and
corporate reputation. To achieve this aim will require appropriate separation between hazards and
vulnerable areas, the degree of separation can be determined by the use of modeling.
Modelling the effects of explosions could be used to demonstrate the value of or improvements that
could be gained from:
 minimising the concentration of key equipment in high risk areas
 minimising liquid hydrocarbon inventory stored/transported within process equipment
 reducing vulnerability through the selection of intrinsically safe equipment
 minimising the exposure of personnel to hazards arising from process complexity and
maintenance.
Through modelling it is possible to explore the significance of any major hazards scenarios, and allow
the predicting of likely initiators by:
 identifying the key contributors to explosion risks, in order to aid prioritising of explosion control
measures
 exploring the effectiveness of current preventative and protective measures, to aid justification
of the adequacy of current controls, and the need or not for introducing additional controls.
Modeling will also aid in justifications on plant safety arrangements as set out in safety cases.
Some common uses of modelling
Thermal radiation modelling is used to predict the levels of thermal radiation including the
temperatures that could be expected, the spread or distances over which these temperatures would
travel and the time they would last for.
Blast zone modelling is used to predict the levels of pressure, rate of rise of pressure, and maximum
pressure, which could be expected. It would also predict the extent and duration of the pressure
wave.

Unit IOG1 Element 1
Dispersion modelling is used to predict factors relating to releases of gases and liquids. These
include the evaporation rate of a flammable liquid from, for example, a spillage or rupture, or the
dispersion of leaking vapours/gases together with the likely concentrations at any given location on
and off-site. The modelling will take into account vapour density, and the likelihood of the leaking
vapours/gases settling in low-lying areas.
Process integrity web pages from the UK’s Health and Safety Executive (HSE)
www.hse.gov.uk/offshore/processintegrity.htm
Web links
ALARP “at a glance” webpages from the UK’s Health and Safety Executive
(HSE)
www.hse.gov.uk/risk/theory/alarpglance.htm
Guidance on Risk Assessment for Offshore Installations from the UK’s Health
www.hse.gov.uk/offshore/sheet32006.pdf
Risk management tools and techniques are used to minimise hazardous events
associated with oil and gas exploration and production activities.
Exam question
(a) Identify risk management tools and techniques. 6 marks
(b) Identify the steps of risk management AND outline EACH

of the steps identified. 8 marks
(c) Identify project phases where risk management applies. 6 marks


Unit IOG1 Element 1
1.4 Documented evidence of an organisation’s
1.4 Documented evidence of an organisation’s process safety
process safety arrangements
arrangements
Purpose and types of documented evidence

The types of documented evidence used in the oil and gas industries are:
 safety cases for offshore platforms

 safety reports for onshore installations.
Safety cases are required to demonstrate that operators of offshore installations have carried out
the necessary design, construction, commissioning and operational arrangements to ensure the risks
to health and safety of those working on the facility, or in connected activities, have been reduced as
low as reasonably practicable.
The safety case will demonstrate, to the duty holder and relevant national competent authority, that
the duty holder is capable of controlling major accident/incident risks effectively, and is a core
document for confirming that risk controls and safety management systems are in place and
operating effectively.
Safety reports contribute to preventing major accidents/incidents at onshore installations having

specified amounts of hazardous substances.
The report will demonstrate the operator has measures in place to prevent major
accidents/incidents, and limit consequences to personnel, neighbours and the environment. This is
achieved by systematically examining the site’s operations, the potential for major
accidents/incidents and the measures in place to prevent them.
The report demonstrates that a systematic and detailed process has been carried out to determine
appropriate risk controls, and where deficiencies were identified the remedial action to taken to
introduce additional risk controls.
Typical content of safety cases and safety reports

As with the contents of a risk assessment, the safety report/case will be appropriate and
proportionate to the scale of the installation and the nature of the hazards arising from process
activities or stored within its boundaries.
 Identification of major accident hazards through risk assessment (Q, SQ, QRA), bow-tie
diagrams, information from previous operations and incident reports and input from design
drawings and calculations.

Unit IOG1 Element 1
The impact(s) of any potential major accident hazard(s) will be analysed and summarised to
identify:
 each individual hazard scenario

 threats to safety and what will cause them to be realised
 barriers in place to prevent any such threats and the consequences of each threat
should they be realised
 necessary recovery measures
 factors which could lead to the escalation of the hazard and/or its consequences.
 Evaluation of major accident risks and the measures in place, or to be introduced, to control
such risks. This will detail all existing ‘designed-in’ precautions and safety measures, and
reference into previous or existing risk controls, which are then evaluated to ensure their
adequacy or if further risk controls are necessary to demonstrate ALARP by:
 identifying each hazard and/or accident scenario

 assessing the frequency
 assessing the consequences
 assessing occupied and unoccupied locations as separate criteria
 assessing facilities and arrangements for evacuation, escape and rescue (EER)
 where identified, high risks should be assessed individually
 identify and assess risk control measures proposed to achieve ALARP.
 Arrangements for auditing and audit reporting setting out a schedule of the type and frequency
of auditing, locations to be covered, how the audit will be conducted, reporting mechanisms for
recommendations, arrangements for monitoring completion of action plans and overall
responsibility for their completion.
 Safety management system in place, including controls for the management of contractor, and
sub-contractor personnel and activities, such as:
 selection criteria and approved contractor lists

 returned health and safety data from contractors, such as pre-qualification
questionnaires confirming competencies and experience of the contractor organisation
and its employees.
 Major accident prevention policies that are in place to support the safety management system
and vice versa.
 Identification of safety critical elements in place to manage major accident hazards – scenarios,
possible causes, preventative/mitigating controls and recovery systems.

Unit IOG1 Element 1
 Details of emergency plans including plans of the installation detailing locations of emergency
and safety equipment, location of control room or points, isolation and shutdown controls, safe
access and escape routes, access to and arrangements for crewing rescue boats and their launch
procedures.
Preparing safety reports: Control of Major Accidents Hazards Regulations

1999 (COMAH) from the UK’s Health and Safety Executive (HSE)
Web links
A guide to the Offshore Installations (Safety Case) Regulations 2005 from

the UK’s Health and Safety Executive (HSE)
www.hse.gov.uk/pubns/books/l30.htm
Safety cases webpages from the UK’s Health and Safety Executive (HSE)
www.hse.gov.uk/offshore/safetycases.htm
Exam question
Safety cases and safety reports provide documented evidence that an oil and
gas installation is safe.
Outline the typical content of these types of document. 8 marks


Unit IOG1 Element 1
© Astutis Ltd
All rights reserved.
No part of this study material may be stored in a retrieval system, reproduced

or transmitted in any form, or by any electronic, photographic or other means
without the express written permission of Astutis Ltd.
Applications for written permission to reproduce any part of this study

material should be sent to Astutis Ltd, 6 Charnwood Court, Parc Nantgarw,
Cardiff, CF15 7QZ.
Information sourced from the Health and Safety Executive and Government
Departments has been reproduced and/or adapted under the terms of the
open government license for public sector information version 2.0, as
presented by the National Archives at:
www.nationalarchives.gov.uk/doc/open-government-licence/version/2
Information obtained from other sources has been properly acknowledged

and referenced.
Whilst every effort has been made to ensure the currency and accuracy of the
information contained within Astutis Ltd bears no liability for any omissions or
errors, or any concepts and interpretations advanced by the authors.

Unit IOG1 Element 1

NEBOSH IOG1 Element1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NEBOSH IOG1 Element1

Uploaded by

Copyright:

Available Formats

NEBOSH

International Technical Certificate in Oil and Gas Operational Safety

Element 1: Health, safety and environmental management

1.0 Learning outcomes............................................................................................................................ 5

© Astutis Ltd NEBOSH IOGC 2

© Astutis Ltd NEBOSH IOGC 3

© Astutis Ltd NEBOSH IOGC 4

On completion of this element, candidates should be able to demonstrate understanding of the

In particular they should be able to:

© Astutis Ltd NEBOSH IOGC 5

Collect Establish the Obtain

Figure 1.1: Reasons for investigating incidents

© Astutis Ltd NEBOSH IOGC 6

Through investigating incidents an organisation will be able to understand:

How and why the problems arose which caused the

The ways in which people are exposed to substances

What really happens in the workplace – e.g. why

Any deficiencies in the organisations risk control strategies

The benefits for investigating accidents and incidents include:

Improvements in Improved management

Figure 1.2: Benefits of investigating incidents

© Astutis Ltd NEBOSH IOGC 7

(a) Outline FOUR reasons why such incidents should be 4 marks

Answers are on page 4 of the examiners’ feedback PDF, which you

© Astutis Ltd NEBOSH IOGC 8

An event that results in injury or ill health.

© Astutis Ltd NEBOSH IOGC 9

(1) diseases caused by agents (chemical, physical or biological)

© Astutis Ltd NEBOSH IOGC 10

Root causes Underlying Direct or Accident Loss

Figure 1.3: Domino theory

© Astutis Ltd NEBOSH IOGC 11

 Fatal – work-related death.

Whatever the event, incidents give an organisation the opportunity to:

 measure their performance

Dangerous occurrences webpages from the UK’s Health and Safety

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations

Recording and notification of occupational accidents and diseases code of

© Astutis Ltd NEBOSH IOGC 12

Initial assessment and investigation response

The accident investigation

© Astutis Ltd NEBOSH IOGC 13

Minor Serious Major Fatal

Likely Low Medium High

Table 1.1: Risk/investigation level

Risk/investigation Suggested scope of investigation

Relevant supervisor should look into the circumstances of the

A short investigation by the relevant supervisor or line

A more detailed investigation by the relevant supervisor or

Looks for immediate, underlying and root causes.

A team based investigation, involving supervisors or line

Looks for the immediate, underlying, and root causes.

Table 1.2: Suggested scope of investigation

© Astutis Ltd NEBOSH IOGC 14

An accident investigation should be a team effort involving management and employees.

Members of the investigation team will require:

 detailed knowledge of the work activities involved

Necessary resources The investigation kit might include:

The investigation process

The investigation is typically a four stage process.

Step 1: Gathering information.

Step 3: Identifying suitable risk control measures.

Step 4: The action plan and implementation.