Brazil ANP Requirement

See discussions, stats, and author profiles for this publication at: https://www.researchgate.
net/publication/254536897
Application of the 17 Practices of the Management System for Operational

Safety on Marine Installations for Drilling and Production of Oil and Natural
Gas in Brazil
Conference Paper · October 2011

DOI: 10.4043/22685-MS
CITATIONS READS
5 1,818
1 author:
Caroline Morais
Brazilian Regulatory Agency of Petroleum, Gas and Biofuel (ANP)
28 PUBLICATIONS 102 CITATIONS
SEE PROFILE
All content following this page was uploaded by Caroline Morais on 02 March 2017.
The user has requested enhancement of the downloaded file.

OTC 22685
Application of the 17 Practices of the Management System for Operational

Safety on Marine Installations for Drilling and Production of Oil and Natural
Gas in Brazil
Caroline Pinheiro Marques de Morais (ANP)
Copyright 2011, Offshore Technology Conference
This paper was prepared for presentation at the Offshore Technology Conference Brasil held in Rio de Janeiro, Brazil, 4–6 October 2011.
This paper was selected for presentation by an OTC program committee following review of information contained in an abstract submitted by the author(s). Contents of the paper have not been
reviewed by the Offshore Technology Conference and are subject to correction by the author(s). The material does not necessarily reflect any position of the Offshore Technology Conference, its
officers, or members. Electronic reproduction, distribution, or storage of any part of this paper without the written consent of the Offshore Technology Conference is prohibited. Permission to
reproduce in print is restricted to an abstract of not more than 300 words; illustrations may not be copied. The abstract must contain conspicuous acknowledgment of OTC copyright.
Abstract
According to Brazil’s Petroleum Law (Law No. 9.478/97), the National Petroleum Agency (ANP) must establish the
technical and design requirements on Operational Safety to be accomplished by operators of concessions and
inspect their marine facilities with respect to drilling and production of oil and natural gas. Considering this, was
prepared the Technical Regulation of the Management System for Operational Safety on Marine Installations for
Drilling and Production of Oil and Natural Gas, approved by Resolution ANP n°. 43/2007.
Historical Accidents have taught that prescriptive regulations could discourage the creation, or delay the
implementation, of new technologies in the field of safety engineering, since the natural tendency of the market,
governed by the time and cost optimization, is to obey what was proposed and not overcome it. Therefore, the
Technical Regulation of the Management System for Operational Safety applied by the ANP is composed of 17
Safety Management Practices that allow the operator of the concession to correlate them to their own guidelines
for the management and safety technologies and methods that best meet each facility.
This paper aims to explain how compliance with each practice of this regulation could have prevented the most
likely causes of historical oil industry accidents.
1 - Introduction
The first reading of the Technical Regulation of Operational Safety, approved by Resolution ANP n°. 43/2007,
usually seems subjective or hard to understand. During ANP audits, the crew on board usually understand the
meaning of each management practice of this regulation trough the auditors explanation on remarks made. Since
not everyone has the opportunity to follow an audit or read their reports, this article attempts to clarify
the understanding of the rules by the correlation of each management practice to an accident.
Historical accidents were chosen to figure this paper since they are known and disseminated globally. All the
accidents here described are a sum of several errors. The objective of this paper is not to correlate each error to a
lack of a management practice, but to pick at least one error that, if didn’t occur, could avoid the accident or at
least minimize its severity.
2 - Operational Safety Regimen
The Operational Safety Regimen is understood to mean the regulatory structure established by the ANP with the
purpose of guaranteeing Operational safety, taking into account the responsibilities of the Concessionaire and the
duties of the ANP in conducting the activities on marine installations for exploration and production of oil and
natural gas.
2 OTC 22685
In very summarized words, the Operational Safety Regimen works like this: the responsabilities of the
Concessionaire, among others, are to submit to the ANP the documentation described in the 3rd article of
Resolution ANP n°. 43/2007 before starting an installation operation and provide free access to the Concession
Area and to the operations, for inspections and auditing of the facilities. The ANP duties are, among others, carry
out the analysis of that documentation and carry out audits at the installation to verify the performance of the
Operational Safety Management System
2.1 - Technical Regulation Of The Management System For Operational Safety On Marine Installations For
Drilling And Production Of Oil And Natural Gas (SGSO)
The Objective of this Technical Regulation is to establish requirements and directives for implementation and
operation of a Management System for Operational Safety (SGSO), to guarantee the operational safety of marine
installations for drilling and production of oil and natural gas, aiming at the protection of human life and
environment, by the adoption of 17 management practices.
Installation Operator is the definition adopted for the Concessionaire or company designated by the concessionaire
to be responsible for the management and execution of all operations and activities of an Installation. Installations
covered are Drilling Installations, Production Installations; and Storage and Offloading Installations. The
Exploration and Production Activities covered are well drilling, well completion and refurbishment, production of oil
and natural gas, primary petroleum processing, oil storage and offloading and natural gas compression and
offloading.
This Technical Regulation is applicable to the entire Life Cycle of drilling and production Installations, including the
phases of design, construction, installation, operation and decomissioning. This Regulation does not apply to
Marine Installations for drilling and production that are in transit or installations that are not executing authorized
operations, to Onshore Installations for drilling and production and to transport Pipelines.
3 - Management Practices of SGSO
The 17 Management Practices contained in this Technical Regulation are:

Management Practices nº 1: Culture of Safety, Commitment and Managerial Responsibility;
Management Practices nº 2: Involviment of Personnel;
Management Practices nº 3: Qualification, Training and Personnel Performance;
Management Practices nº 4: Work Environment and Human Factors;
Management Practices nº 5: Selection, Control and Management of Contracted;
Management Practices nº 6: Monitoring and Continuous Improvement of Performance;
Management Practices nº 7: Audits;
Management Practices nº 8: Information and Documentation Management;
Management Practices nº 9: Incident Investigation;
Management Practices nº 10: Design, Construction, Installation and Decomissioning;
Management Practices nº 11: Critical Operational Safety Elements;
Management Practices nº 12: Risk Identification and Analysis;
Management Practices nº 13: Mechanical Integrity;
Management Practices nº 14: Planning and Management of Major Emergencies;
Management Practices nº 15: Operational Procedures;
Management Practices nº 16: Management of Change;
Management Practices nº 17: Safe Working Practices and Control Procedures in Special Activities.
4 – Correlation of the accidents with Management Practices of SGSO
To make this correlation, the following will be used systematically:

1st) It is presented to management practice in its entirety, the way it is written in the Regulations. It’s good to notice
that this is a free translation and has no legal effect for compliance or enforcement purposes. The original
document can be obtained at www.anp.gov.br/segurancaoperacional
2nd) An offshore accident will be presented with a brief description of the incident, in full withdrawal of the
reference used.
3rd) Remarks will be made, like they are prescribed on the audits.
4th) Evidence of the mistakes made in the accident that correspond to the prescribed observation will be presented.
OTC 22685 3
4.1 – MANAGEMENT PRACTICE No. 1: SAFETY CULTURE, COMMITMENTS AND MANAGERIAL

RESPONSIBILITY
1.1 Objective
The operator of the installation will define the Operational Safety values and politics, will implement an
organizational structure defining the responsibilities and duties of the personnel involved, as well as establishing
means of communication of values, policies and goals and will be committed to the availability of resources for the
implementation and operation of the Operational Safety Management System.
1.2 Safety Values and Policy
The Installation Operator must establish and disseminate the safety values and policy for the personnel involved in
the installation activities.
1.3 Organizational Structure and Managerial Responsibility
The Installation Operator will be responsible for:
1.3.1 Establishing the organizational structure for management of the Installation regarding to the Operational
Safety.
1.3.2 Ensuring the effective participation of Installation Managers in the activities related the Operational Safety.
1.3.3 Define the duties and responsibilities of the entire workforce in the Operational Safety, including the
installation Managers, other operators’ employees and personnel of contracted companies.
1.4 Means of Communication
The Installation Operator will define the communication system for the workforce.
The communication system will be established to:
1.4.1 Inform the Workforce about the policy, values, goals and plans to achieve the performance established for
the Operational Safety.
1.4.2 Establish mechanisms for mutual and continuing communication between the managers and the workforce
aimed at the improvement for operational safety.
1.5 Resource Availability and Planning
The Installation Operator must plan and provide the necessary resources for the implementation and operation of
the Safety Operational Management System and to comply with all requirements established in this Technical
Regulation.
Related accident: Deepwater Horizon, Macondo Well

Operator: British Petroleum (BP)
Summary
“The explosion that tore through the Deepwater Horizon drilling rig at 20th April, 2011, as the rig’s crew completed
drilling the exploratory Macondo well deep under the waters of the Gulf of Mexico, began a human, economic, and
environmental disaster. Eleven crew members died, and others were seriously injured, as fire engulfed and
ultimately destroyed the rig. The accident spread millions of barrels of oil in the Gulf, polluting hundreds of
kilometers of coast. The well was only capped in July.”1
“The Deepwater Horizon was a semi-submersible mobile offshore drilling unit (MODU). In 1998, BP signed a
contract with Transocean securing the services of DeepwaterHorizon from the time it first left the shipyard for a
period of three years.
The accident was summarized by the Chief Counsel’s2 team as follows: “The Macondo well blew out because the
cement that BP and Halliburton pumped down to the bottom of the production casing on April 19 failed to seal off,
or ‘isolate’ hydrocarbons in the formation. As rig personnel replaced heavy drilling mud in the well and riser with
seawater on April 20, they steadily reduced the pressure inside the well. At approximately 8:50 p.m., the drilling
fluid pressure no longer balanced the pressure of hydrocarbons in the pay zone at the bottom of the well. At this
point, the well became ‘underbalanced’.
Once the well was underbalanced, hydrocarbons began to flow into the annular space around the production
casing. In oil field terms, the Macondo well was ‘taking a kick’. Those hydrocarbons flowed down through the
annular space to the bottom of the well, into the production casing through the ‘shoe track’, then up the well and
into the riser. As they traveled up the well, the hydrocarbons expanded at an ever-increasing rate and the kick
escalated into a full-scale blowout. Transocean‘s rig crew did not respond to the kick before hydrocarbons had
entered the riser, and perhaps not until mud began flowing out of the riser onto the rig floor. Within 10 minutes of
the rig crew‘s first response, hydrocarbon gas from the well ignited, triggering the first explosion.
Behind the overall technical findings is a complex web of human errors, engineering misjudgments, missed
4 OTC 22685
opportunities, and outright mistakes. The Chief Counsel’s team finds that management failures lay at the root of all
of the technical failures discussed in their report. For the National Commission on the BP Deepwater Horizon these
were “failures that place in doubt the safety culture of the entire industry.” 1
“Saying that everyone is accountable can be beneficial in certain instances, such as with respect to personal safety
and “stop-job” authority, but can lead to a diffusion of personal responsibility for process safety.”2
Remark on Item 1.3: The Installation Operator did not establish the organizational structure for management of
the Installation regarding to the Operational Safety, did not ensure the effective participation of Installation
Managers in the activities related the Operational Safety and did not define the duties and responsibilities of the
entire workforce in the Operational Safety, including the installation Managers, other operators’ employees and
personnel of contracted companies.
Remark on Item 1.5 - The Installation Operator did not plan and provide the necessary resources for the
implementation and operation of the Safety Operational Management System.
Objective Evidences:
 The BP team did not know who was accountable for important practices associated with safety.
 The risk register for the Macondo well focused exclusively on the impact risks might have on time and cost
– it did not include safety as an element.
 The Chief Counsel’s team observed that the Macondo team understandably made individual decisions
consistent with an orientation toward efficiency but did not step back to consider what the safety
implications of those decisions were when taken together.
4.2 – MANAGEMENT PRACTICE No. 2: INVOLVEMENT OF PERSONNEL
2.1 Objective
The Installation Operator must carry out the management practice in order to promote the involvement, the
awareness and the participation of the workforce in the execution of the Operational Safety Management System.
2.2 Personnel Participation
2.2.1 Setting conditions for workforce participation in the development, implementation and periodic evaluation of
the Operational Safety Management System.
2.2.2 Promoting awareness and information activities related to operational safety, as well as providing
participation opportunities for the entire workforce.
Related accident: Odeco Ocean Prince Semi-Sub
Operator: The Burmah Group
Summary
“Constructed in Smith's Docks, Middlesborough, and launched in July 1965, the Ocean Prince was the first semi-
sub in the North Sea, the first semi-sub built in UK and the first rig to find oil in UK waters while drilling in October
1966. The rig was built to the Ocean Queen design, which had been used previously in the Gulf of Mexico.
In March 1968, the rig was driling for The Burmah Group 100 miles off Scarborough in the Dogger Bank area,
drilling with the rig resting on the sea bed. The barge engineer had advised against this position as excessive
currents in the area caused scouring around the bow and stern of the rig, leaving only the centre of the rig
supported. The rig crew had also reported the existence of cracks in the steel structure of the vessel, but pressure
to decrease rig downtime caused the advice to be ignored and both Odeco and Burmah decided to continue
drilling.
In the early hours of 06 March (accounts differ, but newspapers agree on 06 March), the Ocean Prince was
experiencing gale-force conditions, with 50-foot waves and winds in excess of 80 knots. The rig was on the
receiving end of an extreme battering by the elements and, with every large wave, was lifted up and heavily
dropped back onto the sea floor. The 45 crew on board could see cracks opening in the main deck and structural
beams and notified shore personnel that the rig was in danger of breaking up. Of the various authorities contacted,
OTC 22685 5
only Capt. Robert Balls of Bristows, the rig's regular chopper pilot, set out immediately to rescue the crew.
By 07:10 hours, the portside pontoon broke in half and a main deck support split, allowing the whole port-aft area
containing the drillfloor, derrick and radio room to collapse into the sea. Flying conditions were in excess of
recommended helicopter limits but, shortly thereafter, the Bristow's chopper made its first landing on the rig and
airlifted 18 of the crew to the neighbouring Constellation rig. Two more journeys were made to extract the
remainder of the rig's crew. Less than an hour after the last pick-up, the entire rig broke up and sank into the
stormy seas.”3
Remark on Item 2.2.1: The Installation Operator did not set conditions for workforce participation in the
implementation of the Operational Safety Management System.
Objective Evidence:
“The rig crew had also reported the existence of cracks in the steel structure of the vessel, but pressure to
decrease rig downtime caused the advice to be ignored and both Odeco and Burmah decided to continue drilling.”
4.3 – MANAGEMENT PRACTICE No. 3: QUALIFICATION, TRAINING AND PERSONNEL PERFORMANCE
3.1 Objective
The Installation Operator must carry out the management practice in order to ensure that the workforce perform
their functions in a safe manner, according to the organizational structure and responsibilities established at the
Operational Safety Management System.
3.2 Organizational Structure
3.2.1 The operator will define the organizational structure of the Installation, establishing the function classification
and the duties related to the function assigned.
3.2.2 Based on the function classification, the Operator will identify the training, competence, skills and knowledge
levels required to each function, which qualifies the employee to perform the duties related to the function
assigned. The functions and duties considered hazardous or that can produce impact on Operational Safety or
Operational Safety Critical Elements should be emphasized.
3.3 Training
3.3.1 Establishing the training requirements in order to qualify the employee to perform the duties related to the
function assigned.
3.3.2 Dimensioning the training program in accordance with the function classification and the duties related to the
function assigned.
3.3.3 Ensuring that contracted companies establish the training requirements and programs as defined on items
3.3.1 and 3.3.2.
3.3.4 Establishing the qualification and training required to carry out the activities considered at the operational
procedures.
3.3.5 The following training types should be considered:
3.3.5.1 Awareness Training
Necessary for all workforce, as well as visitors, whenever boarding installations covered by this Technical
Regulation.
3.3.5.2 General Training
Necessary for the workforce assigned to routinely perform operations, inspections, maintenance and engineering
activities.
This training should be conducted as part of the Operational Safety Management System implementation and must
be periodically reviewed.
3.3.5.3 Specialized Training
Necessary for the workforce assigned to perform specific activities related to this Technical Regulation.
This training should be conducted as part of the Operational Safety Management System implementation and must
be periodically reviewed.
3.3.6 Training Registration and Verification
The operator must be able to provide evidence that the workforce has received the training associated to the
functions assigned, and must create means to periodically check the compliance with this requirement.
6 OTC 22685
Related accident: Odeco Ocean Ranger Semi-Submersible
Operator: Mobil
Summary
“The Ocean Ranger was built for ODECO by Mitsubishu, Japan in 1976 and was one of the largest semi-subs
working offshore in the early 1980s. It was approved for 'unrestricted ocean operations' and was designed to
withstand extremely harsh conditions at sea, including 100 knot winds and 110 foot waves.
In February of 1982, the rig was on hire to Mobil and was drilling the J-34 well in the Hibernia Field, about 166
miles east of Newfoundland. On the night of 14th February, a major Atlantic storm was forecast and the rigs in the
Hibernia Field, including the Ranger, prepared for the worsening weather by hanging-off the drillpipe in the well
and by disconnecting the rigs from the sub-sea stacks. At about 1900 hours local time, the nearby Sedco 706
experienced a large, powerful wave which damaged some items on deck, including the loss of a life raft. Soon
after, radio transmissions from the Ocean Ranger were heard, describing a broken window and water in the ballast
control room, with discussions on how best to repair the damage.
At 00:52 hours local time, on 15th February, a MAYDAY call was sent out from the Ocean Ranger, noting a severe
port list to the rig and requesting immediate assistance. The standby vessel, the Seaforth Highlander was
requested to come in close as countermeasures against the 10-15 degree list were proving ineffective. At 01:30
hours local time, the Ocean Ranger transmitted its last message: 'There will be no further radio communications
from the Ocean Ranger. We are going to lifeboat stations'. In the middle of the night, in the midst of atrocious
winter weather, the crew abandoned the rig at around 01:30 hours. The rig remained afloat for another 90 minutes,
sinking between 03:07 hours and 03:13 hours local time.
The United States Coast Guard Marine Board of Investigation report into the Ocean Ranger sinking summarised
the chain of events leading to the loss of the Ocean Ranger as follows:
1. a large wave appeared to cause a broken portlight;

2. the broken portlight allowed the ingress of sea water into the ballast control room;
3. the ballast control panel malfunctioned or appeared to malfunction to the crew;
4. as a result of this malfunction or perceived malfunction, several valves in the rig's ballast control system
opened due to a short-circuit, or were manually opened by the crew;
5. the Ocean Ranger assumed a forward list as a result of the forward list, boarding seas began flooding the
forward chain lockers located in the forward corner support columns;
6. the forward list worsened;
7. the pumping of the forward tanks was not possible using the usual ballast control method as the magnitude
of the forward list created a vertical distance between the forward tanks and the ballast pumps located
astern that exceeded the suction available on the ballast system's pumps;
8. detailed instructions and personnel trained in the use of the ballast control panel were not available;
9. at some point, the crew blindly attempted to manually operate the ballast control panel using brass control
rods;
10. at some point, the manually operated sea valves in both pontoons were closed;
11. progressive flooding of the chain lockers and subsequent flooding of the upper deck resulted in a loss of
buoyancy great enough to cause the rig to capsize.
“All 84 crew members died, despite concerted attempts by the crews of several standby boats to rescue men from
the water. The bodies of 22 of the 84 crew were found in the days after the tragedy and tests concluded that all
had died as a result of drowning while in a hypothermic state. No exposure suits were worn and the temperature of
the sea water at the time was 29 degrees F (-2 deg Celsuis). The remains of the rig itself were found by sonar
search over the following weeks, resting in an inverted position approximately 485 feet south-east of the wellhead,
surrounded by major items of debris such as the derrick. The rig had capsized bow-first, turning over and striking
the sea floor with the forward ends of the rig's pontoons.”3
OTC 22685 7
Remark on Item 3.3.3 or Item 3.3.4: The Installation Operator did not establish the training requirements in order
to qualify the employee to perform the duties related to the function assigned and did not establish the qualification
and training required to carry out the activities considered at the operational procedures.
 Personnel trained in the use of the ballast control panel were not available.
 At some point, the crew blindly attempted to manually operate the ballast control panel using brass control
rods;
 At some point, the manually operated sea valves in both pontoons were closed;
 The ballast control panel malfunctioned or appeared to malfunction to the crew and as a result of this
malfunction or perceived malfunction, several valves in the rig's ballast control system opened due to a
short-circuit, or were manually opened by the crew;
4.4 – MANAGEMENT PRACTICE No. 4: WORK ENVIRONMENT AND HUMAN FACTORS
4.1 Objective
The Installation Operator must carry out the management practice in order to encourage an adequate work
environment and to consider the human factors during the whole Installation lifecycle.
4.2 Work Environment and Human Factors
4.2.1 Analyzing the aspects of the work environment in order to consider the human factors during the whole
lifecycle of the installation and their systems, structures and equipments.
4.2.1.1 The codes and standards related to the work environment and human factors should be identified and
considered in the phases of design, construction, installation and decommissioning.
4.2.1.2 During the operation, should be promoted the awareness of the workforce involved in the operation and
maintenance, related to situations and conditions that may cause incidents.
Related accident: Ekofisk Bravo Platform
Operator: Phillips Petroleum Company
Summary
“The Ekofisk field was discovered in 1969, with production coming on-stream in 1971, and the field has since been
extensively developed. The Ekofisk Bravo platform is situated to the north of the Ekofisk field and is one of two
wellhead production facilities at Ekofisk. On 22 April 1977, it was the location of a blowout and North Sea's biggest
oil spill.
The Ekofisk B blowout occurred during a workover on the B-14 production well, when about 10,000 feet of
production tubing was being pulled. The production christmas tree valve stack had been removed prior to the job
and the BOP had not yet been installed. The well then kicked and an incorrectly installed downhole safety
valve failed. This resulted in the well blowing out with an uncontrolled release of oil and gas. The personnel were
evacuated without injury via lifeboats and were picked up by a supply vessel.
The initial flow was estimated at 28,000 bpd with a calculated total release of 202,380 bbls. Up to 30 to 40% of the
oil was thought to have evaporated after its initial release and the Norwegian Petroleum Directorate reported a total
spill estimate between 80,000 bbls and 126,000 bbls.
The well was capped after seven days on 30 April 1977. Rough seas and higher than average air temperatures
aided the break up of much of the oil. Later investigations reported no significant enviromental damage and no
shoreline pollution. There was also no significant damage reported to the platform.
The official inquiry into the blowout determined that human errors were the major factor which led to the
mechanical failure of the safety valve. These errors included faults in the installation documentation and
equipment identification and misjudgements, improper planning and improper well control. The blowout was
significant because it was the first major North Sea oil spill. Also significant was that the ignition of the oil and gas
was avoided and that there were no fatalities during the evacuation.” 3
8 OTC 22685
Remarks on Item 4.2.1.1: The codes and standards related to the work environment and human factors were not
identified and considered in the phases of design, construction, installation and decommissioning.
The code or standard used for the installation of the downhole safety valve was not clear enough to prevent human
erros, probably because he did not take into account “huma factors”.
4.5 – MANAGEMENT PRACTICE No. 5: SELECTION, CONTROL AND MANAGEMENT OF CONTRACTED
5.1 Objective
The Installation Operator must carry out the management practice in order to establish requirements for selection
and evaluation of contracted, considering the aspects of operational safety in all activities covered by this
Technical Regulation.
5.2 Selection and Evaluation of Contracted
The Installation Operator should establish requirements concerning the aspects of operational safety for selection
and evaluation of contracted, according to the risk of undertaken activities.
5.3 Operator Responsibilities
5.3.1 Establishing the responsibilities of contracted, concerning the Operational Safety.
5.3.2 Ensuring that all contracted companies that provide services to the Installation:
a) Have trained employees on the safe work practices of the Installation;
b) Have periodically instructed employees about the hazards related to the activities performed, including fires,
explosions and release of noxious substances;
c) Have qualified employees to execute their responsibilities regarding the Installation Emergency Plan; and
d) Notify any risk identified to the Installation Operator.
5.4 Training of Contracted
5.4.1 Should be kept evidence that contracted employees have received adequate training in order to perform their
functions in a safe manner.
Related accident: Deepwater Horizon, Macondo Well

Operator: British Petroleum (BP)
Summary
The same as presented at Management Practice 1
“In particular, although BP personnel recognized the ‘significant stability challenges’ of using foamed cement for
the Macondo production casing, and that changes to the retarder concentration in the cement design might
increase the risks of foam instability,BP does not appear to have insisted that Halliburton complete its foam stability
tests — let alone report the results to BP for review — before ordering primary cementing to begin. When asked
why, a BP representative said, “I think we didn't appreciate the importance of the foam stability tests”.
(…)
The cement slurry itself was poorly designed — some of Halliburton‘s own internal tests showed that the design
was unstable, and subsequent testing by the Chief Counsel‘s team raised further concerns.
Halliburton appears to have done little to supervise the work of its key cementing personnel and does not appear to
have meaningfully reviewed data that should have prompted it to redesign the Macondo cement slurry.
If the Rig Crew Had Recognized the Kick Earlier, They Could Have Shut in the Well Before Gas Entered the Riser
Transocean Should Have Trained Its Employees Better on How to Respond to Low-Frequency, High-Risk Events
Several times during the evening of April 20, data anomalies indicated that hydrocarbons were flowing into the
well. Despite noticing the anomalies “and taking time to discuss them” the rig crew did not recognize that a kick
was under way.
(…)
To a skilled observer, those anomalies “would have caused alarm.” But there appears to have been no hint of
alarm. Instead, the rig crew spent at least 10 minutes “discussing” the “anomal,” “scratching their heads to figure
what was happening.”
(…)
Transocean leaves open the possibility that its rig crew ―did not have the experience or training to interpret
pressure anomalies during the negative pressure test. If true, then the crew likely did not have sufficient training or
ability to interpret the recurrence of those anomalies during the final displacement.
OTC 22685 9
Transocean further states that its crew relied on the operator (BP) to make a final assessment of anomalies during
the negative pressure test. But when those anomalies reappeared during the displacement, the rig crew did not
notify BP rig personnel and ask for their help in interpreting the data.”
Remarks on Itens 5.2 and 5.4.1: The Installation Operator did not establish requirements concerning the aspects
of operational safety for selection and evaluation of contracted, according to the risk of undertaken activities and
did not kept evidence that contracted employees have received adequate training in order to perform their
functions in a safe manner.
Objective evidences:
 “BP Did Not Adequately Supervise Halliburton’s Work” 2

“Transocean Personnel Lacked Sufficient Training to Recognize That Certain Data Anomalies Indicated a
Kick” 2
4.6 – MANAGEMENT PRACTICE No. 6: MONITORING AND CONTINUED IMPROVEMENT OF

PERFORMANCE
6.1 Objective
The Installation Operator must carry out the management practice in order to establish performance indicators and
goals to evaluate the effectiveness of the operational safety and to promote continuous improvement of the
Installation safety conditions.
6.2 Safety Goals and Performance Indicators
6.2.1 Establishing the Operational Safety objectives to carry out the performance verification.
6.2.2 Defining a set of pro-active (to evaluate the conditions that may start or contribute to the occurrence of
accidents) and reactive performance indicators.
6.2.3 Establishing the Operational Safety goals.
6.2.4 Establishing regular reviews of the performance established for the Operational Safety.
6.2.5 Establishing a system of preventive and corrective actions when identified insufficient performance.
6.3 Monitoring
The operator of the installation will be responsible for:
6.3.1 Establishing and maintaining documented procedures to regularly monitor and measure the main
characteristics of the operations and activities that may cause incidents. Such procedures must include: the
register of information to track the relevant operational controls, the performance and the compliance with the
safety goals.
6.3.2 Establishing means for periodic evaluation of the compliance with applicable safety legislation and standards.
Related accident: Petrobras-26 (P-26)

Operator: Petrobras
Summary
Accident at sea chest pressure due to differential during underwaterinspection in P-26. On February 8, 2007, the
a professional diver fromm "Continental Maritime Sevices", performed work on the sea chest of the P-26, when
someone on the platform when a pump manually or automatically acted, sucking the diver in the direction of the
sea chest. In video4, one can see the moment that appears large amount of air bubbles, which lasts about 30
seconds.
The diver was sucked into by differential pressure, needing to use his strength to withstand the
pressure. He is now unable to act in the same profession and underwent operation for placement of pins in his
column.
Annex 6 of the Regulatory Standard No. 15 of the Ministry of Labor in Brazil5, presents the following:
“2.4 Obligations of the Commander of the vessel or the Head of Platform Diving.
2.4.1 It is the responsibility of the commander in charge of the vessel or platform diving:
a) does not allow for any activity that could pose danger to divers who have the as a support vessel, referring to
the diving supervisor on that may affect the safety of operation before the dives are initiated;
(...)
10 OTC 22685
c) ensure that no maneuver is performed and any machine or equipment stops working, if they offer danger to
divers in operation;
(...)
2.5 Obligations of the Diving Supervisor.
2.5.1 It is the responsibility of the diving supervisor:
(...)
h) establish, with the commander in charge of the vessel or platform diving, the measures necessary for the proper
conduct and safety of the diving operation, before it starts;
(...)
2.10.21 All dive team members, especially supervisors, must take appropriate precautions regarding the safety of
operations, with regard to planning, preparation, implementation and procedures emergency, as detailed below:
I - The Planning:
(...)
d) underwater hazards, including drains, suction pumps, or where the pressure difference Hydrostatic can create a
hazard for divers;”
Remarks on item 6.3.2: The operator of the installation did not establishing means for periodic evaluation of the
compliance with applicable safety legislation and standards.
Objective evidence: The operator or the ballast master and the diving supervisor did not guarantee safe
operation in accordance with the regulation on Unhealthy Activities and Operations (NR15) of the Ministry of
Labour, specifically the noncompliance to the items 2.4.1.a, 2.4.1.c, 2.5 .1.2.10.21.d h of Annex 6 of this standard,
about work under hyperbaric conditions.
4.7 – MANAGEMENT PRACTICE No. 7: AUDITS
7.1 Objective
7.1.1 The objective of this management practice is to create and apply mechanisms for evaluating the
effectiveness of the implementation and operation of the SGSO, looking for conformity with the requirements
contained in this Technical Regulation, by means of audits.
7.1.2 For compliance with this practice, the audits can be internal or third party, considering all the requirements of
the SGSO at the end of one audit cycle.
7.1.3 The audit team should be able to carry out the audit impartially and objectively, no matter if the auditing
process is conducted by internal employees or third party.
7.2 Audit Planning
7.2.1 The Installation Operator will be responsible for the preparation of the auditing plans, applicable to the
specific natures of the various phases of Installations’ Life Cycle and will define the audit teams.
7.2.2 The audit plans must be developed in order to consider the management practices applicable to the actual
stage of the Installation Life Cycle, during a particular audit.
7.2.3 The audit plan should present the areas and activities to be audited, and might consider the execution in only
part of the Installation, since all the facilities of the operator have been considered by the end of the auditing cycle.
7.2.4 Information on previous audits, performance assessments, accidents investigations and the accident risks
will be considered in the preparation of the audit plans and might be used in the audits cycle definition.
7.2.5 The composition of the audit team will be specified considering:
a) The Audit Plan;
b) The size and complexity of the installation;
c) The Operational Safety Critical Elements;
d) The appointment of a leader that must be independent from the purpose of the audit.
7.3 Audit Execution
The Installation Operator will be responsible for carrying out the audits, using appropriate methods (onboard
documents evaluation, checklists, field observations and interviews), considering the audit schedule and the
mandatory information that should appear in the reports to be prepared by the auditing team.
7.3.1 All information necessary for the audit execution must be available to the Audit team.
7.3.2 The Installation Operator must define the audit cycle, considering a maximum period of 2 (two) years. In
extraordinary situations, when technically justified and at the discretion of ANP the time limit may be extended, but
never exceeding 3 (three) years.
7.3.2.1 The first audit in the management practice Nº 11 - Operational Safety Critical Elements must be performed
before the operation beginning.
7.3.2.2 The first audit of the management system should be performed at the limit of one year after the operation
OTC 22685 11
beginning, excepting item 7.3.2.4.

7.3.2.3 For production facilities, the requirements established in the management practice Nº 10 - Design,
Construction, Installation and Decomissioning will be audited after the design detailing, but before the operation
beginning.
7.3.2.4 The practice Nº 4 – Work Environment and Human Factors - must be audited at the design phase and
periodically checked during the operation.
7.3.3 The Installation Operator should maintain the audit reports concerning the requirements of the Operational
Safety Management System (SGSO).
7.4 Audit Evaluation
7.4.1 The Installation Operator should prepare the action plan for the treatment of nonconformities described in the
audit report, containing the Corrective and Preventive Actions, as well as the time limits and the divisions or
employees responsible for the implementation. The measures and respective time limits should be compatible with
the risks involved.
7.4.2 The Installation Operator will be responsible for the implementation and monitoring of the measures
described at the action plan, and should communicate the actions in progress to the Workforce involved in the
activity or management practice audited.
Summary
The same as presented at Management Practice 1, plus the following statements:
“The Deepwater Horizon Blowout Preventer Was Not Recertified. It was well known by the rig crew and BP shore-
based leadership that the Deepwater Horizon blowout preventer as not in compliance with certification
requirements. (Internal BP document). BP’s September 2009 audit of the rig found that the test ram, upper pipe
ram, and middle pipe ram bonnets were original and had not been recertified within the past five years. According
to an April 2010 assessment, BOP bodies and bonnets were last certified December 13, 2000, almost 10 years
earlier. Although the September 2009 audit recommended expediting the overhaul of the bonnets by the end of
2009 and emails between BP leadership discussed the issue, the rams had not been recertified as of April 2010. A
Transocean rig condition assessment also found the BOP‘s diverter assembly had not been certified since July 5,
2000. Failure to recertify the BOP stack and diverter components within three to five years may have violated the
MMS inspection requirements. An April 1, 2010 MMS inspection of the rig found no incidents of noncompliance
and did not identify any problems justifying stopping work. The inspection did not identify the fact that the
Deepwater Horizon‘s BOP had not been certified in accordance with MMS regulations.”1
Remarks on itens 7.1.3, 7.4.1 and 7.4.2: The audit team should be able to carry out the audit impartially and
objective. The Installation Operator did not prepare an action plan for the treatment of nonconformities described in
the audit report, with measures and respective time limits compatible with the risks involved or it was not
responsible for the implementation and monitoring of the measures described at the action plan.
 “BP’s September 2009 audit of the rig found that the test ram, upper pipe ram, and middle pipe ram
bonnets were original and had not been recertified within the past five years.”
 “Although the September 2009 audit recommended expediting the overhaul of the bonnets by the end of
2009 and emails between BP leadership discussed the issue, the rams had not been recertified as of April
2010.”
4.8 – MANAGEMENT PRACTICE No. 8: INFORMATION AND DOCUMENTATION MANAGEMENT
8.1 Objective
The Installation Operator will define in the Management System control and access procedures to documents
related to the operational safety.
8.2 Responsibilities in Information Management
The Installation Operator will develop a documentation control system that considers the development, updating,
distribution, control and integrity of the information and the entire documentation required by this Technical
Regulation.
8.3 Information Access
The Installation Operator will be responsible for guaranteeing adequate access of personnel to the information and
documentation related to this Technical Regulation, considering the work activities and the training requirements.
12 OTC 22685
Related accident: Montara Wellhead Platform

Operator: PTTEP Australasia (PTTEPAA)
Summary
Prior to 21 August 2009, Australia had not seen an oil spill of the magnitude of the uncontrolled release of oil and
gas (the Blowout) from the Montara Wellhead Platform (WHP) in over 20 years. The volume of oil spilt from the
Montara WHP makes the Blowout Australia’s third largest oil spill after the Kirki oil tanker in 1991 and the Princess
Anne Marie oil tanker in 1975. However, the Blowout is the worst of its kind in Australia’s offshore petroleum
industry history.
In the early hours of 21 August 2009, a small ‘burp’ of oil and gas was reported as having escaped from the H1
Well at the Montara WHP. The oil and gas had travelled a distance of over four kilometres from the reservoir
beneath the sea bed. Whilst the initial ‘burp’ subsided, approximately two hours later the H1 Well kicked with such
force that a column of oil, fluid and gas was expelled from the top of the well, through the hatch on the top deck of
the WHP, hitting the underside of the West Atlas drilling rig and cascading into the sea.
For a period of just over 10 weeks, oil and gas continued to flow unabated into the Timor Sea, approximately 250
kilometres off the northwest coast of Australia. Patches of sheen or weathered oil could have affected at various
times an area as large as 90,000 square kilometres.6
Remark on Item 8.2: The Installation Operator did not develop a documentation control system that considers the
development, updating, distribution, control and integrity of the information and the entire documentation required
by this Technical Regulation.
“Finding 36: There were a large number of significant deficiencies in various PTTEPAA documents dealing with
well control – such as the WOMP, the Well Construction Standards, the two Drilling Programs in force in March
and August 2009, and instructions given to drillers. These deficiencies were, in aggregate, an important systemic
factor which indirectly contributed to the Blowout.” 6
“Finding 39: The respective roles and responsibilities of PTTEPAA and Atlas, particularly with respect to well
control, were not adequately defined, documented or implemented.” 6
4.9 – MANAGEMENT PRACTICE No. 9: INCIDENTS INVESTIGATION
9.1 Objective
The objective of this management practice is to describe the requirements that must be considered for conducting
the investigation of each incident related to the Operational Safety.
9.2 Procedures and Investigation Organization
The Installation Operator shall establish a procedure for conducting the investigation of incidents with undesirable
consequences for Operational Safety.
9.2.1 The investigation procedures must include:
a) Sizing and definition of the investigation team, and
b) Criteria for conducting the site investigation, considering the preservation of the physical evidences, the
schedule and execution of interviews and the collection and identification of documents, further data and
appropriate records.
9.2.2 The incident investigation should be conducted with strict observance of legal impositions.
9.3 Investigation Execution
The Installation Operator will be responsible for carrying out the incident investigations, according to the
procedures established as described above, promptly mobilizing the team, establishing the work methodology and
assuming the responsibility for the content of the report to be issued by the investigation team.
9.3.1 The investigation team will begin the investigation as soon as possible, but never later than 48 hours after the
end of the incident in order to preserve evidence, except by an unpredicted event.
9.3.2 The investigation team must prepare the investigation report that should contain, in addition to the required in
the applicable legislation, all information considered relevant to subsequent implementation of actions that intend
to avoid or minimize the reoccurrence possibility.
9.3.3 The incidents investigation report must be stored and available for ANP at any time.
9.3.4 An annual report will be submitted to ANP consolidating all Installation incidents, containing at least the
following information:
a) Incidents Date;
OTC 22685 13
b) Classified and categorized types of Incidents;

c) Related installations, processes, equipment and activities;
d) Consequences for Operational Safety;
e) The identified causes;
f) Factors that contributed to the Incidents occurrence;
g) Corrective Actions implemented to minimize the immediate consequences of the incidents;
h) Preventive Actions implemented to prevent reoccurrence; and
i) The assessment of non-conformities trends and recommendations appointed in the investigation reports.
9.4 Corrective Actions
The Installation Operator will be responsible for establishing, registering and implementing the necessary
Corrective Actions, based on the measures appointed in the investigation report. The time limits for the
implementation must be suitable to the actions complexity and risks involved.
9.5 Preventive Actions
The Installation Operator will be responsible for establishing, registering and implementing the necessary
Preventive Actions, based on the measures appointed in the investigation report. The time limits for the
implementation must be suitable to the actions complexity and risks involved.
Related accident: Bourbon Dolphin

Operator: Chevron
Summary
“The Bourbon Dolphin capsized with the loss of the lives of eight of those on board, while carrying out anchor work
at the Transocean Rather on 12th April 2007. The accident was investigated by the UK Health and Safety
Executive, the Norwegian maritime authorities and a Norwegian Royal Commission, which reported on 28th March
2008. (…) This extremely high specification made it suitable, so it seemed, for moving the Transocean Rather
which was drilling a prospect for Chevron, West of Shetland in 1100 metres of water. The Rather was provided
with a chain wire combination to allow it to work in deep water, but to conform to the POSMOOR requirements
modifications to this system were required to prevent anchor uplift in the worst of the prospective winter weather,
and as a consequence 916 metres of chain were added to the rig’s own 900 metres, this being deployed from the
chain lockers of the attendant anchor-handlers.
(…) At the time Shell had recently completed a well with the Transocean Rather further to the south-west utilising
the first prelaid moorings ever to be used for an exploration well in the UK sector. Although details of the operation
were never made generally available, the job took weeks and the marine community in Aberdeen were aware of
the difficulties. A video taken from the bridge of one of the Gulf Offshore UT722s, and subsequently circulated,
showed a pennant wire breaking at the roller, and snaking back with vicious force towards the bridge windows.
This alone would have put anyone off. In fact this operation resulted in the irrepairable damage to several of the
Rather’s anchor wires, so the rig had to visit the repair base at Invergordon before starting on the Chevron project.
This was described in the Commission’s report as ‘technical problems with the departure from the Shell field’.
(…) To allow it to work in deep water, the Transocean Rather uses a combination of chain and wire. (…)In order for
the chasers to be able to run down the wires without damaging them, they are fitted with rollers in the lowest part,
and during the mooring of the rig at Rosebank G these rollers had been damaged, and so an a lternative technique
was to be used to recover the moorings.
(…) In the very first session where witness statements were taken the First Officer testified that on departure from
Lerwick, he had been told to write the GM in the logbook and that the figure had been 0.29 metres. This would
have raised concerns in the mind of an experienced deck officer who was aware of the work that the ship was
about to carry out, but the First Officer’s experience was very limited. In the event none of the stability experts
could replicate this condition no matter how they loaded the ship, so one assumes that it was a figure picked out of
the air by either the Chief Officer or the Captain.
(…) The watch had changed at 12:00, the Captain and one of the First Officers being relieved by the Chief Officer
and the other First Officer, and it seems likely that the Chief Officer, who had limited experience in the driver’s seat,
was relying entirely on the joystick, and therefore solely on thruster power to get the ship back on the line. It may
be a feature of modern offshore ship operations that the transverse thrust available is so great that even quite
experienced drivers are surprised when the required manoeuvre cannot be achieved simply by pushing the joystick
14 OTC 22685
over. Old hands could probably propose two or three alternative techniques which would have brought the ship
back onto the line. The Commission however, felt that the rig should have registered this loss of position and have
provided assistance, or abandoned the run altogether.
In the event, the Bourbon Dolphin asked for assistance and the Highland Valour was sent over with instructions to
grapple the chain astern of it, to take some of the weight, and therefore allow it to move off towards the anchor
position. The Highland Valour started to grapple at about 15:00 and after some effort seemed to have made
contact with the chain at 16:10. Very soon after this there was a close approach between the two ships. The
testimony regarding this event is confused, and much was made of it by the press after the witnesses had
described it, however it seems most likely that the Bourbon Dolphin drifted astern towards the Highland Valour,
and in order to avoid collision the latter quickly lowered away the workwire, and disengaged the grapnel from the
chain.
The rig issued an instruction that no further attempts to grapple should take place and the log stated that “Both
vessels instructed to move away from No 3”. At 16:40 the Bourbon Dolphin was nearly 950 metres to the east of
the line and was getting close to the No 3 anchor wire. The Commission took it as an indication of poor
communication that neither the OIM of the rig, the man formally in charge of the rig move, or the Barge Supervisor
the senior marine person, were informed of the near miss.
After the near miss the Captain of the Bourbon Dolphin returned to the bridge and it appears that he took over in
the driver’s seat, and the Chief Officer started to transfer ballast to correct a list of about 5 degrees to port. The
ship wanted the rig to start to run out its wire, but as an alternative the towmaster proposed that the ship should
start to run out its workwire, which was still connected to the chain. The chain was, at this time leading between the
starboard towing pins, and was tight up against the inner pin, apparently preventing the bow turning to port. It was
reported that the towmaster requested that this pin be lowered to allow the chain to move to port, however he
denied this. The Commission considered that in some way the possibility entered the thinking of the bridge team,
and that as a consequence they lowered the pin. The witnesses testified that they “saw the chain smack over
against the port outer pin, and that they heard a loud bang”.
Shortly afterwards the ship listed heavily to port and then, after about 15 seconds returned to upright. The Chief
Engineer warned the bridge that the starboard engine had stopped, and the surviving First Officer testified that he
saw the winch tension increase to 330 tonnes. As the ship listed again the First Officer activated the winch
emergency release and left the bridge. The ship continued to list to port and at 17:08 rolled over.
(…) This was that the angle of departure of the chain was between 40 and 60 degrees from aft, and that while it
was unlikely that the tension reached the 330 tonnes claimed by the First Officer, a tension of 200 tonnes if the
angle had been 40 degrees, or 180 tonnes if the angle had been 60 degrees would have resulted in the margin of
stability being overcome.
After the ship capsized the OIM immediately raised the alarm, and in accordance with the communications
documentation for the contract, the managements of both Transocean and Chevron were informed within minutes.
The crew members who had managed to escape from the ship were now either in the sea or had climbed onto a
rescue float or a container. The Highland Valour approached the casualty and launched its MOB boat at 17:30. It
immediately went to the container on which three of the survivors were, and recovered them to the ship. The ERRV
(Emergency Response and Rescue Vessel) Viking Victory which was assigned to the Transocean Rather launched
its two fast rescue craft and picked up the cook, who was floating in the sea. The FRCs also picked up the three
survivors who were on a rescue float, as well as the body of the Chief Officer. All the vessels then began to search
for survivors, although it was not until 1839 that the numbers on board were confirmed as being 15.
In the hours of darkness the search continued, although the helicopters were detached to take the survivors to the
Sheltlands, to bring out navy divers and to start to downman the rig. The Grampian Frontier arrived on the location
to provide ROV services and to act as a base for the divers. By 15:45 on the following day the coastguard informed
the rig that the nature of the operation had changed from a rescue to a salvage operation. Eight of the crew of the
vessel had died including the Captain and his fifteen year old son, who had been on board undertaking work
experience.
(…) All aspects of the operation up to and after the capsize were investigated in depth by the Commission, and
also by Transocean, the owners of the rig, and by Chevron the operator, who hired the ships. The Commission
OTC 22685 15
discovered that the ship had had a previous incident where it had taken a serious list when an anchor had moved
on the deck, but that this had not been reported. It discovered that the Stability Book, which, although it was
supposed to be readily accessible to the master, extended to more than 500 pages, only conformed with the
stability criteria because a smaller winch than that installed was used, and the work wire was retained between the
inner towing pins, an impossible situation. The Stability Book also failed to provide instructions on the use of the
stability tanks, which was prohibited during anchor-handling, although the experts determined that in fact the
stability tanks had been in use. The examples of stability conditions in the book also required more than 500
tonnes of fuel to be carried at all times, limiting the theoretical operating period for the ship to a few days. The
master who had been relieved on at the crew change testified that on two occasions he had requested clarification
on stability from his company, but that none had been forthcoming. The Stability Book, despite its defects had been
approved by the Norwegian Maritime Directorate.
To many it must therefore seems pretty clear that if the stability of the vessel had been paramount in the minds of
the crew of the ship, and if they had been provided with the appropriate information presented in the appropriate
way, there would not have been a disaster. Bourbon’s formal procedures should have ensured that this happened,
but even when it was evident that maintaining the stability of the Bourbon Dolphin would require more that the
usual level of attention, nothing was done to ensure that the master who joined on 30th March was fully informed. If
he had been it is possible that the ship might have been fuelled in Scrabster on 30th March and in Lerwick on 10th
April. Whether No 2 anchor would have been run on 12th April, or whether contact with No 3 anchor would have
been avoided remains debatable, but it is pretty certain that the vessel would have remained upright.” 7
Remarks on Itens 9.3 : The Installation Operator did not carry out the incident investigations promptly mobilizing
the team, establishing the work methodology and assuming the responsibility for the content of the report to be
issued by the investigation team.
Objective Evidence: The Commission discovered that the ship had had a previous incident where it had taken a
serious list when an anchor had moved on the deck, but that this had not been reported.
4.10 – MANAGEMENT PRACTICE No. 10: DESIGN, CONSTRUCTION, INSTALLATION AND

DECOMISSIONING
10.1 Objective
The objective of this management practice is to describe the requirements that must be considered by the
Operational Safety Management System to promote safety at the design, construction, installation and
decommissioning phases.
10.2 Management and Organization
The operator of the installation must:
10.2.1 Observe the design criteria and consider the codes, industry standards and good engineering practices
when planning the design, construction, installation and decommissioning.
10.2.2 Identify codes, standards and good engineering practices related to Operational Safety during the design,
construction, installation and decommissioning phases.
10.2.3 Consider the codes, standards and good engineering practices related to Operational Safety during the
installation items and equipments procurement process.
10.2.4 Consider in the design phase the human exposure reduction to the consequences of any equipment or
system failure.
10.3 Safety at the Design, Construction, Installation and Decommissioning Phases
The operator of the installation must establish a system that:
a) All aspects that may introduce risks to Operational Safety are properly considered in the installation design and
in the subsequent updates at design, construction, installation and decommissioning phases;
b) Work environment and human factors are considered in the installation design and in the subsequent updates at
design, construction, installation and decommissioning phases; and
c) Means of design modification are established when identified aspects that may introduce risks to the Operational
Safety, during the construction and installation phases.
Related accident: Sleipner A

Operator: Statoil
16 OTC 22685
Summary
“The Sleipner A Platform was Condeep-type platform (abbreviated from concrete deep water structure), built for
Statoil in Norway by the company Norwegian Contractors. The Condeep-type platform consists of two units, the
hull and the deck. The hull is a gravity base made up of support pilings and concrete ballast chambers from which
three or four shafts rise and upon which the deck sits. Once fully ballasted, the hull sits on the sea floor. In the case
of the Sleipner A, there were 24 chambers, of which four formed the 'legs' supporting the facility on top.
In August 1991, prior to the mating of the hull and the deck unit, the hull was towed into Gandsfjord where it was to
be lowered in the water in a controlled ballasting operation at a rate of 1m per 20 minutes. As the hull was lowered
to the 99m mark, rumbling noises were heard followed by the sound of water pouring into the unit. A cell wall had
failed and a serious crack had developed, and sea water poured in at a rate that was too great for the deballasting
pumps to deal with. Within a few minutes the hull began sinking at a rate of 1m per minute. As the structure sank
deeper into the 220m fjord, the buoyancy chambers imploded and the rubble struck the floor of the fjord creating a
3.0 magnitude record in a local seismograph station.” 3
Remark on Item 10.2.1: The operator of the installation did not observe the design criteria and consider the
codes, industry standards and good engineering practices when planning the design, construction e installation.
Objective Evidence:
The post-accident investigation by SINTEF discovered that the root cause of the failure resulted from inaccurate
finite element approximation during calculations in the design of the structure. Essentially, stresses on the ballast
chambers were underestimated by 47% and some concrete walls were designed too thin. Upon reaching a given
pressure, these walls failed and cracked allowing sea water to enter the unit at an uncontrolled rate, eventually
sinking the base unit.
4.11 – MANAGEMENT PRACTICE No. 11: CRITICAL OPERATIONAL SAFETY ELEMENTS
11.1 Objective
management system to identify the Critical Operational Safety Elements of the Installation and to establish
systems of management and control.
11.2 Identification of Critical Operational Safety Elements
11.2.1 The Installation Operator will identify and describe the essential characteristics and functions of Critical
Operational Safety Elements, which are classified into three categories:
a) Critical Operational Safety Equipments;
b) Critical Operational Safety Systems; and
c) Critical Operational Safety Procedures.
The elements are considered critical when essential for the prevention or mitigation or, in case of failure, may
cause an operational accident.
11.3 Critical Operational Safety Elements Management and Control
11.3.1 The Installation Operator will establish contingency procedures and will define a system for approval and
control, to be used when Critical Operational Safety Equipment or System are degraded or out of operation.
11.3.2 Such procedures shall establish temporary measures that could supplement the absence of a Critical
Operational Safety Equipment or System due to failure, degradation or shut down.
Such measures must include when applicable:
a) Implementation of alternative equivalent controls;
b) Production reduction or limitation, and
c) Isolation and shut down of equipment, systems, installations.
11.3.3 The operator of the installation will establish the time period in which the temporary procedures will be
permitted, until corrective measures are taken.
Related accident: Plataforma de Cherne (PCH-2)

Operator: Petrobras
Summary
At 22:30h of the 19th January of 2011, the platform of PCH-2 (Cherne 2), located in the Campos Basin
about 120 km from the coast, with production of 9,300 barrels of oil a day, was shut down on , when a major
fire began at the transfer module. The flames reached the safety valves of the production separators and was
only quelled more than one hour after it was reported.8
OTC 22685 17
The fire destroyed power and instrumentation cables of the platform, among other damage. The lamps near
the zone of the fire melted. Support boats that were near the platforms were called but did not had to act because
the fire had been controlled. The fire frightened the 160 crew working on the platform, but did not occurred panic.
All went to the muster point to await instructions and did not have to go to the lifeboats.8
Workers at Campos Basin reported that the fire was large and could be observed from far, lasting over an
hour. The labor union also received complaints of individual workers about the deluge system on the platform: the
system had not worked in the emergency since it was inoperative awaiting the implementation of recommendations
type A (immediate stop) made at a Technical Report of Inspection. 9
At a meeting with part of the crew, was reported in a document sent for SindipetroNF, that the ESD-3 was
usually ‘by-passed’, among other issues. 10
Remark on Item 11.3.2: The Installation Operator did not establish contingency procedures when a Critical
Operational Safety System went degraded or out of operation. These procedures should establish temporary
measures that could supplement the absence of the Critical Operational Safety System.
Objective Evidence:
 The deluge system had not worked in the emergency since it was inoperative awaiting the implementation
of recommendations type A (immediate stop) made at a Technical Report of Inspection.
 The ESD-3 was usually ‘by-passed’.
4.12 – MANAGEMENT PRACTICE No. 12: RISK IDENTIFICATION AND ANALYSIS
12.1 Objective
The objective of this management practice is to establish requirements for identification and analysis of risks that
can result in incidents, to be conducted at different stages of the Installation Life Cycle, through the use of
recognized tools with results properly documented.
12.2 Types of Risks Analysis
The operator of the installation will be responsible for the identification and for the conduction of quantitative or
qualitative risk analysis as applicable, aiming at the recommendation of actions to control and reduce Incidents that
may affect the Operacional Safety.
12.3 Risk Identification and Analysis Methodology
The Risk Identification and analysis methodology must:
a) Be defined in the scope;
b) Consider the Critical Operational Safety Elements;
c) Consider previous risk analysis performed at the Installation or at similar facilities;
d) Consider the historical analysis of incidents occurred at the Installation or at similar facilities;
e) Consider the layout, human factors and external causes, when applicable;
f) Classify the identified risks; and
g) Identify the necessary actions for mitigation and risk prevention.
12.4 Risk Analysis Execution
12.4.1 The risk identification and analysis must be performed by a multidisciplinary team.
12.4.2 The number of people involved and the experience characteristics must be determined by the dimension
and complexity of the activity, installation, operation or enterprise to be analyzed.
12.4.3 The risk analysis must be approved by the Installation Manager or by a designated person of the company
or organization legally responsible for the installation.
12.5 Preparation of the Risk Analysis Report
12.5.1 The Installation Operator will be responsible for preparing the identification and risk analysis reports to be
held in the installation.
12.5.2 The risk identification and analysis report must address the following points at least:
a) Team components Identification;
b) Objective and scope of the analysis;
c) Description of the Installation, part of the installation, system or equipment that will be submitted to the analysis;
d) Methodology justification;
e) Methodology description;
f) Risk Identification and analysis;
g) Risks classification; and
18 OTC 22685
h) Recommendations and conclusions.

12.5.3 The risk identification and analysis reports must be available during the conduction of audits, inspections or
installation verifications.
12.6 Results
12.6.1 The Installation Operator will be responsible for the implementation of Corrective Actions related to the
recommendations contained in the risk analysis.
12.6.2 The results should indicate the need for updating the Critical Operational Safety Elements list, when
applicable.
12.6.3 The Installation Operator will be responsible for documenting the implementation of Corrective Actions. The
alteration or refusal of any action must be justified and registered.
12.6.4 The Installation Operator must keep evidence that the risks were systematically evaluated during the
design, construction, commissioning and operation phases, as well as before the decommissioning.
Related accident: Mumbai (Bombay) High North Platform

Operator: Oil and Natural Gas Corporation (ONGC)
Summary
“The Mumbai High Field was discovered in 1974 and is located in the Arabian Sea 160km west of the Mumbai
coast. The field is divided into the north and south blocks, operated by the state-owned Oil & Natural Gas
Corporation (ONGC). The field's installations comprise four platforms linked by bridges:
 NA small wellhead platform built 1976;
 MHF residential platform built 1978;
 MHN processing platform built 1981;
 MHW recent additional processing platform.
The complex imported fluids from 11 other satellite wellhead platforms and exported oil to shore via undersea
pipelines, as well as processing gas for gas lift operations. The seven-storey high Mumbai High North (MHN)
platform had five gas export risers and ten fluid import risers situated outside the platform jacket. In July 2005, a
multi-purpose support vessel (MSV) collided with the MHN platform, severing at least one gas riser and causing a
massive fire which destroyed the MHN platform within two hours.
At time of accident on 27 July 2005, the Noble Charlie Yester jack-up was undertaking drilling operations in the
field and was positioned over the NA platform. The MSV Samudra Suraksha was working elsewhere in field
supporting diving operations when a cook onboard the MSV cut off the tips of two fingers. Monsoon conditions
onshore had grounded helicopters, so the injured person was to be transferred from the MSV to the MHN by crane
lift for medical treatment. While approaching the MHN on the windward side, the MSV experienced problems with
its computer-assisted azimuth thrusters so the MSV was brought in stern-first under manual control and the injured
person was transfered off the MSV.
At around 16:05 hours, strong swells pushed the MSV towards the MHN platform, causing the helideck at the rear
of vessel to strike and sever one or more gas export risers on the MHN jacket. The resultant gas leak ignited within
a short time. The close proximity of other risers and lack of fire protection caused further riser failure. The
subsequent fire engulfed the platforms MHN and MHF, causing the complete destruction of the MHN. The fire also
engulfed the MSV Samudra Suraksha, with heat radiation causing severe damage to the NA platform and the
Noble Charlie Yester jack-up. Emergency shut-down valves (ESDVs) were in place at each end of the risers, but
some risers were up to 12 km long and riser failure caused large amounts of gas to be uncontrollably released.
Six divers in saturation chambers on MSV were left behind when the vessel was abandoned. The were rescued 36
hours later. The MSV suffered extensive fire damage and was towed away from scene but later sank on 01 Aug
2005, about 18km off Mumbai coast.
MHN collapsed after around two hours, leaving only the stump of its jacket above sea level. A total of 384
personnel were on board the MHN complex and NCY jack-up at the time of the accident. All installations were
abandoned with 362 crew rescued and 22 reported dead (11 fatalities with 11 missing). The flow was shut down
via sub-surface ESDVs. Significant problems were reported with the abandonment of all the installations involved:
only two of eight lifeboats and one of ten liferafts at the complex were launched. A clean-up operation was also
undertaken after a 10 nautical mile oil spill resulted from the fire.
OTC 22685 19
Two areas were identified for investigation:

 the adequacy of and failures within the risk control systems
 the adequacy of collision avoidance practices and procedures.
Points of interest under investigation include the location and vulnerability of the risers in the jacket relative to
platform loading zones. Some riser protection guards were in place just above sea level, but these were only
suitable for smaller offshore supply vessels and were not considered suitable for larger multi-purpose support
vessels. Also under investigation is the quantity of riser contents likely to be discharged if a riser should fail below
an emergency shutdown valve and the risk management process, including the vessel suitability, the crew
competence, communications and collision avoidance measures.
The Bombay High field accounted for 40% of India's domestic production, of which the North platform accounted
for one quarter. One month after the accident, production had been restored 60% of the pre-accident level.” 3
Remark on Item 12.3: the Risk Identification and analysis methodology did not consider: previous risk analysis
performed at similar facilities, the historical analysis of incidents occurred at similar facilities and external causes.
Objective Evidence:
Some riser protection guards were in place just above sea level, but these were only suitable for smaller offshore
supply vessels and were not considered suitable for larger multi-purpose support vessels.
4.13 – MANAGEMENT PRACTICE No. 13: MECHANICAL INTEGRITY
13.1 Objective
Operatioanal Safety Management System to ensure that the installation, its systems, structures and equipments
will undergo the necessary inspections, tests and maintenance, in a planned and controlled manner, in order to
guarantee mechanical integrity and Fitness for Purpose.
13.2 Inspection, Test, Maintenance and Procurement Planning
13.2.1 Establishing plans and procedures for inspection, testing and maintenance, in order to ensure the integrity
of its mechanical systems, structures, and Critical Operational Safety Equipments and Systems. This
documentation must be aligned with the manufacturers’ recommendations, codes, standards and good engineering
practices.
13.2.2 Establishing procedures for inspection, testing and maintenance containing clear instructions for safe
conduction of this activities.
13.3 Activities Control
The operator of the installation will be responsible for:
13.3.1 Registering all activities related to mechanical integrity carried onboard.
13.3.2 Ensuring that the operating procedures, manuals or any other document related to the installation, its
systems, structures and equipment are available to the maintenance staff (own employees or contracted) when
applicable.
13.3.3 Establishing requirements for quality assurance in the execution of the procedures.
13.3.4 Ensuring that all Critical Operational Safety Equipments and Systems are covered by inspection, testing and
maintenance plans.
13.3.5 Any deviation from the design specifications must be ruled by the requirements of the Management Practice
Nº 16 - Management of Change.
13.4 Monitoring and Results Evaluation
The Installation Operator will be responsible for monitoring and evaluating the results of the inspections and tests.
Related accident: Atlantic Pacific Marine Corp. Ranger I

Operator: Mitchell Energy Offshore Corp
Summary
“The Ranger I, a jack-up workover barge, was built in 1968 and consisted of an upper hull supported by three
cylindrical legs fixed to support mat. After having spent 2 months in an Alabama shipyard in the spring of 1979, the
rig was towed to a new drilling location in Block 189L. Once on location, the rig was jacked up, pre-loaded and the
derrick skidded into position. Operations on the new well began on 10th May 1979 with the installation of the
conductor.
20 OTC 22685
The first sign of possible trouble occurred between 1500 and 1800 hours on the afternoon of 10th May. The
Ranger I experienced a violent shudder, with personnel reporting it as a violent shaking or a vertical fall of up to
30cm. Up to an hour was spent trying to locate the cause of the movement without success. Work aboard the rig
then continued, including the offloading of supplies from the Delta Seahorse supply boat.
At about 22:30, prior to a shift change, the Ranger I collapsed into the sea. The stern leg, below the
accommodation block, broke near the connection to the support mat causing the upper hull to fall stern-first and
strike the Delta Seahorse. The bow legs supported the upper hull for a short time, then collapsed, allowing the
upper hull to fall to the sea. The upper hull then separated from the legs, drifted to the west and sank over the
course of the following day.
Prior to the initial collapse, most of the crew were in the living quarters, with 13 men in the galley. The survivors
reported experiencing a rapid fall followed by sudden jolt as the upper hull struck the water. The lower floor of the
accommodation unit flooded instantly to a depth of 2-3 feet. The men escaped either through the galley's port door
or through galley windows taking seat cushions or life jackets for floatation. Three patterns developed: one group
gathered at the helideck; a second group swam to the Delta Seahorse whilst a third jumped overboard to get away
from the upper hull before it sank.
The Delta Seahorse, alongside the Ranger I, signaled a MAYDAY and picked up four crew from the water, going
on to co-ordinate further rescue operations. The Miss Angela, busy towing another rig at the time of the collapse,
was also dispatched to aid the rescue and picked up a further 14 men. Coast Guard helicopters recovered another
four men from the water. Eight men lost their lives in the accident, with many of the survivors suffering serious
injuries.
The remains of the rig were later salvaged and examined by the U.S. Coast Guard. The investigating board
concluded that the Ranger I had collapsed as a result of an existing fatigue crack in the stern leg, near the
connection to the mat.At around 17:00 hours on 10 May 1979, the crack had rapidly propagated around the leg,
causing the leg to break and the rig to shudder. Over the following hours, a combination of dynamic and static
loading dislodged the broken leg and caused the rig to collapse.” 3
Remark on Item 13.2.1: The Installation Operator did not establish plans and procedures for inspection structures.
Objective Evidence:
The investigating board concluded that the Ranger I had collapsed as a result of an existing fatigue crack in the
stern leg, near the connection to the mat.
4.14 – MANAGEMENT PRACTICE No. 14: PLANNING AND MANAGEMENT OF MAJOR EMERGENCIES
14.1 Objective
The Installation Operator must carry out the management practice in order to ensure the appropriate planning and
management of major emergencies that might occur during the installation operation.
14.2 Planning and Management of Emergencies
14.2.1 The Installation Operator must define the team responsible for the production of the Emergency Plans.
14.2.2 The qualification and experience of the item 14.2.1 team must be determined by the dimension of the
scenario considered and by the complexity of the activity, installation, operation or enterprise to be examined.
14.2.3 The Installation Operator will be responsible for:
a) Identifying, under terms of Management Practice nº 12 (Identification and Risk Analysis), the major emergencies
and describe the associated accident scenarios;
b) Evaluating the response capacity to each accidental scenario;
c) Providing effective actions for emergencies response.
14.3 Major Emergencies Response
14.3.1 Preparing, documenting and establishing the Installation Emergency Plan containing the procedures for
planning and response to emergencies.
14.3.1.1 The Installation Emergency Plan can be complemented with resources and supplementary response
structure available in other location. The plan should indicate how structures and shared resources will be
triggered, in spite of belonging to the own operator or third party.
14.3.2 Establishing a training program that considers the members of the emergency response team. Other people
exposed to accident scenarios must be trained at the procedures for alarm and evacuation at least. The
requirements of international codes and standards for emergency response must be considered, as well as the
practices adopted by other applicable regulations in Brazil.
14.3.3 The Plan must also include:
a) installation identification and legal responsible;
b) description of the Installation accesses;
OTC 22685 21
c) accidental scenarios;
d) alarm systems;
e) accident communication;
f) organizational response structure;
g) procedures for emergency response;
h) equipment and response materials, and
i) supplementary resources and response structures trigger procedure, when applicable.
14.3.3.1 - Accidental scenarios resulting from the accidental hypothesis "oil spill" can be considered in a particular
emergency plan, such as "SOPEP - Shipboard Oil Pollution Emergency Plan" and / or other Emergency Plan
defined by other specific regulation.
14.4 Response Resources Management
The Installation Operator will be responsible for identifying all the response resources, including the emergency
systems and equipments, as well as all support services-providing contracted companies, ensuring their suitability
and availability.
14.5 Communication System
The Installation Operator must establish reliable and effective alarm and communication systems, as well as the
internal and external communication procedures, including regulatory agencies and other appropriate government
authorities.
14.6 Simulated Exercises
14.6.1 Conducting periodic simulated exercises considering all the scenarios covered by the Emergency Plan.
14.6.2 The simulated exercises must be:
a) coordinated with all organizations and regulatory authorities, when applicable;
b) analyzed in order to evaluate the need for updating the Emergency Plan;
c) accurately documented; and
d) scheduled to consider all the scenarios covered by the Installation Emergency Plan.
14.7 Emergency Plan Update
The Emergency Plan must be updated in the following situations:
a) when indicated by a risk analysis;
b) when indicated by the Emergency Plan performance evaluation, after an incident or
simulated exercise;
c) when physical, operational or organizational changes affect the installation procedures or the response capacity;
or
d) other situations at the ANP discretion.
Related accident: Bohai 2 Jack-up

Operator: China Petroleum Department
Summary
“The Bohai No. 2 jack-up was operated by the Ocean Oil Company and sank on 25 November 1979, resulting in
the deaths of 72 out of the 74 personnel on board. The jack-up encountered a storm with force 10 winds while
under tow in the Gulf of Bohai between China and Korea.
Reports state that waves washing over the main deck broke a ventilator pump free, causing it to fall and puncture a
one-meter hole in the deck. Flooding of the pump-room then occurred, causing the rig to settle in the water and
become less stable. The adverse weather conditions and lack of stability eventually caused the jack-up to capsize
and then sink.
A number of causes were attributed to the severity of the accident, including the failure to correctly stow deck
equipment prior to towing and the failure to follow standard tow procedures with regards to weather. Insufficient
training for the crew on the use of lifesaving equipment and emergency evacuation procedures was also stated as
the main causal factor in the high number of fatalities. The accompanying tow boat was reportedly unable to
perform basic rescue operations of the crew from the water.
Salvage operations including underwater explosion and cutting were later undertaken on the Bohai 2 by Yantai
Salvage company in April 1981.” 3
Remark on Item 14.6.1: The Installation Operator did not conduct periodic simulated exercises considering all the
22 OTC 22685
scenarios covered by the Emergency Plan.
Objective Evidence:
“Insufficient training for the crew on the use of lifesaving equipment and emergency evacuation procedures was
also stated as the main causal factor in the high number of fatalities. The accompanying tow boat was reportedly
unable to perform basic rescue operations of the crew from the water.” 3
4.15 – MANAGEMENT PRACTICE No. 15: OPERATIONAL PROCEDURES
15.1 Objective
Operational Safety Management System (SGSO) when establishing procedures, to ensure a safe operation at the
installation.
15.2 Preparation and Control of the Operational Procedures
15.2.1 Preparing, documenting and controlling the operational procedures for the operations that are conducted at
the Installation, with clear and specific instructions for the safe execution of activities, considering the operational
particularities and the activities complexity.
15.2.2 Ensuring that the operating procedures are updated and available onboard, for all personnel involved.
15.3 Procedures for Start-up and Decommissioning
The Installation Operator will establish and implement procedures for start-up and decommissioning operations.
Mechanisms for updating the information regarding the preoperation should be provided, when applicable.
15.4 Simultaneous Operations
15.4.1 The Installation Operator will identify the various categories and types of Simultaneous Operations when
existing significant operational interfaces and particularly when the Simultaneous Operations:
a) introduce new hazards that were not specifically considered at the risk analysis;
b) require special logistics, support measures or safe working procedures that were not specifically considered in
other Management Practices of this Technical Regulation; and
c) affect the availability / functionality of Operational Safety Critical Elements.
15.4.2 The Installation Operator will establish and implement procedures to manage Simultaneous Operations.
15.4.3 The control procedures must cover the following aspects:
a) The identification of the new risks introduced by Simultaneous Operations and the verification of appropriate
preventive and/or mitigation measures for the risks identified;
b) Responsibilities definition, to ensure an adequate coordination among all organizations involved, including the
emergency response.
Related accident: P-36 Semi-Sub

Operator: Petrobras
Summary
“The P-36 was originally named the 'Spirit of Columbus' and was constructed between 1984 and 1994 in Italy.
Designed as a floating production unit, the platform was based on a conversion of the Friede & Goldman L-1020
Trendsetter-type semi-submersible. It was redesigned for Petrobras between 1997 and 1999 and brought into
operation in the Roncador Field off the coast of Brazil in May 2000. The unit was capable of processing 180,000
bopd and 7.2 million cubic meters of gas per day. In May 2001, the P-36 was producing around 84,000 barrels of
oil and 1.3 million cubic metres of gas per day when it became destabilised by two explosions and subsequently
sank.
At around 2221 hours on the evening of 14 March 2001, drainage operations began on the portside emergency
drain tank (EDT), one of two 450 cubic metre tanks (one port, one starboard), which were used for the storage of
oil and water during maintenance or during an emergency involving the process plant. At 0022 hours on 15 March
2001, an explosion was recorded in the starboard aft column, thought to have been the mechanical rupturing of the
starboard EDT. This caused the release of gas-saturated water and oil into the aft starboard column and caused
the platform to list 2 degrees by 0027 hours.
This was followed by a second larger gas explosion which killed 10 members and fatally injured one member of the
attending fire-fighting crew. The resulting platform damage caused further flooding in the aft starboard column
compartments and pontoon tanks, with further sea water entry through the open sea chest valves. By 0815 hours
OTC 22685 23
on 15 March 2001, the platform had assumed a 16 degree list, which submerged the openings of the chain lockers
on the main deck level and caused a progressive list that led to the subsequent loss of the platform.
There were 175 people on board, of whom 138 were evacuated by crane to boat between 0144 to 0420 hours on
15 March 2001. The remaining crew were evacuated by helicopter at 0603 the same morning as the platform's
stability deteriorated. Over the following days, attempts were made to stabilise the platform by injecting nitrogen
into a vent line next to the damaged column, but bad weather disrupted rescue operations. The platform eventually
capsized at around 1140 hours on 20 March 2001 before sinking in 1300m of water, making salvage of the unit
impossible.
The platform sank with an estimated 9500 bbls of oil on board, of which around 2000 bbls leaked from the rig in the
first 24 hours. Operations to disperse the oil with chemicals and to recover the oil were undertaken in an effort to
minimise the damage from the spill.
The Petrobras Inquiry into the P-36 sinking - independently verified by Det Norske Veritas - summarised the chain
of events leading to the loss of the P-36 and proposed the following as the most likely causes of the accident:
 the alignment of the port EDT to the Production Header instead of to the Production Caisson, permitting the
entry of hydrocarbons into the starboard EDT;
 the unexpected flow of oil, gas then water under pressure through the entry valve of starboard EDT, causing
overpressure inside the tank;
 the mechanical rupture of the starboard EDT, which released oil, water and gas and initiated flooding in the
starboard column;
 the rupturing of the service sea water pipe in the starboard column, causing further flooding of the starboard
column;
 gas migration to upper areas of the starboard column via open doors and ventilation hatches;
 an ignition source causing the gas cloud to explode, resulting in major platform damage;;
 the activation of two fire-fighting pumps, which caused further flooding via the ruptured sea water pipe ;
 the failure of watertight dampers, which allowed water to invade all aft starboard pontoon rooms, including the
pump room, propulsion room, water injection room and access tunnel;
 the ingress of water causing the failure of the seawater pump, with the intake valves to the sea-chest
remaining open;
 further flooding via the open sea-chest valves causing a progressive platform list;
 the submersion of the chain locker pipes at the main deck level, which caused downflooding in the platform;
 the continued slow flooding of the starboard aft pontoon tanks and deck box compartments, until water
eventually flooded the central caisson and caused the platform to capsize then sink .
The main causal factors were listed as:
 the alignment of the port EDT to the Production Header instead of to the Production Caisson, permitting
the entry of hydrocarbons into the starboard EDT;
 the delay in the activation of the port EDT drainage pump, allowing the reverse flow of hydrocarbons for
about one hour;
 the failure of activators to close ventilation dampers, allowing water to flood the starboard column and
pontoon compartments;
 two sea water pumps being under repair without measures in place in case of emergency;
 Inadequate contingency plans and inadequate training for dealing with emergency ballast and stability
control situations;” 3
Remarks on Itens 15.2.1: The operational procedures for some operations that are conducted at the Installation
did not consider the operational particularities and the activities complexity.
Objective Evidence
24 OTC 22685
The storage of a large quantity of contaminated water in the drains storage tanks during a considerable part of the
period in which the platform was in operation, contrary to the Platform Operating Manual. According to the manual,
the status of these tanks during normal operation is to remain isolated, and they should only be used for the
emergency draining of large volumes of petroleum from the process vessels, or in an emergency situation that
required the storage of large volumes of production water in the tanks.10
The operation described was characterized as a critical non-conformity with regard to standard operational and
process procedures, determining the cause of the accident.
Although the hydraulic configuration of the drainage system of the drains storage tanks allowed their contents to be
pumped to the processing plant through the production header, the standard draining procedure required that the
operation should have been carried out through the production caisson with the subsequent discharge of the water
into the sea. The option to remove water from the tank via the production header was contrary to the operating
requirements of the Platform Operating Manual. 11
4.16 – MANAGEMENT PRACTICE No. 16: MANAGEMENT OF CHANGE
16.1 Objective
Operational Safety Management System to ensure that permanent or temporary changes to be conducted at the
installation will meet the requirements established in this Technical Regulation and in the applicable legislation.
16.2 Types of Changes
Changes in operations, procedures, standards, installations or personnel must be evaluated and managed in order
to ensure that the risks remain at acceptable levels.
16.3 Control Procedures
The Installation Operator will establish and implement a procedure to manage changes that may affect the
Operational Safety. This procedure must consider:
16.3.1 The description of the proposed change, including the justification for the change and the design
specification, when applicable.
16.3.2 The hazards assessment and the impact on global activities, before the implementation of changes.
16.3.3 The updating of procedures and documentation affected by the changes.
16.3.4 The training and communication for all staff affected by the changes.
16.3.5 The authorization for the proposed change should be issued by appropriate management level.
16.3.6 The possibility of updating the authorization, when the planned period for temporary changes needs to be
extended.
16.3.7 The process of Management of Change should be documented, stored and available for onboard
consultation for 2 (two) years at least. After that period, the documentation generated by the process of
Management of Change should be kept for a minimum period of 5 (five) years, in a place defined by the operator.
Related accident: Piper Alpha Platform

Operator: Ocidental
Summary
“The Piper Field was discovered by Occidental in January 1973, with the Piper Alpha platform becoming
operational in 1976. Located about 120 miles north-east of Aberdeen, the platform initally produced crude oil. In
late 1980, gas conversion equipment was installed allowing the facility to produce gas as well as oil. A sub-sea
pipeline, shared with the Claymore platform, connected Piper Alpha to the Flotta oil terminal on the Orkney Islands.
Piper Alpha also had gas pipelines connecting it to both the Tartan platform and to the separate MCP-O1 gas
processing platform. In total, Piper Alpha had four main transport risers: an oil export riser, the Claymore gas riser,
the Tartan gas riser and the MCP-01 gas riser.
On 06 July 1988, work began on one of two condensate-injection pumps, designated A and B, which were used to
compress gas on the platform prior to transport of the gas to Flotta. A pressure safety valve was removed from
compressor A for recalibration and re-certification and two blind flanges were fitted onto the open pipework. The
dayshift crew then finished for the day.
During the evening of 06 July, pump B tripped and the nightshift crew decided that pump A should be brought back
into service. Once the pump was operational, gas condensate leaked from the two blind flanges and, at around
22:00 hours, the gas ignited and exploded, causing fires and damage to other areas with the further release of gas
OTC 22685 25
and oil. Some twenty minutes later, the Tartan gas riser failed and a second major explosion occurred followed by
widespread fire. Fifty minutes later, at around 2250 hours, the MCP-01 gas riser failed resulting in a third major
explosion. Further explosions then ensued, followed by the eventual structural collapse of a significant proportion
of the installation.
167 men died as a result of the explosions and fire on board the Piper Alpha, including two operators of a Fast
Rescue Craft. 62 men survived, mostly by jumping into the sea from the high decks of the platform. Between 1988
and 1990, the two-part Cullen Inquiry established the causes of the tragedy and made recommendations for future
safety regimes offshore. 106 recommendations were made which were subsequently accepted and implemented
by the offshore operators.
A number of factors contributed to the severity of the incident:
 the breakdown of the chain of command and lack of any communication to the platform's crew;
 the presence of fire walls and the lack of blast walls - the fire walls predated the installation of the gas
conversion equipment and were not upgraded to blast walls after the conversion;
 the continued pumping of gas and oil by the Tartan and Claymore platforms, which was not shut down due
to a perceived lack of authority, even though personnel could see the Piper burning .” 3
Remark on Item 16.2: Changes in installations were not evaluated and managed in order to ensure that the risks
remain at acceptable levels.
Objective Evidence:

The design of the facility did not include sufficient protection of the structure against intense fires2
 The platform initally produced crude oil. In late 1980, gas conversion equipment was installed
allowing the facility to produce gas as well as oil. Presence of fire walls and the lack of blast walls -
the fire walls predated the installation of the gas conversion equipment and were not upgraded to
blast walls after the conversion.
4.17 – MANAGEMENT PRACTICE No. 17: SAFE WORKING PRACTICES AND CONTROL PROCEDURES IN
SPECIAL ACTIVITIES
17.1 Objective
Operational Safety Management System to control and manage the risks during the execution of special activities,
not covered by other management practices.
17.2 Permit to Work
17.2.1 The Installation Operator must establish a work permission system and other means of control to manage
activities in risk areas. The system must consider:
17.2.1.1 The establishment of the activities that may involve risks to the Operational Safety and must require a
Permit to Work.
17.2.1.2 The Permit to Work must include additional measures of precaution and mitigation that may be required to
safely perform the activity.
17.2.1.3 The previous analysis of the safety conditions for the activities execution, as well as the hazards in the
workplace.
17.2.2 The Installation Operator must ensure that the Permit to Work system:
a) Will be documented and will contain clear and concise instructions and authorization forms; and b) Establishes
controls and permissions approved by an appropriate managing or supervision level.
17.3 Monitoring
17.3.1 Monitoring the performance of activities in accordance with the requirements established in approved
procedures, in the Permit to Work and in the associated information and documentation.
17.3.2 Ensure that the Permit to Work and further controls are used until the end of the activity.
Related accident: Piper Alpha Platform

Operator: Ocidental
26 OTC 22685
Summary
The same described at Management Practice 16.
Remark on Item 17.3.2: The Installation Operator did not ensure that the Permit to Work and further controls are
used until the end of the activity.
Objective Evidence:
During the evening of 06 July, pump B tripped and the nightshift crew decided that pump A should be brought back
into service
“The communication problem that occurred on Piper Alpha seemed to be a general one: “unless he was involved
himself in suspending a permit, a night-shift lead production operator would not know which permits had been
suspended and accordingly what equipment had been isolated for maintenance purposes”. Again, the people who
performed the work did not seem to understand clearly (or to be willing to communicate) dependencies and
couplings among components, and how maintenance of one affected the others. The question simply does not
seem to have been addressed. It may be that the formal procedures are too complicated for the workers who
perform the job and that they consider it necessary to take shortcuts to alleviate the load. If that is the case, the
procedures should be streamlined and simplified so as to remove the source of the problem. 12
5 - Conclusion:
This paper aims to explain how compliance with each practice of this regulation could have prevented the most
likely causes of historical oil industry accidents. Accidents are many times understood as a coincidental alignment
of completely different technical failures. It’s true that many technical failures contributed to them, but almost
always all these failures back to failure of management.
As shown in this paper, ANP’s operational safety regulation is not prescriptive, not to discourage the creation and
implementation of new technologies in the field of safety engineering. It is believed that if the Installation Operator
has a good management on the minimum requirements demanded by this safety regulations, accidents can be
avoided.
Finally, as Chief Consils Report stated: “Saying that everyone is accountable can be beneficial in certain
instances, such as with respect to personal safety and “stop-job” authority, but can lead to a diffusion of personal
responsibility for process safety.” 1
The references on the Resolution ANP 43/2007 and to its Technical Regulation are a free translation and has no
legal effect for compliance or enforcement purposes. The original document can be obtained at
www.anp.gov.br/segurancaoperacional.
The data and opinions included on this paper are the sole responsibility of its author
and do not necessarily reflect ANP’s institutional opinions.
6 – References
1 Deep Water, The Gulf Oil Disaster and the Future of Offshore Drilling, Report to the President National
Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling, January 2011
2 Macondo – The Gulf Oil Disaster, Chief Counsel’s Report, 2011 - National Commission on the BP Deepwater
Horizon Oil Spill and Offshore Drilling
3 Avaiable in < http://home.versatel.nl/the_sims/rig/index.htm>, accessed in: February 20th, 2011, at 15:42.56
4 Video avaiable <http://www.youtube.com/watch?v=UOqJCfRwmw8>, accessed in: July 13th, 2011, at 20:13.10
5 Norma Regulamentadora 15 (NR15) – Ministério do Trabalho do Brasil
6 Montara Commission of Inquiry, Parliament House, 2010

View publication stats
OTC 22685 27
7 Victor Gibson April, 2008, summary compiled using the report of the Commission of Inquiry into the loss of the
Bourbon Dolphin, the Rig Move Procedures for the Transocean Rather from 213/26-1z Rosebank to 205/1-I
Rosebank and the Marine Log for the Event. Avaiable in
http://www.shipsandoil.com/Features/The%20Bourbon%20Dolphin%20Accident.htm, accessed in May 3rd, 2011, at
09:16:33
8 Avaiable in <http://unbcoffshore.blogspot.com/2011/01/incendio-em-plataforma-cherne-2-pch-2.html>, accessed

in May 3rd, 2011, at 09:37:47
9 Note from the labor union (sindicato dos petroleiros do norte fluminense - Sindipetronf), January 27th, 2011
10 Document from the labor union (sindicato dos petroleiros do norte fluminense - Sindipetronf), avaiable at
<http://www.sindipetronf.org.br/Publica%c3%a7%c3%b5es/Not%c3%adcias/tabid/62/NoticiaId/2149/Default.aspx>
, accessed at March 4th, 2011, at 10:12:01
11 Analysis of the Accident with the Platform P-36, Report of the ANP / DPC Comission of Investigation, July/2011
12 M. Elisabeth PatC-Cornell, Learning from the Piper Alpha Accident: A Postmortem, Analysis of Technical and
Organizational Factors, RiskAnalysis, Vol. 13, No. 2, 1993

Brazil ANP Requirement

Uploaded by

Copyright:

Available Formats

You might also like

Brazil ANP Requirement

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brazil ANP Requirement

Uploaded by

Copyright:

Available Formats

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

Application of the 17 Practices of the Management System for Operational

Conference Paper · October 2011

The user has requested enhancement of the downloaded file.

Application of the 17 Practices of the Management System for Operational

Copyright 2011, Offshore Technology Conference

2 - Operational Safety Regimen

3 - Management Practices of SGSO

The 17 Management Practices contained in this Technical Regulation are:

4 – Correlation of the accidents with Management Practices of SGSO

To make this correlation, the following will be used systematically:

4.1 – MANAGEMENT PRACTICE No. 1: SAFETY CULTURE, COMMITMENTS AND MANAGERIAL

Related accident: Deepwater Horizon, Macondo Well

4.2 – MANAGEMENT PRACTICE No. 2: INVOLVEMENT OF PERSONNEL

Related accident: Odeco Ocean Prince Semi-Sub

Operator: The Burmah Group

4.3 – MANAGEMENT PRACTICE No. 3: QUALIFICATION, TRAINING AND PERSONNEL PERFORMANCE

Related accident: Odeco Ocean Ranger Semi-Submersible

1. a large wave appeared to cause a broken portlight;

4.4 – MANAGEMENT PRACTICE No. 4: WORK ENVIRONMENT AND HUMAN FACTORS

Related accident: Ekofisk Bravo Platform

Operator: Phillips Petroleum Company

4.5 – MANAGEMENT PRACTICE No. 5: SELECTION, CONTROL AND MANAGEMENT OF CONTRACTED

Related accident: Deepwater Horizon, Macondo Well

4.6 – MANAGEMENT PRACTICE No. 6: MONITORING AND CONTINUED IMPROVEMENT OF

Related accident: Petrobras-26 (P-26)

4.7 – MANAGEMENT PRACTICE No. 7: AUDITS

beginning, excepting item 7.3.2.4.

4.8 – MANAGEMENT PRACTICE No. 8: INFORMATION AND DOCUMENTATION MANAGEMENT

Related accident: Montara Wellhead Platform

4.9 – MANAGEMENT PRACTICE No. 9: INCIDENTS INVESTIGATION

b) Classified and categorized types of Incidents;

Related accident: Bourbon Dolphin

4.10 – MANAGEMENT PRACTICE No. 10: DESIGN, CONSTRUCTION, INSTALLATION AND

Related accident: Sleipner A

4.11 – MANAGEMENT PRACTICE No. 11: CRITICAL OPERATIONAL SAFETY ELEMENTS

Related accident: Plataforma de Cherne (PCH-2)

4.12 – MANAGEMENT PRACTICE No. 12: RISK IDENTIFICATION AND ANALYSIS

h) Recommendations and conclusions.

Related accident: Mumbai (Bombay) High North Platform

Two areas were identified for investigation:

4.13 – MANAGEMENT PRACTICE No. 13: MECHANICAL INTEGRITY

Related accident: Atlantic Pacific Marine Corp. Ranger I

Related accident: Bohai 2 Jack-up

scenarios covered by the Emergency Plan.

4.15 – MANAGEMENT PRACTICE No. 15: OPERATIONAL PROCEDURES

Related accident: P-36 Semi-Sub

The main causal factors were listed as:

4.16 – MANAGEMENT PRACTICE No. 16: MANAGEMENT OF CHANGE

Related accident: Piper Alpha Platform

A number of factors contributed to the severity of the incident:

Related accident: Piper Alpha Platform

3 Avaiable in < http://home.versatel.nl/the_sims/rig/index.htm>, accessed in: February 20th, 2011, at 15:42.56

4 Video avaiable <http://www.youtube.com/watch?v=UOqJCfRwmw8>, accessed in: July 13th, 2011, at 20:13.10

5 Norma Regulamentadora 15 (NR15) – Ministério do Trabalho do Brasil

6 Montara Commission of Inquiry, Parliament House, 2010

8 Avaiable in <http://unbcoffshore.blogspot.com/2011/01/incendio-em-plataforma-cherne-2-pch-2.html>, accessed

You might also like