
The Fundamentals of Asset Integrity Management

Online Training Series Course Summary

COURSE B: THE FUNDAMENTALS OF ASSET INTEGRITY RISK MANAGEMENT

Module 1: Preventing major incidents by managing barriers


The age of the organizational accident
Most major accidents involve both active and latent failures:
o Active errors are associated with the front-line operators of a complex system, and
their effects are felt almost immediately. These are what may actually go wrong on a
particular day, such as operator error, or something that did not go the intended way
and actually failed. Active errors are said to be the result of latent failures.
o Latent errors may lie dormant within the system for a long time. They are errors that
did not occur at the front line or were not a direct cause of a failure. Operators tend
to be inheritors of system defects created by poor design, incorrect installation,
faulty maintenance, bad management decisions, etc.
We need to address the underlying issues and, in the event of an incident/accident,
investigate further into, let's say, design - at first look it may seem as though it was a
front-line error (e.g. operator error) when truly it was not. It is increasingly
important to focus on organizational processes and cultures (which affect human
behaviour) in order to raise standards of safety in high-technology sectors.

Case Studies
Texas City Refinery, USA 2005
BP acquired the refinery during the 1996 merger with Amoco. On 23rd March 2005 there was a
major explosion in the isomerization unit. There were 15 fatalities and over 170 injuries.
Active Failures:
o Raffinate splitter overfilled with hot liquid and relieved to the blowdown drum.
o Liquid overflowed from the drum into the process sewer and a vapour cloud developed,
ignited by a diesel pick-up truck 25 feet away.
Latent Failures:
o Combination of equipment failure, poor risk management, poor staff management
and working culture, maintenance and inspection failures, and inadequate general
health and safety assessments.
o BP had not distinguished between occupational safety and process safety.

Deepwater Horizon, Gulf of Mexico, USA 2010
April 2010, oil well blowout in deep water; 11 workers killed, 17 seriously injured.
Largest marine oil spill in the history of the petroleum industry (~4.9m barrels). In July 2010, BP
took a charge in its financial results of $32 billion; by June, $100 billion had been wiped off BP's
market value.
Active Failures:
o Failings in cementing, the blowout preventer, reading of pressure data, and
communication within and between BP and its contractors.
Latent Failures:

Course summary developed by Michelle McIntyre on behalf of Oil and Gas Fundamentals Oil and Gas Fundamentals 2012

THIS IS A CONFIDENTIAL SUMMARY OF THE CONTENTS OF AN ONLINE TRAINING COURSE FOUND AT WWW.OILANDGASFUNDAMENTALS.COM.
IT IS FOR THE REVIEW OF COURSE PARTICIPANTS ONLY AND IS NOT FOR DISSEMINATION COPYRIGHT RESTRICTIONS APPLY

o Focus on speed over safety - most decisions were made in favour of approaches which
were shorter in time and lower in cost.
This led to:
o New Bureau of Ocean Energy Management, Regulation and Enforcement (BOEM)
taking over from the Minerals Management Service (MMS).
o New safety and environmental legislation being implemented, requiring a Safety Case and
verification of the performance of safety critical elements.

Buncefield oil storage depot, UK 2005
11th December 2005, vapour cloud explosions following tank filling at an oil storage depot; 43
people injured (none seriously) - this number may have been higher had it occurred during the week.
The resulting fire engulfed 20 large tanks and took 5 days to extinguish - total cost 1bn!
Active Failures:
o Automatic protection system to prevent tank over-filling did not operate.
This led to:
o The vapour cloud explosion generated much higher overpressures than expected,
instigating scientific research.
o Recommendations for improved design and operation of fuel storage sites
(25), emergency preparedness (32), investigation of the explosion mechanism (3), and
land use planning (18).

We need to identify latent failures, design issues and operational issues, and address them so as
to get rid of them. For example, we need to design them out of the processes as far as possible,
and to make sure that we maintain our plant, processes and people in the way we expected during
the design process, so that they continue to perform during the operational phases - so that what
we have is what we thought we were going to have, and we continue to have it throughout the
lifetime.

Accident pyramids
Conventional thinking - conventionally, safety improvements have been focused on reducing
the number of personal safety incidents, hence improving personal safety levels, in
the belief that this would also help to improve process safety levels. But sadly, this
was not so.

Evolving thinking - in recent times, thinking has evolved to distinguish 2 types of safety
performance:
o Personal Safety Performance - which involves the improvement of overall safety
performance through measures such as putting up signs, conducting toolbox sessions with
employees, etc.
o Process Safety Performance - which involves the improvement and adequate usage
of safety management systems. Improving this involves identifying areas
where things might go wrong and designing them out/managing the residual risks.

What causes accidents to happen?


Swiss Cheese Model
o We are reliant on a number of different barriers to make sure that our plants and
operations continue to function. But any one barrier is never going to be 100%
effective. All barriers have 'holes' and weaknesses. The Swiss Cheese Model puts
forward that problems arise when these 'holes' line up.
o Let's say you have 5 barriers, and 2 of these barriers have 'holes', i.e. these defences
didn't work: you can end up with an incident or near miss. If all 5 of your
5 barriers have 'holes' that line up, that is when you are going to have accidents.
o Fallible decisions can introduce latent failures/weaknesses in the
design. These establish an environment that promotes unsafe acts, which
cause the holes in the barriers to line up at the wrong time and can cause accident(s).

Spinning Disk (Dynamic) Model
o This is different from the Swiss Cheese model - our risk control/management is
forever changing/dynamic.
o It is based on the same concept: we have hazards contained by multiple barriers
which have 'holes', and when the 'holes' align, the hazards can pass through and
potential harm can result.
o These barriers may be physically engineered containment, behavioural controls
dependent upon people, recovery measures, etc. The 'holes' in these
spinning disks may be latent or incipient weaknesses, or may arise because people, for
whatever reason, have made a mistake or have been set up to fail, causing
the hole to occur at that time.


These are the basic ideas behind the causes of accidents, so we need to have a process in place to:
a. Know what we're guarding against,
b. Identify what the controls need to be,
c. Look at where the weaknesses are, and
d. Make sure the controls continue to function the way we need them to.

Asset integrity risk management process - ISO 31000 Integrated Risk management
The steps in an Asset Integrity Risk Management Process are as follows:
1. Establish the Context of the decision to be made for the process, plant or operations you're
evaluating risk for. Establish what the drivers are, such as:
a. External drivers - legislation, stakeholders, etc.
b. Internal drivers - internal processes, etc.
Also establish what the boundaries are, who the audience is, etc.
After this you conduct the Risk Assessment by executing the following 3 steps:
2. Identify the Risk - you must identify the risks in order to know what can
potentially go wrong before you can make sure they are managed effectively.
3. Analyse the Risk - the frequency and consequence of the risk; understand these properly so
as to be able to know whether we have suitable controls in place.
4. Evaluate the Risks - decide whether or not you want to manage the risks and whether
the organization wants to accept the level of risk.


After evaluation of the risk, you can:
a. Terminate the risk and walk away completely, or
b. Transfer the risk - giving the risk to other organizations to perform services, or
contracting out certain levels of risk via insurance - all of which carries some level of
financial penalty, or
c. Treat the risk - when risks are retained, they can be treated: extra
controls or extra management measures can be put in place to
make them smaller, ranging from preventing release through to recovery
if released, or
d. Tolerate the risk - by retaining the residual risk and tolerating a certain level of
risk. But you have to understand the controls of the risks and assess how good the
controls are going to be and continue to be.
NB: Risk assessment should be an input into a decision-making process, NOT a
justification for a decision already made.
So to be able to make an informed decision, we need to know the risks we are getting into and
how well the controls are going to manage the risks. This cycle must be monitored and reviewed
continuously, and all steps in this process must be communicated and consulted on throughout the organization.

Barrier diagram (bowtie model)
The Bowtie model is good for visualizing how to manage risk: the better you can visualize the risk, the better you
can understand it, and the better you can identify where the flaws are and hence close up the 'holes'.
The parts of the Bowtie are as follows:
o Hazard - the centre point of the Bowtie is where the hazard is. A hazard is something/a situation with the
potential to cause harm, e.g. driving a vehicle.
o Top Event - the point where you can lose control of the hazard.
o Consequences - credible worst-case scenarios that might result from the release of a hazard.
o Threats - possible causes that might get us to the point of releasing the hazard.
o Barriers - these are not 100% effective. On the consequences side, mitigation measures might be the most
efficient barrier, diminishing or reducing the possible maximum consequence that we might have. On the
threats side, prevention of the hazard is the most effective barrier. Barriers become the focus for
enquiry - the place to ask such things as "are we doing as well as we thought we could?"
Asset integrity risk management
Identify the hazards; then assess the risk (frequency and consequence); then determine the preventative and
recovery measures necessary; then establish what the barriers have to do; then ensure that they will continue to
function for the future - suitable, sufficient and available.

Key learning points
o Disasters don't happen because someone doesn't hold the hand rail or put a lid on their coffee cup - they result
from flawed ways of managing asset integrity that allow risks to accumulate.
o Asset Integrity is about preventing and minimizing the consequences of a major incident, and is achieved when
facilities are structurally and mechanically sound and perform the processes and produce the products for which
they were designed.
o Major Incidents result from weaknesses (holes) in the barriers.
o Barriers may be prevention, detection, control, mitigation and emergency response measures, and may be a mix of
plant, process and people.
