Many serious accidents or incidents, including the Piper Alpha disaster in 1988, involve root

causes associated with shift handover.

An outgoing operator is handing over to an incoming operator at the end of a shift .
(a) Explain the key principles of safe shift handover.
. Information on specific operational issues is not required in part a. (10)
Shift handovers should involve the following principles:

 Be treated as high priority

 Not be rushed but be allowed as much time and resources as is necessary to ensure the
accurate communication of information
 Be conducted using both verbal and written means of communication
 Be conducted face to face, with both parties taking joint responsibility for the effective
communication of necessary information
 Be conducted in an environment which is conducive to good communication without
distractions
 Involve all shift personnel.

(b) Outline the main operational issues communicated at shift handover. (10)

 Work permits – the status of existing permits and the status of work in progress
 The updating of work permits
 Preparations for upcoming maintenance
 New personnel to the shift
 Any plant overrides – existing and planned
 Information about any abnormal events
 Any existing or planned shutdowns
 Any changes in plant parameters
 Any routine operations and existing parameters which may need to be carried out by personnel
from the incoming shift
 Any breakdowns which may have occurred
 Any faults which have occurred with safety critical equipment
 Inhibits to the Fire and Gas (F & G) and Emergency Shutdown (ESD) systems
 Any completed work and equipment which has returned to service.

2 (a) Identify the hazardous properties of Liquid Petroleum Gas (LPG). (4)

 LPG is an odorless, odorizing agent added in chemical reactions

 Colorless gas.
 Toxic and can cause Asphyxiation.
 Highly flammable.

(b)Outline the risks associated with Liquid Petroleum Gas (LPG). (4)

 Has a density of 2.0 when compared with air and tends to drift in low lying areas such as pits,
cellars, drains, etc. As such, it is difficult to disperse.
 Expands at a rate of 250:1 at atmospheric pressure when it changes from a liquid to a gas.
Consequently, it can cause a massive vapor cloud from a relatively small amount of liquid when
that liquid is released into the air.
  To store it effectively, it has to be converted from a gas to a liquid, which means it is stored at a
temperature of between 0°C and −44°C. Consequently, any moisture which settles to the
bottom of the tank storing the LPG will need to be drained off. This operation is extremely
hazardous as it carries the risk of this water freezing the drain valve in an open position and
allowing LPG to escape.
 Liquefied petroleum gas (LPG) is toxic and can cause:
(a) Asphyxiation.
(b) Cold burns to the skin on contact.
(c) Brittle fracture to carbon steel on contact.
(d) Environmental damage.
(e) Fire and explosion

3 Safety cases and safety reports provide documented evidence that an oil and gas
installation is safe.

Outline the typical content of these types of documents. (8)

 Identification of major accident hazards using assessments (Q SQ QRA), bow-tie

diagrams, etc. The impacts of potential major accident hazards should be analyzed and
identify
a. Each hazard scenario.
b. Threats to safety and what causes them.
c. Barriers to prevent those threats,
d. Consequences of each threat were it realized
 Evaluation of major accident risks and measure, taken (or to be taken) to control those
risks, using details of all existing "designed-in" precautionary and safety measures.
Existing and previous risk controls should be included, and then evaluated to see if these
are adequate or if further risk controls are required to demonstrate ALARP. This would
include.
e. Identify each hazard/incident scenario.
f. Assess frequency criteria.
g. Assess consequence criteria
h. Assess .occupied and unoccupied locations as separate criteria
i. Assess Evacuation, Escape and Rescue (EER Facilities and requirements.
j. For higher risks, assess individually
k. Identify and assess the risk control measures proposed to achieve ALARP.
 Arrangements for audit and audit reports with a plan showing the type of audit (internal,
external), how often they will be carried out, In what areas they will be conducted, how
recommendations will be dealt with and actioned, and who will be responsible for completion.
 Having an adequate safety management system in place, including the management of
contractors and sub-contractors. Selection criteria and approved lists of contractors would be
held, together with all returned data from contractors (such as safety questionnaires confirming
competence, insurances, etc.).
 Major accident prevention policies - in the case of safety reports these would need supporting
information from the safety management system
  Identification of the safety critical elements that are in place to manage major accident hazards
(scenarios, possible causes, controls, recovery systems).
 Details of the emergency plan. This would include layout drawings of the installation, showing
locations of all safety and emergency equipment, control points (e.g. control room, radio room,
etc.), isolation and shut-off controls, safe access routes and escape ladders, access to boats and
manning and launch procedures.

4(a) Identify THREE marine hazards associated with all types of Floating Platform Storage
Offloading Units (FPSO’s) (3)

 Breakdown, loss of power or loss of steering. This can lead to drifting, collision, running
aground, etc.
 Anchoring over pipelines, wells and submerged cables. This can lead to damage or rupture of
pipelines, wells or cables.
 Explosion during loading/unloading operations.
 Pollution – spillage, leakage, etc.
 Striking the installation (e.g. by a platform supply vessel in adverse weather).
 Man Overboard (MOB). The personal hazards associated with someone who falls into the water
include: drowning hypothermia being struck by debris or vessel becoming entrapped by debris.

(b) Identify suitable controls that minimize risk when operating Floating Platform Storage
Offloading Units (FPSO’s). (5)

 The vessel must be securely moored with sufficient mooring scope to ensure it does not range
along or away from the berth.
 The mooring scope must also take into account tidal rise and fall, river currents and the possible
effects of passing ships.
 Ensuring hoses are suitable for the product being discharged and the operating pressures they
will be subjected to.
 Ensuring the connections of pipes and hoses to be used in the transfer operation are secure.
Positioning drip trays beneath all connections and ensuring there is close monitoring of
connections during transfer operations.
 Deploying fire wires on the vessel to give tugs a means of moving the vessel away from its berth
quickly if an emergency arises.
 Reducing the risk of static electrical charges occurring on board ship by ensuring all metal
objects are bonded to the ship.
 Due to the possible differences in electrical potential between the ship and the berth, there is a
risk of electrical arcing at the manifold during connection and disconnection of the shore hose
or loading arm. To protect against this risk, there should be a means of electrical isolation at the
ship/ shore interface.
 Fire control measures, such as fire- fighting equipment, should be made ready before transfer
commences.
 Agreement should be reached between ship and shore on a discharge plan which ensures the
vessel is not subject to undue internal stresses as the cargo is discharged. The control room
should monitor flow rates and quantities. This includes alarm systems to indicate when tanks
are nearing their filing point. There are also sensors indicating the trim of the marine vessel so
that adjustments can be made to the ballast of the vessel as required.
  All doors and windows on board the vessel and in buildings at the terminal are to be closed. This
is to ensure there is no ingress of flammable vapor which might build up with the potential of
causing an explosion.
 Adequate venting arrangements should be in place to ensure vapor is dispersed properly and
safely. This will include monitoring wind direction and strength. Low wind speed can be an
added hazard as the dispersion of vapour in these conditions is minimal and it can build up in
dangerous quantities without being apparent. If there is an ignition source nearby, the results
can be catastrophic.
 Venting arrangements should be made for both the recipient tank and the donor tank. The
donor tank will require a volume of air, or more likely inert gas, to replace the volume of
product transferred.
 Once discharge commences, the vessel must be kept within the operating envelope (limits) of
the oil loading arms

5 An oil installation contains a vessel that requires protection from fire exposure in
the form of active or passive fire protection.

(a) Identify TWO examples of passive fire protection to protect vessels. (2)
 Spray- applied coatings
 Blanket/flexible jacket/wrap around systems
 Prefabricated sections such as walls
 Enclosures and casings
 Composites
 Seals and sealants
 Systems (e.g. cable transit blocks, inspection hatches, pipe penetration systems through
bulkheads
(b) Outline why the metal legs of the vessel should be protected. (2)
Protection of the steel from deformation/melting;
To ensure the vessel remains supported;
To prevent the vessel from releasing its contents and to minimize the consequences of a fire.

(c) Outline how a fixed water deluge system could provide fire protection. (2)
There may be an automatic deluge triggered from fire sensitive bulbs (fusible links) or there may be
some human intervention to initiate the deluge; this provides a large cooling medium that prevents the
situation from escalating further and will also starve the fire of oxygen and thus limit the effect of any
fire, radiation and smoke. c) Outline how a fixed water deluge system could provide fire protection. (2)

(d) Identify TWO additional examples of active fire protection. (2)

 Carbon dioxide inerting (such as in electrical switch rooms);

 foam deluge systems (such as for hydrocarbon fires);
 chemical powders; water mist systems and,
 Finally, automatic or manual fire monitors.

Outline the following failure modes that may lead to loss of hydrocarbon containment from
storage tanks/vessels or pipelines:
 (a) creep; (2)
Creep is where a solid material is subject to long term exposure of high stress levels and gradually
deforms in shape or dimension. Creep is exacerbated when the material is also subjected to heat for
long periods of time

(b) Stress corrosion cracking; (2)

Stress Corrosion Cracking (SCC) is where a material is subjected to both stress and corrosion. The
corrosion has the effect of reducing the threshold of the material at a particular point (i.e. it
weakens it), resulting in the stress causing the material to crack at that point

(c) Thermal shock; (2)

Thermal shock is the stress introduced into a material as a result of a sudden and dramatic change in
temperature. The result is that the thermal gradient of the affected area of the material is uneven,
causing stress within the material. The temperature change causes the molecular structure of the
material to expand, but as this expansion is not uniform, the bonds which hold the molecules in
formation are weakened, which may lead to a failure (crack) in the material.

(d) brittle fracture. (2)

Brittle fractures occur very suddenly and without warning, allowing a rapid release of
energy. In simple terms, fracture occurs because the structure of the material does not slip,
either owing to the structure of the material itself or that insufficient time is available due to
the intensity of the load placed on it (operating outside the safe envelope)

7 Outline FOUR types of work activity associated with an oil platform that might require a
permit-to-work AND give a reason in EACH case for the requirement. (8)

 Hot work permit which involves the application of heat or sources of ignition to vessels
or equipment which may contain or have contained flammable vapor. Also for areas in
which there may be a flammable atmosphere.
 Confined spaces used when entry to a confined space is essential for work to be done.
They should specify all of the precautions necessary to ensure that exposure to
hazardous fumes or an oxygen- depleted atmosphere is eliminated before entry to the
confined space is permitted.
 working at height to specify precautions required to fulfill the following requirements:
Protection for the person who will be working at height (fall arrest equipment)
Precautions for the safe rescue of a person should he/she fall
Supervision of the worker to ensure safe working procedures are being followed
Protection from falling objects
Safe access to and egress from the area.
 Isolation to ensure that any equipment is mechanically and electrically isolated before
work commences. A similar certificate may be used to confirm chemical isolation of
plant and machinery. All of these certificates, if used, should be cross- referenced.
8 A large oil company is proposing to build a new oil and gas installation in the North Sea. The
Process Safety Management Team is analyzing past incidents and database records from the
Oil and Gas Industry.

Excluding active and passive fire protection systems, outline physical design features of the
platform that would minimize risk to operating personnel in the event of a major incident. (8)

 Reducing inventories wherever possible.

 Substituting hazardous substances with less hazardous alternatives where possible.
 Minimizing hazardous process conditions where possible i.e. temperature, pressure,
rate of flow, etc.
 Designing systems and processes to be as simple as possible. This will have the effect of
reducing human errors which could create a hazardous event.
 Using fail- safe design features, e.g. a down hole safety valve which requires hydraulic
pressure to open the valve and allow product to flow, but in the case of lack of hydraulic
pressure, the valve closes and product stops flowing
 Minimizing the amount of hazardous material present at any one time
 Replacing hazardous materials with less hazardous materials
 Moderating the effect a material or process might have (reduce temperature or
pressure)
 Simplifying the design by designing out problems rather than adding features to deal
with problems
 Designing in tolerance levels to cope with faults or deviations
 Limiting the effects of any adverse event, e.g. via bunds around storage tanks
 Allowing for human error by designing in failsafe features such as valves which fail to a
SHUT position

9 (a) Identify TWO ways in which vapour clouds can be generated. (2)

 When a large amount of volatile material (e.g. hydrocarbon fuel) is released rapidly into
the atmosphere
 Vapour concentration, confined within a tank, vessel (or building)
(c) Outline how a vapour cloud explosion can be generated. (4)
 Detonation, the reaction zone propagates/ at supersonic velocity, and the principal
heating mechanism of the mixture is shock compression.
 Deflagration, the combustion process is the/ same as in the normal burning of a gas
mixture; the combustion zone propagates at subsonic velocity and the pressure buildup
Is slow.
(d) Identify the physical consequences of vapour cloud explosions. (2)
 Considerable damage
 overpressure,
 fire, explosion
 And resulting debris as airborne missiles.
10 An operator is draining a flammable liquid from process pipework to a metal container.
The supervisor is concerned about the possibility of an electrostatic charge forming and stops
this operation until a risk assessment is undertaken. During this work activity:

(a) identify factors that influence the generation of the electrostatic charge; (4)
 The conductivity of the liquid
 The amount of turbulence in the liquid
 The amount of surface area contact between the liquid and other surfaces
 The velocity of the liquid
 The presence of impurities in the liquid
 The atmospheric conditions. Static build- up is enhanced when the air is dry
(b) Outline practical ways of minimizing the formation of an electrostatic charge. (4)
 Ensuring filling operations do not involve the free- fall of liquids. This will reduce the
amount of splashing taking place.
 Lowering the velocity of the liquid being filled.
 Ensure fill pipes touch the bottom of the container being filled.
 Tanks which have been filled with products that have a low conductivity, i.e. jet fuels
and diesels, should be given time to relax before the process continues.
 Tanks which have been filled with product should not have any ullage (vapour space) for
a set period of time. Nor should any dipping of the product take place, again for a set
period of time.

11 An employee was seriously injured in an accident at work within an oil and gas
installation.

Identify the documented information that might be used by the investigating team to
determine the causes of this accident. (8)

 Victim statements
 Witness statements
 Plans and diagrams
 CCTV coverage
 Process drawings, sketches, measurements, photographs
 Check sheets, permits- to- work records, method statements
 Details of the environmental conditions at the time
 Written instructions, procedures and risk assessments which should have been in
operation and followed
 Previous accident records
 Information from health and safety meetings
 Technical information/guidance/toolbox talk sheets
 Manufacturers’ instructions
 Risk assessments
 Training records
 Logs
  Instrument readouts and records
 Opinions, experiences, observations

A safety management team within an oil and gas installation is expecting

The arrival of contractors. Hazards have already been identified, risks have
Been assessed and contractors chosen based on competency issues.
Outline practical ways of managing contractors:
In relation to provision of training when they arrive for work; (7)
 Contractors must be induced for all health and safety procedures of the operation, and
are required to adhere to employers' working practices and procedures, permit-to-work
systems, etc.
 The contractors must know the dangers of the site or installation.
 Contractors should be made aware that failure to comply with induction training,
employers' safe systems of work, permit procedures, etc, can result in disciplinary
 action being taken against individuals as well as contract penalties for the main contract
management in some cases
 Contractors must be made aware of emergency response tools and equipment.
 Limiting access the contractor has to specific areas
 Giving all of the contractor’s staff a detailed induction
 course on specific c hazards likely to be encountered
(c) During work; (10)
 Ensure a representative of the owner or operator is available to make sure contractors
follow the rules of the installation.
 Ensure all contractor employees know who the site or installation contact person is, and
how they can be contacted.
 Nomination of a site contact for liaison purposes.
 Have good procedures in place that ensure close and safe working with contractors at
all times.
 To establish a plan, and meet regularly to monitor its progress. Make sure all safe
systems of work (method statements, permits-to-work, etc.) are closely followed, and
that any incidents are reported and investigated.
 Checks must be made to ensure the contractor is suitable for the work being
undertaken.
 Once a contractor is selected and engaged, the client should provide an appropriate
level of supervision of the work being undertaken by the contractor.
 Carry out periodic checks during that period to make sure that any safety measures
which have been put in place are complied with.

(c) Upon completion of work.

 Punch lists are produced on completion of contracted work and before handover of
equipment to ensure that the equipment has been accepted by the company.
Particularly where problems may still exist.
  there should be a procedure for handing the site, or part of a site, piece of machinery or
plant, back to the client
 Confirming that all parts of the installation which have been temporarily the
responsibility of the contractor are in full working order and also that any isolations and
barriers have been removed. Any pipework which has been worked on must be pressure
tested to confirm its integrity (usually by using either water or an inert gas).
 Client reviews after completing the work for planning effectiveness of the contractor.

2- Within onshore and offshore installations thermal radiation output modelling is a form
of consequence modelling that helps with risk identification.

(a) Give the meaning of consequence modelling. (3)

 Modelling is a valuable predictive tool used to explore the significance of possible major
hazard scenarios and so help decision making. Apart from the information already
identified above, it also enables
 Identification of the key contributors to explosion risks -this helps prioritization.
 Exploration of the effectiveness of existing preventive and protective measures -which
could help justify the adequacy of your existing controls.
(b) Identify TWO events that produce thermal radiation. (2)
 Fire, explosion.

(c) Identify health effects associated with exposure to thermal radiation.

 Burning of the skin scorching, charring, and possible burns high body core
Temperature.3-a) Give the meaning of a jet fire. (2)
Jet fires (or spray fires) are turbulent diffusion flames that result from the combustion of
a fuel that is under continuous release. The release is usually under some momentum
jetted or sprayed in a particular direction
(c) Give the meaning of a pool fire. (2)
Are turbulent diffusing fires that burn above a horizontal pool of vaporizing hydrocarbon
fuel .where the fuel has no or very little initial momentum (i.e. it is not or hardly
moving).

(c) Outline the consequences of jet fires AND pool fires. (4)

The high temperatures of burning fuels sprayed onto surface scan lead to structural failures and
failure of pipe work and vessels involved, which can lead to escalation of the I, problems.

Process plants contain harmful gases such as hydrogen sulphide. Leak Detection systems are
designed to identify the presence of these gases on the plant.

(d) Outline features of a leak detection system that could minimize risk to workers on the
plant.
 Adequate Number of Detectors and Location The ability to detect may be defeated by
local air flows and the density of the gas.
  Maintenance/Testing Many have failed because of fouling, corrosion, etc. A fault
detection circuit should be incorporated
 Manual Backup Supplement with manual call points.
 Uninterruptible Power Supply In the event of power failure, the protection is maintained
 Minimization of Spurious Alarms If the detector initiates some control action (such as a
shutdown), to reduce the potential for spurious alarms, a voting system can be
incorporated (i.e. several detectors are required to activate to set off the alarm and
subsequent control action), The detectors can be specific to the substance or range of
substances being detected.
 It is important to make sure the detector is calibrated for the hydrocarbons being used.
 It may be appropriate to have a tiered approach, whereby detection of low levels
initiates investigation rather than shutdown.
(e) Identify the information that might be included on a checklist for an investigation
following an accident. (8)
Answered before

(f) A fired heater is used to heat a hydrocarbon fluid. A Forced Draught (FD) fan
supplies the air required for combustion and an Induced Draught (ID)fan extracts the
combustion gases. The cold hydrocarbon flows through tubes within the heater and is
indirectly heated by the ignited fuel. With reference to the diagram below:
(a) Outline reasons for controlling tube metal temperatures within
The heater;
 There are certain situations where creep is a well-known risk factor, such as water tubes in
boilers and furnaces. In these cases a creep failure would present itself as a rupture of the water
tube.
 Is essential to ensure excessive stresses are not placed on boiler tubes during increased cycle
demands. Tube temperature monitoring in the boiler furnace walls, generating tubes, super
heater tubes and reheated tubes can aid with troubleshooting boiler problems, such as
leakages, breaks and blockages in pressurized parts of the boiler and detecting heat-transfer
reduction caused by scale build-up.
(b) If the heater shuts down and the fire goes out, outline the specific operation
that must be performed before fuel is reintroduced into the heater AND
identify consequences if this operation does not take place. (4)
 Before the boiler reintroduced into the heater, hydrocarbon release is recommended to
decrease the pressure inside the heater tubes and also purging for removing any traces of
hydrocarbon
 This will lead to Over- firing the boiler, which is basically allowing the heat flux to increase to a
level beyond its upper Maximum Continuous Rating (MCR), which is set by the manufacturer of
the boiler. This can then have an impact on, amongst other things, the furnace walls and the
surface temperature of the refractory. It can also result in a substantial increase in tube and
membrane operating temperatures, which can lead to a degradation of tube metallurgy and
strength.

Tanker drivers transporting hazardous materials should attend a basic training course
approved by a competent authority.
 (c) Identify the typical content of such a basic training course.
The basic course content includes:

 General requirements covering the carriage of dangerous goods

 The main hazards associated with the carriage of dangerous goods
 Preventative and safety measures regarding various
 Hazards related to the carriage of dangerous goods
 Actions to be taken in the case of an accident
 Marking, labelling, placarding and hazard warning panels
 What not to do as a driver of a vehicle carrying dangerous goods
 Reasons for, and operation of, technical equipment on vehicles carrying dangerous goods
 Precautions to be taken when loading and unloading dangerous goods from vehicles
 Restrictions and instructions on driving vehicles carrying dangerous goods through tunnels

(a) In relation to fire safety, give the meaning of the following terms:
(i) vapour pressure; (2)

 Is the pressure exerted by a vapour in equilibrium with its liquid (or solid) state?
A liquid standing in a sealed container is a dynamic system, and some liquid molecules evaporate to
form a vapour, while some molecules of vapour condense to form a liquid, i.e. equilibrium. The vapour
as would any gas exerts pressure, and this pressure at equilibrium is the vapour pressure.
(ii) Vapour density. (2)

 Vapour density expresses the mass per unit volume, i.e. its weight. It is measured. Relative to
hydrogen

(b) Explain the relevance of vapour density in fire safety. (4)

 Vapour density has implications in container storage and I the' safety of personnel, in that if a
container can release a' dense gas (heavier than air) its vapors will sink. If they are
flammable vapors, they will collect at low level until they reach a concentration
sufficient for ignition to occur. Even if the vapors are non-flammable, they can
accumulate in a lower floor or bottom of a confined space and displace air, with the
hazard of asphyxiation to persons entering that space.
 Consideration of vapour density is a vital factor in deciding where to position gas
detection equipment, general ventilation requirements, etc.

Knowledge of failure modes is vital during initial plant design, safe

Operating procedure development and process operation.
(a) Identify THREE types of failure mode. (3)
 Creep
 Stress
 Stress corrosion cracking
 Thermal shock
 Brittle fracture
(b) Identify factors or conditions that may influence the likelihood of failure modes. (5)
 Initial design of the plant.
  Time
 Temperature.
 Periodic fluctuation in operating pressure.
 Vibration
 Tensile stresses.
 Periodic fluctuation of external loads.
 Material quality/ susceptibility.
 Surrounding environment.

(a) Give the meaning of competence. (2)

Competence can be defined as ‘can be defined as the ability to undertake responsibilities and
perform activities to a recognized standard on a regular basis. It is a combination of skills,
experience and knowledge..

(c) Outline why competence is important within management of change. (4)

 Include expert personnel to review the proposed changes to ensure that they will not
result in any operations exceeding established operating limits.
 Ensure that any proposed changes are subject to a safety review using hazard analysis
techniques (e.g. Hazard and operability studies) to assess the risks.

(c) Poor management of change is often a root cause of major process safety incidents within
the oil and gas industry. In the 21st century:

(i) Identify a major process safety incident onshore where management of change was one of
the root causes; (1)

 ESSO Longford and BP Texas City.

(ii) Identify a major process safety incident offshore where management of change was one
of the root causes. (1)

 Piper Alpha

(a) List the Hazards associated with LNG (2)

 Fire and explosion

Explosion in confined space
Frost bite / Cold Burns
Asphyxiation in a confined space
Terrorism & security threats

(b) Give the meaning of the following terms

 (i) Upper flammable limit – UFL

The highest mixture (maximum concentration) of fuel and air that sufficient to allow combustion to
occur. Above it, the mixture is too rich to burn
  (ii) Lower flammable limit – LFL (2)

The lowest mixture (minimum concentration) of fuel and air that sufficient to allow combustion to
occur. Below it, the mixture is too lean to burn.

Between these limits is the flammable (or explosive) range.

(c) Outline hazards of Low Specific Activity (LSA) sludges AND the Control measure to reduce risks of
worker exposure.

 Hazards include naturally occurring radioactive materials (NORM), e.g. uranium, thorium,
radium, strontium. Which could be inhaled or ingested
 Handling and disposal can cause occupational health and hygiene risks
 Also Pyrophoric iron – spontaneously ignites with air
Control Measure:
 Wearing of correct PPE – Respirator, Monitoring devices and personal sensors, Explosion proof
certified equipment, Safe working procedures, Training, Restricted, controlled areas, Minimize
interference with the environment, eensure that the national and international regulations are
followed (4)

(a) Identify the objectives of Failure Mode and Effects Analysis (FMEA). (2)

 To analyse each component of a system in order to identify the possible causes of its failure and
the effects of the failure on the system as a whole.

(b) Outline the methodology of FMEA AND give an example of a typical safety application. (6)

the methodology of FMEA includes breaking a system down into its component parts and identifying all
possible causes of failure of the component; assessing the probability of failure and its effects on the
system as a whole; identifying how the failures might be detected for example by a sensor; assessing the
probability of failure; allocating a risk priority code to each component based on severity, the probability
of failure and the effectiveness of detection; devising actions to reduce the risk to a tolerable level and
documenting the results of the exercise in the conventional tabular format.

A maintenance worker was asphyxiated when working in an empty fuel tank. A subsequent
investigation found that the worker had been operating without a permit-to-work.

Explain the meaning of the term “Permit to work”. (4)

PTW is a documented control system requiring written confirmation that certain actions have been
carried out to eliminate or control risks before a high risk or non-routine activity is carried out

• Example: Hot work permit for welding

(b) Outline why a permit-to-work would be considered necessary in these circumstances. (4)

a risk assessment of the work to be done would have identified the need for a permit to work since the
activity involved was a non-routine, high risk task in a confined space where the precautions to be taken
were complex, particularly since additional hazards might be introduced as the work progressed and it
was, therefore an activity requiring a structural and systematic approach. Additionally, a permit to work
in such circumstances might also be a legal or national requirement.
(c) Outline Six possible reasons why the permit-to-work procedure was not followed on this
occasion.(12)

 no, or an inadequate risk assessment had been carried out and consequently the potential
hazards had not been identified.

 There could also have been a poor health and safety culture within the organization where
violations were routine and where a permit to work system was considered to be too
bureaucratic and where complying with the terms of a permit prevents a task being finished
quickly particularly when there is pressure to complete

 the difficulty in organizing the required control measures before starting work, particularly if a
competent person was not at hand to authorize the permit;

 the controls to be followed were not described either clearly or specifically;

 The failure on the part of management to stress the importance of using a permit in such
circumstances and ultimately the possibility that the organization had failed to introduce and
operate a permit to work system.

On an oil and gas production platform asset integrity includes testing of safety critical systems such as
fire detector operation.

 Outline additional safety critical systems that may be tested. (8)

Blowout preventers. Used to control blowouts. When a blowout occurs, i.e. there is a sudden surge of
pressure from within the drill hole, the B- O- P is automatically activated by the ensuing pressure,
ensuring that the pressure is contained and the hole is sealed
Fire deluge protection systems.
They can apply a continuous and high volume of water to an area which includes the hazard as well as
possible escape routes for personnel.
Emergency shutdown valves.
a device which is designed to automatically shut down the flow of a fluid when a dangerous situation is
detected. As its name suggests, when such a situation is detected, it automatically shuts down the
process system and thus retains the integrity of the asset.
Fire and gas detection systems
the fire and gas detection systems use two main types of detection devices, one type for fire detection
and the other type for gas detection. The fire detectors are used to detect heat, flames and smoke,
whilst the gas detectors are used to detect flammable and toxic gas as well as vapours.
(a) Give the meaning of safety integrity level (SIL). (2)
Safety integrity levels Is a measure of the dependability of a system or component.
(b) Identify the nominated SILs. (4)
There are generally four levels, each corresponding to a range of "likelihood of failure" targets. SI L 1 will
be at the highest Probability of Failure on Demand (PFD) and SIL 4 the lowest PFD.
(c) Outline the significance of nominated SILs.
(c) The higher the safety integrity level the more critical is the safety function, for instance, trip
systems, fire and gas, HIPS, relief and blowdown systems.
Q1: A contractor is ongoing to start a job in oil & gas plant.
(d) Outline the issues that a Permit-to-work issuer will discuss with him. (20)
Answer
  All who may be affected by the work have been informed.
 The work area has been inspected prior to work commencing.
 All hazards have been identified.
 All health and safety precautions have been defined this may involve consultation with
installation specialists for certain tasks (electrical expeltise, engineer; etc.).
 Any necessary tests have been completed.
 Permit conditions are established.
 The permit is completed with the permit user.
 The precautions specified. In the permit are in piece. Before work starts.
 Change-over (handover) procedures are followed as appropriate.
 The permit is accepted and signed for by the permit applicant.
 All conditions of the permit are maintained throughout the work.
 The hand-back procedure is implemented.

Q2: Identify sources of information that might be used by an investigating team to

Determine the causes of a workplace accident. (8)
Q 4: Safety cases offshore and safety reports onshore have similar components.
(a) Outline the typical content of these similar documents. (4)
(B) Explain why the organization should have such documents. (4)
A) Answer before
(B)
 A safety case/report is a document which provides evidence and information in order to present
a clear, comprehensive and defensible argument that a system is adequately safe to operate in a
particular context
Q5: An operator is draining a flammable liquid from process pipework to a metal container. The
supervisor is concerned about the possibility of an electrostatic charge forming and stops this
operation until a risk assessment is undertaken
During this work activity:

(a) Identify factors that influence the generation of the electrostatic charge. (4)
(b) Outline practical ways of minimizing the formation of an electrostatic charge. (4)

(A)
 The conductivity of the liquid
 The amount of turbulence in the liquid
 The amount of surface area contact between the Liquid and other surfaces
 The velocity of the liquid
 The presence of impurities in the liquid
 The atmospheric conditions. Static build-u p is Enhanced when the air is dry
(B)
 Ensure that filling operations do not involve the free fall of liquids.
 Lower the velocity of the liquid being filled
 Ensure fill pipes touch the bottom of the container being filled
  Tanks which have been filled with products that have a low conductivity, i.e. jet fuels and
diesels, should be given time to relax before the process continues.
 Tanks which have been filled with product should not have any ullage (vapour space) for a set
period of time. Nor should any dipping of the product take place, again for a set period of time.
Q6: Welding is to be carried out on a broken pipe support bracket within a hydrocarbon
Processing plant. The plant does not need to be shutdown to carry out the repair.
Outline factors that would need to be considered before welding takes place. (8)
 Use of hot work permits
 Regular fire safety checks in the hot work area (during and after work),
 Use of burning/welding/soldering equipment only by qualified persons.
 Fire-fighting measures are in place to tackle any fire that may occur
 Area safety inspection to ensure flammable materials removed from the work area or
adequately protected from heat or sparks
Q7: …………..With reference to Non-Destructive Testing:
(a) Explain the meaning of Non-Destructive Testing. (2)
(b) Outline the disadvantages of visual inspection method. (2)
(c) Identify TWO NDT techniques used to determine surface defects. (2)
(d) Identify TWO NDT techniques used to determine sub-surface defects. (2)
A)
 Type of testing for detecting any defect in the material without destroying this material.
Examples (visuals inspection – dye penetrant)
B)
 Surface defect only and surface must be clean and accessible
(C)
 Visual inspection test
 Dye penetrant test
(D)
 Ultrasonic test
 Radiography test
Q9:
(a) Petroleum storage tank fires have been reduced substantially by using floating roofs, but a fire risk
may still exist.
(i) Outline how a fire risk may still exist with floating roof tanks. (4)
(ii) Identify TWO examples of fire protection systems used on floating roof tanks. (2)
i)
 A lightning strike is a massive discharge of electricity from the atmosphere, where the electrical
charge has built up, to the threat from lightning cannot be entirely eliminated, earth.
Particularly with floating roof tanks where vapor is usually present around the rim seal. In these
circumstances, measures to mitigate the consequences of a fire should be provided, including
automatic rim seal fire extinguisher systems.
 The most common fire hazards in above-ground tanks are overfilling._ vent fires and rim-seal
fires on floating roof tanks. These can also give rise to full-surface fires, which are further
divided into obstructed full-surface fires and unobstructed full-surface: fires
ii)
  Fixed foam Installations which spread foam around the rim seal.
 Monitors and water deluge cooling sprays may also be used.
Q10: Outline physical design features of an oil and gas installation that would minimize
Risk to operating personnel in the event of major incident. (8)

Answered before

Q11: A road tanker is being drive from an onshore refinery to petroleum (gasoline)
Station. Outline control measures of the Traffic Management process. (8)
 The area designated for loading and unloading should be situated away from general traffic
routes. It should also be situated on level ground connected between the vehicle and an
earthing point before loading/unloading commences.
 A no smoking policy should be established and maintained on site.
 There should be two opposing emergency exits from the loading/unloading area.
 Vapors which are displaced during the transfer operation should be returned to the donor tank
via a vapour- tight connection line
 The vapour return line should have a different connection fi tting compared with that of the
product transfer hose. This is to misconnection ensure there can be no
 The vapour return line should be connected before the product transfer hose is connected.
 There should be a device on the vehicle which locks the brakes in the ‘on’ position when the
vapour recovery line is connected.
 A competent person should be given the responsibility to monitor all the hose connections
during loading/unloading operations
 Any uncontrolled release of vapour should be recorded in the vehicle log book and reported to
the authorities.
 There should be a pre-formulated spillage plan ready to deal with any spillages, and a spillage kit
at the ready.