Process Safety –Recommended Practice on Key Performance Indicator

7/29/2019 Process Safety Recommended Practice on Key Performance Indicator

1/36

Process Safety Recommended Practice on Key Performance Indicators

Report No. 456

November 2011

I n t e r n a t i o n a l A s s o c i a t i o n o O i l & G a s P r o d u c e r s


2/36

Section 1 The need or process saety Key Perormance Indicators 11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Leading & lagging KPIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Section 2 Establishing corporate and acility KPIs 42.1 Applying industry recommended practice . . . . . . . . . . . . . . . . . . . . . . 42.2 The our tier approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.3 Corporate versus acility KPIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.4 Identiying critical barriers and selecting KPIs . . . . . . . . . . . . . . . . . . . . 72.5 Data collection, communication and review . . . . . . . . . . . . . . . . . . . . 10

Section 3 Tier 1 and Tier 2 123.1 Denitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.2 Consequence levels and material release thresholds . . . . . . . . . . . . . . . . 133.3 Normalisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3.4 Applicability to Upstream Operations . . . . . . . . . . . . . . . . . . . . . . . 153.5 Applicability to Upstream Activities . . . . . . . . . . . . . . . . . . . . . . . . 163.6 OGP Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Section 4 Tier 3 and Tier 4 184.1 Tier 3 KPIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184.2 Tier 4 KPIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194.3 Selection o Tier 3 and 4 KPIs . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Appendix A: Determining whether to report a recordable Process Saety Event (PSE) 23

Appendix B: Process Saety Event (PSE) consequence and threshold tables 24

Appendix C: Glossary o terms and defnitions 29

Appendix D: List o acronyms 32

Appendix E: Primary reerences and sources 33

In addition to the Appendices above, a supplement to this report is available which lists over sixty exampleso Process Saety Events (PSE) and will be updated with new examples rom companies. It can be down-loaded rom the publications section o the OGP website (http://www.ogp.org.uk )

Table of Contents

Disclaimer

Whilst every eort has been made to ensure the accuracy o the inormation contained in this publication, neither the OGPnor any o its members past present or uture warrants its accuracy or will, regardless o its or their negligence, assumeliability or any oreseeable or unoreseeable use made thereo, which liability is hereby excluded. Consequently, such useis at the recipients own risk on the basis that any use by the recipient constitutes agreement to the terms o this disclaimer.The recipient is obliged to inorm any subsequent recipient o such terms.

Copyright notice

The contents o these pages are The International Association o Oil and Gas Producers. Permission is given to reproduce

this report in whole or in part provided (i) that the copyright o OGP and (ii) the source are acknowledged. All other rightsare reserved. Any other use requires the prior written permission o the OGP.

These Terms and Conditions shall be governed by and construed in accordance with the laws o England and Wales.Disputes arising here rom shall be exclusively subject to the jurisdiction o the courts o England and Wales.


3/36

OGP

1.1 IntroductionAcross the global oil & gas industry,considerable eort has been ocusedon the prevention o major incidents.The International Association o Oil &Gas Producers (OGP) has previouslypublished Asset Integrity the key tomanaging major incident risks (OGPReport No. 415, December 20081)which provides advice on how toimplement an asset integrity manage-ment system or new and existing

upstream assets. It also includespreliminary guidance on monitoringand review, including how to establishlagging and leading Key PerormanceIndicators (KPIs) to strengthen riskcontrols (barriers) in order to preventmajor incidents. This report is intendedas a companion document to AssetIntegrity the key to managing majorincident risks and describes the practi-cal implementation o a KPI system.

The terms process saety and assetintegrity are both used throughoutthe petroleum industry, oten syn-onymously. From the denitions givenhere, there are small dierences inscope as asset integrity can include allstructures in acilities and is not limitedto processes handling hazardous sub-stances. However, it is clear that orthe oil & gas industry the emphasiso process saety and asset integrity isto prevent unplanned releases whichcould result in a major incident. For

this reason, this document is ocusedon KPIs to prevent such releases;however, much o the guidance canbe applied to other aspects o processsaety and asset integrity.

In response to a number o majorincidents such as the disasters in2005 at the US Texas City Reneryand the UK Bunceeld oil terminal,the downstream oil industry has beendeveloping improved process saetyKPIs. Recommendations provided byorganisations such as the UK Health& Saety Executive (UK HSE)2, theUS Chemical Saety and HazardInvestigation Board (US CSB)3 and theIndependent Baker Panel4 reinorcedthe pressing need or improved KPIs.This resulted in signicant eorts bythe American Petroleum Industry (API),the Center or Chemical Process Saety(CCPS)5 and others to develop andpublish guidance on KPIs or compa-nies to manage process plant risks andprevent unintended loss o hazardousmaterials. To ensure the upstreamindustry benets rom these eorts, thisOGP guidance builds a rameworkand denitions based on a recentANSI/API standard on Process SaetyPerormance Indicators or the Refningand Petrochemical Industries (Recom-mended Practice RP 754)6 as well asguidelines on metrics published by UKHSE7, CCPS8,9, and OECD10.

1 The need forprocess safety KPIs

1

Process saetyProcess saety is a disciplinedramework or managing theintegrity o operating systems andprocesses handling hazardoussubstances. It is acheived byapplying good design principles,engineering, and operating andmaintenance practices. It deals

with the prevention and control oevents that have the potential torelease hazardous materials andenergy. Such incidents can result intoxic exposures, res or explosions,and could ultimately result in seriousincidents including atalities, injuries,property damage, lost production orenvironmental damage.

Asset integrityAsset integrity is related to theprevention o major incidents. It is anoutcome o good design, constructionand operating practice. It is achieved

when acilities are structurally andmechanically sound and perorm theprocesses and produce the productsor which they were designed.

The emphasis in this guide is onpreventing unplanned hydrocarbonand other hazardous releases that may either directly or via escalation result in a major incident. Structuralailures may also be initiating causesthat escalate to become a majorincident.

Major incidentAn incident that has resulted inmultiple atalities and/or seriousdamage, possibly beyond the assetitsel. Typically initiated by ahazardous release, but may also resultrom major structural ailure or loss ostability that has caused seriousdamage to an asset (note this isintended to incorporate terms such asMajor Accident as dened by UKHSE11).

Definition


4/36

OGP

Major incidents rarely result rom asingle cause but rather by multipleailures that coincide and collectivelyresult in an exceptional event withsevere consequences. This relationshipbetween sequential ailures o multiplerisk control systems is illustratedin Figure 1 using the Swiss cheesemodel (ater James Reason, 199012and 199713). The same principlesunderpin other similar approaches

such as the bow tie model or layerso protection analysis (LOPA).

Hazards are contained by multipleprotective barriers or risk controlsystems. The barriers representedhere by individual slices o Swiss

Leading indicators

Hydrocarbons orother dangerousmaterial

LOPC event

Major incidentor other consequence

Escalati

onba

rriers

Preve

ntion

barriers

maintain barrier strength, i.e. activities

to maintain risk control systems

Lagging indicatorsmeasure barrier defects (holes),events and consequences

cheese are management systemprocedures, physical engineeredcontainment or other layers o protec-tion designed to prevent incidents.In this guidance we are primarilyinterested in Loss o Primary Contain-ment (LOPC) o hazardous material,which is the predominant cause omajor process saety incidents in ourindustry. Barriers can have weak-nesses, depicted as holes in the Swiss

cheese. The alignment o holes in the

model below represents the ailure oseveral prevention barriers resultingin an LOPC event. In our industry thereare sophisticated controls to detect anLOPC event and mitigate its conse-quences but holes in these escalationbarriers can also align and seriousharm can result rom a re, explosionor other destructive incident.

1.2 Leading & lagging KPIs

2

Figure 1: KPIs applied to the Swiss cheese model(based on the work o James Reason12,13)


5/36

OGP

This model can also be used todistinguish two important types o KPI.Recording the number o LOPC eventsor actual consequences where oneor more barriers ail simultaneously is a lagging indicator. The termlagging indicator may also be used tomeasure the number and size o holesin the barriers to assess the extento weaknesses, deects or ailuresin the risk control system. Whereasmonitoring the strength o the barrier by measuring the companys

perormance in maintaining robust riskcontrols is a leading indicator.

In this guidance, lagging indica-tors are generally retrospective andoutcome based whereas leadingindicators are usually orward-lookingand input based. In principle, mostLOPC events will have no actualconsequences but are still ailuresand thereore lagging outcomes, butlow consequence LOPC events alsoprovide leading inormation whenpredicting the likelihood o majorincidents with serious consequences.Thus the terms leading and laggingare generally useul but companiesneed to be aware that some indica-tors can provide both retrospectiveand orward-looking insights. A goodexample o a type o indicator thatcan be either leading or lagging is anear miss.

Due to the emotional and reputationalimpact o incidents that harm peopleor the environment, companies previ-ously ocused most o their attention onlagging KPIs by recording workorceinjuries or spills to the environment.This reactive mode o monitoring andreview is important. However, a strat-egy o waiting or incidents to happenthen learning lessons aterwards isinsucient when aiming to eliminatemajor incidents. In contrast, the combi-nation o leading and lagging KPIs to

assess barrier strengths and weak-nesses provides the opportunity to bepro-active, i.e. more predictive andocused on prevention. The pro-activeapproach should include KPIs thatassess hard technical barriers suchas engineering design or maintenanceand inspection as well as sot barri-ers such as training and competenceor saety culture and behaviour.

For each critical barrier, the UKHSE recommends a dual assuranceapproach in their guide on develop-ing process saety indicators7. Thisapproach uses a combination oone leading input KPI to test barrierstrength and correlate with onelagging output KPI to track anydeects in the barrier. In this report,we provide guidance on use o bothlagging and leading KPIs, includinguse o dual assurance.

3

Near-miss events a KPI git!A good example o a KPI which is both leading andlagging is the reporting o near miss events. Nearmisses include those events with consequences that donot meet the companys criteria or recordable incidentssuch as a spill o less than one barrel. Near misses alsoprovide simple observations o an unsae condition withno consequences. These are recognised as events whichhad the potential in other slightly dierentcircumstances to result in consequences that wouldhave been recordable, particularly high potentialevents where a major incident would have been arealistic worst case scenario. Thereore, near missevents provide leading inormation on the likelihood oactual incidents and also provide lagging inormationon barrier weaknesses. Near miss investigations cancontribute signicantly to continuous improvement oasset integrity and process saety, whether used toidentiy barrier weaknesses or as a warning o apotential catastrophe.

Why report process saety KPIs?

Preventing major incidentsProcess saety and asset integrity ailures can result inserious harm to people, the environment, property,reputation and nancial stability o a company. Recordingo major incidents and careul analysis o their root causescan provide lessons to prevent recurrence. As this analysisis retrospective and based on relatively inrequent events,companies cannot aord to rely on these lessons alone toprevent major incidents. It is thereore necessary tobroaden the analysis to learn rom events with lessserious outcomes and management system perormanceto pro-actively strengthen the barriers which preventmajor incidents. Process saety KPIs thereore generate arange o relevant data which can be analysed to improve

preventive actions, such as management system revisions,procedural changes, training opportunities, or acilityengineering improvements that aim to minimise andeliminate the potential or major incidents.

Improving reliabilityThe quality and productivity o a companys operations arerefected in its uture protability. Actions to prevent majorincidents go hand-in-hand with steps to make operationsmore reliable, eeding directly into nancial perormance.

Avoiding complacencyThe Baker Panel Report (2007)4 stated The passing otime without a process accident is not necessarily anindication that all is well and may contribute to adangerous and growing sense o complacency. Sincemajor incidents are relatively rare events, it is easy to givepriority to other lower consequence risks in the belie thateverything is OK. KPIs provide a constant reminder oasset integrity, the attention needed on process saetymanagement systems and the warnings rom near missesand less severe incidents.

Communicating perormanceIt is a constant challenge to communicate theimportance o process saety to the workorce.

KPIs provide reassuring evidence o managementocus, transparency and progress which can, inturn, support process saety culture and

behaviours.


6/36

OGP

2.1 Applying industry recommended practiceIn April 2010, API published Recom-mended Practice (RP) Number 7546 onProcess Saety Perormance Indicatorsor the Refning and PetrochemicalIndustries, reerred to here as RP 754.This standard was developed using anAmerican National Standards Institute(ANSI) multi-stakeholder process andwas based on preliminary guidanceon metrics rom both API and theCenter or Chemical Process Saety

(CCPS)8. RP 754 is an importantstandard because it has been globallysupported and adopted by down-stream and integrated oil companies.

As RP 754 is directed at downstreamactivities, OGP has recognised theneed to provide urther guidance tosupport RP 754s applicability orupstream activities and to recommendthis standard to E&P companies world-

wide. Wherever possible consistencywith the language o RP 754 is main-tained within this report, including theterm process saety which as previ-ously noted is taken to be synonymouswith the term asset integrity or thepurpose o KPIs. The complete RP 754is not reproduced here and should bedownloaded by companies rom theAPI website6.

2.2 The our tier approach

2 Establishingcorporate andfacility KPIs

Major incidents are relatively inre-quent so KPIs based only on these rareoccurrences may not yield sucientdata to prevent uture catastrophic inci-dents. However, Figure 1 demonstratesthat major incidents are the result onot one but a combination o ailureso the barriers that are designed tocontrol asset integrity risks. Logic

suggests that the same barrier ailurescausing major incidents also con-tribute to lower consequence eventsthat could have been much worse inslightly dierent circumstances. There-ore KPIs can be developed to gather

a broader set o more requent andstatistically valid data. These includeobservations o unsae conditions,near misses or activations o saetysystems which indicate barrier weak-nesses. The data can also includepro-active KPIs to monitor the extento a companys eort to maintain orstrengthen barriers through application

o its health, saety and environmentmanagement system (HSE-MS). In this

way the extended dataset rom thesemore specic, systematic KPIs canbe used to pro-actively monitor andimprove the most critical saety barri-ers to prevent major incidents. Thus ithas become clear that not one but acombination o measures is neededto monitor barrier perormance withinan asset integrity or process saety

management system. To structurethis combination o measures, OGPrecommends a our tier rameworko process saety KPIs, illustrated byFigure 2. This is also recommended inAPI RP 7546.

4

Tier 1LOPC events of

greater consequence

Leadingindicators

Laggingindicators

LOPC events oflesser consequence

Challenges to safety systems

Operating discipline & management system performance indicators

Tier 2

Tier 3

Tier 4

Figure 2: Process saety indicator pyramid(rom API RP 7546)


7/36

OGP

The our tiers are expressed as atriangle to emphasise that statisticallylarger data sets are available rom theKPIs at the lower tiers. This approachmirrors the now-amiliar personal acci-

dent triangle shown in Figure 3, basedon insurance claim work in 1931 by HW Heinrich14, and rened in 1969 orsaety by Bird & Germain15.

Tiers 1 and 2 are more lagging andcover asset integrity major and lesssevere incidents. For consistency withAPI RP 754 denitions, an incident isreerred to as a Process Saety Event(PSE). The Tier 1 and 2 indicators areully dened with the intent that thesecan be reported at the corporate level

in both internal and external reportsby any company. In order to achieveconsistency and comparability, theindicator denitions have narrowlydened scope and are thresholdbased. A description o Tiers 1 and 2with upstream specic guidance is pro-vided in Section 3. OGP has adoptedPSE at these two tiers to enable bench-marking. Companies may decide tocollect event data beyond the scopeor thresholds dened but should reportany such data separately rom their

aggregate corporate reporting o PSEsto OGP (see Section 3.6).

Tiers 3 and 4 provide more leadingmeasures. The indicators are intendedto be much more specic to a com-panys own management system andoten will be specic to a particularactivity (e.g. drilling) or to an indi-vidual asset, acility or plant. Whilecompanies may decide to aggregate

data rom such indicators, care mustbe taken to ensure that similar acilitiesor activities orm the basis o theaggregation, otherwise comparisonsmay lead to erroneous judgements.Because comparisons are likely to bechallenging, OGP will not benchmarksuch data initially but will encouragesharing o company experience andgood practice using these two tiers.Further inormation and guidance onTiers 3 and 4 with upstream specicexamples is provided in Section 4.

5

Fatalities

Recordable injuries

First aid incidents and near misses

Management system failings/audit findings

Figure 3: Occupational saetyindicator pyramid

The continuous improvementcycleThe concept o continuousimprovement, whether at corporate,business or acility level, is aundamental process or any structuredHSE-MS, which provides theramework to address Process Saety(PS). There are many versions o thecontinuous improvement process

including the Plan-Do-Check- Actcycle, as applied within ISO guidesand standards. The cycle illustratedhere places emphasis on improving themanagement system (including legalcompliance, company standards andlocal procedures) by addressingprocess saety risks through plannedcontrols which are implemented withinday-to-day operations. KPIs,particularly the more leading Tier 3and 4 indicators, underpin the threesteps to monitor operationalperormance, enable internal and

external reporting and then nallyreview outcomes to determine how torevise the management system andembed the continuous improvement.Such a cycle can benet both localand corporate management throughuse o leading indicators ocused onbarriers and lagging indicatorsocused on operational perormance.

HSEMS

PS risks

Barriers

Procedures

Operations

PS KPIs

Reports

Reviews

The continuous improvement cycle linksthree OGP guidance reports. ReportNo. 210 relates to development o HSEmanagement systems16, the startingpoint or the cycle. Report No. 415describes how the HSE-MS addressesasset integrity risks, barriers and

procedures or E&P operations1. Thisreport continues the cycle by providingguidance on KPIs, their reporting andreview.


8/36

OGP

Process saety KPIs to meet the threeneeds above will vary across a com-panys organisation rom an individualacility up to the corporate level. Atthe corporate level, data and otherinormation should be selected care-ully to be representative o the wholeorganisation when compiled andconsolidated to generate meaningulKPIs. The Tier 1 and 2 KPIs are recom-mended here or consolidation atcompany level or corporate reportingagainst all three needs listed above. Incontrast, Tier 3 and 4 KPIs are moreappropriate or monitoring acility

perormance, although some may beconsolidated at corporate level to testmanagement system controls imple-mented across the whole company.

Care must be taken to avoid over-whelming operations with corporateKPIs and then relying solely onthese KPIs because measures maybe overlooked or important controlbarriers that are critical to local

operations. Thus, as illustrated byFigure 4, it is important that additionaldata is collected at lower levels o theorganisation so that perormance to

address specic but critical saety risksor groups o operations with similaractivities, equipment and environmentscan be analysed. Typically this wouldmean that dierent additional KPIs areemployed or activities such as produc-tion, drilling or pipeline operations,either oshore or onshore. Further, atthe acility level, KPIs can be ocusedon more leading KPIs within Tiers 3and 4 to locally assess specicallydesigned technical barriers such asalarm systems, procedural barrierssuch as start-ups, or people barrierssuch as competence assessment.

2.3 Corporate versus acility KPIsAsset integrity KPIs are establishedby companies to meet three primaryneeds:

1. Internal monitoring and reviewo perormance related to themanagement system and otheractions to strengthen processsaety barriers and reduceincidents. KPIs are undamentalto continuous improvement, asillustrated on the previous page.

2. Assess whether the measuredperormance on process saetymeets or exceeds industrynorms by benchmarking KPI

data against industry averagesand by sharing lessons learnedwith other companies. In section3.6 we outline steps being takenby OGP to promote benchmark-ing and learning based on theKPIs in this guide.

3. Provide transparent disclosureo perormance to stakehold-ers such as employees, localcommunities, investors, govern-

mental and non-governmentalorganisations, and the generalpublic. There are manyopportunities or companies

to communicate and engagewith their stakeholders, but oneimportant channel is throughregular, typically annual,reports oten called sustain-ability or corporate citizenshipreports. Through the recentrevision o the publicationVoluntary Sustainability Report-ing Guidance or the Oil &Gas Industry, IPIECA together

with API and OGP have jointlyendorsed the process saety KPIramework or both upstreamand downstream reporting17.

6

Sites,facilities,plant, we

lls,pipe

lines,v

essels

Exploration, productio

n,drilling

Company

Figure 4: Hierarchy o asset integrity KPIs

Data consolidated across a corporationExamples: Tier 1 and Tier 2 PSE , overdue asset integrity/process saety actions rom

corporate audit ndings (Tier 4), implementation o corporate saety initiatives (Tier 4)

Data consolidated within a business activityExample: as above, plus near miss LOPC (Tier 3), demands on saety systems

(Tier 3), Process Hazard Analysis action closures (Tier 4), asset integritytraining (Tier 4), engineering standards implementation (Tier 4)

Data collected in detail by operationsExample: as above, plus corrosion inspection ndings (Tier

3), operational upsets (Tier 3), saety instrumented systemtesting (Tier 4), scheduled maintenance (Tier 4),

competence assessment on saety criticalprocedures (Tier 4)


9/36

OGP

2.4 Identiying critical barriers and selecting KPIsSelecting eective indicators is achallenge, particularly leading Tier 3and 4 KPIs which aim to pro-activelyimprove process saety at the acilitylevel. This requires companies andtheir acilities to develop knowledgeand understanding o the most criticalrisk control barriers, whether thebarriers are acility-specic or applyto groups o similar acilities or evenapply across the whole company.

An approach to identiying appropri-ate barriers and selecting indicatorshas been provided by the UK HSE ina guide on developing process saetyindicators7 and urther developed in aCCPS book on process saety metrics9.Based on these, a 6-step approach isrecommended, as shown in Figure 5and detailed overlea.

Step 1

Step 2

Step 3

Step 4

Step 5

Step 6

Ensure management ownership and establish implementation team

Confirm critical process and integrity barriers to prevent major incidents

Establish industry Tier 1 and Tier 2 KPIs to assess company performance

Select Tier 3 and Tier 4 KPIs to monitor critical barriers at facilities

Collect quality data, analyse performance and use to set improvement actions

Regularly review critical barriers, actions, performance and KPI effectiveness

7

Figure 5: six step approach or selection and review o KPIs


10/36

Proactiv

e

Conse

quen

ce

Hazard

Identifyc

ontrolst

omitiga

te

identified

hazards

and

risks(e.g

.HAZOP

,PHA)

Exter

nal

Industry-

widelear

ning,

riskcont

rolbarrie

rs,KPIs

andgoo

dpractic

e

Reactiv

e

Weakba

rrierside

ntified

fromass

etintegr

ityincide

nts

andhig

hpotenti

alevents

OGP8

Ensure managementownership and establishimplementation team

Ownership o the KPIs by seniormanagement is essential to ensurethat the data is reviewed at a levelwhere continuous improvement actionscan be agreed and actioned, includ-ing investment, prioritisation andresource deployment decisions. KPIsthat do not result in actions to improveperormance are not just a waste oeort, but can mask true perormance.Thereore a rst step is to establisha team typically bringing togetheroperational and saety expertise withmanagement at acility, business andcorporate levels, as appropriate.The KPI implementation team needsto have clear lines o accountabilitywithin the companys managementstructure and should coordinate theimplementation o the next ve stepsas an integral part o managementssaety review cycle.

Establish industry Tier 1 andTier 2 KPIs to assess companyperormance

KPIs need to be selected which arerelevant to the operations o thecompany and refect its perormancein managing major incident risks.The recommended Tier 1 and 2 PSElagging KPIs in Section 3 provideconsistent measures that provide base-line data on industry and companyperormance, and acilitate trendanalysis and benchmarking. Depend-ing on the nature o operational risks,companies may choose to build onand supplement the recommendedKPIs by separately collecting addi-tional data, or example on structuralintegrity ailures which do not involvean LOPC. In general, while Tier 1 and2 PSEs provide baseline perormanceinormation, the number o eventsrecorded is unlikely to be statisticallysucient or specic enough to assessbarrier strength and drive continuousimprovement, and this is a key reasonor implementing Tier 3 KPIs. Typically,Tier 1 and 2 PSEs are established withthe standardised denitions withinand across companies. These twoKPIs should be retained year-on-year

to provide a consistent record o acompanys perormance.

Confrm critical process andintegrity barriers to preventmajor incidents

It is important to determine and annu-ally conrm the risk control barrierswhich are critical or prevention omajor incidents and to ensure that KPIsare in place to measure the eective-ness o these barriers. At acility orcorporate level, there are three typeso inputs which can be used togetherto help identiy weak or critical bar-riers. These inputs are illustrated inFigure 5 and discussed below.

Pro-active input relies uponidentication o hazards andrisks which could lead to amajor incident. Inormation can

be drawn rom recent ProcessHazard Analysis (PHA) and otherrisk assessments related to assetintegrity/process saety, whichwill include the barriers identiedto manage the risks. Pro-activeinput conrms which barriersare in place to control the mostimportant process saety risks andthe management system elementsto maintain and improve thosebarriers.

Reactive input is based upon root

cause investigation o major inci-dents and high potential events ordemands on saety systems that

could, in other circum-stances, have resulted in

an actual incident. Thereview o root causesshould be mapped

against both hardtechnical and sot manage-

ment system barriers to identiythose that are most critical touture incident prevention based

on past incidents, or to identiythe need or new barriers wheregaps exist. Such a review canalso be supported by evidencerom process saety, asset integrityand occupational saety auditndings. At a more detailed level,reactive input identies the holesin barriers.

External input takes account oexperience and best practice riskcontrol systems shared in the oil& gas or other industries, oten asa result o past major incidents.Learning rom others can highlightcritical barriers and oten suggestsKPIs which can be considered inStep 4.

Figure 6: Inputs to identiy critical barriers


11/36

OGP 9

Select Tier 3 and Tier 4 KPIsto monitor weaknesses incritical barriers at acilities

Companies should select and imple-ment appropriate Tier 3 and Tier 4KPIs which will generate statisticallyrelevant perormance data that isspecic to the critical barriers identi-ed in Step 2. Because they need torefect dierent operational activitiesand management systems o the acili-ties, there is a very wide choice o Tier3 and 4 KPIs. In Section 4, exampleKPIs are provided which may provideuseul starting points but companieswill usually need to tailor and evolvetheir Tier 3 and Tier 4 measures assome barriers are strengthened andother weaknesses are identied.

Collect quality data, analyseperormance and setimprovement actions

It is essential that the eort to collectand analyse KPI data is not justabout counting the score but ratherit becomes an integral part o thecontinuous improvement cycle withinthe HSE-MS. In order to have con-dence in the analysis it is valuable toestablish quality assurance processesto veriy the accuracy, consistencyand completeness o the collecteddata. Trending, correlations and otherstatistical analysis should then be per-ormed which takes into account thequality as well as the inherent repro-ducibility o the KPI. The perormancedata, highlighting meaningul change,should be transparently communicatedto management or review resulting inimprovement actions as input to thecontinuous improvement cycle (seeSection 2.3).

Regularly review criticalbarriers, actions, perormanceand KPI eectiveness

It is important to conrm that processsaety KPIs remain ocused on themost important barriers to preventmajor incidents. While some KPIs,particularly the Tier 1 and 2 measures,are intended to be implemented andestablished or long-term review operormance, other KPIs may be usedor a ew years and then evolve toprovide more detailed inormationon barrier strength. It is thereorerecommended that the implementationteam revisit Steps 3 and 4 to ensurethat process saety barriers and Tier3 and 4 KPIs are regularly reviewed,typically annually, as part o manage-ments review o saety actions andperormance. KPIs should be removedor replaced i they do not provideinormation that enables perormanceimprovement or i they monitor abarrier which is no longer critical toaddress.

For example, a acility may choose toestablish a leading Tier 4 KPI to recordthe number o scheduled inspectionand maintenance tasks which areoverdue. Over 2-3 years the indica-

tor may show that perormance hasimproved and is satisactory. However,Step 3 may conrm that the inspectionand maintenance remains a criticalbarrier. In this example, the acilitymay then decide to improve the eec-tiveness o its leading KPI by collectingstatistical data on the number andcategories o saety critical ndingsrom the already tracked inspectionand maintenance tasks. Using thedual assurance approach, the datacould then be correlated annually with

data on PSEs or other events relatedto inspection and maintenance withthe aim o identiying priorities orimprovement o the barrier.


12/36

OGP

2.5 Data collection, communication and review

10

The aim o asset integrity KPIs is tohelp prevent major incidents thatare generally the result o multiple,simultaneous barrier ailures. As suchincidents do not occur very requently,it can take a very long time to gatherstatistically relevant data on majorincidents alone. Thereore, systemsneed to be implemented or consistentcollection and analysis o data andrelated inormation on more than just

major incidents. Companies shouldconsider the ollowing or each KPI:

Engage all parties who will beinvolved in the data collectionand review process to ensure thatthere is common understanding othe importance and value o thedata, and commitment to regularlysubmitting a complete set o datawhich has been checked oraccuracy.

Establish a clear boundary orthe acility, business or companywhich lists all discrete assetswhich will collect data. IPIECA hasprovided guidance on developinga reporting boundary, and recom-mends applying the operationalapproach or collection o Tier1 and 2 data. This approachis based on collecting datarom reporting units which areassets operated by the company(irrespective o the companysownership in the company or joint

venture). Companies should clariywhether any assets operated bya contractor on the companysbehal are to be included.

Ensure that the denition o theKPI is clearly understood and isnot ambiguous. For a new KPI,a period o pilot testing may benecessary. There will always becases where there is debate aboutinclusion o data and thereore amechanism should exist to provideadditional guidance, whenrequired. The set o examplesincluded as a supplement to this

report20 provide a useul reerenceon determining whether an eventshould be reported based on thedenitions in Section 3.

Clariy the scope o the KPI. Thescope should clariy which activi-ties are included or reporting.In Section 3, urther inormationis provided on the E&P activitiesincluded or Tier 1 and Tier 2reporting. Companies may decideto widen the scope o a KPI, butshould ensure that the data systemcan separate out inormationwhich is beyond the guidancein Section 3 in order to preserve

consistency or benchmarkingpurposes.

Communicating the data is important.I the data is communicated well itwill quickly highlight relevant trendsand changes to promote managementreview and action. I communicatedbadly, the presentation o the datamay mask perormance inormationand or even misdirect managementattention. Regular reporting typicallyincludes a combination o graphical

output to show trends, tabulated dataand interpretative text . The concept oa dashboard can be eective, espe-cially when automatically populatedrom an electronic database or plantcontrol system. Typically a dashboardcombines and highlights asset integritytogether with related operational datato quickly show change using traclights, dials, or other icons. For largerorganisations, it will be appropriate tocommunicate the data to various levelso management by consolidating data

in dierent views and degrees odetail. Figure 7 illustrates how dierentdashboards may be stacked in adata system to serve the various needso an organisation.


13/36

OGP 11

Corporate

Business activity

Business unit

Facility

Plant

Shit

Great specicity, more emphasis on Tier 3and 4 KPIs, less aggregation, more dataand greater integration with operationalparameters.

More emphasis on Tier 1 and 2 KPIs,greater aggregation, limited or no detailat acility, plant or shit levels, more text onhigh-level interpretation o data.

Figure 7: Use o dashboards in a larger organisation

Having communicated the processsaety KPI data in a timely manner tothe right audience, the most importantnal step is to put the data to workand strengthen the risk control barriersin the management system. For this tobe part o the continuous improvementcycle, regular review o the data isrequired, typically with a ull annualreview and several interim progressreviews. While the review can ocuson asset integrity perormance, it isgood practice in the annual review to

broaden the range o inputs so that theKPIs are not reviewed in isolation.

Examples o other inputs can include:High-level management system

or specic process saety auditndings

Summary o investigation out-comes and implementation olessons learned rom Tier 1 and 2incidents, or high potential events

Responses to major incidentselsewhere in the industry

Overview o plant reliability andcorrelation with process saety

KPIsChanges to stang levels, saety

critical competencies, training,demographics

Impact o major start-ups/shut-downs, new developments oracquisitions

Regulatory compliance peror-mance or changes

Saety culture surveys or behav-iour based saety ndings

Benchmarking data rom OGP orother associations

Shared good practices rom peercompanies

Proposals or new or modied oreliminated KPIs

While not all o these inputs may berelevant, it is nevertheless important touse such sources o existing data andinormation to support interpretation

and decisions based on the processsaety KPIs. The annual review shouldalso link to the other data needs o thecompany which will normally includeexternal/public reporting to stakehold-ers or regulators and also submissiono data to enable benchmarkingagainst industry perormance norms orcomparison with peers.


14/36

OGP

3.1 Tier 1 and 2 KPI denitionsThe Tier 1 and Tier 2 KPIs countLOPC incidents that are reportableas Process Saety Events (PSEs), i.e.the incident results in any o theconsequences stated in RP 7546. Tier1 PSE records incidents with greaterconsequence and is the most laggingperormance indicator within theour tier approach (Figure 2). Tier 2PSE records incidents with a lesserconsequence. Tier 2 PSEs, even those

that have been contained by second-ary systems, indicate barrier systemweaknesses that may be precursors outure, more signicant incidents.

When used in conjunction with lowertier indicators, the two PSE KPIscontribute to a companys assessmento its process saety and asset integrityperormance and can provide acompany with opportunities or learn-ing and improvement.

The Tier 1 and Tier 2 KPI denitionsare reproduced below directly rom RP754 and list the LOPC consequenceswhich result in a recordable PSE. Thedenitions reer to material releasethreshold quantities, which have beenreproduced in Appendix B. The ulltext o RP 754 should be consultedwhen urther details are required6.

Tier 1 and Tier 2 PSEs have beenadopted by OGP with the intent thatthese KPIs are applied across produc-tion and drilling operations or the oil& gas industry worldwide. Thereore, itis recommended that, where practicalto do so, companies adhere closelyto these denitions. Companies willcommonly provide internal guidance,particularly in order to align denitionswith existing company terminology

and management systems.Appendix A provides a useul fowchart to help determine whether anLOPC is reportable.

3 Tier 1 and Tier 2

Table 1 process saety event defnitions, reproduced rom API RP 754Tier 1 Indicator Defnition and Consequences

A Tier 1 Process Saety Event (PSE) is a loss o primarycontainment (LOPC) with the greatest consequence. A Tier 1PSE is an unplanned or uncontrolled release o any material,including non-toxic and non-fammable materials (e.g. steam,hot condensate, nitrogen, compressed CO

2or compressed air),

rom a process that results in one or more o the consequenceslisted below:

An employee, contractor or subcontractor days awayrom work injury and/or atality;

A hospital admission and/or atality o a third-partyAn ocially declared community evacuation or community

shelter-in-placeA re or explosion resulting in greater than or equal to

$25,000 o direct cost to the CompanyA pressure relie device (PRD) discharge to atmosphere

whether directly or via a downstream destructive devicethat results in one or more o the ollowing ourconsequences:

liquid carryover discharge to a potentially unsae location an onsite shelter-in-place public protective measures (e.g., road closure)

and a PRD discharge quantity greater than the thresholdquantities in Appendix B in any one-hour

A release o material greater than the threshold quantitiesdescribed in Appendix B in any one-hour period

Tier 2 Indicator Defnition and ConsequencesA Tier 2 Process Saety Event (PSE) is an LOPC with lesserconsequence. A Tier 2 PSE is an unplanned or uncontrolledrelease o any material, including non-toxic and non-fammablematerials (e.g. steam, hot condensate, nitrogen, compressedCO

2or compressed air), rom a process that results in one or

more o the consequences listed below and is not reported inTier 1:

An employee, contractor or subcontractor recordableinjury;

A re or explosion resulting in greater than or equal to$2,500 o direct cost to the Company;

A pressure relie device (PRD) discharge to atmospherewhether directly or via a downstream destructive devicethat results in one or more o the ollowing ourconsequences:

liquid carryover discharge to a potentially unsae location an onsite shelter-in-place public protective measures (e.g., road closure)

and a PRD discharge quantity greater than the thresholdquantities in Appendix B in any one-hour period

A release o material greater than the threshold quantitiesdescribed in Appendix B in any one-hour period

Note: Non-toxic and non-fammable materials (e.g., steam, hot water, nitrogen, compressed CO2

or compressed air) have nothreshold quantities and are only included in this denition as a result o their potential to result in one o the other consequences.

12


15/36

OGP

To determine whether an LOPC eventis a recordable PSE at the Tier 1 orTier 2 level it is necessary to collectand analyse data on the conse-quences o the unintended release, asdetailed in Table 1. I the LOPC causesactual harm or damage a atalityor injury, or a re or explosion thenthe level o consequence is relativelystraightorward to determine. In thecase o atality or injury, the severity

criteria are aligned with standardindustry practice or reporting occupa-tional saety perormance in the E&Pindustry, including the annual datasubmission to OGP. Most companiesalso internally capture data on reand explosion damage. While thedirect cost thresholds o $25,000 orTier 1 and $2,500 or Tier 2 in Table1 might appear low consequences orupstream operations, it is important tocapture these events because urtherescalation barriers have ailed to

prevent ignition o the LOPC andcause property damage. When anLOPC alls below the criteria or Tier 1or Tier 2, the event may be reportedor company internal reporting using aTier 3 KPI (i.e. a near miss or demandon a saety system). For convenience,the denitions o consequence pro-vided in the previous sub-section havealso been summarised in Appendix B.

When an LOPC event happens butthere are no or low actual conse-quences in terms o harm to people orproperty damage, it is still importantto to record the event in order to

recognise that at least one barrier hasailed, there was potential or seriousconsequences and that there is anopportunity to learn. For this reason,an LOPC event is also recordable i thematerial is hazardous and the amountreleased is signicant in terms opotential consequences. To determinewhether the LOPC is a recordable PSEat either Tier 1 or 2 level, tables orelease thresholds or dierent catego-

ries o material are included in RP 754and summarised in Appendix B.

A release rom a Pressure Relie Device(including a fare) is not considereda recordable PSE unless the amounto release exceeds a Tier 1 or Tier 2threshold and the release also resultsin one o our actual consequenceslisted in Table 1. O these, liquidcarryover and discharge to a poten-tially unsae location are relativelystraightorward to apply. The conse-quence public protective measureswould only apply to onshore acilitieswith public receptors which could bepotentially exposed to impact romthe release. The consequence o anon-site shelter-in-place may be a moredicult consequence to apply oroshore acilities, and some onshoreacilities. In this situation, a companyshould interpret an on-site shelter-in-place as a complete or partialevacuation o the workorce o theacility. Mustering alone does notconstitute a criterion or a Tier 1 orTier 2 PSE.

3.2 Consequence levels and material release thresholds

13

Primary containmentA tank, vessel, pipe, truck, railcar, or other equipment designedto keep a material within it,typically or purposes o storage,separation, processing or transero gases or liquids. The terms

vessel and pipe are taken toinclude containment o reservoirfuids within the casing and

wellhead valving to the surace.

Loss o Primary Containment(LOPC)

An unplanned or uncontrolled releaseo any material rom primarycontainment, including non-toxic andnon-fammable materials (e.g. steam,hot condensate, nitrogen, compressedCO

2or compressed air)

For drilling operations, any unplannedor uncontrolled release to the surace(seabed or ground level) should beincluded.

Secondary ContainmentAn impermeable physical barrierspecically designed to prevent releaseinto the environment o materials thathave breached primary containment.Secondary containment systemsinclude, but are not limited to, tankdykes, curbing around processequipment, drainage collection systemsinto segregated oily drain systems, theouter wall o double walled tanks etc.

Definition

Concept o an Acute ReleaseTier 1 and 2 both apply the concept o an acute release todierentiate a PSE rom other LOPCs which occur over aprolonged period (such as ugitive emissions) and areunlikely to constitute a major incident risk o a re orexplosion.An acute release o material is dened as LOPC whichexceeds the reporting threshold or a Tier 1 or Tier 2 PSE

within any period o one hour during the event. Acutereleases include but are not limited to equipment andpiping ailures due to corrosion, overpressure, damagerom mobile equipment, sabotage, etc.

For example: Valves being let open

Tanks being overlled

Flare or relie systems not operating as intended

Process upsets or errors that result in processmaterials entering other process containment

systems with no provisions or design considerations Corrosion o a pipe or a gasket ailure where the

release over an hour exceeds thresholds


16/36

OGP

The material categories used in RP754 are based on the classicationswithin the United Nations Recommen-dations on the Transport o DangerousGoods (UNDG)19 commonly used inMaterial Saety Data Sheets (MSDSs).While these classications dier romsome o the other hazardous materialclassications used by the petroleumindustry in some countries, the UNDG

lists represent a common internationalbasis or use in these KPIs. The UNDGlists are comprehensive in terms opure chemicals however or hydro-carbon mixtures, such as crude oil oruels, the UNDG classies fammableliquids in terms o their physicalproperties. Whenever possible, whendetermining whether an LOPC isTier 1 or Tier 2, the hydrocarbons

released should be classied basedon boiling point and fash point. Topromote consistency and or conveni-ence, the tables in Appendix B havebeen supplemented with exampleso hazardous materials common inproduction and drilling operations oreach o the RP 754 material catego-ries.

Total hours worked includes employ-ees and contractors or applicablecompany unctions within the scope oreporting i.e. drilling and productionactivities are included; exploration,construction work hours are excluded.In addition companies may choose touse additional normalization actorssuch as mechanical units, or produc-tion volumes.

Because the requency o PSEs is likelyto be low, care should be taken whenassessing PSER because the rates areonly likely to be statistically valid or

comparisons at an upstream industryor company level. Tier 1 PSER isunlikely to be valid at a acility level,however a Tier 2 PSER is more likely tobe valid or tracking statistical peror-mance at a corporate or acility levelas Tier 2 events are likely to occur witha higher requency.

Tier 1 PSER =

Tier 2 PSER =

x 1,000,000

x 1,000,000

Total Hours Worked (or drilling and production activities)

Total Hours Worked (or drilling and production activities)

Total Tier 1 PSE Count

Total Tier 2 PSE Count

3.3 NormalisationBoth Tier 1 and Tier 2 PSEs can bereported as normalised rates to aidcomparability over time and betweenacilities or companies. As there is nouniormly applicable normalisationactor or process saety/asset integrityindicators based on acility congura-tion, a general consensus was reachedto use worker exposure hours (asused or personal injury rates), as a

convenient, easily obtained actor orboth KPIs. This actor enables OGPto calculate a Tier 1 and 2 ProcessSaety Event Rate (PSER) or annualupstream benchmarking and ulti-mately to benchmark across the entirepetroleum industry with API and otherassociations. The rates are calculatedas ollows:

14


17/36

OGP

3.4 Applicability to Upstream Operations

The Tier 1 and Tier 2 PSEs are limitedto drilling and production activitiesbecause o the inherent potential orLOPC consequences as described inTable 1. The ollowing list describesthose operations that are includedas drilling and production activitiesor the purpose o reporting. This listis aligned with the OGP Health andSaety Incident Reporting SystemUsers Guide18 which is updated

annually.Drilling includes all exploration,appraisal and production drilling,wireline, completion and workoveractivities as well as their adminis-trative, engineering, construction,materials supply and transportationaspects. For this guidance, Tier 1and 2 PSEs are recorded only whenLOPC occurs when operating in holebecause this is consistent with the prin-ciple o including only those activities

connected to the process.For drilling operations, Tier 1 and Tier2 PSEs are excluded or:

Drilling/workover/wireline opera-tions when not in hole (duringsite preparation, rigging up, siterestoration, etc.)

Loss o circulation, loss o drillingmud, well kick or undergroundblowout unless there is an associ-ated LOPC o material (e.g. gas,oil, other fuids or mud) releasedabove ground or above sea-bed

or onto the rig foor. (Note that itis good practice or companies

to report such events using Tier 3KPIs and in particular to iden-tiy, investigate and learn romany such events that had highpotential or a major incident,such a blowout preventer activa-tion on a high pressure well).

Production or this guidance coverspetroleum and natural gas productionoperations, including administrative

and engineering aspects, repairs,maintenance and servicing, materi-als supply and transportation opersonnel and equipment. It coversall mainstream production operationsincluding:

Work on production wells underpressure

Oil (including condensates) andgas extraction and separation(primary production)

Heavy oil production where it isinseparable rom upstream (i.e.steam assisted gravity drainage)production

Primary oil processing (waterseparation, stabilisation)

Primary gas processing (dehy-dration, liquids separation,sweetening, CO2 removal)

Floating Storage Units (FSUs) andsub-sea storage units

Gas processing activities with theprimary intent o producing gasliquids or sale;

Secondary liquid separation(i.e., Natural Gas Liquids [NGL]

extraction using rerigerationprocessing)

Liqueed Natural Gas (LNG)and Gas to Liquids (GTL)operations

Flow-lines between wells andpipelines between acilitiesassociated with eld productionoperations

Oil & gas loading acilities, includ-

ing land or marine vessels (trucksand ships) when connected to anoil or gas production process

Pipeline operations (includingbooster stations) operated bycompany E&P business

Production excludes:

Production drilling or workover

Mining processes associated withthe extraction o heavy oil tarsands

Heavy oil when separable romupstream operations

Secondary heavy oil processing(upgrader)

Reneries

Tier 1 and 2 PSEs are not required tobe reported or exploration (exceptdrilling as noted above), construction,and other unspecied activities aslisted in the OGP Health and SaetyIncident Reporting System UsersGuide18.

At joint venture sites and tolling operations, the company should encourage the joint venture or tolling operation to consider applying Tier 1 and Tier 2 PSE KPIs

15


18/36

All activities related to drilling and pro-ductions operations (as detailed in 3.4above) are applicable to PSE report -ing, including related acility start-upor shut-down operations, relatedbrown-eld construction activities,or decommissioning operations, andevents resulting rom sabotage, terror-ism, extremes o weather, earthquakesor other indirect causes.

Events associated with the ollowingactivities all outside the scope andshall not be included in data collectionor reporting eorts:

Marine transport operations,except when the vessel is con-nected to the acility or process.

Truck or rail operations, exceptwhen the truck or rail car isconnected to the process or thepurposes o eedstock or producttranser, or i the truck or rail car isbeing used or onsite storage;

Vacuum truck operations, except

connected to the process, e.g.onsite truck loading, dischargingoperations or use o the vacuumtruck transer pump;

Routine emissions that are allow-able under permit or regulation;

Oce, shop, warehouse, orcamp/compound building activi-ties (e.g. resulting in oce res,spills, personnel injury or illness,etc.);

Activities leading to personalsaety incidents (e.g., slips, trips,alls) that are not directly associ-ated with onsite response to anLOPC;

Activities resulting in LOPC romancillary equipment not connectedto the process (e.g., small samplecontainers). The exclusion includesuel/oil leaks involving trucks orother vehicles or other mobileequipment not considered part othe process

Quality Assurance (QA), Quality

Control (QC) and Research andDevelopment (R&D) laboratoryactivities (except pilot plant activi-ties, which are within scope orPSE reporting);

Onsite uelling operations omobile equipment (e.g., pick-uptrucks, diesel generators, andheavy equipment).

The term process or production anddrilling operations includes acilitiessuch as production equipment (e.g.,

separators, vessels, piping, heaters,pumps, compressors, exchangers,rerigeration systems, etc.), drillingequipment above ground, storagetanks, ancillary support areas (e.g.boiler houses and waste watertreatment plants), onsite remediationacilities, and distribution piping undercontrol o the Company.

OGP

3.5 Applicability to Upstream Activities

At joint venture sites and tolling operations, the company should encourage the joint venture or tolling operation to consider applying Tier 1 and Tier 2 PSE KPIs

16


19/36

With the issue o this report, OGPsgeneral aim was to identiy a smallnumber o KPIs that were reliable,clearly dened, implementable acrossthe upstream oil & gas industry, and ideally aligned with the downstreampetroleum industry.

The annual OGP benchmarkingcollection o health and saety datanow includes the Tier 1 and Tier 2 PSEKPIs detailed in this guide, which arealigned with API RP 754. OGP alsorecognised the need or companies toadopt leading indicators. Thereore,this guide also promotes the use o Tier3 and Tier 4 KPIs within companies.Numerical Tier 3 or 4 data is not cur-rently requested by OGP as these KPIswill be specic and appropriate to aparticular companys saety controlsand management system and thusunlikely to be comparable to those oa dierent company. In uture years,as the data collection process matures,OGP will encourage companies toshare process saety lessons learnedand best practices related to bothleading and lagging KPIs throughworkshops and similar processes.

Companies have the option to provideadditional inormation on the catego-ries o material released and whetherthe events occurred during normaloperations, start-up, shutdown or othercircumstances. Companies are alsoable to provide a detailed descriptiono any PSE, including causal actorsand lessons learnt, that either involvedor had the potential to result in atali-ties.

Further details o the data collection

process, including instructions, deni-tions and templates, are now availablein the annually published OGP Healthand Saety Incident Reporting SystemUsers Guide18.

The collection o process saety KPIdata is ully integrated with OGPsexisting health and saety data col-lection process. Collection o oshoreand onshore Tier 1 and Tier 2 PSEdata commenced in 2011 (or 2010data). The initial intent is to review andvalidate the data received to ensuresucient consistency and accuracy.Subject to sucient condence in thevalidity o the rst one to two years

o data collection, the data collectedwill be integrated into OGPs annualpublic report on health and saetyperormance indicators or the E&Pindustry worldwide.

The process saety data collection isbased on numbers o Tier 1 and 2PSEs recorded by companies, sepa-rately reported or production anddrilling activities, and sub-divided intooshore and onshore data.

The data is also broken down to

understand the consequences thatdetermined the PSEs, including:

the proportions resulting in harmto people (injuries and atalities)

damage to property (res andexplosions)

releases o hazardous materials(rom primary containment or pres-sure relie device discharge)

OGP

3.6 OGP Data Collection

17

More helpDetermining whether an event is reportable as a Tier 1or Tier 2 PSE can be complex and denitions open tointerpretation. For this reason, OGP has developed asupplement to this report that lists over 60 exampleevents with interpretation. Over time, OGP intends toupdate the list with new examples to aid interpretationo the PSE denitions. The supplement can bedownloaded rom the publications section o the OGPwebsite20 (http://www.ogp.org.uk).


20/36

OGP

Tier 3 and Tier 4 indicators areprimarily designed or monitoringand review o risk control systems (i.e.barriers), especially at the operationallevel. Barriers may be hard physicalbarriers or sot human barriers. Asshown in the Swiss Cheese diagram(Figure 1), hard barriers are intendedto block or respond to LOPC eventsand may include:

prevention controls such asengineering design o containment

systems and automatic distributedcontrol systems

escalation controls such as detec-tion, shutdown and blow-downsystems

mitigation controls such as deluge,secondary containment andautomated emergency systems

Sot barriers are typically managementsystem-related, such as proceduresand processes, or workorce-related,such as training, competence, behav-

iours and culture.

As noted previously, barriers canbe assessed using a combination oleading and lagging KPIs. Tier 4 KPIsare leading and monitor operationalactivity to maintain or strengthena barrier; whereas Tier 3 KPIs aremore lagging and record the numbero actual or near miss ailures o abarrier. In this context, Tier 3 indica-tors are also considered leading whenused as predictive KPIs with respect tomore severe consequences character-ised by Tier 1 and Tier 2 PSEs.

4.1 Tier 3 KPIs

A Tier 3 indicator records an opera-tional situation, typically considered anear miss, which has challenged thesaety system by progressing throughone or more barrier weaknesses toresult in an event or condition with

consequences that do not meetthe criteria or a reportable Tier 1

or Tier 2 event; orno actual consequences, but

the recognition that, in othercircumstances, urther barrierscould have been breached and aTier 1 or Tier 2 event could havehappened.

Tier 3 indicators are intended primar-ily or internal Company use at theacility, business or corporate level,but may occasionally support publicreporting. However, because theseindicators are specic to particular

acilities or company systems, Tier 3

indicators are not generally suitableor company-to-company bench-marking or year-on-year corporateperormance reporting.

Tier 3 indicators are typically basedon more lagging outcomes, i.e.retrospective recording o undesirableevents or ndings. A Tier 3 indica-

tor may be associated with one ormore specic barriers which have anassociated leading Tier 4 indicator toachieve dual assurance (see section4.3 or urther inormation).

Types o KPIs implemented at Tier 3could include numerical data or otherparameters related to:

Demands on saety systems,e.g. pressure relie devices (seeexample)

Sae operating limit excursions(see example)

Primary containment inspection ortesting results outside acceptablelimits

LOPC below Tier 2 thresholds

Near misses with potential orLOPC

Asset integrity/process saetyaudit ndings indicating barrier

weaknessesNon-compliances with asset integ-

rity or process saety voluntarystandards or legislation

The two examples in this sectionare brie descriptions o Tier 3 KPIsprovided in RP 754, which should beconsulted or the complete text. Furtherexamples o Tier 3 KPIs are providedin Table 2 and as a suuplement linkedto this report on the OGP website20.

4 Tier 3 and Tier 4

18

Tier 3 KPI example: Demands on saety systemsThis KPI monitors demands on saety systems designed toprevent LOPC or to mitigate the consequences o an LOPC.A system may include sensors, logic solvers, actuators andnal control devices designed to prevent an LOPC, or itmay include a Pressure Relie Device (PRD) and fare orscrubber that unction together to mitigate theconsequences o an LOPC. All o these elements unctiontogether as a system and when a demand is placed on thesystem, a single event is counted, regardless o the

number o devices that must unction within the system. ADemand on a Saety System is counted, regardless o thephase o operation (e.g. start-up, shutdown, normal,temporary, emergency) when one o the ollowing occurs:

activation o a saety instrumented system

activation o a mechanical shutdown system

activation o a PRD not counted as Tier 1 or T ier 2,with release o material directly to atmosphere

activation o a PRD not counted as Tier 1 or T ier 2,with release o material to atmosphere via adestructive device (e.g. fare or scrubber)

The KPI count is typically segregated by the our types o

demand above. Some companies may nd that a rate odemands per saety system type provides a more useulindicator than a simple count.

A demand resulting rom intentional activation o thesaety system during periodic device testing, or manualactivation as a part o the normal shutdown process isexcluded. A PRD is considered to have been activatedwhen the system pressure reaches the device set pointwhether or not the PRD perorms as designed. Activationo PRDs includes saety valve (SV) lits above the setpoint, rupture disc or pin replacement (except preventivemaintenance) and defagration vent re-seats but excludes

pressure/vacuum (PV) vents (e.g. on tanks) unless thevent ails to unction as intended.


21/36

OGP

4.2 Tier 4 KPIs

A Tier 4 KPI represents perormanceo the individual risk control barriers,or its components, within a acilitysmanagement system, and operatingdiscipline. These KPIs are typicallymore leading and pro-active becausethey refect activities o the companydirectly associated with maintainingand improving its risk control barriers.Measures can be ocused on barrierssuch as:

engineering and inherently saedesign

equipment maintenance, inspec-tion and testing

process hazard and major inci-dent risk assessments

quality o, and adherence to,operating procedures

acility management o change

contractor capability and man-agement

audit improvement actionsasset integrity and process saety

initiatives

workorce and management train-ing and development

technical competence assessmentand assurance

Tier 4 KPIs are more eective whenapplied in combination with laggingindicator inormation. This wouldinclude correlation with Tier 1, 2and 3 data, and particularly when

root-cause analysis provides specicindications o barrier weaknessesrelated to the eective implementationo management system requirements.

Tier 4 indicators are intended primar-ily or use by operators, rst-line

supervisors, engineers and manag-ers at the acility or business levelwhere awareness o specic hazards,detailed understanding o the plantand local ownership o risk manage-ment is most critical. However, a ewTier 4 indicators may be rolled up tobusiness or corporate level to assessmanagement system barriers whichare highly standardised across acompany. Because o specicity toacilities or company systems, Tier 4indicators are not generally suitableor company-to-company bench-marking or corporate perormancereporting.

19

Tier 3 KPI example: Sae Operating Limit ExcursionThis KPI monitors process parameter deviations thatexceed the Sae Operating Limit (SOL) applicable tospecic operations at a acility. This includes dierentoperating phases including start-up, shutdown and normaloperation which may have dierent SOLs or the sameequipment. Figure 7 shows the relationship betweenNormal Operating Limit, High/Low Alarm Limits, and theSOL (or equivalent High-High Level Shut Down) system.Reaching the SOL represents the point beyond whichtroubleshooting ends and pre-determined action occurs toreturn the process to a known sae state. Thepre-determined action may range rom manually executedoperating procedures to a ully automated instrumentbased control system.The Tier 3 KPI counts each event or condition resulting inan SOL excursion (i.e a recorded exceedance o the SOL ina specied time period). A company may want to recordspecic data or inormation about individual SOLexcursions, including operational phase, excursion

duration, material in the tank and, ollowing investigation,root causes o the SOL. A single initiating process event orcondition may result in a number o SOL excursions ordierent equipment (e.g. site-wide ailure o a utility) and

each excursion should be counted separately. A processcondition that hovers near the SOL value or one piece oequipment may result in multiple excursions that should becounted as a single event or condition.

Low level alarm

Normal operating limit

High level alarm

Safe Operating Limit (SOL) or high level shut down

Figure 7 Storage Tank Example o Sae Operating Limit KPI


22/36

OGP

4.3 Selection o Tier 3 and 4 KPIsIt is important to choose Tier 3 and 4KPIs which operators and engineersrecognise as meaningul and appli-cable to the specic barrier systemsin place at the acility. The indicatorsselected should provide actionableinormation which directs activities tourther improve barrier strength andaddresses identied weaknesses.CCPS has provided a comprehensiveselection o possible KPIs or each o

20 management system elements5.This list o KPIs was updated in 2010in their guidelines on process saetymetrics9. In RP 754, API has alsosuggested 10 Tier 4 KPIs6 and UKHSE has illustrated their dual assur-ance concept by providing a selectiono possible leading and laggingindicators or 9 common risk controlbarriers7. Table 2 provided here isupdated rom OGP Report No. 4151taking into account these reerencesand also illustrates the dual assurance

approach advocated by UK HSE7.

As noted earlier, it is recommendedthat acilities determine which barrierswhich are most critical or manage-ment o major incident risk then selectsuitable leading and lagging KPIs oreach critical barrier. Care must betaken to avoid overwhelming sta withtoo many metrics, and thereore com-panies are encouraged to be selectiveand ocus KPIs on barriers which areeither important in terms o mitigating

major risk or because there are knownweaknesses in the barrier that need tobe addressed.

It is important to view risk controlbarriers and KPIs used in the contexto the overall management system andcontinuous improvement. Risk controlbarriers are generally equivalentto management system elements orsub-elements; thereore it is advis-able to align barrier names with theterminology o the companys ownmanagement system. As the systemimproves over time, the KPIs shouldbe reviewed regularly and subjectedto their own continuous improvementcycle to ensure that eort is main-tained on strengthening those barrierswhich are most critical or preventiono major incidents.

20

Selecting leading andlagging KPIs or dualassuranceWhile Tier 4 indicators are clearly leading, it has beennoted that Tier 3 indicators can be considered as eitherleading or lagging depending on how the data is used,e.g. a level alarm going o requently could be aleading indicator o the potential or Tier 1 or 2 eventsor a lagging indicator o maintenance not having beenperormed on schedule. Equally, Tier 2 indicators canbe considered leading relative to Tier 1 or laggingrelative to Tiers 3 and 4.For each critical barrier, those ew o highest concern to

the company or acility, a good practice is to identiyone leading KPI at Tier 4 level and one lagging KPIrom a higher tier. These two matched KPIs can thenbe used in combination to assess the perormance othe selected barrier. This approach is called DualAssurance by UK HSE7 and links a lagging and leadingpair o indicators that can be correlated to statisticallytest whether a specic barrier is getting weaker orstronger.A simple example o dual assurance would be a leadingTier 4 KPI to monitor the percentage against plan ocompleted tests on a acilitys alarm system linkedwith a more lagging Tier 3 KPI which monitors thenumber o alarm system ailures (recorded romtesting, near misses or any actual Tier 1 and 2 events).In combination these two KPIs provide data to assesswhether the ongoing maintenance and testing regimeo saety critical alarms is suciently eective toensure that any holes in the barrier are monitored andminimised to an acceptably low level.


23/36

OGP

Table 2: Examples o risk control barriers and associated dual assurance Tier 3 and 4 KPIs

Barrier/risk control system Example KPI (Tier 3) Example KPI (Tier 4)

Management and workorceengagement (MWE) on saety/asset integrity

Percentage o manager inspections delegatedto subordinates

% o saety meetings not ully attended by staworking that day

Number o barrier weaknesses, includingunsae conditions, identied rom MWE

% o manager inspections o work locationscompleted

Total hours spent on MWE activities bymanagers and by sta

% MWE suggestions implemented

Sta opinion/attitude survey outcomes onhealth o asset integrity/process saety barriers,including leadership, competence, saety cultureand equipment design

Hazard identication and riskassessment (HIRA)

Number o recommendations/actionsunresolved by their due date

Number o actual or near-miss LOPC eventswhere inadequate HIRA was a causal actor

Numbers o P&ID corrections and other actionsidentied during PHAs

Number o planned HIRA completed onschedule

Average number o hours per P&ID orconducting

a) baseline PHAsb) PHA revalidations

Competence o personnel(categorised as employees andsupervised contractors, also a)operators b) rst-linesupervisor, c) managers, and

d) technical authorities)

Number o actual or near-misses, LOPC events,plant trips, equipment damage linked to

a) traineesb) lack o technical understandingc) lack o experienced) inadequate traininge) absence o skills in team

Number o workers in each personnel categorywhose training is overdue

% time that asset integrit y/process saety criticalpositions have gone unstaed

% personnel assessed to be i) partly, ii) ully,and iii) exceeding local competence criteria orall asset integrity/process saety critical roles ineach personnel category

Number and outcome o periodic reviews tocheck accuracy o asset/process knowledge

Operational procedures

Number o operational errors due to incorrect/unclear procedures

Number o operational shortcuts identied bynear misses and incidents

Number o PHA recommendations related toinadequate operating procedures

% o procedures reviewed and updated versusplan

Inspection & maintenance(ocused on equipment criticalto asset integrity/processsaety)

Number o actual or near-miss LOPC eventswhere inadequate inspection or maintenance

Number o non-routine and emergencymaintenance work orders

No. o process leaks identied during operationor downtime

Number o temporary repairs or deerredmaintenance items in service

% o saet y-critical plant/equipment thatperorms to specication when tested was acausal actor

% maintenance plan completed on time

% o planned preventative maintenance versustotal maintenance (including unplanned)

21


24/36

OGP

Table 2: Examples o risk control barriers and associated dual assurance Tier 3 and 4 KPIs

Barrier/risk control system Example KPI (Tier 3) Example KPI (Tier 4)

Plant design Number o incidents or near-misses where

errors in plant design are identied as acontributory cause

Number o post-startup modications requiredby Operations

Number o deviations rom applicable codesand standards

% saety-critical equipment/systems ully incompliance with current design codes

Saety instrumentation andalarms (SIA)

Total number o SIA activations reported byoperations

Total number o SIA aults reported during tests

Alarms per hour

Mean time between alarm activations andoperator responses

Number o individual SIA tests versus schedule

Start-ups and shutdowns (S&S) Number o near-misses or incidents during S&S

Number o deerred start-ups and unplannedshutdowns

% relevant personnel trained on S&S prior tocommencing S&S

% relevant personnel present during S&S versusplan

Management o change(MOC)

Number o actual or near-miss LOPC whereinadequate MOC was a causal actor

% MOCs or which the drawings or procedureswere not updated

Number o emergency or temporary MOCs

Number o planned MOCs perormed and timetaken

% plant changes suitably risk assessed andapproved beore installation

Average time taken to ully implement a change

once approved

Permit to work (PTW)

% incidents/near misses during work coveredby a PTW

% PTWs sampled which ailed to identiy allhazards or speciy suitable controls

Number o PTW issued

Average time per permit spent on writing,reviewing, and approving PTW

Contractor Management

Asset integrity and general saety KPIs orcontractor companies, average or all clientsand when under contract to company

Number and % o open/unresolved contractorsaety suggestions

% required contractor training conducted onschedule

Frequency o, and percentage attendanceduring, contractor saety meetings

Percentage o qualication audits/checks/criteria met prior to entry

Emergency management

Number o emergency response elements that

are not ully unctional when activated ina) a real emergencyb) an emergency exercise

Number o emergency exercises on scheduleand total sta time involved

% o sta who have participated in anemergency exercise

Number o emergency equipment andshutdown devices tested versus schedule

Compliance with standards Number o compliance violations related to

asset integrity/process saety % o existing standards reviewed as per

schedule to ensure evergreen status

22


25/36

OGP

Determining whether to report a Recordable Process Saety Event (PSE)

Event is not a Tier 1 or Tier 2 PSE and not OGP recordablebut the Company may report the event within one of its

internal process safety KPIs (i.e. at Tier 3)

Event is not OGP recordable but may bereportable by the Company as part of a

broader or different KPI

Event is OGP recordable by the Companyas a PSE and should be classified as

either Tier 1 or Tier 2

1

2

3

4

With reference to the six tables in Appendix B, the flow chart recommends fourquestions to ask when determining if a LOPC or PRD activation is recordable as a

Process Safety Event (PSE) for the purpose of OGP benchmarking.

Yes

Yes

Yes

Yes

No

Was the event the result of anLOPC or PRD discharge from part of a

production or drilling process? (See Sections 3.4

and 3.5 and definitions in Appendix B)

Did the event (LOPC or PRD activation)result in an incident with any of the harmful or

damaging consequences listed in Table 1?

No

If LOPC, as noted in Table 2, did theamount of the material released exceed any

threshold in Tables 4-6?

No

No

If PRDactivation, did the

material release (either directly toatmosphere or via flare or other destructive

device) exceed any threshold listed in Tables4-6 as well as any of the four

consequences in Table3?

23

Appendix A


26/36

OGP

Process Saety Event (PSE) consequence and threshold tablesAs described in the report, practicalimplementation o the Process SaetyEvent (PSE) KPIs can be challengingdue to the complexity o applying thehierarchy o Tier 1 and Tier 2 deni-tions and consequences as listed inSection 3.1 o this report, which are inturn reproduced rom the API/ ANSIStandard Recommended Practice(RP) 754: Process Saety PerormanceIndicators or the Refning and

Petrochemical Industries6. Companiesimplementing the Tier 1 and 2 KPIsin this report should use RP 754 as asource document or detailed deni-tions and guidance. However, RP754 was developed or the reningand petrochemical industry, and notspecically or the upstream oil & gasindustry.

In order to gain the KPI consistencyand benchmarking value that tookmany years to achieve or personalsaety, OGP have aligned denitionsin this report with RP 754 but oers

guidance on how to implement the Tier1 and Tier 2 KPIs or recording PSEsin upstream operations. As an aid toimplementation, this Appendix pro-vides urther detail in the orm o sixtables which summarise the hierarchyo LOPC (and PRD discharge) conse-quences and thresholds in RP 754. Thetables are intended to be used to helpcompanies decide whether an LOPCor PRD discharge should be recorded

as a PSE.Table B1 below lists the conse-quences related to harm to peopleo damage to property which wouldresult in a Tier 1 or Tier 2 PSE.However most PSE recorded bycompanies are unlikely to result insignicant acute harm or damage, butinstead result rom an LOPC or PRDdischarge which has exceeded mate-rial release thresholds as describedbelow in Table B2 or B3, respec-tively. The relevant thresholds or theamount o material released are based

on Tier 1 and Tier 2 categories listedin RP 754, which are in turn basedon international UNDG regulationsor transport o materials19. To helpcompanies, examples o materialscommonly ound in upstream opera-tions are provided in Tables B3 toB6. However, companies may needto provide more detailed guidance onhydrocarbon mixtures or other gasesor liquids specic to their operations.

It should be noted that when an eventresults in multiple thresholds exceeded,the PSE should be recorded at thehighest Tier applicable to any one othe exceeded thresholds. A download-able supplement20 to this report maybe downloaded rom the OGP websitethat also provides examples o PSEswhich help demonstrate how thesetables are applied in practice.

Appendix A provides a fow chartwhich may be helpul in understandinghow to use the ollowing six tables.

Table B1 (o 6): Thresholds or LOPC resulting in actual harm or damage

LOPC or PRD discharge is recordable as aPSE when it results in one or more o theconsequences in this table (irrespective othe amount o material released)

PSE Level

Tier 1 Tier 2

Injury to Employee or ContractorFatality and/or Lost Workday Case (daysaway rom work or LTI)

Recordable occupational injury (restrictedwork case or medical treatment case)

Injury to Third Party Fatality, or injury/illness that results in ahospital admission

None

Impact to the CommunityOcially declared community evacuationor community shelter-in-place

None

Fire or ExplosionFire or Explosion resulting in greater thanor equal to $25,000 o direct cost to theCompany

Fire or Explosion resulting in greater thanor equal to $2,500 o direct cost to theCompany

24

Appendix B


27/36

OGP

Table B2 (o 6): Thresholds or LOPC material releases

LOPC is recordable as a PSE, even when noserious harm or damage results, i theamount o material released exceedsspecied thresholds

PSE Level

Tier 1 Tier 2

An LOPC release o a gas or liquid exceedsthe material release threshold quantities inany one hour period

See Tables B4, 5 or 6 or Tier 1 thresholdquantities

See Tables B4, 5 or 6 or Tier 2 thresholdquantities

Table B3 (o 6): Thresholds or PRD discharges

A PRD discharge event is recordable as aPSE i it results in serious harm or damage,or exceeds the material release thresholdquantities while resulting in any o ourlisted criteria

PSE Level

Tier 1 Tier 2

A pressure relie device (PRD) dischargeseither directly to atmosphere or to adestructive device (e.g. fare, scrubber)

Event results in a Tier 1 PSE i theconsequence is listed in Table B1,regardless o the quantity released, or

Event results in a:

liquid carryover, or

discharge to a potentially hazardouslocation, or

on-site shelter in place, or

public protective measures,

and quantity discharged equals or exceedsany Tier 1 threshold in Tables B4, 5 or 6

Event results in a Tier 2 PSE i theconsequence is listed in Table B1,regardless o the quantity released, or

Event results in a:

liquid carryover, or

discharge to a potentially hazardouslocation, or

on-site shelter in place, or

public protective measures,

and quantity discharged equals or exceedsany Tier 2 threshold in Tables B4, 5 or 6

25


28/36

OGP

Table B4 (o 6): Non-Toxic Material Release Threshold Quantities or LOPC

LOPC is recordable as a PSE only whenrelease is acute, i.e. exceeds a thresholdquantity in any one hour period. PSE Tier ishighest o all that apply

Tier 1(Categories below reer to API/ANSI standard RP 754)

Tier 2(Categories below reer to API/ANSI standard RP 754)

Material hazard classifcation(with example materials)

Outdoor release Indoor release Outdoor release Indoor release

Flammable Gases e.g.

methane, ethane, propane, butane,

natural g

Process Safety –Recommended Practice on Key Performance Indicator

Documents

Transcript of Process Safety –Recommended Practice on Key Performance Indicator