|Theme||Visible||Selectable||Appearance||Zoom Range (now: 0)|
Summary bp’s (“the company’s”) wells organization manages its operational risks through what is known as the “three lines of defense” model. This is a three-tiered approach; the first line of defense is self-verification, which wells assets apply to prevent or mitigate operational risks. The second line of defense is conducted by the safety and operational risk function using deep technical expertise. The third line of defense is provided by group audit. In this paper, we discuss the wells self-verification program evolution from its first implementation and share case studies, results, impact, lessons learned, and further steps planned as part of the continuous improvement cycle. The company’s wells organization identified nine major accident risks that have the potential to result in significant health, safety, and environment (HSE) impacts. Examples include loss of well control (LoWC), offshore vessel collision, and dropped objects. The central risk team developed bowties for these risks, with prevention barriers on cause legs and mitigation barriers on consequence legs. Detailed risk bowties are fundamental to wells self-verification, adding technical depth to allow more focused verification to be performed when compared with the original bowties, because verification is now conducted using checklists targeting barriers at their component level, defined as critical tasks and equipment. Barriers are underpinned by barrier enablers (underlying supporting systems and processes) such as control of work, safe operating limits, inspection and maintenance, etc. Checklists are standardized and are available through a single, global digital application. This permits the verifiers, typically wellsite leaders, to conduct meaningful verification conversations, record the resulting actions, track them to closure within the application, and gain a better understanding of any cumulative impacts, ineffective barriers, and areas to focus on. Self-verification results are reviewed at rig, region, wells, and upstream levels. Rigs and regions analyze barrier effectiveness and gaps and implement corrective actions with contractors at the rig or region level. Global insights are collated monthly and presented centrally to wells leadership. Common themes and valuable learnings are then addressed at the functional level, shared across the organization, or escalated by the leadership. The self-verification program at the barrier component level proved to be an effective risk management tool for the company’s wells organization. It helps to continuously identify risks, address gaps, and learn from them. Recorded assessments not only provide the wells organization with barrier performance data but also highlight opportunities to improve. Leadership uses the results from barrier verification to gain a holistic view of how major accident risks are managed. Program evolution has also eliminated duplicate reviews, improved clarity of barrier components, and improved sustainability through applying a systematic approach, standardization, digitization, and procedural discipline.
Abstract Dropped objects are a risk on all drilling operations contributing to a significant number of incidents, numerous fatalities and main high potential incidents. This paper explains what has been done to address this unacceptable risk including the collaborative development of DROPS Recommended Practice, incident review boards and integrated assurance programmes.
Abstract Well barrier verification is having the confidence and being able to prove that "the folk on the rig will do the right thing and the equipment will function as intended when called upon to do so". This paper describes a method of achieving that aim by analyzing well control barrier systems in a logical and complete manner with regard to the technical, operational and organizational elements so that the results can be used as the basis for a straightforward means of barrier verification during operations. BowTie diagrams, while a useful illustrative starting point, are limited in their ability to depict well control barriers as systems consisting of individual elements that interact with each other. Portraying them as systems enables the processes, people and equipment required for effective well control to be analyzed in a way that is both logical and complete. Further examination of the elements reveals the critical aspects that must be checked to verify barrier effectiveness. Operationalising the verification process is done by extending and formalizing established practices of wellsite supervisor oversight and cross-checking complemented with periodic inspections. The analysis is resource intensive because each operational mode must be considered separately to ensure completeness. Once this work is done, general themes within critical aspects emerge that enable the verification tasks to be grouped into a set of logical activities that include: conversations with crew members to verify knowledge, criteria for drills to check on team capability and periodic inspections to ensure equipment integrity. Although difficult to achieve, the process must be carried out in a way that engages the crews in a sense of self-preservation to avoid becoming a box ticking exercise.
Abstract The Operator has long recognized the risks associated with specialist well engineering and wells services software and how insufficient management could have consequences to both safety and the environment. Sawaryn et al. (2003) laid out a set of principles for improving the management and use of Safety-Critical drilling engineering and well services software. Through a series of initiatives, the Operator has developed these principles into a risk based management practice aligned to international standards; IEC 61508 (2010). This has enabled better understanding by global wells and IT on the influence software systems have on group loss of well control risk barriers. It has also enabled the creation of a more robust management framework. A significant development has been to simplify the classification and differentiation between Safety-Critical and Safety-Related systems. It was recognized that applying a broad brush definition of "Safety-Critical" to wells applications created a high burden of responsibility and weakened the definition of Safety-Criticality. For example a system with no human interaction before an action occurs should be managed more rigorously than one whose output can be validated and corroborated. When applying these criteria to wells software it was found that none were Safety-Critical, therefore the scope of this paper is confined to Safety-Related software. A risk based approach has been used to enable easier classification of software, removing some of the ambiguity prevalent in the past. This has reduced the risk for project delivery and IT support operations. Using risk based approach has also allowed a more objective approach to management, enabling better measurement for the controls discussed in this paper. Work in this area is still relatively immature and there remain many challenges. For example, data integrity can be difficult to manage and can weaken controls such as algorithm validation. Additionally complex systems used by wells but owned by other upstream functions can be difficult to manage unless those functions follow the same methodology. This paper outlines the initiatives the Operator has taken to reduce the risk presented by Safety-Related software, highlighting the benefits, challenges and opportunities.
Abstract The IADC safety case template for land rigs is well known within the industry. Many safety cases will be a "living document" used as an integral element of a project or well operations. However, a risk exists that the safety case may be used as a one-off demonstration of HSE management and then put aside. This paper describes the development of a "living" safety case as an approach to assessing the completeness and effectiveness of equipment and systems at a company rather than rig level. The development process involved, first, describing all company land rig operations over the preceding three years. Thereafter hazard and effect registers were compiled, bow-ties generated and matrices of permitted operations constructed. Company equipment and systems of work were then compared with measures identified by the safety case analyses. The comparison process delivered a three-fold benefit. Firstly, it provided a gap analysis tool to identify where controls were assumed rather than present. Secondly, it provided a more detailed specification for the development or revision of safe systems of work. Finally, it provided an assurance framework by which equipment and systems can be assessed on an ongoing basis. The major findings from the exercise identified a greater range of operations than generally perceived within the company. Gaps in standards, procedures and other controls to cover this operational range were identified. The content, clarity and consistency of documents between rigs were highlighted as areas for improvement as was the specification and selection of equipment. The exercise also generated a "generic" safety case document that can be stripped down to an individual rig level for operational use. This offers a wide range of advantages by helping to define required actions for inclusion in general rig management documentation, standard job descriptions and vocational training materials.