100% found this document useful (3 votes)

1K views

Upstream Control of Work BP Procedure June 2020 - Rev B06 - PDF

Uploaded by

Rio Reunarudi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (3 votes)

1K views

Upstream Control of Work BP Procedure June 2020 - Rev B06 - PDF

Uploaded by

Rio Reunarudi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 361

BP Procedure

Upstream Control of Work

Use and Interpretation of this document

This document is classified as General unless labelled otherwise. It contains BP proprietary information. BP’s Code
of Conduct requires you to protect that information. Refer to the Protecting our Information Policy for more details.
Outside BP, you can only distribute and use this document in accordance with the terms of any agreement under
which it was supplied or received. BP accepts no liability or responsibility for the use of this document outside BP
unless an agreement with BP says otherwise.
This document applies only if it is consistent with applicable legal and regulatory requirements. If you are within BP
and you identify an apparent conflict with those requirements, you should consult BP Legal.
This document has been approved for BP’s purposes only and not to describe or establish an industry standard or
practice. Any recommendations or guidance are to help users to consider and evaluate potential options. Another
approach may be appropriate.
The authoritative, English version of this document is held online in the OMS Library. It takes precedence over any
prior version and any non-English version.
Copyright © 2020. BP p.l.c. All rights reserved.

Applicability: Upstream
Issue Date: 30 June 2020
Issuing Authority: Andrew Collins, Head of Function, GOO
Content Owner: Giovanni Cristofoli, VP Operations, GOO
Unique Identifier: 100340
Revision Code: B06

Page 1 of 361
BP Procedure 100340
Upstream Control of Work

Document Information

Security Classification: General (formally BP Internal)

Next Review Date: October 2021

Revision History

Revision Date Revision Number Approver Revision

30 Jun 2020 B06 Andrew Collins Sixth issue
21 Oct 2019 B05 Andrew Collins Fifth issue
12 Oct 2017 B04 Fawaz Bitar Fourth issue
01 Jun 2015 B03 Steve James Third issue
01 Dec 2014 B02 Steve James Second issue
01 Jun 2014 B01 Steve James First issue

Operating Management System (OMS) – Sub Elements and Group Essentials

OMS Sub Element OMS Sub Element Title Group Essentials

4.5 Control of Work

Reviewers

Name Role Type of Date Reviewed

Review
Steve James Director of Operations (CoW), GOO Recommend June 2020
Joe Trapp Safety Advisor, GPO Recommend June 2020
Don Gates CoW Implementation Lead, GWO Recommend June 2020
Carlos Olarte S&OR CoW Authority, Upstream Recommend June 2020
Liz Randall Upstream Operation Authority, S&OR Recommend June 2020
Ian Pannett VP S&OR (GOO), S&OR Agree June 2020
Giovanni Cristofoli VP Operations, GOO Agree June 2020
David Dickson VP Operations Eastern Hemisphere, GOO Agree June 2020
Neil Loader VP Operations, West & Technical Functions, GOO Agree June 2020
Will Francis Managing Counsel, Legal Agree June 2020
David O’Connor Head of Function, GPO Agree June 2020
Andy Krieger Head of Function, GWO Agree June 2020
Andrew Collins Head of Function, GOO Decide June 2020

Page 2 of 361 Revision: B06

Contents
Page
Foreword ........................................................................................................................... 16
Introduction ....................................................................................................................... 16
1 Scope and exclusions ................................................................................................ 17
1.1 Where this procedure applies ......................................................................... 17
1.2 Where GPO use a contractor’s CoW process ................................................. 17
1.3 Regulatory requirements................................................................................. 17
2 References ................................................................................................................ 18
2.1 Required references........................................................................................ 18
2.2 Informative references .................................................................................... 19
3 Terms and definitions ................................................................................................ 22
4 Symbols and abbreviations........................................................................................ 33
5 BP Requirements – Upstream Control of Work ........................................................ 40
5.1 Adopting this Upstream Control of Work procedure ....................................... 40
5.2 Control of Work requirements ........................................................................ 40
5.3 Roles, responsibilities and delegating authority .............................................. 40
5.4 Transfer between Upstream entities .............................................................. 41
5.5 Bridging documents ........................................................................................ 41
6 Conformance and deviations ..................................................................................... 42
6.1 Conforming with and adopting this Upstream CoW Procedure ...................... 42
6.2 Local implementation ...................................................................................... 42
6.3 Local procedures ............................................................................................. 43
6.4 How to use this Upstream CoW Procedure .................................................... 43
6.5 Deviations ....................................................................................................... 44
7 An overview of the Control of Work process ............................................................ 45
7.1 Who delivers Control of Work ......................................................................... 45
7.2 How we execute work safely ......................................................................... 47
7.3 Templates ....................................................................................................... 50
7.4 Human Performance ....................................................................................... 51
7.5 Simultaneous operations (SIMOPS) ................................................................ 53
8 Control of Work (CoW) process ................................................................................ 55
8.1 Step 1: Planning and scheduling ..................................................................... 56
8.2 Step 2: Risk assessment................................................................................. 59
8.3 Step 3: Prepare worksite and create Control of Work documents .................. 63
8.4 Step 4: Authorise ............................................................................................ 77
8.5 Step 5: Execute ............................................................................................... 79
8.6 Step 6: Monitor ............................................................................................... 86

Page 3 of 361 Revision: B06

8.7 Step 7: Complete ............................................................................................ 89

8.8 Step 8: Learn: learning opportunities and closure ........................................... 93
9 Risk assessment ....................................................................................................... 94
9.1 Risk assessing tasks ....................................................................................... 94
9.2 The process for identifying hazards................................................................. 94
9.3 How to use the hierarchy of controls .............................................................. 95
9.4 How to perform a Level 1 task risk assessment ............................................. 97
9.5 How to perform a Level 2 task risk assessment ............................................. 99
9.6 Risk assessing isolations............................................................................... 104
10 Managing temporary overrides ............................................................................... 105
10.1 Types and methods of temporary overrides ................................................. 105
10.2 Methods of applying temporary overrides .................................................... 106
10.3 Process for managing temporary overrides .................................................. 107
10.4 Safety override risk assessment (SORA) ...................................................... 109
10.5 SORA team ................................................................................................... 110
10.6 Approving a SORA template ......................................................................... 110
10.7 Using a SORA ............................................................................................... 111
11 Operational risk assessment ................................................................................... 112
11.1 When an operational risk assessment is required ......................................... 112
11.2 When an operational risk assessment is not required................................... 114
11.3 How to perform an operational risk assessment .......................................... 114
11.4 How to record an operational risk assessment ............................................. 115
11.5 Timeline to complete an operational risk assessment .................................. 116
11.6 Planned operational risk assessment timeline .............................................. 117
11.7 Unplanned operational risk assessment timeline .......................................... 117
11.8 Approving an operational risk assessment .................................................... 117
11.9 Monitoring operational risk assessments...................................................... 118
11.10 Using existing operational risk assessments ................................................ 119
12 Hot work ................................................................................................................. 120
12.1 Hot work spark potential ............................................................................... 120
12.2 Hot work open flame .................................................................................... 120
12.3 Primary controls ............................................................................................ 121
12.4 Preparing for hot work open flame................................................................ 122
12.5 Executing hot work open flame .................................................................... 122
12.6 For pressurised habitats ................................................................................ 124
12.7 Executing hot work open flame in designated pressurised buildings............ 124
13 Temporary habitats ................................................................................................. 125
13.1 Type 1 – Weather protection habitat ............................................................. 125
13.2 Type 2 – Containment habitat ....................................................................... 125

Page 4 of 361 Revision: B06

13.3 Type 3 – Positive pressure habitat ................................................................ 126

13.4 Designing and building habitats .................................................................... 126
13.5 Using habitats ............................................................................................... 128
14 Isolation management ............................................................................................. 129
14.1 Isolating authorities ....................................................................................... 130
14.2 Designing the isolation and de-isolation plan ................................................ 131
14.3 Documenting the isolation and de-isolation plan ........................................... 133
14.4 Contingency plans ......................................................................................... 134
14.5 Conformant and non-conformant isolations .................................................. 134
14.6 Cross-checking isolations .............................................................................. 134
14.7 Sanction to test ............................................................................................. 135
14.8 Identifying and recording isolation points ...................................................... 136
14.9 Amending isolations ...................................................................................... 137
14.10 Securing isolations ........................................................................................ 137
14.11 Securing isolation lockboxes in US................................................................ 139
14.12 Tagging isolations.......................................................................................... 141
14.13 Personal isolations ........................................................................................ 142
14.14 Process isolation ........................................................................................... 144
14.15 Isolating pressure relief devices .................................................................... 157
14.16 Isolating stored or accumulated mechanical or electrical energy sources..... 158
14.17 Isolating hydraulic systems - pulsation dampeners and accumulators .......... 159
14.18 Electrical isolation.......................................................................................... 160
14.19 Instrument and control isolations .................................................................. 167
14.20 Automation systems ..................................................................................... 167
14.21 Well equipment specific isolations ................................................................ 168
14.22 Requirements for the use of CAT A & CAT B butterfly valves ...................... 169
14.23 Non-diving subsea isolations ......................................................................... 170
14.24 Diving operations isolations .......................................................................... 172
14.25 Boundary isolations and when to use them .................................................. 172
14.26 Cross-site boundary isolations ...................................................................... 174
14.27 Isolating radioactive sources ......................................................................... 174
14.28 Long-term isolations...................................................................................... 175
14.29 De-isolating ................................................................................................... 176
15 Confined space entry .............................................................................................. 177
15.1 Confined space isolation ............................................................................... 178
15.2 Risk assessment of a confined space ........................................................... 178
15.3 Preparing the confined space ........................................................................ 180
15.4 Lighting the confined space .......................................................................... 181
15.5 Confined space ventilation ............................................................................ 182
15.6 Managing entry to a confined space ............................................................. 185

Page 5 of 361 Revision: B06

15.7 Confined space entry attendant .................................................................... 186

15.8 Precautions for water jetting in confined spaces .......................................... 187
15.9 Confined or restricted space register ............................................................ 188
16 Breaking containment ............................................................................................. 190
16.1 Preparing plant for breaking containment ..................................................... 190
16.2 Potential hazards ........................................................................................... 190
16.3 Breaking containment on hydrocarbon or hazardous utility systems ............ 191
16.4 Breaking containment with non-conformant isolations ................................. 191
16.5 Depressurising or draining pressurised vessels, pipelines or pipework ........ 191
16.6 Draining or emptying atmospheric tanks and vessels ................................... 192
16.7 Cleaning and gas-freeing methods ................................................................ 193
16.8 Purging into service....................................................................................... 195
16.9 Broken joint tagging ...................................................................................... 196
17 Working at height .................................................................................................... 198
17.1 Using the hierarchy of fall protection ............................................................ 199
17.2 Requirements for work at height .................................................................. 200
17.3 Requirements for a safe platform ................................................................. 201
17.4 Using personal fall protection systems ......................................................... 202
17.5 Identifying and assessing anchor points ....................................................... 203
17.6 Over side working ......................................................................................... 204
17.7 Putting a rescue plan in place ....................................................................... 205
17.8 Inspecting and maintaining equipment ......................................................... 205
17.9 Dropped objects ............................................................................................ 207
17.10 Fragile surfaces ............................................................................................. 207
17.11 Use of temporary ladders.............................................................................. 208
18 Supplementary certificates...................................................................................... 209
18.1 Isolation confirmation certificate ................................................................... 209
18.2 Ground disturbance certificate ...................................................................... 210
18.3 Lifting plan certificate .................................................................................... 211
18.4 Energised electrical work certificate ............................................................. 213
18.5 Emergency response and rescue plan certificate ......................................... 213
18.6 Abrasive task on live equipment certificate ................................................... 218
18.7 Mechanical seal plugs certificate .................................................................. 219
18.8 Well handover certificate .............................................................................. 219
18.9 Pre-startup certificate .................................................................................... 220
18.10 Ventilation plan certificate ............................................................................. 220
18.11 Pressurised habitat certificate ....................................................................... 220
18.12 Heavy equipment movement certificate ....................................................... 220
18.13 Cross site boundary isolation certificate........................................................ 221
18.14 Leak testing certificate .................................................................................. 221

Page 6 of 361 Revision: B06

19 Purging, leak and pressure testing .......................................................................... 222

19.1 Purpose of leak testing ................................................................................. 222
19.2 Managing leak and pressure testing ............................................................. 222
19.3 Pressure testing ............................................................................................ 223
19.4 Gross leak testing ......................................................................................... 224
19.5 In-service leak testing ................................................................................... 224
19.6 Tightness testing........................................................................................... 224
19.7 Hydrostatic tightness testing ........................................................................ 225
19.8 Pneumatic tightness testing ......................................................................... 226
19.9 Selecting test method ................................................................................... 227
19.10 Selecting test medium, pressures and acceptance criteria ........................... 229
19.11 Designing the test ......................................................................................... 230
19.12 Documenting the test ................................................................................... 231
19.13 Preparation for a leak test ............................................................................. 231
19.14 Checking hardware ....................................................................................... 232
19.15 Executing and monitoring the test ................................................................ 232
19.16 Managing identified leaks ............................................................................. 233
19.17 Depressurising .............................................................................................. 233
19.18 Pipeline pig trap leak testing ......................................................................... 234
19.19 Vessels with engineered closure .................................................................. 234
19.20 Using high pressure gas................................................................................ 234
19.21 Leak testing positive isolations ..................................................................... 237
19.22 Leak testing relief valve flanges .................................................................... 238
20 Plant reinstatement ................................................................................................. 239
20.1 Return to service ........................................................................................... 239
20.2 Witnessed joints ........................................................................................... 241
21 Ground disturbance ................................................................................................. 243
21.1 Ground disturbance preparation and site surveying ...................................... 243
21.2 Excavation design ......................................................................................... 244
21.3 Risk assessment ........................................................................................... 245
21.4 Performing excavations................................................................................. 246
21.5 Inspecting and tagging excavations .............................................................. 248
21.6 Excavation tags ............................................................................................. 249
21.7 Entry to a completed excavation ................................................................... 249
21.8 Reinstating an excavation ............................................................................. 249
22 Special conditions and techniques .......................................................................... 251
22.1 Guardrails and barriers .................................................................................. 251
22.2 Energised electrical work .............................................................................. 255
22.3 Battery systems ............................................................................................ 258
22.4 Cutting pipework ........................................................................................... 259

Page 7 of 361 Revision: B06

22.5 Cutting electrical cables ................................................................................ 260

22.6 Working close to overhead power lines ........................................................ 262
22.7 Engineered scaffolding.................................................................................. 262
22.8 Hot tapping ................................................................................................... 263
22.9 Controlling access to restricted areas ........................................................... 263
22.10 Re-classifying hazardous areas as non-hazardous ......................................... 263
22.11 Entry into machinery enclosures ................................................................... 264
22.12 Digital security on automation systems ........................................................ 264
22.13 Temporarily supported or suspended loads .................................................. 265
22.14 Draining operations ....................................................................................... 265
22.15 Pyrophoric scale ............................................................................................ 266
22.16 Abandoned in place (AIP) .............................................................................. 266
22.17 Working on tank roofs ................................................................................... 267
22.18 Retro-jetting .................................................................................................. 268
23 Managing locked valves .......................................................................................... 269
23.1 Types of locked valves .................................................................................. 269
23.2 Securing locked valves .................................................................................. 270
23.3 Tagging locked valves ................................................................................... 272
23.4 Locked valve movement ............................................................................... 273
23.5 Maintaining a locked valve register ............................................................... 274
23.6 Operational inspections................................................................................. 276
23.7 Interlocked valves and keys .......................................................................... 276
23.8 Maintenance of locked valves ....................................................................... 277
23.9 Modifying a locked valve register .................................................................. 277
24 Gas testing .............................................................................................................. 278
24.1 What checks to do before an authorised gas tester uses a gas detector ..... 279
24.2 How to maintain a gas detector .................................................................... 279
24.3 Limitations of portable gas detectors ............................................................ 279
24.4 Gas alarm limits............................................................................................. 281
24.5 Gas testing when purging and investigating leaks ........................................ 281
24.6 Carbon monoxide .......................................................................................... 281
24.7 Nitrogen ........................................................................................................ 282
24.8 Explosive or flammable limits ....................................................................... 282
24.9 Lower explosive limit and upper explosive limit of common gases .............. 283
24.10 The flashpoint for a liquid .............................................................................. 283
24.11 The narcotic effects of hydrocarbon vapours ................................................ 283
24.12 Toxic gases, vapours and asphyxiants .......................................................... 284
24.13 Hydrogen in analyser houses and systems ................................................... 284
24.14 Atmospheric testing for confined spaces...................................................... 285
24.15 Entry to a confined space with breathing apparatus for testing .................... 288

Page 8 of 361 Revision: B06

25 Leaks and seeps management ............................................................................... 290

25.1 Identifying leaks and seeps ........................................................................... 290
25.2 Managing leaks and seeps ............................................................................ 291
25.3 Classifying leaks and seeps .......................................................................... 291
25.4 Prove the leak or seep is stable. ................................................................... 292
25.5 Tagging and recording leaks and seeps ........................................................ 292
25.6 Monitoring leaks and seeps .......................................................................... 293
25.7 Using a FLIR camera ..................................................................................... 293
25.8 Surveys for methane fugitive emissions ....................................................... 293
25.9 Re-commissioning gas hydrocarbon systems ............................................... 293
26 Self-verification, assurance and audit ...................................................................... 294
26.1 Line personnel carry out self-verification....................................................... 294
26.2 Reviewing self-verification ............................................................................ 295
26.3 Deployed S&OR assurance ........................................................................... 295
26.4 OMS conformance levels.............................................................................. 296
26.5 Audits by Group Audit ................................................................................... 296
27 Performance management...................................................................................... 298
27.1 Dashboards ................................................................................................... 298
27.2 Web based reports........................................................................................ 298
28 Training and competence ........................................................................................ 299
28.1 Training ......................................................................................................... 299
28.2 Competence Assessment............................................................................. 299
28.3 Competence Assessors ................................................................................ 300
28.4 Appointing individuals to Control of Work roles ............................................ 301
28.5 Delegating roles ............................................................................................ 304
28.6 Revoking roles .............................................................................................. 305
Roles and responsibilities .................................................................................. 306
Site Authority (SA) ......................................................................................... 307
Area Authority (AA) ....................................................................................... 309
Issuing Authority (IA) ..................................................................................... 311
Performing Authority (PA) ............................................................................. 312
Isolating Authority (IsA) ................................................................................. 314
Authorised Gas Tester (AGT) ........................................................................ 315
Fire Watcher (FW) ......................................................................................... 316
TRA Facilitator ............................................................................................... 317
Site Electrical Leader..................................................................................... 318
Confined Space Entry Attendant (CSEA) ....................................................... 319
Functional Authorities ................................................................................... 320
Isolator .......................................................................................................... 320
Site Lifting Co-ordinator ................................................................................ 320

Page 9 of 361 Revision: B06

Leak Test SPA ............................................................................................... 321

LOLC Roles ................................................................................................... 322
CRT ............................................................................................................... 322
CoW Certificate Approver and non-eCoW roles ............................................ 323
HITRA tables ..................................................................................................... 324
HSE impacts levels ....................................................................................... 324
Business impact levels.................................................................................. 326
Energy sources ............................................................................................. 327
Risk matrix (Group 8x8) ................................................................................. 329
HITRA approval table..................................................................................... 330
Certificates ........................................................................................................ 331
Link to Isolation confirmation certificate ....................................................... 332
Link to Ground disturbance certificate .......................................................... 332
Link to Energised electrical work (Non-US) certificate .................................. 332
Link to Energised electrical work (US) certificate .......................................... 332
Link to Emergency response and rescue plan (ERRP) certificate .................. 332
Link to Abrasive task on live equipment certificate ....................................... 332
Link to Mechanical seal plug certificate ........................................................ 332
Link to Well handover certificate ................................................................... 332
Link to Pre-startup certificate ........................................................................ 332
Link to Ventilation plan certificate ................................................................. 332
Link to Pressurised habitat certificate ........................................................... 332
Link to Heavy equipment movement certificate ........................................... 333
Link to Cross-site boundary isolation certificate ............................................ 333
Link to Leak test certificate ........................................................................... 333
Checklists.......................................................................................................... 334
Link to Breaking containment checklist......................................................... 335
Link to Confined space entry checklist.......................................................... 335
Link to Confined space entry for water jetting checklist ............................... 335
Link to Ground disturbance checklist ............................................................ 335
Link to Hot work open flame checklist .......................................................... 335
Link to Leak testing checklist ........................................................................ 335
Link to TRA checklist..................................................................................... 335
Link to Line walking checklist ....................................................................... 335
Link to Working at height checklist ............................................................... 335
Link to Over side working checklist .............................................................. 335
Link to Isolation checklist .............................................................................. 335
Link to LTI – Engineering review checklist .................................................... 335
Paper Backup .................................................................................................... 336
Paper backup ................................................................................................ 336

Page 10 of 361 Revision: B06

Safety override risk assessment (SORA) ...................................................... 337

Permit register .............................................................................................. 337
Isolation register............................................................................................ 337
Locked valve register .................................................................................... 337
Site CSE Register .............................................................................................. 338
Applicability guidance for GPO activities ........................................................... 339
Locked valve categories .................................................................................... 340
Hazardous and non-hazardous process fluids and utilities .................................. 345
Tasks that an AA can delegate........................................................................... 346
Measuring airflow through a vessel .................................................................. 347
Temporary Ladders............................................................................................ 349
References ....................................................................................................... 356
Previous Reviewers .......................................................................................... 360

Tables

Table 1 - Flag conditions influencing the likelihood of errors ............................................. 51

Table 2 - CoW requirements to be checked at planning gates .......................................... 58
Table 3 - An overview of Control of Work requirement ..................................................... 63
Table 4 - Minimum task risk assessment approval levels .................................................. 63
Table 5 - Permit 10 life cycle states ................................................................................... 64
Table 6 - Examples of non-permit work ............................................................................. 66
Table 7 - Examples of when SOPs or RAPs may be used without a permit ...................... 68
Table 8 - Examples of when a low risk permit may be used.............................................. 70
Table 9 - Examples of when a cold work permit may be used .......................................... 71
Table 10 - Examples of when a breaking containment permit may be used...................... 71
Table 11 - Examples of when a hot work spark potential permit may be used.................. 72
Table 12 - Examples of when to use a hot work open flame permit ................................. 73
Table 13 - Examples of confined space ............................................................................. 74
Table 14 - Toolbox talk guidelines ...................................................................................... 83
Table 15 - PA Feedback in eCoW ...................................................................................... 89
Table 16 - Risk assessment characteristics ....................................................................... 95
Table 17 - Controls ............................................................................................................. 97
Table 18 - Level 1 TRA process ......................................................................................... 98
Table 19 - Level 2 TRA process ....................................................................................... 100
Table 20 - Mandatory Level 2 risk assessment................................................................ 103

Page 11 of 361 Revision: B06

Table 21 - Managing temporary overrides ....................................................................... 108

Table 22 - When an ORA is required................................................................................ 113
Table 23 - Design and build requirements for habitats..................................................... 126
Table 24 - Requirements when using a habitat ................................................................ 128
Table 25 - Isolating authorities ......................................................................................... 130
Table 26 - IDP design considerations and prompts .......................................................... 132
Table 27 - Minimum process valve isolation standards.................................................... 145
Table 28 - Pulsation dampener non-conformant RA prompt ............................................ 160
Table 29 - Voltage classification ....................................................................................... 161
Table 30 - Minimum electrical isolation standards ........................................................... 162
Table 31 - Commonly used devices for subsea isolations ............................................... 171
Table 32 - Process hazards .............................................................................................. 179
Table 33 - Worksite hazards............................................................................................. 179
Table 34 - Task hazards.................................................................................................... 180
Table 35 - Potential Restricted Spaces ............................................................................ 189
Table 36 - Oxygen end points for purging into service .................................................... 195
Table 37 - Certificate approvals........................................................................................ 209
Table 38 - Selecting test medium, pressure and acceptance criteria ............................... 229
Table 39 - Designated pin flag or marker colours ............................................................. 244
Table 40 - Excavation slope requirements ....................................................................... 245
Table 41 - Guardrails and barriers .................................................................................... 253
Table 42 - Approach boundaries (AC systems) ................................................................ 257
Table 43 - Approach boundaries (DC systems) ................................................................ 257
Table 44 - Managing locked valves .................................................................................. 271
Table 45 - Locked valve categories .................................................................................. 274
Table 46 - Locked valve register ...................................................................................... 275
Table 47 – Confined Space Entry (CSE) criteria ............................................................... 289
Table 48 – Leaks and seeps............................................................................................. 291
Table 49 – Leak classification .......................................................................................... 292
Table 50 – Self-verification, assurance and audit summary ............................................. 294
Table 51 – OMS conformance summary ......................................................................... 296
Table 52 – CoW assessor requirements98 ........................................................................ 301
Table 53 – Role assignment criteria99............................................................................... 303
Table A.1 – R&R Site Authority ........................................................................................ 307
Table A.2 – R&R Area Authority ....................................................................................... 309

Page 12 of 361 Revision: B06

Table A.3 – R&R Issuing Authority ................................................................................... 311

Table A.4 – R&R Performing Authority ............................................................................ 312
Table A.5 – R&R Isolating Authority ................................................................................. 314
Table A.6 – R&R Authorised Gas Testers ........................................................................ 315
Table A.7 – R&R Fire Watcher ......................................................................................... 316
Table A.8 – R&R TRA Facilitator ...................................................................................... 317
Table A.9 – R&R Site Electrical Leader ............................................................................ 318
Table A.10 – R&R Confined Space Entry Attendant ........................................................ 319
Table A.11 – R&R Functional Authorities ......................................................................... 320
Table A.12 – R&R Isolator ................................................................................................ 320
Table A.13 – R&R Site Lifting Co-ordinator ...................................................................... 320
Table A.14 – Leak Test SPA............................................................................................. 321
Table A.15 – LOLC Roles ................................................................................................. 322
Table A.16 - CRT .............................................................................................................. 322
Table A.17 - CoW Certificate Approver and non-eCoW roles........................................... 323
Table B.1 - HITRA HSE impacts levels ............................................................................. 324
Table B.2 - HITRA Business impacts levels ..................................................................... 326
Table B.3 - HITRA Energy sources................................................................................... 327
Table B.4 - Risk matrix (Group 8x8) ................................................................................. 329
Table B.5 - Approval table ................................................................................................ 330
Table C.1 - Isolation confirmation certificate .................................................................... 332
Table C.2 - Ground disturbance certificate ....................................................................... 332
Table C.3 - Energised electrical work certificate (Non-US) ............................................... 332
Table C.4 - Energised electrical work certificate (US) ...................................................... 332
Table C.5 - Emergency response and rescue plan certificate .......................................... 332
Table C.6 - Abrasive task on live equipment certificate ................................................... 332
Table C.7 - Mechanical seal plug certificate ..................................................................... 332
Table C.8 - Well handover certificate ............................................................................... 332
Table C.9 - Pre-startup certificate .................................................................................... 332
Table C.10 - Ventilation plan certificate ............................................................................ 332
Table C.11 - Pressurised habitat certificate...................................................................... 332
Table C.12 - Heavy equipment movement certificate ...................................................... 333
Table C.13 - Cross-site boundary certificate .................................................................... 333
Table C.14 - Leak test certificate ..................................................................................... 333
Table D.1 - Breaking containment checklist ..................................................................... 335

Page 13 of 361 Revision: B06

Table D.2 - Confined space entry checklist ...................................................................... 335

Table D.3 - Confined space entry checklist for water jetting ........................................... 335
Table D.4 - Ground disturbance checklist ........................................................................ 335
Table D.5 - Hot work open flame checklist ...................................................................... 335
Table D.6 - Leak testing checklist .................................................................................... 335
Table D.7 - TRA checklist ................................................................................................. 335
Table D.8 - Line walking checklist .................................................................................... 335
Table D.9 - Working at heights checklist.......................................................................... 335
Table D.10 - Over side working checklist......................................................................... 335
Table D.11 - Isolation checklist ........................................................................................ 335
Table D.12 - LTI – Engineering review Isolation checklist ................................................ 335
Table F.1 - Site confined space entry (CSE) register ........................................................ 338
Table G.1 - Applicability guidance for GPO activities ....................................................... 339
Table H.1 - Locked valve categories ................................................................................ 340
Table I.1 - Hazardous and non-hazardous process fluids and utilities .............................. 345
Table J.1 - Tasks that an AA can delegate ....................................................................... 346
Table L.1 - Temporary equipment examples101 ................................................................ 349
Table L.2 - additional requirements for all temporary ladders101 ....................................... 350
Table L.3 - additional requirements for accessing scaffold101 ........................................... 351
Table L 4 - additional recommendations for accessing scaffold 101 .................................. 353
Table L.5 - Additional requirements for using extension or straight ladders101 ................ 353
Table L.6 - Additional recommendations for using extension or straight ladders101 ......... 354
Table L.7 - Additional recommendations for performing work from a platform ladder101 . 354
Table L.8 - Additional requirements for performing work from a ladder101 ....................... 355
Table M.1 - References ................................................................................................... 356
Table N. 1 - Previous Reviewers of version B05, October 2017 ...................................... 360

Figures

Figure 1 - Core CoW role hierarchy .................................................................................... 46

Figure 2 - Hazard and control format.................................................................................. 49
Figure 3 - Upstream Control of Work (CoW) eight-step process ....................................... 55
Figure 4 - Permit life cycle flow ......................................................................................... 65
Figure 5 - Site visit and TBT flowchart ............................................................................... 80
Figure 6 - Hierarchy of controls .......................................................................................... 96
Figure 7 - Hot work open flame (HWOF) TRA approval flowchart ................................... 121

Page 14 of 361 Revision: B06

Figure 8 - Example of multi-hasp for use on an electrical isolation .................................. 137

Figure 9 - Isolation tags.................................................................................................... 142
Figure 10 - Positive isolation – typical installation drawing............................................... 148
Figure 11 - Valved isolation – double block and bleed isolation........................................ 149
Figure 12 - Valved isolation – single valve isolation .......................................................... 150
Figure 13 - Double block and bleed isolation integrity test (two valves) .......................... 154
Figure 14 - Isolation integrity test (BP-Approved double sealed, single valve) ................. 155
Figure 15 - Single valve isolation integrity test................................................................. 156
Figure 16 - Example temporary guardrail for CSE entry point. ......................................... 187
Figure 17 - Five-part tag for broken joint tagging ............................................................. 197
Figure 18 - Working at height flowchart........................................................................... 200
Figure 19 - Selecting test method ................................................................................... 228
Figure 20 - Example layout for purging and leak testing using temporary equipment ..... 237
Figure 21 - Ground Disturbance overview ....................................................................... 248
Figure 22 - Excavation tags and tag holder ...................................................................... 249
Figure 23 - Marking lines or cable for cutting................................................................... 260
Figure 24 - Tags for locked valves ................................................................................... 272
Figure 25 – Methane lower explosive limit (LEL) and upper explosive limit (UEL) ........... 282
Figure 26 – Lower explosive limit (LEL) and upper explosive limit (UEL) for common gases
................................................................................................................................ 283
Figure 27 – Narcotic effects of hydrocarbon vapours ...................................................... 284
Figure 28 – Atmospheric testing a confined space .......................................................... 287
Figure 29 – An example leaks and seeps tag................................................................... 293

Page 15 of 361 Revision: B06

Foreword

This is the sixth issue of BP Procedure Upstream Control of Work (100340). This BP Procedure
incorporates the following changes:

• Clarifications on use of knowledge base (8.8), isolating to highest reasonably

practicable standard (14) and isolating of radioactive sources (14.27).
• The frequency of long term isolation (LTI) engineering reviews moved to risk based
and using SV protocol.
• New section (17.11) providing more detail in the use of temporary ladders with
supporting details in Table L.1.
• Additional guidance on leak testing with high pressure gas (19.20).
• Clarification on ground disturbance (21) and addition of flowchart to simplify
understanding.
• Self-verification (26) updated include three quality assessment and LTI protocols
• Training and competency (28) updated to provide more specific criteria for
assessors and nomination of roles.
• Annexes updated to align with changes listed above.

Introduction

An effective and systematic Control of Work (CoW) process promotes a work environment
where a task or activity can be completed safely and efficiently, without unplanned loss of
containment and without harm to people or the environment, or damage to plant or
equipment.

BP Procedure Upstream Control of Work (100340) describes how to manage and implement
CoW. It describes how to do this in a standard and structured way that meets applicable group
and Upstream CoW Practices set out in section 2 below. It is intended that BP Procedure
Upstream Control of Work (100340):

• is adopted, over a transition period and following the appropriate Management of

Change (MoC) procedures, across the BP Upstream operating functions to which it
applies, and
• replaces existing local CoW procedures and practices.
By adopting and following BP Procedure Upstream Control of Work (100340), each site will
conform to all the requirements in the group and segment defined practices on CoW that
apply and meet the BP Golden Rules of Safety (or IOGP Life Saving Rules where applicable).

Page 16 of 361 Revision: B06

1 Scope and exclusions

1.1 Where this procedure applies
BP Procedure Upstream Control of Work (100340) applies to the BP Upstream operating
functions: Global Operations Organisation (GOO), Global Wells Organisation (GWO) and
Global Projects Organisation (GPO). It does not apply to Operated-By-Others (OBO)
facilities or to Non-Operated Joint Ventures (NOJVs).
It covers all CoW activities at the following facilities and assets:
• GOO operated sites
• GWO owned rigs and surface equipment
• GWO contractor-operated rigs and equipment unless a bridging document is in
place
• Brownfield projects executed by GPO at GOO operated sites
• GPO controlled sites where the contract strategy specifies using a BP CoW
system, rather than the contractor’s safety management system.

1.2 Where GPO use a contractor’s CoW process

The applicability matrix in Annex G provides guidance on GPO scenarios and whether a
contractor’s or BP’s CoW process would typically be used. Factors to consider in this
decision are as follows:
• Who is contractually in control of the worksite?
• Who is competent to manage the type of risk that is presented by the work?
• How will simultaneous operations (SIMOPS) between the project worksite and a
BP-operated site be managed?
In cases such as greenfield construction work or a BP warehouse that are managed by a
third party, the choice of which CoW process to use is risk based and documented by
the operating entities involved. This decision will be reflected in the contract strategy for
that work and in bridging documents.
When GPO uses the contractor’s safety management system, GPO completes a gap
assessment to Verify that the contractor’s system meets BP’s requirements.
BP monitors contractor performance against BP requirements during work execution
through oversight of the contractor’s self-verification process.

1.3 Regulatory requirements

If BP Procedure Upstream Control of Work (100340) conflicts with any legal and
regulatory requirements, comply with the higher standards.
If BP Procedure Upstream Control of Work (100340) creates a higher obligation, follow
this BP Procedure and comply with legal and regulatory requirements that apply.
BP Procedure Upstream Control of Work (100340) applies globally so it has not been
specifically designed to meet legal or regulatory requirements in any particular
jurisdiction. However, following BP Procedure Upstream Control of Work (100340) will
usually support legal and regulatory compliance in relation to controlling the risks of work
activities (for example application of the As Low As Reasonably Practicable (ALARP)
principle in the UK).

Page 17 of 361 Revision: B06

2 References
2.1 Required references
The following documents are referenced in one or more requirements in this document.
For dated references, only the version cited applies. For undated references, the latest
version of the referenced document (including any amendments) applies.
Hyperlinks are provided to the libraries where the documents are published.

ETP Library
GP 06-29 Corrosion Protection during Hydrotesting
GP 32-20 Site Inspection, Testing, and Commissioning of Plant
GP 32-40 In-Service Pressure Testing – Common Requirements
GP 42-10 Piping Systems (ASME B31.3)
GP 43-46 Guidance on Practice for Pipeline Hydro-test and Pre-
commissioning
GP 43-50 Pigging, Pig Launchers, and Receivers
EP-GIS 62-016 Specification for Ball, Plug, and Other Quarter Turn Valves –Common
Requirements

GOO Library
GOO-OL-PRO-00001 BP Procedure Organisational Learning in GOO (100033)
GOO-GE-PRO-00001 BP Procedure Global Operations Organization: Risk Management
(100243)
GOO-GE-PRA-00001 BP Practice Self-verification in GOO (100536)
GOO-PM-GLN-00011 BP Guide Build it Tight Flange Management Guide (100577)
GOO-OP-PRO-00004 BP Procedure GOO Electrical Safety Rules (100610)
GOO-GE-PRO-00003 BP Procedure Management of Change (100544)

GPO Library
GPO-PC-PRO-00025 GPO Project Services Planning and Scheduling Procedure
GPO-LE-PRO-00001 BP Practice GPO Organisational Learning
GPO-CG-GLN-00009 GPO Joint Integrity Tightness Testing Guide

GWO Library
100023 BP Practice Well Handover
100218 BP Practice Pressure Testing (10-45)
100222 BP Practice Well Barriers (10-65)
100373 BP Procedure GWO Organisational Learning

OMS Library
GDP 4.5-0001 Group Defined Practice Control of Work
500080 BP Practice Management of Lifting Operations and Lifting Equipment
500102 BP Practice Control of Work Integrated Practice
100241 BP Practice Diving
GDP 5.3-0001 Design and Operating Limits

Page 18 of 361 Revision: B06

EP SG 5.3-0003 Design and Operating Limits

100578 BP Procedure Activity Integration

2.2 Informative references

Unless stated otherwise in the content of this document, reference to the documents
below is for information. Specific sections of the referenced documents will be given in
the content of this document if conformance is required.

ETP Library
GP 06-29 Corrosion Protection during Hydrotesting
GP 12-60 Hazardous Area Electrical Installations
GIS 18-023 In-Service Welding and Material Specification for Hot Tap Fittings.
GP 30-47 Alarm System Design and Management
GP 30-81 Safety Instrumented Systems (SIS) Operations and Maintenance
GP 42-32 Flanged Joints - repair
GP 44-40 Design for Isolation of Equipment for Maintenance and
Emergency
GP 44-60 API RP 500 Area classification
GP 44-65 Area classification (IP15)
GP 48-03 Layer of Protection Analysis (LOPA)
EP-GP-28-01 Flexible Hose Assemblies
EP GP 62-01 Valves
EP-GIS 62-016 Specification for Ball, Plug and Other Quarter-turn Valves –
Common Requirements.
GP 44-70 Overpressure protection systems
GP 60-20 Inert gas systems
GP 44-31 Design and Location of Occupied Portable Buildings in Onshore
and Offshore Facilities

OMS Library
GG 3.1-0002 Hazard Identification and Task Risk Assessment (HITRA)
RCD 3.1-0001 S&OR Barrier Families
GG 8.2-0001 Assessment and audit: Self-verification Programmes
RCD 4.4-0001 Group HSE Definitions
GDP 4.5-0002 BP Practice Use of Temporary Ladders

GOO Library
GOO-OP-PRO-00003 BP Procedure Site Manager (OIM/OSM) Appointment (100466).
GOO-LI-PRO-00001 BP Procedure GOO Asset 500 Meter Zone (100657)

GPO Library
GPO-PC-PRO-00025 GPO Project Services Planning and Scheduling Procedure

GWO Library
100251 BP Practice GWO Safety Management System Bridging

Page 19 of 361 Revision: B06

Other references
RD001-SP-GLN-800 Ground Disturbance – Survey & Geospatial Guideline RD001-SP-
GLN-800-00003951

Industry standard
EEMUA 182 Specification for integral block and bleed valve manifolds
for direct connection to pipework
API RP 14C Analysis, Design, Installation, and Testing of Safety Systems for
Offshore Production Facilities
API 6D Specification for Pipeline and Piping Valves
API Standard 609 Butterfly Valves: Double-flanged, Lug-and Wafer-type
OSHA 1910.147 Control of hazardous energy (lockout/tagout)
PAS 128-2014 Specification for underground utility detection, verification and
location
IEC 60038:2009 IEC standard voltages
IEC 60529 Degrees of protection provided by enclosures
IEC 60898 Parts 1 & 2: Electrical accessories – circuit-breakers for
overcurrent protection for household and similar installations
IEC 60947 Part 2: Low-voltage switchgear and control gear - circuit breakers
IEC 60947 Part 3: Low-voltage switchgear and control gear - switches,
disconnectors, switch disconnectors and fused combination units
IEEE C37.13 IEEE Standard for low-voltage AC power circuit breakers used in
enclosures
UL1066 UL standard for safety low-voltage AC and DC power circuit
breakers used in enclosures
UL489 UL standard for safety moulded-case circuit breakers, moulded-
case switches and circuit breakers
NEMA C84.1 American National Standard for Electric Power Systems and
Equipment—Voltage Ratings (60 Hz)
NEMA 250 Enclosures for Electrical Equipment (1000 Volts Maximum)
NFPA70E Electrical Safety in the Workplace
BS EN 795 Personal fall protection equipment. Anchor devices

2.2.1 Additional site or regional documents

To support full conformance with this BP Procedure, the site or region may use
additional site or regional documents to cover the following subjects where relevant.
• Scaffolding
• Ladders
• Chemical risk management (includes: SDS chemical inventory, chemical approval
process and chemical risk assessment)
• Managing asbestos
• Hot and odd bolting
• Hot tapping
• Lifting

Page 20 of 361 Revision: B06

• Manual handling
• Low specific activity (LSA) and naturally occurring radioactive material (NORM) and
radiation source management
• Thermal environment
• Noise management
• Hand-arm and whole-body vibration
• Rope access
• Fatigue management
• Human Performance

Page 21 of 361 Revision: B06

3 Terms and definitions

For the purpose of this BP Procedure, the following terms and definitions apply:

Affected Worker
An employee whose job requires the person to operate or use a machine or equipment on
which servicing, or maintenance is being performed under lockout or tagout, or whose job
requires the person to work in an area in which such servicing or maintenance is being
performed.

Alteration (with respect to section 19)

A physical change in any component that has design implications that affect the pressure
containing capability. This includes modifications that require cutting into or welding onto the
pressure boundary of an existing system.

An alteration includes but is not limited to:

• welding onto a piping system

• installation of a cold work connector.
An alteration excludes:

• replacing gasket and bolts

• replacement of an existing pipe support with a bolted pipe support
• repair of a pipe support that does not involve welding onto the pressure boundary
• replacing a flanged spool or valve with a previously hydrostatically tested
component.

Approve
Confirmation that the content of a document (for example a procedure or risk assessment) is
accurate and meets BP’s needs.

Area
A BP entity-operated and controlled site is split up into areas to manage CoW. Each area is
under the control of a single Area Authority (AA) and is geographically separate so that
SIMOPS with another adjacent area is not an issue for the majority of tasks being executed.

Area Authority (AA)

A central figure in the CoW process who manages, authorises and controls the CoW activities
including SIMOPS in their designated area.

Arc Flash
The rapid release of energy during an arcing fault between electrical conductors.

Auditing
A formal or official examination and verification (for example of a process or task). Auditing
includes monitoring, reviewing and reporting on the audits outcome to the people who can
implement any changes needed.

Page 22 of 361 Revision: B06

Authorise
A formal process to give permission to use a document or process (for example a permit or
previously approved procedure).

Automation systems
Collection of hardware and software that supports the safe, secure and reliable operation of an
industrial process by making data available to personnel and taking pre-configured actions in
response of data inputs.

BP entity
An organisational unit within BP such as GOO, GPO, or GWO.

BP-operated site
A BP site that performs field operations, handling hydrocarbons or operating machinery and
applying BP’s Operating Management System (OMS).

BP Procedure
A document type that contains BP Requirements set out in ‘shall’ statements that focus on
how something in a BP Policy or BP Practice is done.

Breaking containment
The opening of any system for any reason, including inspection, repairs or modifications,
where there is a risk from egress of toxic, flammable or otherwise hazardous materials
(including consideration of pressure, volume and temperature).

Brownfield site
A BP-operated site that has commissioned operating plant or plants, systems, equipment and
facilities where GOO, GWO, and GPO activities can be conducted. A brownfield site is
normally a GOO-controlled site.

Bump Test
The process of briefly exposing sensors in a gas detector (personal and portable) to an
expected concentration of gas that is greater than the alarm set points to check for sensor and
alarm functionality.

Competence
The ability to perform responsibilities to a defined standard and is demonstrated by application
of relevant individuals’ knowledge, skills and behaviours at the required competence profile for
a role.

Confined space
A space that meets all the following criteria:

• is large enough for an individual to enter fully

• has a limited or restricted means of entry or exit
• is not designed for continuous occupancy by the individual.
All confined space entries require permits to be issued in accordance with section 15.

The practice of cutting openings in tanks does not necessarily justify declassifying the
tank as a confined space. The practice of cutting openings in tanks involves assessing
the entry or exit limitations and restrictions before the tank can be declassified.

Page 23 of 361 Revision: B06

Confined space entry (CSE)

Entry occurs as soon as any part of the entrant’s body breaks the plane of an opening into a
confined space.

Control centre
The location from where a site, plant, equipment or facility is controlled, co-ordinated or
monitored.

Controls
The term used by Hazard Identification and Task Risk Assessment (HITRA) to include both
controls and mitigations. Controls are intended to reduce the risk of an event occurring,
mitigations are intended to reduce the impact if the event occurs.

Control of Work (CoW)

An approved management system that is used to control work in a safe manner.

Created opening
Any opening where:

• gratings, handrails, stair treads or kicker plates have been removed from structures,
or
• damaged structures create a potential risk of falls or dropped objects, or both.
This includes equipment removal, hatches, trap doors, manholes, access ways and voids
larger than 0.3m (12in) square.

Critical equipment
Equipment considered to typically be involved in preventing or mitigating scenarios with
unmitigated severities for health, safety and environmental impacts greater than or equal to
level E in accordance with BP Risk Policy and that aligns with the S&OR Group Barrier Families
(RD 3.1-0001).

Designated worker - used in US only

A Performing Authority (PA) who has taken on the additional responsibility to protect the
safety of other workers in their work group. The designated worker verifies any applicable
energy isolation (safe-out) is in place and assumes full responsibility for the safety of the
workers in their group by using their personal lock and allowing them to work under the
protection of their personal lock.

Electronic Management of Change (eMoC)

In the context of this Procedure, eMoC refers to management of change via the application of
the eMoC Tool.

Emergent work
Any new work, as defined by a work management system. Any opportunistic, discovered or
break-in work and any other unscheduled work or activity.

Energy system
Systems that contain energy (for example pressure, thermal, chemical, hydraulic, mechanical,
electrical, potential and pneumatic).

Page 24 of 361 Revision: B06

Energised electrical work

Work or testing that meets either of the following criteria:

• on or in close proximity to exposed energised conductors (>50 V ac or dc)

• involves interaction with equipment where an increased likelihood of injury from an

exposure to an Arc Flash hazard exists.

Exposed (as applied to live parts)

Capable of being inadvertently touched or approached nearer than a safe distance by a person.

General or dilution ventilation

The introduction of outside air into a space through mechanical means such as fans, air
movers or eductors. It is appropriate to manage general air quality, thermal comfort and dilute
non-toxic substances.

GOTCHA
System for retrieving a suspended person.

GOO or GWO or GPO contractor-controlled site

A fabrication or construction yard, contractor workshop or a GPO greenfield site where BP has
authorised the contractor through contractual agreement to execute and manage CoW under
the contractor’s safety management system.

GOO operated site

A site with live hydrocarbon process and utility facilities, or commissioned equipment operated
by GOO.

GPO controlled site

A GPO site where there is no hydrocarbon production and where areas designated as
hazardous hydrocarbon areas are free of hydrocarbon, i.e.:

• a GPO greenfield site during construction through the commissioning phase with
interfaces to live utility systems applying the Upstream CoW Procedure
• a GPO greenfield site within or adjacent to an operating site (for example an
onshore plant expansion until tie-in to existing site operating plant and systems)
• a brownfield site verified hydrocarbon-free and formally handed over to GPO by
MoC, system handover management (SHM) or start-up management certificate.

Greenfield site
A site that is physically separate from a GOO-operated site and has not been subject to
hydrocarbon operations; typically, a construction site.

Gross leak test

Tightness test using air or nitrogen at low pressure to identify large leaks.

Page 25 of 361 Revision: B06

Ground disturbance
A man-made cut, cavity, trench, or depression made in the ground by removing the covering
material (for example earth or concrete) that is:

• deeper than 0.3m (12in) if made with hand tools (for example shovels and spades),
or
• any depth if made with mechanical equipment, or sharp tools (e.g. picks, spikes,
chisels).

Ground fault circuit interrupter (GFCI)

Also called ground fault interrupter (GFI) or residual current device (RCD) is a device that shuts
off an electric power circuit when it detects that current is flowing along an unintended path,
such as through water or a person.

Guarded
Covered, shielded, fenced, enclosed or otherwise protected by suitable covers, casings,
barriers, rails, screens, mats, or platforms to remove the likelihood of approach or contact by
person or objects to a point of danger.

Handover
The detailed review (and communication process) of an operating unit’s status, condition and
ongoing work that is supported with a sign-off document.

Hazard
Condition or practice with the potential to cause harm to people, the environment, property, or
company reputation.

Hazardous area
A location where fire or explosion hazards could exist due to flammable gases or vapours,
flammable liquids, combustible dust or ignitable fibres (refer to GP 12-60, GP 44-60, GP 44-61
and GP 44-65).

Hazardous fluid
Fluid able to cause harm as a result of its physical and/or conditional properties
(e.g. flammable, toxic, high pressure, high temperature).

Hazardous material
Material able to cause harm because of its physical and/or conditional properties (for example
flammable, toxic, corrosive, high pressure, high temperature).

Hot work
Work that involves either creating or using a flame, spark or energy discharge that could act as
the ignition source for a fire or explosion.

Human Performance
Understanding how people interact with each other, plant and processes as part of a system
to help manage risk and keep safe.

Human Factors
Physical, psychological and social characteristics that affect human interaction with plant and
processes.

Page 26 of 361 Revision: B06

Hydrostatic test
Pressure or tightness test using liquid, such as water, as the test medium.

Impact
Estimate of the consequences were a risk event to occur.
The word severity is commonly used in place of impact and has the same meaning in BP
Procedure Upstream Control of Work (100340) and training modules.

In-service leak test

Leak test using the process medium.

Interruption
A break in work (for example for coffee, prayer, smoke and lunch breaks, fire alarms,
suspending work overnight, process upsets, emergency situations or shift changes).

Intrusive
Any action that has the potential to affect the process operation or compromise the integrity of
the system. Examples include:

• applying overrides
• breaking containment (BC)
• exposure to electrical, pneumatic or other energy sources
• opening or breaking seals on any instrument, junction box or equipment
• disassemble for repair or maintenance purposes.
The following are examples of non-intrusive activity:

• line walking, measurement, surveying, drawing checks

• use of surface temperature/vibration probes
• use of cameras or thermal measurement devices
• attaching or detaching tags or labels.

Isolation
The secure and proven separation of plant and equipment from every source of energy
(i.e. pressure, electrical and mechanical).

Job
A series of tasks that are typically performed in sequence to complete a piece of work.

Leak - liquid
A liquid release is classified as a leak if dripping at a rate of four (4) or more drips per minute.

Leak - gas or vapour

A gas or vapour release is classified as a leak if a portable gas detector reads 20% lower
explosive limit (LEL) or more at a distance of 10cm (4in) downwind of the release.

Likelihood
Estimate of the probability or frequency of a risk event occurring.

Page 27 of 361 Revision: B06

Limited approach boundary

An approach limit at a distance from an exposed energised electrical conductor or circuit part
within which a shock hazard exists. This matches the definition of this term in NFPA70E.

Live equipment
Equipment that is in operation and is therefore a source of energy:

• in the form of electricity, process fluids, radioactive sources or hydraulic or

pneumatic pressure
• that could be released or discharged in an uncontrolled manner if an incident
occurred.

Local exhaust ventilation (LEV)

An engineering control to reduce exposures to airborne contaminants such as dust, mist,
fume, vapour or gas in the workplace. An LEV is designed, maintained and tested appropriate
for the task and type of contaminant to be removed at source.

Lock
A mechanical device, either key or combination type, that holds an energy-isolating device in
the safe position, usually to prevent the machine or equipment energising.

Lockbox method
A box that can be locked closed so that the contents inside the box cannot be removed
without first removing a lock or locks. A lockbox is used for lockout and tagout methods to
control the keys for multiple energy sources and multiple workers.

Locking device
A device that utilises a positive means such as a lock, either key or combination type, to hold
an energy isolating device in the safe position and prevent the energising of a machine or
equipment. A locking device is substantial enough to prevent removal without the use of
excessive force or unusual techniques (such as using bolt-cutters or other metal-cutting tools).

Lockout / tagout (US)

Term used in the US and is defined by the Occupational Safety and Health Administration
(OSHA) as:

• Lockout. The placement of a lockout device on an energy isolating device, in

accordance with an established procedure, ensuring that the energy isolating
device and the equipment being controlled cannot be operated until the lockout
device is removed.
• Lockout device. A device that utilises a positive means such as a lock, either key or
combination type, to hold an energy isolating device in the safe position and
prevent the energising of a machine or equipment. Included are blank flanges and
bolted slip blinds.
• Tagout. The placement of a tagout device on an energy isolating device, in
accordance with an established procedure, to indicate that the energy isolating
device and the equipment being controlled may not be operated until the tagout
device is removed.

Page 28 of 361 Revision: B06

• Tagout device. A prominent warning device, such as a tag and a means of

attachment, which can be securely fastened to an energy isolating device in
accordance with an established procedure, to indicate that the energy
isolating device and the equipment being controlled may not be operated until
the tagout device is removed.

Long-term isolation (LTI)

An isolation that is in place with no active work ongoing or planned.

Loss of primary containment (LOPC)

An unplanned or uncontrolled release of material from Primary Containment, including non-
toxic and non-flammable materials (e.g. steam, hot water, nitrogen, compressed CO2 or
compressed air). For more information, see RCD 4.4-0001 Group HSE Definitions.

Management of Change (MoC)

In the context of this Procedure, MoC refers to application of Management of Change
controlled via another central or regional BP Procedure and not the eMoC tool (see eMoC
definition).

May
Designates a permissive statement – an option that is neither mandatory nor specifically
recommended.

Mitigation
A mitigation reduces the impact (severity) of an incident if the top event occurs.

Monitoring
The regular inspection that a responsible and competent person performs to Verify activities
are progressing safely and are on course to meet the objectives and performance targets.

Operating tasks
Tasks performed by employees who run BP facilities and production units that require
interaction with the plant and equipment and are involved in the tasks that Verify ongoing plant
operations (e.g. taking samples or replacing filter elements).

Permit
A detailed document that contains the location, time, equipment to be worked on, hazard and
controls used and the names of those authorising the work and performing the work.

Planning
Identifying and sequencing work including what needs to be done to prepare for and complete
a task or work.

Plant
Land, building, and equipment.

Pneumatic test
A pressure or tightness test using gas, such as nitrogen or air, as the test medium.

Practicable
If a task is capable of being done, physically or using available technology regardless of cost.

Page 29 of 361 Revision: B06

Pressure test
A test performed to Verify the safety, reliability and leak tightness of pressure and piping
equipment. Any new pressure or pipeline systems, or those that have undergone repair or
alteration is pressure tested to the original code of construction.

Procedure
A detailed document, either paper or electronic, that sets out sequential or parallel actions that
employees follow when they are performing a task. Also known as a site or standard operating
procedure.

Process
A detailed description of a management system or a production operation.

Reasonably practicable
That which is, or was at a particular time, reasonably able to be done to ensure health and
safety, taking into account and weighing up all relevant matters including:

• the nature of the hazard or risk

• the likelihood of it occurring
• other risk management measures in place, and
• whether the resources (e.g. time, expertise, available technology), to implement
additional measures are disproportionate with the risk reduction they are
anticipated to deliver.

Regular (where referring to tasks)

Indicates actions that occur frequently enough to confirm the ongoing safety of the workforce.
For some tasks, this might be every year, while for others it could be every few minutes.

Residual risk
The level of risk that remains after risk reduction measures (controls) are taken into account.

Respiratory protective equipment (RPE)

A term covering air-purifying respirators and supplied air or self-contained breathing apparatus
(SCBA).

Restricted approach boundary

An approach limit at a distance from an exposed energised conductor or circuit part within
which there is an increased likelihood of electric shock, due to electrical arc-over combined
with inadvertent movement, for personnel carrying out work. This matches the definition of
this term in NFPA70E.

Review
Checking the accuracy and suitability of a document’s content.

Risk
A measure of loss or harm - or both - to people, the environment, compliance status, group
reputation, assets, or business performance in terms of the product of the probability of an
event occurring and the magnitude of its impact.

Page 30 of 361 Revision: B06

Risk Assessment
Estimating the significance of a risk based on potential Impact and Likelihood.

Roles
The documented description of an individuals functions within a CoW structure.

Role Management System

Web based system for managing CoW role assignment, eCoW user access and competency
records.

Scheduling
Scheduling defines when the task can be done safely and efficiently.

Seep - liquid
A liquid release is classified as a seep if dripping at a rate of less than four (4) drips per minute.

Seep – gas or vapour

A gas or vapour release is classified as a seep if a portable gas detector reads less than 20%
lower explosive limit (LEL) at a distance of 10cm (4in) downwind.

Tell-tale signs of gas or vapour leaks and seeps are sound or smell; use soapy liquid to
locate small pinhole leaks. These can also be detected using a forward looking
infrared (FLIR) camera.

Shall
Designates a BP requirement, and is used in BP requirement documents only if it is
designating a BP requirement.

Shift change
The period during which one work shift stops working and another one starts.

Should
Designates a specific recommendation if conformance is not mandatory.

Simultaneous operations (SIMOPS)

Separate tasks or works that take place at the same time with the potential to impact on each
other.

Single Point of Accountability (SPA)

The person in the organisation who has been appointed as being responsible for the delivery
and performance of a task.

Site
A BP entity-operated and controlled facility or asset. A site is under the control of a single Site
Authority (SA) and is geographically separate so that SIMOPS with another adjacent site is not
an issue.

Site Electrical Leader

The locally appointed electrical person with accountability to Verify and approve electrical CoW
activities as defined by BP Procedure Upstream Control of Work (100340). Typical roles used
are Responsible Electrical Person (REP), Electrical Lead Engineer or Electrical Team Leader.

Page 31 of 361 Revision: B06

Subject Matter Expert (SME)

An acknowledged authority in a particular field.

Site Operating Procedure (SOP)

A site-specific version of a procedure.

Switching programme
A clearly identified sequence of operations on an electrical system that will safely achieve the
required objective while minimising any loss of supply.

System handover
The systematic and integrated approach to managing and completing all project phases
resulting in the handover of a system from one party and its acceptance by another.

Task
An action or series of actions in support of a piece of work.

Task risk assessment (TRA)

A means of identifying work-related hazards, assessing the possibility of those hazards being
realised, and defining the mitigating actions and controls required to reduce the risk.

Tightness test
A test that is performed to ensure overall leak tightness of the system’s mechanical
connections before the process medium is introduced.

Verify
Used when there is a requirement to confirm something has happened or been done. It can
consist of reviewing documents, questioning others or doing visual checks on site.

Verifying implies proving by comparison with an original or with established fact.

Synonyms include establishing, substantiating, authenticating, proving, checking,
testing or validating.

Work
An endeavour made up of several tasks.

Worker
A person who performs work tasks (maintenance or servicing) that would or potentially could
expose the person to the harmful effects of hazardous energy, requiring the equipment being
worked on to be isolated from the sources of hazardous energy. A worker is anyone who
applies a personal lock or tag to an energy isolation device, including a lockbox, if used.

Work planning
A systematic process of identifying and listing the work and determining the resources, such
as people and equipment, and how long activities will take.

Worksite
The location of the work or tasks

Page 32 of 361 Revision: B06

4 Symbols and abbreviations

AA Area Authority

AAA Affected Area Authority

AC Alternating Current

ACGIH American Conference of Governmental Industrial Hygienists

ACT Acceptance Criteria Table

AFAIT Above Fluid Auto-Ignition Temperature.

AGT Authorised Gas Tester

AIP Abandoned In Place

ALARP As Low As Reasonably Practicable

AOM Area Operations Manager

API American Petroleum Institute

APR Air Purifying Respirator

ASME American Society of Mechanical Engineers

ATC Abrasive Task Certificate

ATEX Appareils destinés à être utilisés en ATmosphères Explosives – EU minimum

safety requirements for equipment in explosive atmospheres

BA Breathing Apparatus

Barg Bar gauge

BC Breaking Containment

BDV Blowdown Valve

BIT Build It Tight

BPCS Basic Process Control System

BSEE Bureau of Safety and Environmental Enforcement

CDM Construction and Design Management

CFA Critical Fault Alarm

CHRA Chemical Health Risk Assessment

CO Carbon Monoxide

Page 33 of 361 Revision: B06

CO₂ Carbon Dioxide

CoW Control of Work

CRT Control Room Technician

CSE Confined Space Entry

CSEA Confined Space Entry Attendant

CSO / CSC Car Sealed Open / Car Sealed Closed

DBB Double Block and Bleed

DC Direct Current

DHSV Downhole Safety Valve

DPE Double Piston Effect

eCoW Electronic Control of Work System

ECP Excavation Competent Person

EEMUA Engineering Equipment and Material Users Association

EEWC Energised Electrical Work Certificate

ERRP Emergency Response and Rescue Plan

ERT Emergency Response Team

ESD Emergency Shutdown

ESDV Emergency Shutdown Valve

Ex ATEX certified electrical equipment for explosive atmospheres

F&G Fire and Gas

FLIR Forward Looking Infrared Camera

FW Fire Watcher

GDC Ground Disturbance Certificate

GFCI Ground Fault Circuit Interrupter

GOM Gulf of Mexico

GOO Global Operations Organisation

GPO Global Projects Organisation

GWO Global Wells Organisation

Page 34 of 361 Revision: B06

H&S Health and Safety

H2S Hydrogen Sulphide

HAZID Hazard Identification Process

HAZOP Hazard and Operability Study

HiPo High Potential

HITRA Hazard Identification and Task Risk Assessment

HMA Highly Managed Alarms

HP High Pressure

HP / LP High Pressure / Low Pressure Interface

HSE Health, Safety, and Environment

HVAC Heating, Ventilation and Air Conditioning System

HW Hot Work

HWOF Hot Work Open Flame

HWSP Hot Work Spark Potential

IA Issuing Authority

ICC Isolation Confirmation Certificate

IDLH Immediately Dangerous to Life or Health

IDP Isolation and De-isolation Plan

IEC International Electrotechnical Commission

IPL Independent Protection Layers

IRATA Industrial Rope Access Trade Association

IS Intrinsically Safe

IsA Isolating Authority

LC Locked Closed

LEL Lower Explosive Limit

LEV Local Exhaust Ventilation

LFL Lower Flammable Limit

LIP Local Implementation Plan

Page 35 of 361 Revision: B06

LNG Liquified Natural Gas

LO Locked Open

LO/LC Locked Open / Locked Closed

LoP Layer of Protection

LOPA Layers of Protection Analysis

LOPC Loss of Primary Containment

LP Low Pressure

LPG Liquified Petroleum Gas

LRP Low Risk Permit

L&S Leaks and Seeps

LSA Low Specific Activity

LTEL Long-Term Exposure Limit

LTI Long-Term Isolation

LVR Locked Valve Register

MAWP Maximum Allowable Working Pressure

MCB Miniature Circuit Breaker

MMS Maintenance Management System

MoC Management of Change

MODU Mobile Offshore Drilling Unit

MOV Motor-Operated Valve

MPSOP Maximum Potential System Operating Pressure

MTTR Mean Time to Repair

NEMA National Electrical Manufacturers Association

NFPA National Fire Protection Association

NGL Natural Gas Liquid

N2 Nitrogen

NIOSH National Institute for Occupational Safety and Health

NORM Naturally Occurring Radioactive Material

Page 36 of 361 Revision: B06

NPW Non-Permit Work

NRV Non-Return Valve

NUI Normally Unattended Installation

O2 Oxygen

OEL Occupational Exposure Limit

OIM Operations Installation Manager

OMS Operating Management System

OPPD Overpressure Protection Device

ORA Operational Risk Assessment

OSHA Occupational Safety and Health Administration

OSM Operations Site Manger

OSTL Operations Support Team Leader

P&ID Piping and Instrumentation Drawing

PA Performing Authority

PBU Pressure Build-Up

PCAH Polycyclic aromatic hydrocarbons

PFPE Personal Fall Protective Equipment

PID Photo-Ionisation Detectors

PPE Personal Protective Equipment

PRD Pressure Relief Device

Psig Pounds per square inch gauge

PSV Pressure Safety Valves

PTL Production Team Lead

RA Risk Assessment

RAP Risk Assessed Procedure

RBI Risk Based Inspection

RC Rescue Craft

RCD Residual Current Device

Page 37 of 361 Revision: B06

RMS Role Management System

ROV Remotely Operated Vehicle

RP Recommended Practice

RPE Respiratory Protective Equipment

RPS Radiation Protection Supervisor

RR Residual Risk

RRF Risk Reduction Factor

RV Relief Valve

S&OR Safety and Operational Risk

SA Site Authority

SABA Supplied Air Breathing Apparatus

SBV Subsurface Barrier Valve

SCBA Self-contained Breathing Apparatus

SCF Standard Cubic Foot

SCM Standard Cubic Meter

SCSSV Surface Controlled Subsurface Safety Valve

SDS Safety Data Sheet

SDV Shutdown Valve

SEMS Safety and Environmental Management Systems

SHM System Handover Management

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIMOPS Simultaneous Operations

SIS Safety Instrumented System

SLC Site Lifting Co-ordinator

SME Subject Matter Expert

SMS Safety Management System

SOL Safe Operating Limit

Page 38 of 361 Revision: B06

SOP Site or Standard Operating Procedure

SORA Safety Override Risk Assessment

SPA Single Point Accountable person

SRA Safety Related Alarm

SSV Surface Safety Valve

STEL Short Term Exposure Limit

STT Sanction to Test

SV Self-Verification

SVI Single Valve Isolation

TAR Turnaround

TBT Toolbox Talk

TRA Task Risk Assessment

TRAF Task Risk Assessment Facilitator

UEL Upper Explosive Limit

USCG United States Coast Guard

UPS Uninterruptable Power Supply

UXO Unexploded Ordinance

VAC Volts Alternating Current

VDC Volts Direct Current

VOC Volatile Organic Compounds

VP Vice President

WAH Working at Height

WBE Well Barrier Elements

WHC Well Handover Certificate

WOM Wells Operations Manager

WSL Well Site Leader

Page 39 of 361 Revision: B06

5 BP Requirements – Upstream Control of Work

5.1 Adopting this Upstream Control of Work procedure
Upstream operating functions shall adopt BP Procedure Upstream Control of Work
(100340) (referred to as ‘this Upstream CoW Procedure’ throughout this Procedure).

5.2 Control of Work requirements

The requirements and any associated recommendations for carrying out CoW
activities are set out in sections 5 to 28 of this Upstream CoW Procedure.

5.3 Roles, responsibilities and delegating authority

Upstream site organisations shall be structured to deliver the CoW roles as set out
in this Upstream CoW Procedure.
CoW roles and responsibilities are in Annex A.
On rare occasions, some of the CoW roles and responsibilities may be delegated,
split, or merged. In these circumstances, use an MoC process, and check anyone in
a CoW role is verified as competent.
Any delegating, splitting or merging of CoW roles and responsibilities shall be
subject to agreement by the relevant S&OR Regional Operations Authority and the
entity CoW Director.
The Area Authority (AA) shall be a BP employee or full-time equivalent (FTE)
contractor at the supervisory level.
The following delegations do not require an MoC:
The Area Operations Manager (AOM) may Approve the delegation of Site Lifting
Co-ordinator (SLC) role from Site Authority (SA) to another person who has achieved
the required level of competence, but the SA remains accountable. If delegation is
requested to a position outside the operation’s organisation, then approval will be
required from the VP Operations.
The SA may delegate authority when away from site. Authority can only be
delegated to someone who is competent in the CoW role. Record this delegation of
authority in the shift handover log.
Some onshore facilities do not have the SA on site on a 24-hour basis, so delegation
of authority may be regularly performed. Document this in the local implementation
plan (LIP).
If the SA is off-site and the task requires immediate intervention, the AA shall
contact the SA to discuss the task and seek authorisation or approval through
electronic Control of Work (eCoW) or by email from the SA.
An AA may delegate certain individual tasks to another competent AA or IA.
However, the accountability remains with the AA delegating the task. Tasks that can
be delegated are listed in Table J.1.
The Performing Authority (PA) delegates to another PA with the equivalent
competence if they cannot be present for CoW related activities (e.g. developing a
permit to work or taking part in a task risk assessment).

Page 40 of 361 Revision: B06

5.4 Transfer between Upstream entities

a. Document the handover of any CoW roles and responsibilities in an MoC if a GOO-
operated site, or part of a GOO-operated site, is handed over to a GPO-operated site
and this Upstream CoW Procedure still applies.
b. To transfer any CoW roles and responsibilities to or from GWO, use the well
handover process (see section 18.8 for more detail).

5.5 Bridging documents

a. BP requires that a bridging document be in place if:
a BP contractor carries out work at or adjacent to a facility or asset within the
scope of this Upstream CoW Procedure using the contractor’s safety
management system (SMS), or
the work will not be governed by the BP Control of Work system in place at
that facility or asset.
This bridging document governs the interface between the contractor’s work
management system and BP’s CoW system and requirements.
Examples of when a bridging document is required include the following:
• a GPO-controlled greenfield site when at or adjacent to a GOO-operated site
• a mobile offshore drilling unit (MODU) or jack-up with a GWO interface but no GOO
interface or connection to production or existing platforms (new wells)
• a contractor vessel working within a 500m1 zone of a GOO-operated offshore
facility
• subsea architecture when working on the surface or subsurface.
For more detail on bridging document content, refer to BP Practice GWO Safety
Management System Bridging (100251).
In GPO, complete gap assessments and bridging documents when the contractor’s
CoW process is used. Guidance is provided in GPO-HS-GLN-00013 BP Guide GPO
Personal Safety Guide.
Bridging documents shall include the following:
evidence that the risk assessment has been carried out for the work.
SA authorisation of the bridging or interface requirements, including SIMOPS
and any interface isolations (IDP)
identification of communication requirements (for example regular check-ins)
identified CoW roles and responsibilities, including isolation
CoW isolations and specific controls associated with diving, subsea, and wells
tasks
an assigned, accountable person for the CoW activity
a record of the interfaces and handovers.

Page 41 of 361 Revision: B06

6 Conformance and deviations

6.1 Conforming with and adopting this Upstream CoW Procedure
All sites and projects within the scope described at section 1.1:
determine the timing and implementation plan needed to adopt this Upstream
CoW Procedure in place of existing local CoW procedures
adopt this Upstream CoW Procedure in line with the conformance plan for
OMS Group Essential 4.5.1 and the BP Practice Control of Work (500102).
The implementation plan shall include:
adopting eCoW
authorising this Upstream CoW Procedure to be adopted for use on the sites in
place of the previous local CoW procedures through an LIP described in section
6.2
recording the change through a completed MoC.
The overall time frame for adopting this Upstream CoW Procedure across Upstream
is managed through OMS conformance plans, as adopting this Upstream CoW
Procedure is the required approach for conforming to BP Practice Control of Work
(500102).
The single point accountable person (SPA) role for the management of CoW
process in the BP entities are:
Head of Global Operations Organisation (GOO) with ‘agree’ by the VP S&OR,
GOO.
Head of Global Projects Organisation (GPO) with ‘agree’ by the VP S&OR, GPO.
Head of Global Wells Organisation (GWO) with ‘agree’ by the VP S&OR, GWO.

6.2 Local implementation

Adoption of this Upstream CoW Procedure by all sites and projects shall occur
through an LIP and will be maintained post go-live.
The CoW LIP shall include a direct link (hyperlink) to the Upstream CoW Procedure
in the OMS library and shall not change or replace any of its content.
The LIP is a single document that contains all regional or site-specific CoW
instructions or guidance – or both - which are not in this Upstream CoW Procedure
and may include the following:
logistical requirements (for example location of keys, management of
lockboxes, contact information, location of document storage)
regular delegation of authority
application of CoW roles to local organisational posts
local legislative or regulatory requirements
approved deviations not documented in eCoW
any non-conformance, including any requirements that may form a higher or
different standard
use of local prompt cards, checklists or certificates
location or links to items such as CSE register

Page 42 of 361 Revision: B06

site maps or plans (or links to these) showing the AAs Areas of responsibilities
and the physical limits for each Area.
An AOM will be appointed with regional accountability for the LIP and the GOO
Operations Director (CoW) shall Approve its content.
The region is responsible for keeping their LIP up-to-date. If any changes are
required, they send the proposed LIP to the GOO Operations Director (CoW) and if
Approved, this will be uploaded to the central site.
Regional LIPs are stored centrally and can be accessed here.

6.3 Local procedures

The documents listed as informative references in section 2.2.1 might reference
this Upstream CoW Procedure but shall not contradict it or add additional CoW
requirements.

6.4 How to use this Upstream CoW Procedure

The following approach has been applied through the document.

6.4.1 Bulleting structure

A section of text in black is information, facts, context or explanation. Any bulleting used
without an alphanumeric is expected to be read and understood but does not contain BP
requirements.
For example:
• Example of a non-requirement bullet.
Blue italics provides information that can be helpful.
Any text that is bulleted with either a letter, or a number as a sub-bullet of a letter, is a
BP requirement. Text that is bulleted in this way does not need the word ‘shall’ to be
considered a requirement. All of these bullets are treated as ‘shalls’ unless we
specifically use a ‘should’ or a ‘may’ within the bullet.
For example:
Example of a requirement bullet.
Detail or items forming part of the requirement.

6.4.2 Use of verbs

In this Upstream CoW Procedure, the electronic CoW tool (eCoW) and any associated
supporting and guidance documents, we have used the following verbs in the manner
defined below to help with clarity:
Approve: Used when we expect you to confirm that the content of a document (for
example a procedure or risk assessment), is accurate and meets BP’s needs.
Authorise: Used when you need to give permission to use a document or process (for
example a permit or previously Approved procedure).
Review: Used when we expect you to check the accuracy and suitability of a
document’s content.
Verify: Used when we expect you to do more than just check a document and there is a
requirement to confirm something has happened or been done as well as reviewing
documents. Examples are questioning others or doing visual checks on site.

Page 43 of 361 Revision: B06

6.4.3 Use of superscript

Where a numerical superscript has been added to ‘values’ used in the text, they provide
the source of the referenced value listed in Annex L.
For example:
For stainless steel tanks and vessels, monitor the water used for flushing to Verify it
contains only low levels of chlorides (less than 50 ppm40) to avoid the risk of stress
corrosion cracking of the vessel. Promptly drain and clear water after flushing.

6.5 Deviations
If a site or project asks to deviate from adopting all, or any requirement, of this
Upstream CoW Procedure, the request shall be:
based on a risk assessment, which includes defining and documenting the risk
reduction measures the site or project will apply
submitted by the entity OMS 4.5 SPA to the central CoW team by raising a
deviation request in eCoW.
The Entity CoW Director consults with the Upstream S&OR Operations Authority if
the deviation request also involves a deviation from BP Practice Control of Work
(500102) requirements.
The following shall apply based on the decision of the Upstream Operations
Authority (S&OR):
if the deviation request also involves a deviation from GDP 4.5 CoW
requirements, then the deviation process from the GDP applies and covers
deviation from both BP Practice Control of Work (500102) and this Upstream
CoW Procedure
if the deviation request also involves a deviation from BP Practice Control of
Work (500102) requirements, then the deviation process from the Practice
applies and covers deviation from both the Practice and this Upstream CoW
Procedure
if the deviation request does not involve a deviation from BP Practice Control of
Work (500102) requirements, then the Entity CoW Director considers the
request for deviation and the decision to agree to a deviation or not will be
communicated to the site or project by email. The site or project then updates
the LIP (and sends to central team for approval) and any local procedures,
where applicable, within a reasonable timeframe (typically 90 days).
Agreed deviations are recorded and managed through eCoW.

Page 44 of 361 Revision: B06

7 An overview of the Control of Work process

The CoW process is fundamental to achieving safe, reliable, and compliant operations. If the
principles of CoW are applied, the following are possible:

• planning, risk assessing, and authorising activities will provide a means to safely
execute, monitor and complete work.
• recording and applying any lessons learned and self-verification during the process
will achieve continual improvement of work.
Upstream uses the eight-step process shown in Figure 3.

At every step, it is critical to write and speak clearly and to Verify the quality of documentation.

7.1 Who delivers Control of Work

This Upstream CoW Procedure describes a single and consistent CoW organisation
structure and a hierarchy of roles. Each of the CoW roles are:
held by individuals who are trained and assessed as competent
consistent across Upstream
part of an individual’s overall roles and responsibilities.
The core CoW role hierarchy is shown in Figure 1 with the five core CoW roles as
follows:
The Site Authority (SA):
a) leads CoW and has overall accountability for CoW and for implementing
this Upstream CoW Procedure at the site.
b) verifies adequate and competent resources, including people and
equipment, are in place for every designated site CoW role.
c) verifies everyone involved in CoW on their site conforms to this Upstream
CoW Procedure.
The Area Authority (AA):
a) leads CoW for a designated Area within the site and is responsible for all
CoW activity within that Area.
b) Only one person shall be AA for a specific Area at one time.
c) There can be more than one AA at site who work together with the SA to
manage CoW across the whole site.
The Issuing Authority (IA):
a) helps AAs to deliver the CoW workload and
b) may Verify, issue and close permits when delegated by AA.
The Performing Authority (PA):
a) is responsible for the safe execution of work and for accepting permits
from either an AA or IA.
b) Performs the task or supervises the work party performing the task.
c) May be responsible for more than one task at a time if the AA verifies that
the tasks can be safely managed simultaneously. When making this

Page 45 of 361 Revision: B06

decision, the AA considers factors including the locations of tasks and

whether the PA can conform to the monitoring requirements for each task.
d) A PA usually manages one confined space entry (CSE) or hot work open
flame (HWOF) task at a time. However, this expectation may be relaxed if
the plant is isolated and hydrocarbon-free (for example in a TAR or during
project construction).
e) Operations being executed off-Production Facility on Subsea Infrastructure
tied to the facility shall have the PA at the location of work execution
control (i.e. Inspection, maintenance and repair, or Installation Vessel,
Remotely Operated Vehicle (ROV), AUV).
The Isolating Authority (IsA) is responsible for designing and executing
isolations. There can be multiple IsAs at site, covering the isolation disciplines
as follows:
• Process
• Control - covering instrumentation, control and telecommunications
• Electrical LV1 (low voltage 1)
• Electrical LV2 (low voltage 2)
• Electrical HV (high voltage).

Figure 1 - Core CoW role hierarchy

Supporting Roles
The Upstream CoW Procedure also defines the following supporting roles with specialist
skills that are called on as applicable. There are three types of supporting roles:
eCoW roles (training, competence and assignment managed within RMS)
Field CoW roles (training and competency managed within RMS)
CoW certificate approval roles.
eCoW roles:
a) Authorised Gas Tester 1

Page 46 of 361 Revision: B06

b) Authorised Gas Tester 2

c) Task Risk Assessment Facilitator
d) Functional Authority
e) Isolator
f) LOLC Mover
g) LOLC Data Manager
h) LOLC Operational Inspection
i) Control Room Technician.
Field CoW roles:
j) Authorised Gas Tester 3
k) Fire Watcher
l) Confined Space Entry Attendant
m) Leak Test SPA.
CoW certificate Approver roles:
a) Site Electrical Leader
b) Site Lifting Co-ordinator
c) Site Engineer
d) OSTL.
Details of CoW roles are in Annex A.

7.2 How we execute work safely

This section summarises the risk assessment and work control methods we use to
execute work safely. Later sections of this Upstream CoW Procedure cover these in
more detail.

7.2.1 Risk assessment

Risk assess all tasks before they begin, using one of the following methods:
Task risk assessment (TRA): follow the Upstream Hazard Identification and
Task Risk Assessment (HITRA) process for Level 1 and Level 2 when
performing all tasks. See section 9 for more detail.
Safety override risk assessment (SORA): use this to assess risk when work
involves overriding a safety instrumented protective system and relief valves.
See section 10 for more detail.
Operational risk assessment (ORA): use this to assess risk when operating in
an abnormal operating condition. See section 11 for more detail.
Isolation risk assessment: use Isolation and De-Isolation Plan (IDP) to risk assess
isolation, de-isolation and having the isolation in place. See section 14 for more
detail.
Risk assessed procedures or site operating procedures. See section 8.3.3 and
OMS 4.1 for more detail.
Leaks and seeps risk assessment. See section 25 for more detail.

Page 47 of 361 Revision: B06

Personal dynamic risk assessments based on competence but not necessarily

documented. See section 8.3.2 for examples of non-permit work (NPW).

7.2.2 Task description

When creating the tasks, include ‘what’, ‘where’, ‘how’ and ‘who’ in the
description. For example:
What is the activity and what tools are involved?
Where is the equipment or location?
How will the task be carried out and what is the sequence it will be done in?
Who is involved and what techniques will they use?
A clear understanding of the task and how it is going to be carried out in sufficient
detail, including relevant task steps, is required and helps to:
identify the hazards
understand the scope limitation
identify potential SIMOPS
select the correct TRA team members.
Breaking a task into task steps is required to:
identify the sequence of activities
align hazards and controls to the correct step in the task
define when in the sequence to apply the controls, and
structure the toolbox talk (TBT).

7.2.3 Hazards and controls

Identifying the hazards and consequences in a structured and succinct way will help
develop suitable and sufficient controls. The format for recording hazards is as
follows (see Figure 2 ):
select energy source from the 14 in HITRA
determine the type of hazard as defined by HITRA - Process, Worksite or Task
what: say what the hazard is
where: say where the hazard is
how: say how the hazard can cause harm.
Once you have recorded this information, the control format is as follows
(see Figure 2):
determine the type of control (L1- L6) according to the hierarchy of controls
who: say who you expect to apply the control
what: say what the control is
when: say when it needs to be in place and effective.

Page 48 of 361 Revision: B06

Figure 2 - Hazard and control format

7.2.4 Work control methods

Section 8.3 describes four methods to manage activities:
Permit-managed activity: BP uses the following five colour-coded permit types:
Cold work (CW) is blue
Breaking containment (BC) is black
Hot work spark potential (HWSP) is yellow
Hot work open flame (HWOF) is red
Confined space entry (CSE) is green.
Low risk permits (LRPs): these are used to effectively and efficiently control
regularly executed lower risk tasks (within Area I on the Table B.4 - Risk matrix
(Group 8x8). An LRP may be CW, BC, or HWSP. See section 8.3.4.
Risk assessed procedures (RAPs): used for operational activities that are repeatable,
periodic, and predictable. RAPs are procedures that provide step-by-step
instructions to complete tasks safely. In GOO, these are often called SOPs. RAP
activity can be tracked within eCoW to manage SIMOPS.
SIMOPS
Non-permit work (NPW): used for very low-risk activity that is non-intrusive and
does not require tools or equipment that involves disturbing operating or
process equipment. NPW activity can be tracked within eCoW to manage
SIMOPS.
Habitats: used to create a safe work environment. Habitats can be tracked
within eCoW to manage SIMOPS.

Page 49 of 361 Revision: B06

Temporary equipment: when temporary equipment is kept on site (e.g. lighting

towers, heaters, cranes), that may create a SIMOPS hazard, then these can be
tracked within eCoW.
Road closures: when a road is closed or access restricted, that may affect
emergency response, it can be tracked in eCoW.
Created opening: openings where gratings, handrails, stair treads or kicker
plates have been removed from structures or damage has occurred resulting in
a temporary opening that could present fall or dropped object hazards.
Well handover: where the CoW management of well equipment moves from
one party to another.
Other: all other SIMOPS activities.
These methods are described in more detail in section 8.3.

7.2.5 Worksite visits

Worksite visits are fundamental to the safe planning and execution of work. There
are four types of worksite visits within CoW:
Risk assessment - the TRA team visit the worksite together to identify the task,
worksite, and process hazards involved in carrying out the task at the actual
location. The AA may delegate their role in level 1 TRA site visits to an IA.
Work start - on the day of execution, the relevant individuals (see Figure 5) visit
the worksite before work starts to Verify the conditions are as described on the
permit and to take part in the TBT where necessary.
Monitoring - to Verify that the work is in conformance with the permit and that
no new hazards have emerged. The AA may specify additional monitoring to be
performed by an AA or IA. Gas testing is also considered a monitoring task,
which is completed by an Authorised Gas Tester (AGT).
Work completion - PA and AA (or IA) visit the worksite either together, or
individually, to Verify all work is complete and the site has been left in a clean,
safe and ready to use condition before the permit is moved from complete to
closed.

7.3 Templates
Templates are documents within eCoW that are Approved and authorised for use by
the SA for up to three years.
There are four types of templates:
• low risk permits for tasks with residual risk in risk Area I and meeting the
requirements of section 8.3.4
• permits for tasks with residual risk in risk Area I or II and may have associated
certificates
• isolation and de-isolation plan (IDP)
• safety override risk assessment (SORA).
Templates are controlled and created by a team who have considered their
suitability for repeated use.
A document created from a template is a new document in an Approved state, with
a unique number and all the information from the template.

Page 50 of 361 Revision: B06

The document follows the normal workflow and additional information may be
added.
Create and use templates whenever possible to maintain consistency and deliver
efficiency.

7.4 Human Performance

Human Factors (performance) are the physical, psychological and social characteristics
that affect human interaction with plant and processes.
People will make errors and mistakes, but actions are rarely malicious and usually make
sense to people at the time. Errors and mistakes are typically due to underlying
conditions and systems. Further information can be found on the Human Performance
webpage.
As part of CoW risk assessment processes, it is important to consider how a simple
error or mistake might introduce a hazard or make one of our controls less effective.
Once the possibility of an error or mistake is identified, we need to understand what
factors or ‘flag conditions’ can influence the likelihood and apply controls accordingly.
The Task Improvement Process (TIP) may be used at a planning stage, to help identify
potential errors and factors that could make errors more likely.
Table 1 identifies ‘flag conditions’ which are things which can prompt a person to make
an error or mistake. As with any other control, the hierarchy of controls applies.
eliminating a task altogether may be the most effective way of reducing risk, whereas
any administrative control may also be affected by the potential for human error.
For more information, see the TIP help sheet which provides further information and
suggestions on ways to improve the task and mitigate the risks.

Table 1 - Flag conditions influencing the likelihood of errors

Flag condition Guidance or examples

Steps where errors or mistakes could Do you know which stages of the task could result in a high
be made. consequence event following an error or mistake?
Steps that cannot be done or are Are there opportunities for the person to find a different way?
inefficient to do in reality. Think about a cold, dark night – would it get done?
Unusual, infrequent, unfamiliar or Does the person have the necessary skills, experience and
novel situations. capability?
Boring, trivial or repetitive actions. Could the person ‘switch off’ or do the task on auto pilot? Could
new information or changes be missed?
Difficult system or equipment If the operator went to the wrong plant Area would the labelling
interface, labelling, controls, alarms. and procedure identify that to the operator?
Steps where there might be Time pressure can have a big effect on reliability – could
insufficient time available. perceived or actual time pressure exist?
Complex or difficult to understand Is it clearly understood what needs to be done? Does the
steps. procedure make this clear?
Unclear signs, signals, instructions or Is information from signs, signals, documentation etc. unclear,
other information. missing detail or confusing?
Difficult working environment (noise, Look at how the environment can cause an error. E.g., noise –
heat, cramped conditions, lighting, can reduce communication quality, lighting and line of sight could
ventilation, ease of access). cause someone to miss key information.
Relies on recognising emerging Could the person be engaged in activity and miss a situational
hazard, risk, or change. change?

Page 51 of 361 Revision: B06

Flag condition Guidance or examples

Potential for interruptions or Does the task involve a need for high vigilance or concentration?
distractions. Is the task completed in a busy Area? Can the operator identify
potential interruptions?
Involves multi-tasking. Could the person be distracted by doing something else part way
through task? (e.g., manual filling a tank)
Right tools might not be available or Does the person have all they need close to hand to complete
used. the activity? (e.g., hand tools, procedure etc.)
Relies on good communications, with Could information quality be poor during verbal and written
colleagues, supervision, contractor. communication?

It is also important to consider how Human Factors can influence the quality of the risk
assessment process:
• Place an emphasis on making CoW documentation easy to read and logical
• To help identify hazards, consider asking the following questions:
- What hazards may be present that you may not be able to see with naked
eye?
- What hazards may not be present all the time but affect you only at some
points during the job?
- What hazards may depend on other things happening?
• A team-based approach is required but be aware of group behaviours, where team
members want to adhere to social norms. To help manage these:
- watch for team members just following the leader
- include an expert or independent person who can raise doubts
- offer a second chance to raise concerns at a later time or date
- challenge quieter members of the team to be more vocal about insights,
doubts or concerns.
• Effective communication is a fundamental part of an effective CoW process. To
ensure communication is effective:
- use the phonetic alphabet (e.g. alpha, bravo…)
- apply three-way communication protocol (state, check, confirm)
 Supervisor: ‘Start steam pump XYZ-123.’
 Operator: ‘I understand that you want me to start steam
pump XYZ-123.’
 Supervisor: ‘Correct.’
- for tasks requiring non-verbal communication (e.g. hand signals), Verify
that everyone knows the signals to be used, can demonstrate them, and
all team members have the same understanding of what the signals mean
- encourage two-way, face-to-face communication
- encourage questions, clarification and challenge
- allow sufficient time for communication.

Below are examples of processes currently within Upstream CoW that are designed to
improve human performance and reduce the risk of error:
• preparing permits and IDPs over 2 weeks before the planned start date means
people have the time to do it properly

Page 52 of 361 Revision: B06

• task risk assessments are broken down into task steps to understand how the task
is going to be carried out and to reduce the likelihood of missing hazards
• involving a PA in the risk assessment who is familiar with the task, and visiting the
site, means that all the hazards are more likely to be identified
• only including value adding controls in risk assessments means that people are
more likely to remember and implement the key risk reducing controls
• having simple and clear hazard and control statements means everyone knows
who should be doing what and when to prevent the hazards causing harm
• reviewing workload at the daily meetings reduces the risk of overloading individuals
• having handover and toolbox talk meetings allows you to check the physical and
mental state of people to see if they are fit to perform a task
• discussing only the task steps that are going to be done in a toolbox talk means
that people are more likely to remember and implement the relevant controls
• completing a pre-work start visit allows any new hazards to be identified before
work starts that may have been missed or not there when the risk assessment was
done
• cross checking of isolations minimises the risk of the wrong equipment being
isolated, deisolated, or incorrectly isolated.

7.5 Simultaneous operations (SIMOPS)

Simultaneous operations (SIMOPS) are not just the interaction of large sets of activities,
but also include small, individual tasks at the worksite.
Manage simultaneous operations (SIMOPS) throughout the CoW process by
assessing and resolving any risks from SIMOPS during work planning and
execution, then:
rescheduling the task, or
changing the task scope or controls.
Consider SIMOPS especially during TAR, construction, commissioning, subsea,
wells, and drilling activities due to the volume and variety of work taking place
within an Area.
Examples of SIMOPS are as follows:
• working at height with individuals working below
• lifting operations and any other activity in the same work Area
• breaking containment and hot work
• any work encroaching on exclusion zones created by, for example, lifting, leak
testing and radiation
• combined activities (for example fabrication, welding, rigging, painting, and
cleaning)
• when an Area that is formally handed over to GPO or GWO contains currently
operating process plant and equipment
• when work-over, drilling rig or rig-less activities are close to a fixed facility that is
operational or under construction (for example well clean-up, testing, flaring)
• marine operations within a 500m1 zone of a BP offshore facility

Page 53 of 361 Revision: B06

• subsea operations on a system tied back to the BP facility

• helicopter operations with crane operations.

7.5.1 SIMOPS matrix

For all the local activities with a SIMOPS potential, a matrix may be created which
summarises the interaction between each of the simultaneous activities identified. This
matrix identifies activities that are:
prohibited from being conducted concurrently
allowed to be conducted concurrently
conducted concurrently but subject to specific mitigation controls or conditions.

Page 54 of 361 Revision: B06

8 Control of Work (CoW) process

1 Plan •
•
Accurately define the full scope of work.
Break job down into tasks and task steps.
CoW planning and • Schedule Level 2 risk assessments and isolations.
scheduling • Identify any supplementary certificates required.

2 Risk assess •
•
Visit the worksite to identify hazards and controls.
Apply HITRA hierarchy of controls.
HITRA • Involve the right people in the risk assessment.
• Agree the initial and residual risks using the risk matrix.

• Agree the CoW document pack.

3 Prepare • Verify controls are adequate and deliverable.
Prepare worksite and create • Prepare isolation plan, including overrides and process steps.
CoW documents
• Identify the correct worksite and equipment to be worked on.

• Consider workload and cumulative risk.

4 Authorise • Consider SIMOPS.
Authorisation at daily CoW • SA sets expectations and quality checks a sample of documents.
meeting • Agree the plan for the next day.
• Review emergent work.

• Inspect worksite to verify the TRA conditions are correct.

5 Execute • Issue the CoW documentation.
Issue permit and start work • Hold a quality toolbox talk.
• Stop any unsafe work and manage interruptions.

• Monitor work as agreed in risk assessment.

6 Monitor • Monitor controls identified are in place.
• Monitor isolation integrity.
• Monitor conformance with scope.

• Decide when to suspend a task.

7 Complete • Agree what happens when work is complete.
Suspend or complete work • PA tells AA about the task status when a permit is suspended or
completed.
• Consider de-isolation requirements.

8 Learn •
•
Get feedback from the PA.
Track all actions to completion.
Lessons learned and closure • Update documents and plans with lessons learned.

Figure 3 - Upstream Control of Work (CoW) eight-step process

Page 55 of 361 Revision: B06

8.1 Step 1: Planning and scheduling

Step 1 explains how to plan and schedule CoW activity and helps execute work safely
and reliably.
Planning defines what is to be worked on, the sequence of tasks to be carried out and
the resources required to-do these tasks.
Scheduling defines when a task can be done safely and efficiently (within site
constraints) when it is integrated into a schedule with other activities or tasks.
Planning and scheduling are about delivering an integrated schedule that:
• accurately reflects the tasks to be carried out
• identifies the resources (for example people and equipment) needed to do the work
• assesses the time required to complete the work safely.
a. Integrated and GOO-operated sites follow 100578 BP Procedure Activity
Integration.
b. Greenfield projects may apply 100578 BP Procedure Activity integration, or
GPO-PC-PRO-00025 BP Procedure GPO Project Planning and Scheduling.
c. Where GPO-PC-PRO-00025 BP Procedure GPO Project Planning and Scheduling is
used, the statements with red asterisks (*) in section 8.1 and its sub-sections are
optional.

8.1.1 Planning
The planner breaks the job down into tasks or confirms the breakdown generated
from computerised maintenance management system (CMMS) or a project
planning tool, as applicable.
A job is a series of tasks to complete a piece of work that are typically performed in
sequence.
A task is a distinct activity within a job; that is, distinct enough in terms of work
content, trade skills, or type of risk to merit its own CoW requirements.
When creating the tasks, include ‘what’, ‘where’, ‘how’ and ‘who’ in the
description. For example:
What is the activity and what tools are involved?
Where is the equipment or location?
How will the task be carried out and what is the sequence it will be done in?
Who is involved and what techniques will they use?
The quality of the task description is key to communication, understanding the
scope of the task, and the quality of risk assessments.
Planners shall determine and record in the CMMS or planning and scheduling
system the following:
if the task requires a Level 2 TRA
if the task requires a full isolation. Personal isolations do not need to be
scheduled as specific tasks.
The AA may assist planners in determining the individual CoW tasks needed for
the isolation either during the planning of the job or following development of
the IDP.

Page 56 of 361 Revision: B06

The PA by name or by discipline type responsible for the task (for example
Instrument).
Planners may make these determinations by consulting with others such as the AA,
operations planner, PA, team leaders and HSE advisers or using section 8 and section 9
of this Upstream CoW Procedure.
The planner may use the information in the work pack or detailed job plans held within
the CMMS or provided by a project or vendor to help them answer these questions.

8.1.2 Scheduling
To achieve a robust schedule, the scheduler works with the functional SPAs to
answer the following questions:
Does the schedule identify individual tasks and how they might interact with
one another?
Are Level 2 TRAs scheduled?*
Are isolations scheduled (excluding personal)?*
Are SIMOPS identified?

8.1.3 Reviewing the schedule

The schedule review is not a one-off review but is done whenever the schedule is
changed or when more detail becomes available throughout the schedule
progression to execution.
The AA, working with the operations planner, shall review the schedule throughout
the Activity Integration (AI)* 12-week life cycle and Verify that the schedule provides
for each of the following:
meets the CoW 6 and 2 week execution readiness requirements listed in Table
2, or is managed as emergent work
incorporates sufficient time and resource requirements, including people and
equipment, to:
a) prepare the worksite and CoW documents
b) design and implement isolations
c) engage appropriate specialists and mobilise vendors as applicable
d) gather relevant documents (for example drawings, safety data sheets,
photographs and relevant SHM certificates)
e) complete all other required CoW preparation activities (for example lifting
or emergency response plans)
f) de-isolation and reinstatement of equipment, including line walks, leak
tests.
manages SIMOPS conflicts. The AA identifies any Affected Area Authorities
(AAAs) and agrees with them how to avoid or manage any conflicts
jobs that have been broken down into appropriate and manageable CoW tasks
that allow risk assessments to be carried out at the task level
correctly sequences tasks that depend on each other.
The AA identifies whether the task causes an abnormal operating condition
(described in section 11), and if an ORA is required.

Page 57 of 361 Revision: B06

8.1.4 Emergent work

The need to manage new, emergent or discovered work will inevitably occur. It is work
that is not on the current execution schedule and mainly involves breakdown work.
The SA may allow emergent work that is critical to continued safety, integrity and
business plan delivery to be completed that is not included in the current execution
schedule.
Individuals follow the steps of assessing risk and preparing for emergent work as
they do with any other work.

8.1.5 Activity Integration (AI) and eCoW interface

Primavera (P6) and eCoW are integrated to allow both systems to display schedule and
CoW document status information. This supports optimisation of the schedule.

8.1.6 Schedule execution readiness criteria for CoW

The site team use the planning dashboard in eCoW and P6 to confirm CoW
readiness for activities on the site schedule, focusing on 6 weeks through
execution. Table 2 shows the CoW site execution readiness criteria. The Site
Manager is the Approver of the integrated site schedule at 6 weeks through
execution.

Table 2 - CoW requirements to be checked at planning gates

Six-week execution readiness Two-week execution readiness

Level 2 TRA planned All CoW documents verified

IDP design planned IDP Approved

Page 58 of 361 Revision: B06

8.2 Step 2: Risk assessment

a. Risk assess all tasks using HITRA methodology to:
1. determine the task or task steps to be risk assessed, and how they will be
executed
2. identify hazards and their potential impact (consequence), and
3. determine the initial risk level (Level 2 TRA) based on the likelihood (probability)
of the impact occurring.
b. The initial risk level is then reduced by identifying and implementing controls to give
a resulting residual risk level.
c. HITRA methodology has two levels of risk assessment:
1. Level 1 risk assessments for lower risk activity.
2. Level 2 risk assessments, which are more rigorous and semi-quantitative for
higher risk activity.
More details on how to apply HITRA are provided in section 9.
d. To simplify and highlight task-specific controls, avoid recording site safety standards
as controls in the risk assessment. For example, the following would not normally
be included in the risk assessment:
1. PPE compliance. Detail any special PPE that is required for a task and is not
part of the site standard for plant access in the TRA.
2. Chemical Risk Assessment document
3. jewellery policy
4. hearing protection. However, include additional PPE required for noise
generated by the task.
5. adhering to site rules for driving
6. site drug and alcohol policies
7. controlling vehicles on onshore sites and getting access to hazardous or
classified areas
8. having three points of contact when using stairways or ladders
9. competence of workers
10. Safety Data Sheet (SDS), assessments for materials that are commonly used
on site (e.g. N2, WD40, diesel, crude oil)
11. manual handling assessments for commonly occurring tasks (reference to the
relevant manual handling risk assessment can be included).
e. Where a task based chemical risk assessment is needed to determine chemical
exposure risk and the controls required, the chemical hazard and controls shall be
included in the risk assessment with a reference to the chemical risk assessment
document number.
f. The Chemical Risk Assessment shall be readily available for review by any of the
work crew. Include the controls required by chemical Risk Assessment, SDS, or
manual handling assessments in the TRA.
g. Site safety standards are managed through site induction, signage, self-verification,
and site behavioural safety systems such as IRIS observations and SOC.

Page 59 of 361 Revision: B06

h. The risk assessment team shall focus on key hazards and controls and avoid
cluttering permits and risk assessments with low value controls, expectations of
good workmanship and safe work practices. The PA delivers, or leads the work
party to deliver, good work standards.
Examples of low value controls, good work standards and safe work practices that would
not normally be included on permits:
• following procedures
• generic tripping hazard statements. However, if a specific tripping hazard were
evident, then it is included.
• controls for low-risk, regularly used substances such as common releasing fluids,
sealants and lubricants (for example WD-40 and copper grease)
• duplicated controls
• obvious instructions (for example ‘Tools to be in good condition’, ‘Comply with
LOLER’, ‘Wear PPE’, ‘PPE to be in good condition’, ‘Certified scaffold to be used’)
• see attached chemical risk (or SDS), or manual handing assessment
• escape routes to be always kept clear
• no one crosses barriers without the work party’s permission
• remove barriers at the end of the task
• no smoking, drinking, eating gum, sweets, tobacco, or using lip salve
• always use correct manual handling techniques
• wear the correct gloves
• wear kneepads when kneeling for prolonged periods.

8.2.1 Escalating to a Level 2 task risk assessment

If anyone involved in a Level 1 TRA is not satisfied that the proposed controls will
adequately control a hazard, complete a Level 2 TRA.
Examples of situations that could escalate a Level 1 TRA to a Level 2 TRA include
the following:
the task is new or unfamiliar to the AA, IA, or PA
the task is affected by other activities that increase its complexity
the task site location has restricted access, or associated SIMOPS, or both
non-conformant isolations
additional or increased risks are identified during the Level 1 TRA.

8.2.2 How to use an existing task risk assessment

The preferred method is to use a template. It can be appropriate to copy and reuse an
existing TRA. Once copied, all approvals from the original TRA are removed by eCoW.
For frequently performed tasks, consider creating a permit template instead of copying
an existing TRA. See section 8.3.11.
The AA shall Verify that the TRA is suitable for the new task by:
visiting the worksite with the PA to confirm or update the TRA

Page 60 of 361 Revision: B06

reviewing any feedback or lessons learned on the permit that was copied
verifying the task scope is identical to that described in the TRA, and
confirming the documented hazards and controls are still relevant.
Approvals for Level 1 TRA follow the normal process and may be Approved by the
AA.
For a Level 2 TRA, see sections 9.2 and 9.5, which include a requirement for a new
TRA team to be formed with approval based on the residual risk.

8.2.3 How to Approve a task risk assessment

The risk assessment Approver is selected from the HITRA approval Table B.5
based on the residual risk agreed by the TRA team using the risk matrix in
Table B.4. The Approver shall consider the following when they are approving the
TRA:
Can the task or hazards be eliminated or substituted, or are there engineering
controls that could be applied to mitigate or reduce the level of residual risk?
Apply the hierarchy of controls, see section 9.3
Have task, process, and worksite hazards been documented?
Can the task be conducted safely with the identified controls?
Are the identified controls suitable for reducing the initial risk to the residual risk
rating? See section 9.3.
Are additional capabilities or resources (for example people or equipment)
needed to complete the task?
Have alternatives to further reduce the risk been considered (for example
shutting down equipment, rescheduling the work or carrying out the work
during a turnaround)? Are additional risk assessment techniques required
(for example layer of protection analysis (LOPA), process hazard analysis, major
accident risk and bow-tie)?
Did the TRA team include an appropriate number of competent people and did
they have advice from technical authorities or specialists?
Have contingency and emergency response and rescue plans been
considered?
Have monitoring requirements been clearly specified?

8.2.4 When a purple or blue residual risk is the outcome of a risk assessment
When a task is identified as having a residual risk in the purple or blue C+ area of
the group 8x8 matrix, follow the additional requirements of the entity risk
management procedure.
The facility Risk Champion, Risk Adviser, Risk Tag, or equivalent can provide
guidance on the entity risk management procedure.

8.2.5 How to manage cumulative residual risk

The SA leads a discussion with the team at the daily CoW meeting to decide
whether the overall risk associated with all the tasks to be carried out is
manageable. This is known as cumulative residual risk. The team shall consider the
following:

Page 61 of 361 Revision: B06

Human Factors (for example skills, competence and workload)

SIMOPS and support resources (for example emergency response capability)
overall workload for the team available and if the total number of tasks
scheduled needs to be changed.
Cumulative residual risk includes residual risk from all live CoW documents.
The eCoW-calculated cumulative residual risk provides guidance to help the SA manage
the number of activities planned and SIMOPS. It informs the discussion described above
by highlighting potential changes in the typical risk level associated with CoW on the
site. It is not a definitive measure of the level of risk, nor does it replace any data
reported through the risk management process under OMS 3.1.

Page 62 of 361 Revision: B06

8.3 Step 3: Prepare worksite and create Control of Work documents

The PA and AA work together to agree, compile and draft the documents needed to
perform the task. They request all required supplementary certificates.
The PA and AA review the permit to work to Verify it sufficiently describes the task,
location, start time, duration, and any known risks and limitations.
Table 3 summarises the key requirements for CoW document types and their
approval levels. Table 4 lists minimum risk assessment approval levels.
Roles in Table 4 listed with an asterisk (*), can only Approve if they also hold the
role of a Functional Authority in eCoW.

Table 3 - An overview of Control of Work requirement

RAP LRP CW BC HWSP HWOF HWOF CSE

CW,BC, Non- Hazardous
hazardous area
HWSP area

Integral
Risk assessment Level 2 Level 1 or Level 2 Level 2
in RAP

Risk assessment Integral Select from HITRA approval table based on residual risk
approval in RAP See Table 4 for minimum approval levels

Permit verify N/A AA (SA or IA when delegated by AA)

AA for risk area I

Authorisation AA SA
SA for all other risk areas

Permit re-authorisation N/A SA

Site visit and TBT See Figure 5 - Site visit and TBT flowchart

Permit issue and

N/A AA, or IA when delegated by AA
re-issue

Monitoring As specified in the Permit, SORA, ORA, RAP, or IDP

Isolations Personal Personal or full Full

Table 4 - Minimum task risk assessment approval levels

Wells Wells Operations

SA AOM* VP*
Superintendent* Manager*
Confined space entry HWOF in hazardous Hot tapping Man riding Perforating with non-
area with a primary radio safe guns
control
Abrasive tasks on live HWOF within 11m HWOF in a Fracking or Fracking with
equipment as per (35ft)2 of live hazardous area perforating energised fluids
section 18.6 equipment without a primary or nitrogen
control
Service or hydrostatic Mechanical device or Mechanical device or Coiled tubing
testing using plug as a secondary plug for primary
flammable or toxic barrier that is non- isolation
fluids pressure containing.

Page 63 of 361 Revision: B06

Wells Wells Operations

SA AOM* VP*
Superintendent* Manager*
Personnel basket Inert entry into CSE
on crane

8.3.1 Permit life cycle

The permit life cycle from drafting through to closure consists of 10 states and may
involve the PA, IA, AA, and SA depending on the permit type. The 10 states are
presented in Table 5 and Figure 4.

Table 5 - Permit 10 life cycle states

1 Draft The PA and AA or IA conduct the risk assessment (include TRA facilitator for Level 2).
Anyone who has a CoW role can document the risk assessment and permit requirements
within eCoW.

2 TRA Approved The risk assessment approval is based on the residual risk agreed in the risk assessment,
unless Table 4 sets a minimum approval level.

3 Ready to Verify The PA may draft the permits including any required attachments and then informs the AA
that the permit is ready to Verify and signs the permit in eCoW. The AA can Verify without
this state being used.

4 Verified The AA, IA or SA verifies that all the required CoW documents and supplementary
certificates are in place and Approved before they take them to the daily meeting.

5 Authorised The SA or AA authorises the use of the permit. Table 3 sets out the authorisation level,
which depends on the residual risk level. The authorisation period is based on risk and can be
up to 14 days. The SA may re-authorise the permits for continued use if needed (this is
possible in any permit state).

6 Issued The AA, IA (when delegated), or SA (when delegated), issues or re-issues permits to the PA.

7 Live The PA accepts the permit from the AA or IA or SA.

8 Suspended At any time between live and completed, the permit can be suspended. When this occurs,
the PA specifies a reason in the eCoW feedback box. If the permit is suspended at shift end
the PA states when the permit is next needed.
Permits can also be suspended for the following reasons:
• Within a shift so that a task that needs to interface with another task can be
completed. For example, welding and non-destructive testing of the welds.
• Within shift to suspend HWOF permit whilst BC is live.
• For sanction to test (STT).
• The task is on hold awaiting spares or resources.

9 Completed The PA does this when the task is finished, and feedback has been provided.

10 Closed The AA or IA closes the permit once they have inspected the worksite. Ideally, the
inspection is completed with the PA, however this is not always reasonably practicable and
may therefore be done independently. The AA or IA may delegate the site inspection to a
technician, but the AA or IA is responsible for closing the permit within 24 hours3 of permit
completion.

Page 64 of 361 Revision: B06

Risk assessment
AA and PA conduct TRA during a
Draft site visit.
Any CoW role can record the TRA

Approval is based on residual risk.

TRA approved Unless a minimum approval is set
as per table 4

Permit

PA signs to inform AA that permit is

Ready to verify ready to be verified by the AA or IA

AA or IA verifies. Includes a site visit

Verified if this was not done during TRA
(e.g. TAR)

Suspended and authorisation

expired. Re-authorisation is required
before re-issue
SA authorises HWOF and CSE and
Authorised RA II and above permits, AA may
authorise all others.
Suspended within shift or at shift SA re-authorises all permits
end and permit is within
authorisation period – only re-issue
required.
This allows multiple suspension and
re-issue cycles (e.g. for welding and
radiography repeat cycles)
AA or IA issue permit to PA
Issued following face to face review of
permit content

PA suspends with feedback left Live

No
Is task
Suspended
complete?
Yes

Completed PA suspends with feedback and

completes permit

AA or IA conduct site visit, review

Closed PA feedback and add lessons
learned. AA or IA closes permit

Figure 4 - Permit life cycle flow

Page 65 of 361 Revision: B06

8.3.2 Non-permit work

Non-permit work (NPW) is very low-risk activity that is trusted to each individual’s
competence along with their ability to manage worksite hazards covered by site
safety standards. Non-permit activities shall be non-intrusive, low risk, and not
require tools and equipment that involve disturbing operating or process equipment.
The activity may be tracked to manage SIMOPS, but the tasks are not subject to
any other formal recording.
The relevant AA considers SIMOPS before authorising these activities and may
track these activities using the non-permit function within eCoW.

Table 6 - Examples of non-permit work

The following examples may be managed as non-permit work:

1. Administrative tasks such as checking drawings or documents, taking notes and readings or doing self-
verification checks.
2. Worksite visits (for example for risk assessments, job scoping or visual inspections).
3. Substation entry where there is no risk of injury from live electrical conductors.
4. Housekeeping in plant areas that does not involve powered tools.
5. Using hand-held devices certified for the area of use or intrinsically safe devices, such as cameras, IR
cameras and gas test monitors for detecting leaks.
6. Attaching and detaching tags and labels using side cutters for wire and plastic ties.
7. Checks on equipment such as extinguishers, eye-wash stations, BA boxes, spill kits, first aid boxes and life
belts.
8. Catering and hotel activity.
9. Workshop activities in a non-hazardous area that are covered by workshop procedures.
10. Window cleaning from ground level, excluding situations where working at height would apply.
11. Electrical competent people accessing LV control panels or enclosures for non-intrusive visual inspections in
a non-hazardous area (this provided that the enclosure is engineered to be safely opened without
dismantling, and all live conductors inside are protected to at least IP2X).
12. Operating electrical equipment via control stations provided for that purpose.
13. Infrequent resetting of breakers that have tripped due to overload, provided they are designed to be safely
accessible without dismantling, with no exposure to live conductors.and does not compromise any
applicable hazardous area certficication.
14. Line walking, punch listing and as-building.

8.3.3 Risk assessed procedure

Risk assessed procedures (RAP) are used for operational activities that are repeatable,
periodic, and predictable. They provide step-by-step instruction to complete a specific
task safely and may be the most appropriate way to manage some tasks that do not
require full isolations. Site operating procedures (SOPs) that have been risk assessed are
RAPs.
RAPs shall be:
performed by competent personnel and authorised for SIMOPS by the AA for
the area in which the activity is being carried out
performed using equipment specifically designed for the task (for example
operating drilling equipment or a pig launcher)
tracked using eCoW where a potential for SIMOPS is identified
limited to personal isolations only
assigned a start and finish date

Page 66 of 361 Revision: B06

authorised for use by an AA in their area after they Verify that the RAP is within
its periodic review date, the activity has been planned and SIMOPS considered
used only after the PA has:
a) countersigned the RAP in eCoW each time they start or finish working,
and when a PA hands over to another PA
b) informed the AA or IA when they start or finish work.
supported by a separate TRA if an existing procedure is not already risk
assessed (e.g. manufacture procedure, equipment manuals).
The RAP or SOP covers the risk management of the task and identifies the task
hazards, risks, and controls. It might not fully cover the worksite situational or
process hazards, or risks that might emerge when a task is being performed. In
cases like these, a TBT form is used to cover the worksite or situational risk review.
This allows the PA and work party to:
identify worksite and process hazards
consider SIMOPS, and
Verify the conditions and hazards at the worksite on the day of execution match
those described in the procedure before work starts.
RAPs shall contain the following to assist in SIMOPS management:
a detailed task description
a residual risk number for use within eCoW for calculating cumulative residual
risk
a unique number or identifier and issue and revision dates.
The approval level is either based on residual risk and defined by the HITRA approval
table in Table B.5 or the entity procedure for procedures in OMS 4.1.
Once authorised, the RAP status is then live in eCoW until the PA completes the
work and the AA closes the RAP. When the RAP goes past the set finish date, the
status changes to ‘overdue’.
Individually assess all personal isolation tasks as distinct steps within the procedure.
If a full isolation is required, a RAP shall not be used without a permit to manage the
task. The AA may attach a procedure to the permit.

Page 67 of 361 Revision: B06

Table 7 - Examples of when SOPs or RAPs may be used without a permit

The following are examples of when you may use SOPs or RAPs without a permit:

1. Startup or shutdown of a well.

2. Startup or shutdown of a compressor or pump.
3. Operating valves to control process parameters.
4. Preparing a section of plant using fixed drain and vent systems that does not involve breaking containment.
5. Preparing a section of plant for isolation by connecting hoses to closed drains or vent systems using personal
isolation.
6. Commissioning activities such as loop testing or valve stroking.
7. Normal drilling operations and well interventions.
8. Inspection.

The following are examples of when you shall not use SOPs or RAPs unless they are managed by a permit:

1. Carrying out an intrusive maintenance task on a piece of equipment, unless the equipment is specifically
designed to allow intrusive maintenance during operation (e.g. duplex filters).
2. Preparing a section of plant for isolation by connecting hoses to closed drains or vent systems using a full
isolation.
3. Fitting or removing temporary spool pieces, fittings or blinds (for example for flushing, draining or venting
involving a full isolation).
4. Confined space entry (CSE), hot work open flame (HWOF) or ground disturbance.
5. Working on live energy systems.
6. Any activity requiring a full isolation.
7. A task performed using equipment that is not specifically designed for the task.

8.3.4 Low risk permit

A low risk permit (LRP) effectively and efficiently controls low-risk work. LRPs differ from
other permits in three ways:
• can only be created from a template based on a Level 2 TRA
• used by people who are familiar with the worksite and have a thorough
knowledge of the task
• no worksite visit needed by operations before work starts.
An LRP is a specific version of a cold work, hot work spark potential, or breaking
containment permit created from a template.
To use an LRP, the following conditions shall be met:
only used by people who are familiar with the worksite and have a thorough
knowledge of the task
the task is well defined and easy to identify at the worksite
the task is performed by one main discipline with an additional single
supporting discipline if required. For example, a mechanic removing filters may
need an instrument technician to remove an instrument connection.
at the work start visit, the PA verifies that the task, worksite and process
hazards have been identified, assessed and are appropriately controlled
the PA verifies that there are no SIMOPS issues immediately before starting
the task

Page 68 of 361 Revision: B06

the AA discusses the LRP at the daily CoW meeting if the scope introduces a
SIMOPS risk. An AA or IA can subsequently issue it to the PA.
can be authorised for up to 144 days
can be re-issued within the authorised period
the AA or IA does not need to visit the worksite for LRPs, but they visit a
sample of tasks to Verify permit conditions are as stated. If any change occurs
to the way the task is executed or additional hazards are identified, then the AA
closes the existing LRP and creates a new one.
only full isolations, or conformant personal isolations can be used with an LRP
for LRPs expected to be completed within one shift, the PA may apply personal
isolation if all the requirements of section 14.13 are met
the LRP may be used for up to 4 hours5 after the shift end to accommodate
overtime working on the task. The AA uses the countersignature feature in
eCoW to authorise this extended working.

8.3.5 Using low risk permit templates

A low risk permit template includes an Approved Level 2 TRA.
Review template at the interval set by the SA when they authorised the template
for use. The interval depends on the task risks and likelihood of changes and shall
not be more than 3 years6.
The AA verifies that the TRA selected fully addresses the scope and risks for the
proposed task.
The SA regularly reviews a sample of LRPs using the permit quality assessment
self-verification to Verify quality is being maintained.

8.3.6 Creating a low risk permit template

To create an LRP template, the following conditions shall be met:
The initial risk is in risk area I or II:
a) the residual risk is in risk area I
b) the hazards at the worksite, or worksites, considered for the task are
predictable and stable
c) a Level 2 TRA is used to create the template to Verify that both the task is
suitable for an LRP and the risk assessment is high quality.
Table 8 shows activities that may be considered suitable for an LRP. This is not a
comprehensive list. If the Level 2 TRA concludes that the residual risk is in area I,
then tasks outside of the scope of these examples may be considered.

Page 69 of 361 Revision: B06

Table 8 - Examples of when a low risk permit may be used

The following may be LRP tasks:

1. Overriding a single device for calibration or fault finding is acceptable provided the SORA controls are met
(for example a fire and gas detector or level switch).
2. Checks that do not affect the integrity of the system.
3. Opening of low voltage electrical junction boxes or panels to inspect or test.
4. Opening, but not working on, live electrical junction boxes in hazardous areas that contain only IS circuits.
5. Brush painting where the paint and the area to be painted present low risks.
6. Re-lamping.
7. Maintenance work on office equipment.
8. Using non-certified portable electrical equipment, or other equipment such as cameras and non IS test
equipment in hazardous areas.
9. Scaffolding work (excluding overside working, cantilevered, load bearing, over hazards such as critical safety
systems, rotating equipment, transformers, exhaust ducts and water).
10. Hydrocarbon sampling using a permanent, Approved sample point.
11. BA cylinder refilling operations using Approved and installed filling systems.
12. Workshop activities not covered by workshop procedures.
13. Lifeboat equipment checks (excluding launching lifeboats).
14. Planned maintenance on communications and public address systems.
15. Filter change-outs.
16. Using hand tools on installed and Approved equipment to grease and top -lube oils where considered low-
risk. Low-risk examples include: gearboxes, fin fan louvres, low-pressure utilities and low-pressure
hydrocarbons (<107 barg or 150 psig US). If working on higher pressure hydrocarbon valves consider the
possibility of leaks if the nipple ball does not re-seat.

8.3.7 Cold work permit

Cold work permits are used for tasks that do not include breaking containment or
potential sources of ignition from sparks or open flames. Cold work may involve a wide
range of hazards.
Cold work can involve higher risk tasks. Do not assume that the task is lower risk
because it is being managed using a cold work permit.
Some jobs involving activities in Table 9 may need specialist tools and equipment. Some
of these tasks may have to be covered by hot work spark potential if they involve tools
or equipment that introduce a spark potential.

Page 70 of 361 Revision: B06

Table 9 - Examples of when a cold work permit may be used

The following activities are examples of when a cold work permit may be used:

1. Lifting and rigging operations.

2. Air driven impact wrenches, nibblers or low speed hacksaws (excluding potential hydrogen atmospheres).
3. Pressure testing piping and equipment.
4. Water jetting, wet grit blasting or water cutting.
5. Work with radioactive sources, fixed and mobile.
6. Stripping or disturbing asbestos and other mineral fibres.
7. Work on vessels or equipment contaminated with LSA scale or NORM.
8. Painting operations with brushes or rollers.
9. Removing or installing handrails, gratings, hatches or fixed ladders using cold work methods.
10. Erecting or dismantling scaffolding.
11. Insulation activities.
12. Temporary use of hazardous substances in areas not designed for this (for example cleaning and dosing
tasks).
13. Work near, but not within, the safe clearance distance of overhead electrical cables or other unprotected live
electrical equipment.
14. Electrical work on isolated and proven dead circuits using tools that do not have spark potential.
15. Electrical work with no access to live conductors (for example cable pulling, cable tray installation).
16. Diving activities.
17. Non intrusive ROV activities.

8.3.8 Breaking containment permit

A breaking containment permit highlights the increased risks of tasks that breach the
designed containment envelope on any system, or material.
Highlighting these tasks helps avoid clashes with other work on the facility (that is,
SIMOPS).

Table 10 - Examples of when a breaking containment permit may be used

The following activities are examples of when a breaking containment permit may be used:

1. Opening up any process or plant system where there is a risk from toxic, flammable or other kinds of
hazardous substances.
2. Construction, maintenance, overhaul or repair work involving breaking containment.
3. Spading or blinding and de-spading systems.
4. Sampling hydrocarbon products by any means other than an Approved sample point.
5. Use of equipment or work on small pipework systems, strainers, filters, or valves contaminated with
pyrophoric scale, where water flooding is used as a control measure.

The IsA shall:

understand where and how the BC will take place
demonstrate the isolation, prove zero energy to the PA and attend the initial BC
understand the process and possible process safety implications of the
isolation and be able to implement the contingency plan if there is an incident,
and
be able to contact the control centre from the worksite and the emergency
response teams if required (e.g. through radio contact).

Page 71 of 361 Revision: B06

8.3.9 Hot work spark potential permit

Hot work spark potential permit is for work with equipment and tools that may create
low-energy sparks when used normally or because of errors or malfunctions.

Table 11 - Examples of when a hot work spark potential permit may be used

The following activities are examples of when a hot work spark potential permit may be used:

1. Using mains or battery-powered electrical equipment that is not certified for use in the relevant hazardous
area such as:
a) electrical test equipment and hand-held instruments
b) power tools, including cordless drills, saws, impact wrenches
c) inspection, measurement and survey tools
d) digital cameras, phones, laptops, tablets and similar battery-powered devices
e) Radiography (x-ray source), if battery-powered
f) Scissor lifts and forklifts.
2. Needle guns.
3. Dry grit or shot blasting.
4. Using powered equipment that may generate a friction spark.
5. Work that defeats or removes the Ex protection concept of equipment located in a hazardous area. Examples
include opening of live non-intrinsically safe electrical equipment, or removing pressurised supply to Ex
equipment reliant on pressurisation.
6. Energised electrical work.
7. Proving dead of electrical equipment.
8. Opening live electrical junction boxes where the terminals are exposed to the atmosphere.
9. Using cartridge-operated fixing tools.
10. Operating protected portable diesel engines not tied into fire and gas systems.
11. Using internal combustion engines for portable temporary equipment, such as cranes, compressors, pumps
and generators. These have several features that are considered ignition sources due to:
a) the presence of hot exhaust gases
b) hot surfaces, such as exhaust manifolds and pipework instrumentation and electrical systems
c) potential overspeed due to ingress of flammable atmospheres into the engine’s air intake.
12. Activities that may generate static electricity (for example transfer, draining or taking samples of low
conductivity liquids, manual tank gauging, dry grit blasting, HP/ EHP water jetting, steam cleaning, paint
spraying).
13. Using any other equipment that may generate sparks when it is being operated.

8.3.10 Hot work open flame permit

Hot work open flame (HWOF) is any work with equipment and tools that, when
used within their design parameters, are likely to ignite a flammable or explosive
atmosphere, solid materials, or liquids. While HWOF is live, suspend any breaking
containment on any flammable materials in the same area.

Page 72 of 361 Revision: B06

Table 12 - Examples of when to use a hot work open flame permit

The following activities are examples of when to use a hot work open flame permit:

1. Open flames, including welding, flame cutting, air arcing and soldering.
2. Electrical welding, such as arc, MIG and TIG.
3. Equipment operating above 392°C / 738°F8, except in authorised workshops (for example.electrical induction
pre-heating, stress relieving, using high temperature thermal calibrators or hot-air blowers).
4. Steam generators (unless they are electrical and rated for the hazardous area).
5. Power grinding, air or electrically powered or similar activities that create sparks.
6. Any activity that has the potential to create a continuous or intermittent uncontrolled ignition source.
7. Splicing fibre optics.
8. Use of equipment or work on large pipework systems, heat exchangers or vessels contaminated with
pyrophoric scale.

When the following operations are covered by an SOP, a HWOF permit is not required:
• normal operation of site flares systems and process equipment that are designed
to have open flames as part of their design (for example inert gas generators or
fired heaters)
• lighting of flare systems using installed portable igniters or guns.

8.3.11 Permit templates

A permit template can be created from an existing permit or directly as a template.
A permit template is an Approved Level 1 or 2 TRA and shall:
have residual risk in risk area I or II
be reviewed at the interval set by SA when they authorised the risk
assessment for use. The interval set depends on the task risks and likelihood of
changes and shall not be more than three years.
be verified by the AA that the TRA selected fully addresses the scope and risks
for the proposed task
have a work start visit by the AA or IA and PA to Verify that the task, worksite
and process hazards have been identified, assessed and are appropriately
controlled.

8.3.12 Confined space entry permit

For a description of confined space and how to manage confined spaces see section 15.
Occupational Safety and Health Administration (OSHA) has defined two types of
confined space: those requiring permits and a non-permit required confined space. In
Upstream, permits are used to manage entry to all confined spaces. This means OSHA
requirements are met by operating to the more stringent Upstream CoW standard.
Additional requirements for OSHA permit-required confined spaces may still apply
depending on the circumstance.
Entry to any confined space requires a confined space entry (CSE) permit. It does
not allow any form of work other than entry for visual inspection or atmospheric
testing. Do the following if work in a confined space is needed:
Apply for a permit, to cover the task being executed.
Cross-reference by linking the task permit to the CSE permit using the live-live
permit dependency.

Page 73 of 361 Revision: B06

The AA shall maintain the CSE permit as valid throughout the life of the associated
permit.
When work is complete, the AA shall Verify that all permits to work associated or
linked with the CSE are completed before the CSE permit is signed off by the AA as
closed.
The AGT1 shall record all gas test results on the CSE permit. Repeat these tests
after any interruption to CSE work. If the tests identify any change, the AGT1 shall
stop the work and notify the AA.
An AGT shall continuously monitor the levels of oxygen and flammable or toxic gas
within the confined space.
The gas monitoring is set up by an AGT1or 2 but can be monitored by an AGT3.
The PA is accountable for suspending a CSE permit if unacceptable conditions arise
(for example internal temperatures are too high to work, access needs to be
modified, or the scope of work changes).
If blasting or other activities have created a dust-filled atmosphere, then clear the
confined space of dust before allowing re-entry without respiratory protection.
Each site shall have a CSE register. See section 15.9.

Table 13 - Examples of confined space

The following would typically be considered a confined space:

1. process vessels and exchanger

2. fired heaters
3. road and rail tankers
4. habitats with access or ventilation limitation see section 13 and 15
5. pipelines, pig receivers and launchers
6. silos, vats and tanks
7. floating roofs of hydrocarbon storage tanks
8. sewers and manholes
9. flues, ducts, ceiling voids, box girders and lift shafts
10. trenches and excavations of more than 1.2m (4 ft)9, deep. (if they meet the criteria for a confined space)
11. pits, sumps and culverts
12. voids between modules and in legs on offshore installations
13. vessel or column skirts and crane pedestals
14. flare tips
15. any space or partially enclosed space where there is a risk of death or serious injury from hazardous substances
or dangerous levels of contaminants accumulating, and ventilation is restricted.

8.3.13 Permit dependencies

The eCoW software has a feature to link permits to help manage tasks that need to
be sequenced. This feature is used to avoid human error.
There are three dependency types:
Permit Live - Live: this covers a circumstance in which someone needs to
create a permit that links to another permit. It establishes a rule that the permit
being created cannot go live unless the linked permit is already live. For
example, if the permit being created is for cleaning the internals of a vessel,

Page 74 of 361 Revision: B06

reference it on the CSE permit for that vessel. The permit cannot be issued for
cleaning unless the permit for CSE had already been issued and is live. In this
example, it would not be possible to suspend the CSE permit unless the
cleaning permit had been suspended first.
Permit Live - Not Live: this type of linking works in reverse to that of linking for
Live - Live. For example, if a permit is being created for painting the internals of
a vessel and there is a permit for blasting the surfaces in preparation for
painting, a Live - Not Live dependency may be used so that the blasting and
painting permits cannot both be live at the same time.
Permit Start - Finish: this creates a dependency from the permit being created
to another permit, enforcing a rule that this permit cannot start until the
referenced permit is completed. For instance, if you applied this dependency to
a permit for replacing a nucleonic level transmitter to a vessel, it would not be
able to go live until the permit for vessel CSE had first been completed.
In the case of Live - Live and Start - Finish dependency, the direction of referencing
is critical. It shall always be from the dependent permit to the one it is dependent
upon. For example:
Live - Live the permit for cleaning the internals would be dependent on the CSE
permit.
Start - Finish the permit to replace the nucleonic level transmitter to a vessel
would be dependent on the CSE permit.

8.3.14 How to identify equipment associated with a task

It is essential for effective CoW that you correctly identify field equipment associated
with a task before issuing a permit.
It is good practice to use equipment ID tags for any task. Use them:
if the site labelling or marking systems are missing or not clear
for all new tie-ins to existing systems
if it is necessary to identify redundant equipment.
The equipment ID tag format shall, as a minimum, identify the following:
equipment number
permit or Isolation Confirmation Certificate (ICC) number
the name of the person who placed the tag
the date it was placed.
If access to the worksite is not reasonably practicable before work starts, marked-up
photographs may be used to identify the work location. For example, if the work is going
to be done by a rope access technician, then this approach can be used.

8.3.15 How to Verify CoW documents

The AA, IA or SA verifies that CoW documentation includes the following:
the correct level of TRA has been applied
all the required supplementary certificates are Approved and attached or linked
the date and time when work may start and a time limit that the permit remains
valid

Page 75 of 361 Revision: B06

monitoring frequency requirements as specified in the TRA

a description of the task the team is carrying out and that the permit is not
covering a combination of tasks (that is, the whole job)
a detailed description of the type of task the team is going to perform. This
includes the scope, any tools and equipment they will use, and how they will
do the work.
worksite location
hazards associated with the task, process, and the worksite, with details of the
associated controls in place to manage the risk, including any Emergency
Response and Rescue Plans (ERRP), if applicable
contingency plan
SIMOPS.
All permits including LRPs shall be verified before the two-week planning gate.
Verification requires all supplementary certificates to be attached and Approved.

Page 76 of 361 Revision: B06

8.4 Step 4: Authorise

To control work effectively, it is vital that a structured CoW meeting is held every
day to discuss the previous day’s CoW delivery, current status and authorise the
following day’s activities. The team at the meeting considers the time and
resources, including whether they need specialists to carry out scheduled activities
safely and effectively.

8.4.1 What the AA reviews before the daily Control of Work meeting
All scheduled tasks have verified CoW documents.
Applicable energy isolations and supplementary certificates are in place or planned
before the task starts.

8.4.2 Who attends the daily Control of Work meeting

The SA shall chair the meeting.
As a minimum, the following people shall attend:
AAs.
PAs, when requested by the SA.
The SA may include others as required (e.g. planner, maintenance team lead, HSE
adviser or schedulers).

8.4.3 What the agenda covers

Firstly, this meeting reviews the tasks that were being worked on the previous day.
Outstanding work, required actions and lessons learned will be discussed, including
any impacts these may have on the schedule.
Next, the meeting reviews all work that is scheduled for the following day, including
emergent work and ongoing work to achieve the following:
raise awareness of and manage possible SIMOPS for planned activities
review the cumulative residual risk of the scheduled work and plant operation
identify where countersignatures from an Affected Area Authority (AAA) are
required and inform the AAA
Verify that the PAs are able to oversee the task by checking they are not
assigned to other tasks that might stop them from being able to do this
effectively
review the AA’s workload for the following day to Verify they can manage all
the planned activities
review any opportunities to learn from CoW self-verification checks completed
and feedback from PAs
decide if the tasks can proceed as scheduled or not. The SA takes this decision.
agree and assign self-verification.
The AAAs shall Verify the following:
they have informed everyone working within their area that might be affected
by the adjacent work. This is critical, especially when the task involves hot work
or breaking containment.

Page 77 of 361 Revision: B06

controls are in place and everyone understands the potential impact on their
own tasks
the AAA has signed the permit to record their agreement for the task to
proceed using the countersignature function within eCoW.
The daily CoW meeting also verifies, if applicable, that CoW bridging and interface
requirements are in place for:
handing over a remote area CoW to a GWO or GPO contractor, or
vessels working within an offshore platform’s 5001m zone.
Finally, this meeting is where the SA reinforces expectations and shares
opportunities to learn from self-verification activities. The SA uses information from
management reports and metrics to focus attention on areas that need to be self-
verified.
Examples of meeting format can be found in Upstream Collaboration CoW SharePoint site.

8.4.4 Managing the meeting

Displays, dashboards and summaries are available in eCoW to help the SA conduct a
thorough and efficient meeting.
It is important that the following be reviewed as part of approving the planned work
for the next day:
the graphical overview with filters showing permits, LRPs, isolations, ORAs,
SORAs and any SIMOPS activity such as NPWs or RAPs
the operational dashboard to show overall conformance, metrics and workload
the cumulative residual risk, showing all the residual risks from all live CoW
documents within eCoW.

8.4.5 Authorising permits

The level of authority needed to authorise a permit is set out in Table 3. The AA
may only authorise permits where residual risk is in Area I. All other permits require
the SA to authorise them. Permits are typically authorised before or after the daily
CoW meeting.
Authorisation period is risk based, up to a maximum of 144 days.

8.4.6 Re-authorising permits

The SA is the only role that can re-authorise permits and may do this at any time
and in any permit state. The maximum periods in section 8.4.5b apply.
The SA shall Verify, typically by asking the AA, that any controls are still in place and
SIMOPS conditions are still acceptable before a permit is re-authorised.

Page 78 of 361 Revision: B06

8.5 Step 5: Execute

Clear and accurate communication is important because the control is passing from the
AA to PA when the permit is issued and accepted.

8.5.1 Issue and accept permits

Before starting work and immediately before or after issuing the permit, the AA or
IA and the PA shall Verify:
conditions have not changed since the TRA and permit were being prepared
any controls the permit specifies will be in place before work starts
isolations are in place and meet the requirements of this Upstream CoW
Procedure, checking for positive isolation for HWOF and CSE tasks
pre-requisite TRA controls are in place and fully effective.
Figure 5 identifies when site visits are required.
For low risk permits, the PA shall inspect the worksite and Verify controls are in
place after the permit has been issued.
The AA or IA shall communicate the hazards and controls and any SIMOPS to the
PA before they issue the permit.
The PA shall be a different person to the IA or the AA (that is, a person cannot issue
a permit to themselves).
The AA agrees with the PA which competent person is assigned to fire watcher
(FW), authorised gas tester (AGT) or confined space entry attendant (CSEA).
All Permits may be used for up to 4 hours5 after the shift end to accommodate
overtime working on the task. The AA uses the countersignature feature in eCoW to
authorise this extended working.

8.5.2 Pre-work activities

After a permit is issued, but before the TBT, the PA checks that all equipment,
including task-specific PPE used, is fit for purpose and correctly certificated. For
example:
lifting equipment has no obvious damage and has the correct colour code
load limiting devices and alarms are functional
all loads are checked for potential secondary dropped objects
the proposed users are competent to use all equipment and task-specific PPE
specified in the permit and supplementary certificates.

8.5.3 Work execution

The PA does the following:
monitors the sites whilst they are present or when they visit, if they are the PA
for more than one task. This monitoring is only recorded when specific
monitoring tasks are assigned to PA in the TRA.
keeps the worksite in a clean and safe condition and work within the scope
covered by the permit
verifies the controls specified on the permit are followed

Page 79 of 361 Revision: B06

reports any unsafe work that requires a stoppage to the AA or IA.

Is the task YES PA conducts worksite visit

covered by and TBT on their own. AA
LRP? verifies by sample visits
NO

Is the task
HWOF or
CSE?

NO NO Joint worksite visit and TBT by

Is residual AA and PA for first and
risk in area I?
subsequent issue
YES YES

SA conducts first visit and TBT

with AA and PA. Second and
subsequent can be delegated
to
AA and PA for joint visits

Is the task YES SA may delegate

HWOF or site visit and TBT
CSE? to AA
NO

Is this the first YES

issue of the
permit?
NO

Joint worksite visit

by AA or IA and the PA

Any concerns
from last issue?

Are there any

changes to: YES
Worksite visit by AA or IA and
• Task scope?
PA can be done separately
• PA or work
NO and communicated at permit
crew?
• SIMOPS? issue. PA does TBT, AA sets
• Hazards? monitoring frequency

Figure 5 - Site visit and TBT flowchart

Page 80 of 361 Revision: B06

8.5.4 Toolbox talks

Before work starts, the PA shall conduct a TBT at the worksite with the people who
will carry out the task. The first TBT each day should cover a summary of the overall
permit scope, detailed review of hazards and controls for the next step. For each
subsequent step, another short TBT is required to discuss the hazards and controls
associated with that step. A TBT is also required after breaks (e.g. lunch).
For HWOF tasks in hazardous areas with residual risk in area II or above, the SA
shall visit the worksite with the AA before work starts and attend first TBT. For
subsequent permit issuance, the SA may delegate the site visit. See Figure 5 and
Table 14 for details.
For HWOF tasks in risk area I, the SA may delegate visits to the AA.
For LRPs, the AA verifies the worksite visit and TBT by sample visits.
For risk area I permits the PA and AA, or IA conduct a joint worksite inspection on
the first issue of the permit.
On subsequent permit issue the AA or IA may conduct a site visit separate to the
PA but shall communicate this with the PA at permit issue.
The AA or SA attend any TBT that has residual risk in Areas II or above.
A TBT is a vital part of the process to Verify that everyone understands the scope,
hazards, controls, and monitoring that the TRA covers. The TBT allows the people
involved in the work to:
discuss the scope and approach to the work to Verify that they understand the
task steps, job interruption events and contingencies
raise any concerns about the task, and
identify any hazards that have not been identified in the TRA process.
At this stage, inform the work party about any relevant ERRPs that are in place for
the task and what will be required of them if there is an emergency.
Everyone involved in carrying out the task shall fully understand the TRA. The
conversation shall cover:
the full scope of work
details of the task steps involved
hazards and risks identified for each step in the task
all controls identified, including contingency plans and Life Saving Rules
the isolations in place to control energy sources
any SIMOPS issues identified, and
an individual’s fitness and ability to perform the task (e.g. fatigue, working at
height or access to confined space).
Risk reviews are held when the work stops, and the team checks for new or
changing hazards and risks. Typically, these are the tasks steps, but other risk
review points may be agreed or may emerge while the task is executed.

Page 81 of 361 Revision: B06

The PA keeps the language of the TBT clear and simple, especially for complex
technical tasks. If English is not the work party’s first language, the PA may make a
good-quality translation in appropriate language before work starts. The TBT is
performed at the worksite unless barriers (for example high noise levels) hamper
the discussion.
All attendees of the TBT sign the work party declaration section of the permit to
confirm that they have identified the equipment they are working on and understand
the hazards, and controls.
The PA verifies that when additional people join the work party, they understand the
hazards, controls and supplementary certificates, including ERRP referenced on the
permit. These additional people sign the work party declaration section of the TBT.
The PA verifies the work party declaration form is updated when anyone leaves the
work party.
If anyone at this stage identifies additional hazards or thinks the controls are
inadequate, then the job shall stop. It shall not start again until the AA has reviewed
the TRA and verifies:
the risk assessment is suitable and sufficient and gives permission for work to
continue, or
when additional controls are required and have been put in place, either;
a) record on the paper copy of the TBT with changes signed by the AA.
Typically, these controls relate to housekeeping, weather, or fatigue, or
b) where there is a change in scope or hazards, or a significant change to
controls, the risk assessment is updated, and the permit reissued.
Some example topics to cover as part of the TBT are described in Table 14.

Page 82 of 361 Revision: B06

Table 14 - Toolbox talk guidelines

Item Considerations and prompts

Task scope The task description and what the permit does and does not cover.

Weather conditions Weather and sea state.

Competence and experience.

Familiarity with the installation and system they are working on.
The work party Anyone fatigued or distracted.
Fit and able to perform the task (e.g. working at height or access to confined space).
Expected behaviour and operating discipline (e.g. Line of fire and LSR awareness).

Access, egress, or awkward working position.

Ground conditions.
The worksite Temperature and humidity, if it is relevant to the task.
Lighting.
Location.

Identify the correct equipment.

Plant and equipment Physical condition of the plant and equipment.
status Current operating status of plant and equipment.
Any isolation in place.

Current adjacent Can this task affect other worksites?

worksites Can other worksites affect this task?

Are they in place as stated in the TRA and understood by the work party?
Controls
Review attached certificates (for example ERRPs, lifting plans).

Hold points The task steps and any additional agreed points that allow for hazards and risk review.

If the resources to deliver the ERRP are not available.

Changes in weather and site conditions.
If the task goes outside the permit’s scope.
Interruptions and ‘Stop
An unplanned activity introduces SIMOPS.
the job’ events
Additional hazards that have not been assessed or inadequate controls are identified.
The PA stresses that anyone has the authority and obligation to stop unsafe work or
report unsafe conditions.

Everyone understands the contingency plan and any emergency response plans in place.
Contingency plan Everyone knows the location of emergency response equipment (e.g. extinguishers,
alarm call points, showers, escape sets and muster points).

8.5.5 Displaying a live permit

Work may start once all personnel in the work party have signed the work party
declaration section of the permit.
The PA posts the signed permit in an accessible area that is close to the worksite
where it is unlikely to be damaged and is protected from the weather.
The posted documents at site include supplementary certificates but the other
attachments are at the AA’s discretion.

Page 83 of 361 Revision: B06

8.5.6 How to stop unsafe work and manage interruptions

Documents issued to people carrying out CoW work state:
Everyone has the authority and obligation to stop any work they consider to be unsafe.
Anyone shall stop the task if:
the work scope or worksite conditions change, or new hazards are identified
they think that the permit to work or controls are not appropriate or no longer
apply
the task goes outside the permit’s scope
an unplanned activity introduces a SIMOPS hazard that could affect the task
changes in weather or site conditions that require additional controls.
If anyone stops the task for any of the reasons above, the PA shall immediately tell
the AA.
The AA shall review the task, worksite, and process hazards with the PA. The
permit and risk assessment can be modified and re-Approved to incorporate any
changes or additional risks. The level of approval needed depends on the residual
risk and may mean that a TRA team has to reconvene.
For events that stopped or interrupted the job due to safety concerns:
the PA records this in the eCoW feedback
the SA verifies the events are reviewed and if required they are entered into
IRIS (for example, where BP Golden Rules of Safety or Life Saving Rules where
applicable have been breached).

8.5.6.1 All work interruptions

The PA or delegated work crew member checks that the worksite and tools are left
in a safe and orderly condition. Any tools that are no longer required after the
interruption are removed. This may not be possible in an emergency or evacuation.
The CSEA verifies everyone is out of the CSE and installs a temporary guardrail and
signage to prevent entry to the confined space when the site is not attended.
For CSE, check the continuous gas monitor, or retest the atmosphere, before
entering the confined space again.

8.5.6.2 Short interruptions

For short interruptions (for example for meals, prayers, coffee, smoking, collecting
tools or equipment), the PA shall reassess the site conditions and check that the
controls still apply.

8.5.6.3 Longer interruptions

For longer interruptions (for example site alarms, bad weather), the following shall
happen:
The PA verifies, if safe to do so, that when a task is interrupted, the worksite is
left in a safe and orderly condition and any equipment being used is shut down
or isolated.

Page 84 of 361 Revision: B06

The PA informs the AA when leaving the worksite to determine if the permit is
completed or suspended. The AA may decide the PA does not need to
suspend the permit if the site alarm is confirmed as false.
The PA reassesses the worksite area to confirm that nothing has changed that
impacts the task or worksite safety.
For CSE, the atmosphere is re-tested before access is allowed.

8.5.6.4 Emergency interruptions

For an emergency interruption (for example an emergency muster following a gas
release), the following shall happen:
All equipment is shutdown and isolated if it is safe to do so.
Permits are returned to the AA when it is safe to do so.
The AA suspends active permits after personnel leave the worksite or when
requested to do so by the site incident manager. The ‘Suspend all’ function in
eCoW can be used to do this.
Once the SA has authorised the restart of the work, the AA or IA verifies that it
is safe to restart work after the emergency and re-issues or verifies that
permits are still active.
The PA or delegated work crew member reassesses the worksite area to
confirm that nothing has changed that impacts the task or worksite safety.
When personnel return to a confined space, the atmosphere is verified non-
hazardous before they re-enter.
More details on how to record stop-the-job events are provided in section 8.5.6.

Page 85 of 361 Revision: B06

8.6 Step 6: Monitor

Monitoring or checking the worksite is essential to managing any worksite safely.
How often a task is monitored and the level of verification that might be required
may change depending on the level of risk involved. The frequency and type of
worksite monitoring shall be defined in the risk assessment for the task.
When they are visiting a worksite, the AA or IA shall immediately stop the task and
suspend the permit to work in the following circumstances:
they observe unsafe conditions for the work being carried out
they observe that the work does not conform to the work permit’s conditions
the work crew tells them they have stopped the work because the task is
unsafe
they observe any new SIMOPS risks.

8.6.1 How to monitor tasks managed by permits

The AA or IA visits the worksite to monitor the activity at the frequency recorded in
the TRA. When they have completed a monitoring visit, the AA or IA signs and adds
any appropriate brief comments into the permit’s work monitoring section under the
heading ‘worksite monitoring’.
The monitoring is recorded in eCoW along with any comments.
As part of worksite monitoring, the AA or IA shall Verify the following:
isolation integrity is proven, and zero energy demonstrated
everyone on the work party understands the work scope, the hazards
associated with it, and the controls in place for the task
everyone has signed the work party declaration to say they participated and
understood the TBT
the requirements detailed in the permit are being followed
the task described in the permit is the actual task being conducted
all necessary paperwork has been completed and controls are in place
worksite monitoring has been completed in line with the risk assessment
emergency response requirements are in place, everyone on the work party
understands them, and they have been tested, if applicable
the work party understands the contingency plans
there are no conflicts with SIMOPS activities
site housekeeping standard is good so that additional hazards are not created.
The monitoring frequency is risk based and shall include consideration of the
following:
type, complexity, risk level, SIMOPS and amount of activity in the schedule
CoW incidents, near misses, HIPOs, and self-verification findings for similar
work
PA and work team familiarity with the work and the site or work location.
Consider those new to the site (green or orange hats).

Page 86 of 361 Revision: B06

8.6.2 How to monitor tasks managed by low risk permits

The PA shall monitor the task during execution.
Low-risk activities do not have to have additional monitoring unless a risk
assessment identifies that monitoring is needed.
Self-verification is used to provide sample testing for conformance on these tasks.
Sample around 10%10 of the total low-risk tasks.

8.6.3 How to monitor other Control of Work activities

All the workflows in eCoW (IDP, SIMOPS, Leaks & Seeps, SORA and ORA) have the
functionality to assign and track monitoring.
The type and frequency of monitoring is decided in the risk assessment or by the AA for
each workflow. All monitoring for live or active workflows are brought together by eCoW
under the task monitoring screen where they can be checked and updated.

8.6.4 How to monitor remote and lone working

The AA and the PA who will be the lone worker evaluate the risks associated with
an individual working alone on a case-by-case basis.
All ongoing tasks are recorded at a central location so that all work in progress is
visible to the AA.
The form of the communication protocol and the required numbers of people are
decided during the TRA.
The AA checks the agreed communication protocol before giving permission for
work to start. The PA informs the AA when the task starts, at the frequency
specified in the risk assessment, and when it is complete.
At a change or end of shift, the PA returns the permit to the issuing centre. A
scanned copy may be emailed if it is not possible to visit the issuing centre.
In residual risk area II or above, a second person shall be ready to summon help,
assist – or both – if an emergency happens.
For example, lone workers can sign in and out with security or operations personnel.
The lone worker might be asked to call or visit - or both - the security or operations
contact person to confirm the lone worker is safe.
You can find more about what you need to do in section 8.6.5 Communications
protocol.
You can also find more information on lone working ERRPs in section 18.5.

8.6.5 Communications protocol

Personnel working on their own shall use a communications protocol that includes
the means of communication, the frequency of contact, and main and backup
contacts.
Effective ways of getting help can include telephones, cellular phones, portable two-
way radios, personal alarms, and computer-based systems. The communication
protocol allows a worker who needs help to send a message or signal to someone who
can help him or her.
The AA and PA shall:
discuss and agree how communication will be managed

Page 87 of 361 Revision: B06

test the agreed communication method that will be used to keep in contact
with the lone worker
agree the actions to take if a lone worker needs to be rescued in an
emergency.

Page 88 of 361 Revision: B06

8.7 Step 7: Complete

When any task is finished, the PA:
inspects the worksite to Verify it has been left safe and tidy
returns to the AA or IA at the issuing location to have a face-to-face
conversation. Where a face-to-face meeting is not reasonably practicable, they
may have a telephone conversation, but care is required to make sure the
handover is clear
agrees, with the AA or IA, if the permit is to be suspended or completed.
When suspending a permit, the PA includes the date and time they want it re-issued.
All permits in eCoW contain a section for PA feedback. Table 15 shows the three
feedback options available to complete before suspending or completing a permit.

Table 15 - PA Feedback in eCoW

No issues
Work completed as planned.
Plant is fully restored to normal operating condition.
Site has been left safe and tidy.

Suggested improvements
Job completed and plant is back to normal operating condition.
The worksite has been left in a safe and tidy condition.
Suggestions to improve CoW efficiency or future task execution.

Worksite status is abnormal or job interruptions

The plant is not fully operational and cannot be used.
Events were recorded that stopped or interrupted the job or there were problems with the site’s
condition. Job interruptions that were resolved and allowed work to be completed are still recorded.

8.7.1 Suspending permits

The PA shall suspend permits to work for the following reasons:
shift handover
Work is completed for the day, if it is not a 24-hour operation
Work is partly completed and waiting for a sanction to test (STT)
Work is suspended due to materials or resources not being available (for
example people or equipment)
anyone has identified new or additional hazards that cannot be managed
through the TBT
emergency interruptions or evacuations (for example site general alarm).
When a task is suspended, the PA verifies the following:
the permit and any associated supplementary certificates are returned to the
permit issuing centre because it is important that the PA can discuss the task
progress or completion and hand over the permit in person to the AA or IA.
personal isolations, tags and any personal locks are removed.

Page 89 of 361 Revision: B06

In an emergency or evacuation, the AA shall Verify that all live permits and their
associated supplementary certificates are suspended when personnel leave the
worksite or when it is safe to do so.
The AA or IA shall update eCoW to accurately reflect the works status and decide
which supplementary certificates can be closed, suspended, or kept live.
The AA or IA shall inform appropriate IsAs, especially in the case of breaking of
containment work, so that additional monitoring can take place on valve isolation
integrity.

8.7.2 Re-issuing permits

Before the AA, IA or SA re-issues a permit after work has been suspended, they
shall Verify the following:
the task description is still accurate for the task being done
hazards and controls identified in the TRA are still relevant
any SIMOPS originally identified have not changed
the conditions at the worksite have not changed
feedback from the PA was positive or identified issues have been addressed
the supplementary certificates are valid for the duration of the associated task.
If the AA, IA or SA decides that conditions have changed and the permit is no longer
appropriate, then conduct a new TRA and issue a new permit.

8.7.3 Re-authorising permits

Before the SA re-authorises a permit, they shall:
Verify the same items for a permit re-issue as listed in 8.7.2a
decide on the period of authorisation (up to 144 days).

8.7.4 Closing a permit

The AA or IA visits the worksite after a permit has been completed. They inspect
the worksite area and shall Verify the following:
the task detailed on the permit has been completed
safety systems and the isolation status are the same as recorded in the IDP
linked to the permit
the area has been cleared of any debris and all materials and tools are either
stored in a safe and orderly way or removed from the worksite
fittings and equipment removed or dismantled during the work have been left
in a safe condition
the area has been cleaned as required and any spills and contaminants
removed and disposed of safely.
The AA or IA may delegate the site inspection to a technician, but the AA or IA is
responsible for closing the permit.
The AA may decide a site inspection is not necessary for some non-intrusive LRPs,
(for example using a camera).
The permit shall be closed within 24 hours of its completion.

Page 90 of 361 Revision: B06

8.7.5 Authorising de-isolation

The AA shall:
visit the worksite to Verify that the operating equipment and plant are ready for
reinstatement
review the ICC and Verify there are no other connecting permits to work before
signing off the ICC for de-isolation
inform the relevant IsAs that the equipment is ready for de-isolation.
The de-isolation is done in the order written in the IDP.
Within eCoW, it is possible to release points for isolation or de-isolation to the IsA in
batches, groups, or individually. This may be used when the AA requires verification
that the isolation or de-isolation sequence is done in the order prescribed or where
the AA requires a hold point for an inspection or test.
When changing an isolation from positive to valved, minimise the time between
removing the positive isolation and leak test. Where the time is greater than one
shift, consider pressure build up (PBU) monitoring the valved isolation envelope.

8.7.6 Executing de-isolation

Complete the following before and during de-isolating plant or equipment:
AA to Verify that all work is complete, permits are completed, covers and
safety barriers have been replaced, the plant or equipment has been tested and
inspected
Ex or NEC inspection of equipment in hazardous areas
remove personal locks, where used
if a personal lock has to be cut off because a key is lost or the owner has left
the site, then the SA authorises this using a permit to work
the IsA removes the securing devices and tags in the order described in the
IDP
the relevant IsA signs off each isolation point on the IDP to Verify that it has
been de-isolated.
Once de-isolation and leak testing have been safely completed, the AA verifies that:
the plant or equipment has been de-isolated, tested and line walked
the pre-start certificate is completed, and normal operations can resume.

8.7.7 Crew change and shift handover - PA

To maintain safety and continuity on any job, it is important that shift handovers and
crew changes are carried out effectively.
The outgoing and oncoming PA, and AA or IAs review the permit to Verify that
everyone fully understands it.
The outgoing PA shall suspend the permit and leave the worksite in a safe and tidy
condition. The oncoming PA then accepts the re-issued permit from the oncoming
AA or IA to confirm they accept the task at the worksite.
If the task continues over the shift change, the outgoing PA and AA or IA and the
oncoming PA and AA or IA shall conduct the handover at the worksite.

Page 91 of 361 Revision: B06

The outgoing PA records the status of the task in the paper or electronic handover log.
If the PA who accepted the permit is unable to carry out their agreed duties, another
PA may take over responsibility for the permit at any time by using the take over
responsibility function within eCoW.
A PA may hand over to a new PA during the shift without stopping the job using the
take over responsibility function in eCoW. The new PA agrees the handover with
the AA and records this by signing the work party declaration section of the permit.

8.7.8 Crew change for AA or SA

The oncoming AA or SA reviews all live permits in their area of accountability. The
oncoming person takes over responsibility for any live permits by using the ‘take
over responsibility function’ within eCoW. This takeover function may also be used
at any time to transfer responsibility to another AA or SA.
The outgoing person documents all CoW-related information (for example the status
of locked valves and isolations) in an electronic or paper-controlled shift handover
log. This provides a detailed account of all work.
The outgoing person details the permit status to the oncoming person as part of the
detailed handover process.
The detailed handover is done verbally (e.g. face to face, via an online call or by
telephone).
During this handover, discuss the following:
the status of all ongoing permits, isolations, RAPs, ORAs, locked valve
changes, and overrides and inhibits
any work stoppages that have occurred during the shift
any SIMOPS
changes in worksite conditions, controls in place, or monitoring requirements.
The oncoming AA assesses if they need to visit the worksite to check that the
controls in any particular permit are adequate (for example for activities with residual
risk in Area II and above).
If the oncoming AA decides they need to visit the worksite, then they suspend the
permit until they have inspected the worksite. They sign the permit only when they
are satisfied that the controls are adequate.

8.7.9 Retaining documents

Control of Work documents are retained by eCoW for 5 years11. This is performed
automatically by the archiving process within the software.
The AA verifies the following:
paper permits and attached supplementary certificates such as lifting plans,
ICCs, and excavation certificates are retained for one month unless local
regulations require a longer period (see LIP).
if the paper backup system is used, CoW documents are not retained by
eCoW. These documents have to be retained in hard copy for five years.
on OSHA sites in GOM, CSE permits and TBT paper records are kept for one
year so the confined space programmes can be reviewed.

Page 92 of 361 Revision: B06

8.8 Step 8: Learn: learning opportunities and closure

Once a task is completed, it is important that any learning opportunities, including all
instances of work being stopped, are recorded and any necessary improvements
are incorporated into the process.
The AA reviews PA feedback (see section 8.7) and decides on the best way to
handle improvements. The AA then does the following:
within eCoW, raises and tracks an action for improvements that are local and
concerned with the CoW process
verifies actions are recorded in the local action-tracking tool for improvements
outside the CoW process
creates a knowledge item in eCoW linked to a system, equipment, location, or
document.
The SA verifies the Knowledge Base in eCoW is maintained to systematically
capture useful information about the site and enable visibility at point of use.
Examples of items that might be included are; passing valves, access restrictions, or
CSE access requirements.
The SA verifies learning opportunities with the potential to make a significant
contribution to safe, compliant or reliable operations are communicated to the
entity’s Organisational Learning Specialist or Advisor, either in-region or above-
region.
The operating entities (GOO, GPO, and GWO) operate formal organisational
learning procedures, based on GDP 2.4-0001, as follows:
• GOO-OL-PRO-00001 BP Procedure Organisational Learning in GOO (100033)
• GPO-LE-PRO-00001 BP Practice GPO Organisational Learning
• 100373 BP Procedure GWO Organisational Learning
The preferred way to Verify people can become aware of, implement – and continue to
implement – lessons learned, is to codify them within OMS by updating existing BP
Practices and BP Procedures.
The SA shares CoW opportunities to learn with the workforce and verifies that they
are applied at their site by:
confirming that any areas that need action are assigned to personnel with the
authority to resolve them in a timely fashion
monitoring and tracking each action to Verify it is closed.

Page 93 of 361 Revision: B06

9 Risk assessment
9.1 Risk assessing tasks
Hazard identification and task risk assessment (HITRA) is the BP method for
systematically examining an individual task to:
• identify the hazards
• evaluate the risks, and
• specify appropriate controls for each hazard.
Risk assess all tasks using the HITRA Level 1 or Level 2 risk assessment methods:
Level 1 TRA is the minimum level of risk assessment required for any task.
Level 2 TRA is for higher level of risk, or more complex tasks, or both.
TRAs include task-specific ERRPs that require an action or actions over and above
normal operation emergency alarms and site ERRP.
The HITRA process uses the concept of residual risk to decide whether the task can be
safely executed and who will Approve a risk assessment or authorise a permit.
Throughout this Upstream CoW Procedure, we use the term approval for risk
assessments and authorising for permits.
Residual risk is defined as the level of risk that remains after controls are taken into
account. The risk matrix shows five risk areas and the HITRA approval table shows
who is the Approver for each risk area; see Table B.4 and Table B.5.
If the proposed task has a residual risk in area IV, C+ or V, then the work shall not
progress. Follow the requirements of the appropriate entity risk management
procedure to manage these risks.

9.2 The process for identifying hazards

The risk assessment team do the following:
visit the worksite together to identify the task, worksite, and process hazards
involved in carrying out the task at the actual location. They consider the
characteristics listed in Table 16
use a systematic method of identifying hazards, using the HITRA 14 sources of
energy (see Table B.3) to reinforce their personal knowledge and experience;
they may use a prompt card to help
make sure they fully understand the task and its implications
identify specific hazards associated with adjacent plant and equipment and to
any activities taking place or planned to take place that could affect the task
they are assessing
list the controls needed for each hazard or risk they have identified by applying
the hierarchy of controls L1-L6
consider the full task or set of task steps required to execute the work scope
consider the methods they will use to execute the task or tasks
identify risk review points or hold points that will help the work crew focus on
the hazards associated with the task step and identify and assess any new or
changing hazards.

Page 94 of 361 Revision: B06

Table 16 - Risk assessment characteristics

Characteristics Examples

The characteristics of the plant and systems directly Quality and type of process inventories in equipment and
involved. pipework.
Pressure, noise, temperature and thermal environment,
vibration, stability, voltage, hazardous substance (e.g.
benzene, H2S, mercury, LSA scale, sand, wax, and
sludge).

The sensitivity of the location on the site or installation HVAC intakes, flare header, explosive store, control
(that is, how close it is to other critical plant or systems). room, NGL separator, risers, small bore pipework, ESDV,
potable water systems, structural support members, and
tankage.
Fire and gas detection and deluge systems.
Environmental risks in the area (for example, drains,
open scuppers and water courses).

Critical activities necessary to perform the task. Lifting, draining fluid, inerting, isolation, proving dead,
flushing, entry into confined spaces, working at height,
electrical testing, transporting materials, equipment and
wastes, using power tools, hot work, grinding, bolting,
and using cables and hoses.

Human Factors involved in the task. Personnel experience and competence and the
environmental conditions and performance pressures
that workers might experience. In assessing the
potential for human error in carrying out a task, consider
if the written procedures, communications and the
layout and labelling of controls and equipment are clear
and adequate.

The possibility of the task being affected by Access, egress, muster points, and SIMOPS.
simultaneous activities within the task or by other
unrelated tasks taking place nearby.

The failure of equipment. Consider the equipment failing, Chain block, rigging, hoses, joints or seals.
including catastrophic failure, under load test, or during
lifting operations.

Equipment condition and status. Wind-milling of fans such as HVAC and fin fans.

When a site visit is not reasonably practicable (for example, for TAR preparation or
project design) the PA, AA, or IA can perform TRAs based on drawings, models, or
images of the facility. In these circumstances, visit the site to Verify hazards,
controls, and site conditions before the permit is signed off as verified.

9.3 How to use the hierarchy of controls

When selecting controls, it is important to consider how effective each control will be
when it is applied. More than one control may be needed to reduce the risk associated
with a task.
Use the hierarchy of controls in Figure 6 to select one or more control measure.
To follow the hierarchy of controls, consider the controls in each category. Begin
with L1 and move through to L6 in accordance with Table 17.
As controls are identified, the TRA team considers the interdependencies of the
controls and the impact to overall task risk.

Page 95 of 361 Revision: B06

Moving down the hierarchy of controls from L1 to L6, controls become less
effective and less reliable. As a result, controls in categories L5 or L6 (or any
combination of these) cannot move the residual risk more than one box on the risk
matrix for either impact or likelihood.

Figure 6 - Hierarchy of controls

Page 96 of 361 Revision: B06

Table 17 - Controls

Category Description Guidance

L1 These remove the hazard, eliminate the This is the preferred solution but check that
associated risk, and are the most effective it does not introduce a new hazard.
controls.

L2–L3 These controls are preventative and primarily These can also reduce likelihood. Even with
reduce the impact of the risk. a number of controls it is unusual to credibly
reduce either the impact or likelihood by
more than one order of magnitude (i.e. one
box on the matrix).

L4–L5 These controls are mostly protective and have a It is unusual that the likelihood can be
limited ability to reduce impact, as they primarily moved by more than one box on the matrix.
reduce likelihood. If a number of controls have a common
failure (e.g. the people involved) then this
limits the credit that can be claimed.

L6 These controls are task-specific PPE above the As these controls are heavily influenced by
site safety standard that could reduce the Human Factors, even multiple L6s are
likelihood or consequences of exposure. unlikely to lower the risk significantly,
therefore when using these controls, limit
resulting movement on the risk matrix to no
more than one box.

9.4 How to perform a Level 1 task risk assessment

Level 1 TRA is a detailed review of the task and task steps at the worksite that
identifies hazards involved in completing the task. It considers the task, worksite,
and process hazards. Record the selected controls in the Level 1 TRA, which is part
of the permit to work.
If more than one team is performing the task, a PA representative from each team
shall be part of the risk assessment.
The PA and AA or IA, with other key personnel involved in the task contributing as
needed, shall conduct the Level 1 TRA at the worksite by doing the following:
identifying the risks associated with the hazards by using their collective
knowledge and experience of the task, process, and worksite
This includes identifying the scope, methods, equipment, and tools to be used.
identifying the controls to control or mitigate the risks they find
documenting the risk assessment findings in the TRA form, including the
hazards and controls, as discussed by the PA and AA during the worksite visit.
With the controls in place and using the risk matrix, the AA shall:
use their judgment to select the residual risk level, and
record the residual risk level and Approve the TRA if the risk level falls in risk
area I on the risk matrix.

Page 97 of 361 Revision: B06

Examples of tasks that may be carried out using a Level 1 TRA are as follows:
• Radiography. Verify that the source is not strong enough to set off or interfere
with other nucleonic instruments.
• BC work on isolations that conform to the isolation requirements in this
Upstream CoW Procedure
• Category 1 lifting operations
• Erecting, dismantling, or modifying scaffolding that is not over side or
connected to live plant piping or equipment
• Installing or removing insulation or cladding
• Connecting and disconnecting hoses to low hazard systems
• Flushing and purging at low pressures, less than 107 barg (150 psig)
• HWOF in a non-hazardous area (that is, an area free of hydrocarbon and
hazardous materials).
Confined spaces free from hydrocarbon and located in a non-hazardous area require a
Level 2 TRA.

Table 18 - Level 1 TRA process

Using eCoW
Step What to do
Using paper TRA forms
1 Answer the questions opposite. Do we fully understand the task and how it will be
carried out?
Does this task have to be done?
Does it have to be done at the proposed time?
2 Break down the work scope into tasks to carry out See section 8.1.1 of this Upstream CoW Procedure.
TRA at task level.
3 Determine the level of risk assessment required for See section 9 in this Upstream CoW Procedure or
each task. ask the AA.
4 A Level 1 TRA that has been previously completed TRA search features in eCoW.
for this task can be used. If one does exist,
Verify the task, worksite, and process conditions are
applicable and (where applicable) update it to reflect
the current conditions.
5 Visit the worksite to conduct the Level 1 TRA. Make notes on a blank or partially completed L1
form and then transfer to eCoW.
Alternatively, transfer manually to the paper L1 form.
6 Identify all the hazards associated with the task, Select the energy source and type of hazard
worksite, and process using the 14 HITRA sources (Process, Task or Worksite).
of energy. Record what the hazard is and how it causes harm.
Discuss and consider the potential risks (hazard Provide some detail about where the hazard is
impact and likelihood of it happening) associated located or coming from.
with the identified hazards. Record the sources of energy.

Page 98 of 361 Revision: B06

Using eCoW
Step What to do
Using paper TRA forms
7 Identify and specify the additional controls that can Record the controls that are being used. Use the
be applied to mitigate or eliminate each hazard HITRA hierarchy of controls in section 9.3 to select a
identified. Use hierarchy of controls to help select type of control.
the strongest controls. Write the control in simple language stating who
Consider what can go wrong and have controls to does what and when.
mitigate as a contingency (e.g. having spill kit A control is typically an observable action.
available, knowing which ERRP to follow, and
Provide enough detail but keep it simple and clear.
knowing which emergency shutdown procedures
are required).
8 Evaluate the residual risk. This is the risk with Use the 8x8 risk matrix in eCoW to select residual
controls in place and site safety standards being risk. When you hover your cursor over each box a
followed. summary of the HSE and business impact table and
the likelihood of it occurring appears.
Use the HSE and business impact table and 8x8
matrix in Table B.4
First, select the impact (consequence) on the HSE
and business impact table (A-H) and the likelihood
(probability) of the risks occurring.
Plot the impact level versus likelihood figure on the
risk matrix to get a residual risk figure.
9 Record the residual risk figure on the Level 1 TRA eCoW automatically transfers the residual risk
form. selected on the matrix to the L1 form.
Manually record the residual risk on the Level 1 TRA
form.
10 If anyone involved in the risk assessment is not Examples of situations that would escalate a Level 1
completely satisfied that the proposed controls will TRA to a Level 2 TRA are listed in section 8.2.1
adequately control a hazard, complete a Level 2
TRA.
11 Select Approver for the TRA based on residual risk. eCoW automatically assigns approval level based on
residual risk agreed in step 8.
Use the HITRA-approval table to select the correct
Approver based on residual risk agreed in step 8.
12 Approve TRA. Using eCoW the Approver approves the Level 1
TRA.
The PA signs when they accept the permit with the
RA included.
The Approver signs the Level 1 TRA form.

9.5 How to perform a Level 2 task risk assessment

Complete a Level 2 TRA when a task involves hazards or complexities that require a
more detailed assessment. All TRAs require input from those who will be
performing the task or from people who have the equivalent skills, knowledge, or
experience.
Level 2 TRAs can also require input from experts from outside the normal site or
installation team.
Supporting documents are used to help identify hazards and controls. Examples
include isolation plans, ventilation plans, lifting plans and ERRPs. These documents
may be in draft form at this stage.
For tasks identified with an initial risk in risk area IV or above, the TRA facilitator
shall be independent of the AA’s area and the team performing the task that
requires the Level 2 TRA.
Examples include an HWOF not meeting the five primary risk controls, or abrasive
task on live equipment.

Page 99 of 361 Revision: B06

Minimum TRA team is AA or delegate, PA and facilitator. It is essential that the

team has the skills and knowledge for the scope being assessed, and has
engineering, HSE or technical input as required.
The AA may be facilitator for risk III or below but there still has to be a minimum of
three and the AAs core role is to facilitate.
If the Facilitator is the AA, then the TRA team still requires operational input from a
person who is experienced with the area. Typically, another AA, SA, IA, or
Production Team Leader (PTL), or equivalent operational roles in GWO, or GPO. The
expectation is that signing in CoW will have three separate names, typically AA, PA
and Facilitator.
During the TRA, the team shall consider and agree answers to questions that will
cover the task thoroughly. The TRA checklist in Table D.7 contains example
questions.
Once team members are familiar with the scope of the task to be carried out, the
team lists all the significant hazards for each task step. They do this by group
discussion, with the facilitator making sure that each team member has enough
opportunity to express their views.
The facilitator verifies that the TRA team follows the HITRA process described in
Table 19.

Table 19 - Level 2 TRA process

Using eCoW
Step What to do
Using paper TRA forms
1 Answer the questions opposite. Do we fully understand the task and how it will be
carried out?
Does this task have to be done?
Does this task have to be done now?
2 The AA appoints a TRA facilitator for the risk Select a user who is a TRA facilitator from the Risk
assessment meeting and process. The facilitator Assessment Team dropdown menu.
gathers relevant documents (e.g. TRA documents, Record the name of the TRA facilitator on the Level 2
drawings, safety data sheets, photographs, TRA form.
procedures, historical information on incidents,
CoW lessons learned and previous TRAs).
3 The Level 2 TRA team is a minimum of three Select and record all users participating in the TRA
including the facilitator. The facilitator assembles a from the Risk Assessment Team dropdown menu.
team including the AA or delegate and PA, and Record all users participating in the TRA on the Level
verifies they understand the process and the 2 TRA form.
objective of the TRA. The AA attends risk
assessments for HWOF or CSE and where the
initial risk is in Area III or above.
The team includes people with the experience,
skills and competencies it needs. The team
collectively has knowledge of the scope of work
and any specific tools or equipment to be used. For
example, for a risk assessment involving diving and
subsea tasks, team members would include a
diving supervisor or subsea competent person.
4 TRA team members visit the worksite and confirm Make notes on a blank or partially completed Level 2
they understand the work area’s layout and the TRA form and then transfer to eCoW.
potential worksite and process hazards. They Alternatively, transfer manually to the paper L2 form.
consider the characteristics in Table 16.

Page 100 of 361 Revision: B06

Using eCoW
Step What to do
Using paper TRA forms
5 The TRA members do the following: Use the eCoW functionality to record the task steps.
• Review the information provided such as CoW Write task steps on the Level 2 TRA form.
documents that could include policies and
procedures, other risk reviews (for example,
HAZOPS or HAZIDS, audit reports, inspection
reports, lessons learned, HiPo / MiA /HVL
announcements and the Level 1 TRA, if one
applies).
• Document their feedback from the worksite
visit.
• Break the task down into task steps.
6 A Level 2 TRA that has been previously completed TRA search features in eCoW.
before for this task can be used. If one does Copy from existing controlled paper documents.
exist, re-check the task, worksite, and process
conditions and (where applicable) update it to
reflect the current conditions.
7 TRA team identifies all the hazards associated with Record what the hazard is and how it causes harm.
each task step using the 14 HITRA energy sources Provide some detail about where the hazard is
(including SIMOPS). located or coming from.
Select the sources of energy.
8 TRA team identifies the risks associated with the Use the 8x8 HITRA matrix in eCoW to record initial
hazards. risk level for each hazard.
Evaluate the impact (consequence) and likelihood Record impact (consequence) letter and the likelihood
(probability) of the identified risks occurring by (probability) number on the Level 2 TRA form for each
using the impact level matrices. Consider the hazard.
impact in the following categories:
• The health and safety of everyone, whether or
not they are directly involved in the task.
• Environmental.
• Business.
9 TRA team specifies the additional controls using Record what controls are being used. These shall
the hierarchy of controls to eliminate, reduce, or relate to one of the six hierarchy of control levels.
mitigate the initial risk. Consider any Use the HITRA hierarchy of controls in the Upstream
interdependencies of the controls and their impact CoW Procedure to select a type of control. See Table
on the overall risk. 17.
Consider what can go wrong and have controls to Detail how the controls need to be implemented.
mitigate as a contingency (e.g. having spill kit This relates to an observable action. Provide enough
available, knowing which ERRP to follow, and detail to communicate the following: where, when,
knowing which emergency shutdown procedures who, or required limits.
are required).
10 TRA team evaluates the residual risk for each Use the 8x8 risk matrix in eCoW to select residual
hazard. The identified residual risk figure has the risk. When you hover your cursor over each box, you
identified additional controls in place. get a summary of the HSE and business impact table
and the likelihood of it occurring.
Use the HSE and business impact table and 8x8
matrix in Table B.4
First, select the impact (consequence) on the HSE
and business impact table and identify the impact
level from A-H with controls in place.
Identify the likelihood (probability) of the risks
occurring.
Plot the impact level versus likelihood figure on the
risk matrix. This then provides a residual risk figure.

Page 101 of 361 Revision: B06

Using eCoW
Step What to do
Using paper TRA forms
11 TRA facilitator records the residual risk figure for eCoW automatically transfers the residual risk
each hazard on the Level 2 TRA form. selected on the matrix to the Level 2 TRA form.
Manually record the residual risk on the Level 2 TRA
form.
12 TRA facilitator selects Approver for the risk eCoW automatically assigns approval level based on
assessment based on the highest residual risk. the highest residual risk. Check Table 4 for minimum
approval levels
Use HITRA approval table and Table 4 to select the
correct Approver based on residual risk.
13 When the Level 2 TRA is completed, all team Each team member signs in eCoW.
members sign the TRA form, by hand or Each team member signs the Level 2 TRA form.
electronically, to indicate they agree the content.

14 Approve TRA. Using eCoW, the Approver approves the Level 2

TRA. If the Approver wishes to recommend changes
or additions, they can return TRA to the team for
reassessing.
The Approver signs the Level 2 TRA form.

Page 102 of 361 Revision: B06

Table 20 - Mandatory Level 2 risk assessment

Assess the following tasks using a Level 2 risk assessment:

(asterisk items may be covered by a functionally Approved RAP)
1. Lifting over or in close proximity to live equipment.
2. Lifting live equipment or pipework.
3. Category 3 lifts.
4. Temporarily suspended or supported loads where a fatality is a credible consequence (see section 22.13
Lifting operations involving lifting personnel including man-riding*.
5. Non-conformant isolations (within IDP).
6. Tasks that use a mechanical device for a secondary isolation.
7. Hot work open flame work in CSE, hazardous or hydrocarbon containing areas, including working on or
near (within 11m or 35ft2) live equipment.
8. Confined space entry (the level of TRA for work inside the confined space depends on the task).
9. Cutting installed electrical cables that cannot be positively identified as defined in section 22.5.
10. Introducing an HP to LP interface.
11. Ground disturbance where there are or might be underground services.
12. Working over water (where the water constitutes a hazard) or near unprotected edges where there are no
fixed access platforms, walkways or installed certified scaffolds.
13. Working at height where there are no fixed access platforms, walkways, or installed certified scaffolds or
other safe platform as defined in section 17.
14. Erecting, dismantling or modifying scaffolding where site conditions (see section 17) require considering
additional hazards (e.g. over side, over live equipment or close to bare electrical conductors).
15. Hot tapping.
16. Installing engineered clamps.
17. Working with any material that has the potential for concentrations to be greater than any statutory
occupational exposure limit.
18. Working with asbestos (except non-friable asbestos jointing removal or disturbance, which may be Level 1
TRA).
19. Diving operations.
20. Hot and odd bolting.
21. Using explosive.
22. All subsea isolations (within IDP).
23. Overriding interlocked systems using the master key.
24. Use of drones (e.g. for inspection purposes).
25. Creating a low risk permit template.
26. Breaking containment when the isolation envelope contains a valve that is known to pass.
27. Working on a pressurised accumulator.
28. Working close to energised overhead powerlines.
29. Created openings where criteria defined in section 22.1.6 are met.
30. Fracking*.
31. Perforating.
32. Coiled tubing*.
33. Slip and cut drill line*.
34. BOP nipple up/down*.
35. Riser handling*.
36. Well flow back using temporary equipment*.
37. Wellhead or Xmas tree change*.
38. Leak testing or purging using; temporary equipment, gas cylinders, quads, or pumps, or a specialist
contractor.

Page 103 of 361 Revision: B06

9.6 Risk assessing isolations

Isolation, like all other activity, is risk assessed. All stages of the isolation process
shall be covered. See section 14 for details.
One of the following documents may be used to record the risk assessment:
an IDP using the add risk function to record the additional hazards and controls
before the action or isolation step it applies to
a SOP where the hazards and controls are explicit
an existing procedure where the risk assessment is covered in a permit
a permit that has a Level 1 or a Level 2 TRA included (for example inserting a
spade or blind).
Include the isolation execution risk assessment as part of the isolation procedure,
IDP, or permit, so a second or separate risk assessment is not needed.
See section 14 for detail on completing isolation design and execution.

Page 104 of 361 Revision: B06

10 Managing temporary overrides

A temporary override is any action or system that inhibits a protective device from performing
its function while the equipment or facility being protected remains in service. A protective
device may provide safety, environmental or commercial protection. This section describes the
process for managing temporary overrides in Upstream.

Historically, overrides have also been referred to as bypasses, inhibits, or defeats.

An override might be applied to:

• enable device calibration or maintenance

• enable proof testing (without the function activating)
• continue operation with faulty equipment failed to the tripped state
• continue operation with faulty equipment failed but showing the normal operating
healthy state.
• temporarily suppress function for startup
• a device or piece of equipment that is temporarily not in use (e.g. TAR, or
redundant equipment).

10.1 Types and methods of temporary overrides

• Instrumented layers of protection (LoP)
• Pressure relief devices
• Startup using engineered switches or interlocks.

10.1.1 Instrumented layers of protection

Managing the overrides of LoPs including inhibiting or overriding signals associated
with the following:
safety instrumented functions (SIF)
control system LoPs
SIS or BPCS interlocks
highly managed alarms (HMA) (see GP 30-47 Alarm System Design and
Management for definition of HMAs)
fire and gas functions
hazardous area equipment purge systems
devices defined in the local regulations, including subsea BSEE, API RP 14C,
and USCG.
Most of the above functions are normally defined in the layers of protection analysis
(LOPA), but there are exceptions. Some sub-categories of highly managed alarms are
allocated in alarm rationalisation reviews, and fire and gas (F&G) functions are not
normally credited with reducing risk in a LOPA. Safety-related alarms are a subset of
highly managed alarms.
The hazardous area certification of some equipment relies on purge systems to prevent
gas ingress into the enclosure which may contain spark producing components (e.g. gas
chromatographs and HV motors).

Page 105 of 361 Revision: B06

10.1.2 Pressure relief devices

Override management is used for isolating, disabling or removing a pressure relief
device (PRD) when an alternative relief route with full capacity cannot be provided.
PRD include pressure relief valves, bursting disks, blowdown valves,
depressurisation valves and vacuum breakers.

10.1.3 Startup or engineered equipment interlocks

Startup overrides are designed to be automatically removed when process conditions are
healthy or when they time out (for example low level trip on separator commissioning).
Engineered equipment overrides are designed to allow the manual bypass of a
protection device for a short period of time and are typically provided with a visual
indicator (e.g. coloured light). Engineered equipment overrides include fire suppression
on machinery enclosures.
You do not need to record the use of these as an override in eCoW. These types of
overrides are managed using a SOP or instructions, unless they are used outside of their
design intent. An example would be intentionally extending the time before the override
is automatically removed when an ORA or MoC, or both is required, in addition to an
override in eCoW.

10.2 Methods of applying temporary overrides

1. Override switches (for example, key switches and HMI software buttons)
2. Forced (over-written) software values
3. Temporarily wired links or ‘jumpers’
4. Blocking the view of ‘line of sight’ F&G devices
5. Faulty, or impaired transmitters, or valves
6. Valve jammers
7. Startup override without auto-timer resets
8. Calibration or maintenance of a transmitter
9. Disabling alarm activation
10. Using hand jacks or hand wheels on actuated valves
11. Using bypasses around actuated valves
12. Placing LoP process controllers in manual
13. Pinned pneumatic or hydraulic safety relay
14. Isolations valves for safety devices (for example, SCSSV, level safety bridles,
pressure safety instruments)
15. Three-way valve on SSV/SDV/BDV (trapped pressure)
16. Sensing line selector valves for PSHL testing
17. Fusible caps on SSV
18. Where we do not have 100% backup, isolation valves on inlet or outlet of:
a) pressure relief valves
b) bursting discs
c) vacuum breakers

Page 106 of 361 Revision: B06

d) depressurisation or blowdown valves.

19. Disabling or isolating pilot valves on relief devices
20. Temporary use of SIS transmitters for control or control transmitters for SIS
function.

10.3 Process for managing temporary overrides

The following four steps are used:
• risk assess
• authorise their use
• apply overrides
• review active overrides.
a. The application of a permanent override is not covered by this section, an eMoC is
required for such cases.

10.3.1 Risk assessing temporary overrides

All overrides shall be recorded in eCoW and risk assessed to consider the risk of
both; operating without a protective device in place, and the unplanned activation of
a protective device.
The risk assessment is conducted using a SORA (Level 1 or 2) if the override is
expected to be in place for less than the maximum duration defined in Table 21.
c. If the override is expected to be in place for longer than the maximum duration or is
in place and exceeds the maximum duration manage the risk using an ORA.
When assessing the risk of applying an override, use Table 21 to determine the
level and timing of SORA (or ORA) required. If the override is to be applied by
modifying SIS logic, an eMoC is required, in addition to the SORA, even if
temporary. The override is recorded in eCoW.
An override applied using software in a DCS system such as ABB, Emerson, or
Honeywell, is considered an override and not a logic change.

Page 107 of 361 Revision: B06

Table 21 - Managing temporary overrides

LOPA Risk Level of SORA

Type of protection function Maximum duration
reduction factor required

IL 3 SIF
1000 < RRF ≤ 2 MTTR12 (or 7days, whichever is the
10,000 note 1 lower figure) specified.
IL 2 SIF
100 < RRF ≤ 1000 2 MTTR12 (or 7days, whichever is the
lower figure) specified.
IL 1 SIF 10 < RRF ≤ 100 2
ESD systems, Red S/D, Yellow S/D,
Blowdown and F&G actions and
multiple F&G detectors in a single fire N/A 2 713 days
zone
note 2

Safety Related Alarm (e.g. flare pilot

failure)
1< RRF ≤ 10 1 713 days

Other Highly managed alarms (CFA and

MA, single F&G detectors in one fire N/A 1 713 days
zone) note 3

Temporary decommissioned equipment No max duration, review every

N/A 1
note 4 9014 days

SIS protective function IL0, or a Control

loop layer of protection (BPCS)
1 < RRF ≤ 10 1 713 days

No max duration, review every

Other trip functions with no IL rating N/A 1
9014 days

Notify applicable BP GOM

GOM - devices defined in the local
N/A 2 Adviser within 12 hours15.
regulations Maximum duration defined by
regulatory agency.
Pressure relief devices
All 2 713 days
without 100% duty standby
Notes:
1. A Level 2 SORA can be used in this case to manage the risk associated with losing one channel while testing only.
If you have a fault or failure and wish to override the complete SIF to re-start or continue operations, then because
this is an IL3 with a high level of risk reduction, you should implement an ORA rather than a SORA.
2. ESD – emergency shutdown.
Red S/D example: platform abandonment
Yellow S/D example: complete process shutdown – delay and then blowdown
F&G action example: deluge activation, shutdown
Multiple detectors means: one or more inputs or outputs where the design function is compromised e.g. If a Fire
and Gas system needs 6 out of 9 detectors active in a fire area. In this example isolating more than 3 detectors
would compromise the design and require a SORA
3. CFA – Critical Fault Alarm. Examples include: UPS status, fire pump availability warning, refuge pressurisation
alarms.
MA – Mitigation Alarm. Examples include: F&G detection, safety shower activation, collision detection.
4. Where equipment is out of service and the override protection is not required because the hazard is not present,
for example:
• Process equipment where hydrocarbon has been removed (e.g. TAR)
• Where equipment is isolated/made safe and is going to be permanently decommissioned/removed, but
formal MoC is yet to be completed.

Page 108 of 361 Revision: B06

10.3.2 Authorising use of temporary overrides

Every override is recorded in eCoW and authorised for the expected time that the
override will be in place.
The CRT may authorise the override record for up to one shift (Level 1 SORA).
The AA authorises all overrides with Level 2 SORAs and Level 1 SORAs that are in
place for longer than one shift.
Within the authorisation period, an override can be applied or removed as required.
Record application and removal in eCoW.
If the override is required for an activity covered by a permit, IDP, or SOP, then link
or attach these documents to the override.
When the override needs to be in place beyond the maximum allowed duration of
the SORA, an ORA needs to replace the SORA and be attached to the override.
Where there exists a regional requirement to notify regulatory advisors, the AOM
shall Verify that this has been completed within the required timeframe.

10.3.3 Applying a temporary override

The physical application and removal of the override is recorded within eCoW.
If the override is physically applied by anyone other than the CRT, they may record
this using the counter signature in eCoW.

10.3.4 Reviewing temporary overrides

The CRT verifies that any live overrides are recorded in the shift handover.
The SA reviews the status of overrides to re-evaluate the overall risks and identify
any additional hazards that might be present due to a change in operational
conditions or project activities. This is completed weekly using dashboards and
recorded in the SA log.
The Site Engineer should lead an engineering review to identify overrides that are
used frequently (that is, more than once a month) to help identify and resolve root
causes (for example problematic sensors). This is typically completed every 90 days.
These reviews are not recorded in eCoW.

10.4 Safety override risk assessment (SORA)

A safety override risk assessment (SORA) is a systematic risk management process that:
evaluates the risks associated with applying an override
evaluates the risk of unplanned activation of the device
defines the controls to be in place while the override is applied to sufficiently
control the residual risk and continue operating.
There are two types of SORA used in CoW:
Level 1 for lower risk overrides (e.g. protective functions with no or low risk
reduction credited in LOPA).
Level 2 for higher risk overrides (e.g. ESD system override).
SORA templates should be prepared, Approved and authorised by the site for
expected activities such as planned maintenance or operational activities.

Page 109 of 361 Revision: B06

For unforeseen activities where a SORA does not exist and cannot be created due
to time or resource limitations, create an ORA using the unplanned ORA timeline
defined in section 11.7.
A SORA template can only be used to manage the overriding of more than one
device if all the devices:
perform the same function on the same piece of equipment
have the same hazards and require the same controls.
If the SORA exceeds, or is predicted to exceed, the maximum durations stated in
Table 21, replace it with an ORA.
It is common for SORAs to be refreshed when HAZOP and LOPA are revalidated.

10.5 SORA team

The Level 1 SORA team is a minimum of 2 people, typically the AA and CRT.
The Level 2 SORA team shall include the following as a minimum:
an experienced Engineer (Leader)
AA or CRT or preferably both
a Discipline engineer with experience of the equipment or process being
overridden (e.g. Process, Instrument and Control, or Electrical)

10.6 Approving a SORA template

The SORA is Approved according to the residual risk.
In addition to the normal considerations covered in section 8.2.3, the Approver shall
consider the following questions before approving the SORA:
What is the justification for not isolating or shutting down the equipment, plant,
or facility?
Has the risk assessment sufficiently addressed the risk associated with
operating without the protective device?
Has the risk assessment sufficiently addressed the risk of an unplanned
activation of the device whilst it is being overridden (e.g. with effective
controls)?
After the SORA has been Approved, the SA uses eCoW to authorise its use as a
template. The SA may delegate this to the AA for Level 1 SORAs. The SORA
template can be authorised for up to 36 years.
Follow the additional requirements of the entity risk management procedure when
an override with a residual risk in the purple or blue area of the Group 8x8 matrix is
identified.
The facility Risk Champion, Risk Adviser, Risk Tag, or equivalent can provide
guidance on your entity risk management procedure.

Page 110 of 361 Revision: B06

10.7 Using a SORA

All SORAs are created from authorised templates. When attaching a SORA to an
override you can:
• select a SORA that is already live and attached to another override, or
• create a SORA by adding a SORA from a template.
Before using an authorised SORA template, the AA or delegate (SA, IA or CRT),
signs to Verify the following:
Site conditions have not changed
the controls still apply
the SORA includes any known lessons learned
the cumulative residual risk associated with other live CoW documents
including SORA or ORA, has been considered.

Page 111 of 361 Revision: B06

11 Operational risk assessment

Operational risk assessment (ORA) is a systematic risk assessment process completed by a
team and led by the SA or delegate to assess an abnormal operating condition.

The ORA determines:

• if it is safe to operate or continue operating with the abnormal operating condition,

and
• the controls required to reduce the residual risk to an acceptable level for the
continued operation.
An ORA records that the abnormal condition has been assessed and mitigated, and acts as a
bridge until the abnormal condition is:

• resolved or fixed
• Approved as part of a design change (MoC), or
• removed, (for example by isolating or shutting down).

11.1 When an operational risk assessment is required

ORA are required for abnormal conditions listed in Table 22.
Operating control systems, automation systems, telecoms systems and SIS with
faults or failures in fault-tolerant (for example, dual redundant) sub-systems and
infrastructure. Examples of sub-systems and infrastructure are: communications
networks, power supplies and controllers.
Although, these systems can appear to have a degree of redundancy, there are often
common cause failures that are not immediately obvious and that can give rise to
operational or process safety risks.
Regulatory devices covered by subsea Bureau of Safety and Environmental
Enforcement (BSEE), API RP 14C, and United States Coast Guard (USCG) that need
to be operated in an abnormal condition.
Where there exists a regional requirement to notify regulatory advisors, the AOM
shall Verify that this has been completed within the required timeframe.

Page 112 of 361 Revision: B06

Table 22 - When an ORA is required

1 Operating a plant, equipment or systems:

• without safety or protective functions (not covered by a live Approved safety and operational risk
assessment (SORA)

• with any part of a safety critical element that fails to meet its designed performance standard

• that does not meet design, performance, integrity, or regulatory standards.

Examples include the following:

• Machinery over-speed. • Navigational aids. • Fire suppression systems

including monitors, halon, and
• Blowdown and flare systems. • Ballast systems. automatic sprinklers.

• Interlocks. • Mooring systems. • Building pressurisation systems

(HVAC).
• Failed or passing wellhead • Loss of data or
master valves or well diverter communications ESD systems. • Emergency lighting.
or shutdown valves not
meeting performance standard • Shutdown control systems. • Emergency generation and UPS
for closure time.
• Differences between mud • Passive fire protection.
• Pressure relief devices. separator indications and in-line
measurement. • Fire water systems.

• Defective containment system • Deluge systems.

(hydrocarbon and non-
hydrocarbon). • Lifeboats and life rafts.

• Emergency escape systems.

2 Abnormal operation or deviations not covered by Approved SOPs that can create significant operational, safety
and environmental risks.

3 Changes to organisational capability that can compromise the safe operation of the facility. Examples include
the following:

• Reduced emergency response • Minimum staffing. • Shortage of key personnel or

capability. skill.

4 Operating the plant and equipment with known integrity defects that affect the design boundaries, for
example:

• Reduced pipe wall thickness • Passing valves • Leaks (not covered by leaks and
seeps).

5 Overriding instrumented protection functions beyond the durations stated in Table 21

6 To replace a timed out or expired SORA.

7 Applying an isolation that causes an abnormal operating condition.

Page 113 of 361 Revision: B06

8 Isolating all or part of an automation system that creates or has the potential to create an abnormal condition.

9 Operating the plant or equipment outside the safe operating envelope but inside the safe design envelope
(refer to GDP 5.3-0001 - Design and Operating Limits).

10 A deviation or failure to meet a performance standard, known as a FOP, and where operational personnel have
to actively manage the deviation or fault.

11 Using a master key on an interlocked valve sequence or leaving an interlocked sequence in an abnormal
position for an extended period of time (96 hours18).

11.2 When an operational risk assessment is not required

Examples of when an ORA is not required include the following:
abnormal conditions that only have potential to create commercial risks, except
when required to replace a timed out or expired SORA
overdue or deferred maintenance
loss of redundancy of equipment
instead of an MoC process
amending an Approved procedure
assessing whether to put redundant equipment into operation.
An ORA is not needed if a FOP that relates to historical performance shows that:
the associated functional technical assessment has been completed
this assessment concludes that no ongoing action to manage the identified
issues is needed.

11.3 How to perform an operational risk assessment

The ORA identifies the difference in risk that results from continuing to operate with the
identified fault or abnormal operating condition present compared to the risk present for
the normal operating case.
The ORA is divided into four parts:
• the normal operating case (refer to, for example, operating design parameters and
equipment performance standards)
• the abnormal condition
• the risk assessment
• plan to return to normal operations.
A competent team of at least three people with relevant skills and experience shall
complete the ORA. The relevant skills and experience consist of:
leader (SA or delegate: for example, Well Site Leader (WSL) or PTL)
AA or Operations representative and
experts from relevant fields, such as an HSE adviser and engineer or engineers
from a relevant discipline.

Page 114 of 361 Revision: B06

During the ORA, take account of any other live ORAs and SORAs that might affect
the condition you are considering. Take account of any other site scheduled
activities or faulty or weakened safety barriers as these could influence the risk
assessment. Review relevant information (for example operational procedures,
P&IDs, LOPA, HAZOP, MAR, organisational charts and trip registers) and use
quantified data where it is available to aid in assessing risk.
Identify controls using the hierarchy of controls.

11.4 How to record an operational risk assessment

Follow these steps to record an ORA:
Specify the location of the abnormal event.
Create a title (that is a short and clear description of the condition).
Describe the normal operating condition.
Describe the abnormal condition.
Explain and record why the equipment concerned is not being shut down or
isolated.
Describe the history and any sequence of events that led to the abnormal
condition arising. Document any relevant history associated with the site, plant,
equipment, or device that the ORA affects.
Identify the normal operating risk using the 8x8 matrix. This is the risk
associated with operating the equipment or system, assuming it operates
according to the original design, with trips functioning correctly, alarms
working, and procedures being adhered to.
Identify the original design intent of the equipment or system, including its
original purpose and the hazards it is designed to manage. HAZOP and LOPA
studies may help to determine this normal operating risk. In the absence of
applicable information, the ORA team engages discipline engineers to provide
technical input.
Identify the most credible worst-case event that the item is designed to protect
against. Evaluate multiple failure scenarios, if applicable.
Describe why the normal operating risk level was selected.
The risk assessment team record in eCoW the name of team members and
their role in the ORA process (for example AA or discipline engineer).
Perform the risk assessment. For the abnormal condition or conditions that are
being risk assessed, identify what has failed or may fail, the impact
(consequence) that this has and the hazards and risks it presents. The risk
assessment includes a reference to the barrier that has failed or may fail.
Evaluate impact (consequence) and likelihood (probability) in the same manner
as for the normal case. The impact is unlikely to have changed but the
likelihood usually changes due to the failed barrier.
Use the 8x8 risk matrix to assess the initial risk for this case and record this for
the abnormal condition.
Use a barrier model by doing the following:
Identify an initiating event for the scenario to occur.

Page 115 of 361 Revision: B06

Identify all other failures that need to occur at the same time for the stated
scenario to happen (these are the barriers). Barriers include those that occur
before and after the initiating event.
Evaluate the likelihood (probability) of the initiating event occurring and of each
barrier failing. Ask the process safety or discipline engineer for information and
use the experience and judgement of the risk assessment team members.
Select a suitable overall likelihood score and provide the reason for selection.
Identify all potential controls that could reduce:
the impact (consequence) on continuing operations
the likelihood (probability) of the problem affecting continuing operations; for
each identified control, state whether it will be implemented or not.
Choose the controls that will be used and assess the residual risk for each of these
using the 8x8 risk matrix.
For each control being implemented, state how this will happen. For example, if a
technician is expected to monitor a parameter and take action, then a procedure will
have to be effectively implemented or monitoring will need to be managed using
eCoW.
The overall risk is selected by eCoW using the highest residual risk for the selected
controls.
Specify the date the abnormal condition was found.
Specify the expected date for the abnormal condition to be removed.
Record the team’s recommendation and, if applicable, the plan to resolve or remove
the identified fault. This is at a high level and simply states the activity or action
required to allow the ORA to be removed. It does not need to contain details of
project work or engineering work needed to do this, but it requires a reference
number for the maintenance work order, IRIS event or MoC.
Attach link or reference any supporting materials used (for example P&IDs, HAZOP,
MAR/MAH, design case or safety case information, organisational charts,
operational procedures).
Record any monitoring requirements with how often this needs to be done.
The team agrees the risk assessment by signing in eCoW.
The ORA is Approved based on the highest residual risk in line with the HITRA
approval table.
The SA authorises the ORA for up to 90 days16, at which point it becomes live and
any monitoring requirements start.

11.5 Timeline to complete an operational risk assessment

The timeline to complete an ORA varies depending on:
• the complexity of the risk assessment
• the availability of people to complete the risk assessment process, and
• the level of approval needed for the ORA.

Page 116 of 361 Revision: B06

11.6 Planned operational risk assessment timeline

If a planned activity or isolation is going to create an abnormal operation, then
complete an ORA before the task is verified at the two-week gate.
The risk assessment is Approved based on residual risk.
The ORA is authorised by the SA to meet the schedule date of the activity or
isolation.

11.7 Unplanned operational risk assessment timeline

In cases of an immediate threat to process safety, integrity or production, the SA
may decide to continue operating under abnormal conditions without first fully
documenting the ORA process based on an initial risk analysis. Examples of this
would be using existing controls or adding controls to mitigate or eliminate the initial
risk. If the SA decides to continue operating under abnormal conditions, do the
following:
The SA gives an initial approval based on information and expertise available at
the time. This approval is recorded on a draft ORA within eCoW along with a
clear rationale for the decision.
The SA discusses the preliminary ORA with the AOM as soon as reasonably
practicable and gains approval.
The ORA is fully documented, including all applicable data, as soon as
reasonably practicable, but no later than 72 hours17 after the initial approval. The
documented ORA will include approval from relevant Subject Matter Experts
(SMEs).
The ORA is Approved in line with the HITRA approval table.
If during the process, purple or blue C+ initial risks are identified, the SA, in
combination with the AOM or relevant entity manager, will decide whether to
continue to operate while the risk assessment is being completed, or to shut down
and isolate.
The SA immediately discusses any potential initial approval and reason for not
shutting down with the site team. This can be recorded on the first page of a draft
ORA within eCoW. The SA then adds a countersignature to this draft as
confirmation of initial approval.
This draft forms the basis of the full ORA once completed.

11.8 Approving an operational risk assessment

The level of approval required for an ORA is based on residual risk, in line with the
HITRA approval table.
When approving the ORA, the Approver shall Verify if:
operating condition complies with regulatory requirements
the validity period to operate in an abnormal situation is suitable based on the
risk assessment, and
the remedial plan to resolve the root cause of the abnormal operating condition
is suitable.
After the ORA has been Approved, the SA authorises its use.

Page 117 of 361 Revision: B06

Approval of ORAs for purple and blue C+ risks (risk matrix areas IV or V) can take
some time, as they require review and input from various personnel. Pending
approval of these high-risk ORAs, the SA can issue the ORA, providing this has
been Approved by the relevant AOM. In this instance, approval consists of an
electronic countersignature in eCoW or email from the AOM.
This is a pragmatic solution to help complete the ORA approval process and shall
not be used to shortcut or delay the approval process.
Follow the additional requirements of the entity risk management procedure when
an abnormal operating condition with a residual risk in the purple or blue area of the
group 8x8 matrix is identified.
The facility Risk Champion, Risk Adviser, Risk Tag, or equivalent can provide
guidance on your Entity Risk Management Procedure.

11.9 Monitoring operational risk assessments

All ORAs are listed in eCoW. The software helps the AA track all actions associated
with each ORA, including actions:
required to support close-out or resolve the original fault condition
identified as a result of verification, and
to Verify controls are in place and effective.
Confirm in eCoW any monitoring requirements that are agreed in the risk
assessment which:
remind the user when to monitor
record completion of the monitoring using an electronic signature.
The SA shall review active ORAs weekly:
consider the cumulative risk of all active ORAs
Verify that monitoring is being delivered as planned
Verify plans are in place and progressing to correct the root causes
document any deviations in validity or scope, or changes to the controls
identified in an ORA.
The AOM re-authorise all ORAs for continued use every 90 days16. When the 90-day
authorisation occurs, the AOM shall:
consider the cumulative risk of all live ORAs and SORAs and the status of the
remedial plan to correct the root cause of an abnormal operating condition
consult the OSTL as part of the 90-day review to gain the wider context of
cumulative risk that may exist due to inspection, maintenance or MoC status
review the monitoring records and any completed self-verification checks to
Verify that the controls agreed in the risk assessment are being delivered and
are effective.
See the overview graphics in eCoW for all ongoing activity.

Page 118 of 361 Revision: B06

11.10 Using existing operational risk assessments

The eCoW system contains Approved ORAs for similar abnormal operating
conditions. This allows ORA teams to copy these or modify them provided they
have been reviewed and risk assessed. Risk assessment teams shall:
Verify the conditions are the same and defined controls still apply
review any previous lessons learned
require the necessary re-approval based on the residual risk level and re-
authorisation by the SA.

Page 119 of 361 Revision: B06

12 Hot work
Hot work (HW) is a task or activity that involves using or creating an open flame, spark or
energy discharge that could ignite a fire or explosion, or both.

BP policy is to avoid hot work in hazardous areas and on or near live equipment
wherever reasonably practicable. It is the role of engineers and planners to plan the
work to minimise the need for hot work and provide effective alternatives during the
design and planning phase.
A hot work permit is needed for work involving any open flame or spark potential
devices.

12.1 Hot work spark potential

Hot work spark potential (HWSP) is a task or the temporary use of equipment that
has the potential to generate sufficient heat or sparks to ignite flammable materials
or atmospheres.
A HWSP permit is used to manage the hazards and controls associated with a task
of this type in any area. Hazardous and non-hazardous locations require this permit
to sufficiently control potential hazards from SIMOPS or other flammable materials
in these areas.
The risk assessment will decide if the atmospheric monitoring is required and define
type and frequency. BP recommends that continuous atmospheric monitoring in the
form of fixed or personal monitors be used for the duration of the task in hazardous
locations.
Continuous monitoring is recommended based on historic incidents in which
flammable material entered the work area.

12.2 Hot work open flame

Before agreeing to allow hot work open flame (HWOF) work in a hazardous area or
within 11m (35ft)2 of any live equipment, the SA and AA shall follow the hierarchy of
controls to Verify that HWOF is the only way the work can reasonably be done.
When they have considered all the alternatives and conclude that HWOF work is
still needed, the SA verifies the following:
Hazardous area - Level 2 TRA is completed (or level 2 template used) and at
least one primary control is mandatory with the AOM as minimum approval. If
one of these five primary controls has not been applied, then the VP Operations
or VP Wells is the minimum approval level.
Non-hazardous area, but within 11m (35ft)2 of live equipment, the Level 2 TRA
shall consider flammable materials within the 11m (35ft)2 and use appropriate
controls. This may include a primary control. The AOM is the minimum TRA
approval level.
Non-hazardous area – minimum Level 1 TRA with approval based on residual
risk.

Page 120 of 361 Revision: B06

12.3 Primary controls

Schedule the task during a planned shutdown or during TARs when the site has
been depressurised, isolated, and is free from:
hydrocarbons
flammable and toxic materials or atmospheres, or both.
This is a HITRA elimination control measure.
Remove the equipment that requires HWOF tasks to a location outside the
hazardous area.
This is a HITRA elimination control measure.
Perform the task in a pressurised, designated workshop on the site that has been
specifically designed for hot work, with standalone gas detection and shutdown
systems.
This is a HITRA engineering control measure.
Use alternative cold work engineering solutions.
This is a HITRA elimination, substitution or engineering control measure.
Use a pressurised habitat conformant with section 13.3.
This is a HITRA isolation control measure.

Figure 7 - Hot work open flame (HWOF) TRA approval flowchart

Page 121 of 361 Revision: B06

12.4 Preparing for hot work open flame

Apply the following requirements:
Alternatives to avoid hot work are considered and documented in the TRA.
Equipment is positively isolated, depressurised, and verified as hydrocarbon-
free after cleaning, purging, or flushing, as applicable.
The TRA covers the following points as a minimum:
a) SIMOPS
b) Isolation and de-isolation requirements
c) Process hazards and plant stability
d) Stored energy from associated process systems.
Potential fuel sources or combustible materials have been:
a) identified
b) isolated
c) removed from the immediate worksite.
Continuous gas monitoring for LEL, is required for all HWOF activities.
The TRA and permit to work identify ERRPs, emergency response personnel,
and equipment specific to the HWOF task.
The number of personnel involved in the task is minimised.
The length of exposure time is reduced by planning the task effectively and
efficiently.
When welding the TRA shall Verify:
a) exposure to any welding fume released is adequately controlled using
engineering controls (typically Local Exhaust Ventilation (LEV))
b) suitable controls are provided for all welding activities, irrelevant of
duration or location
c) where engineering controls alone cannot control exposure, then suitable
RPE will be used to control risk from any residual fume.
For more information, see external regulator guidance (e.g. LEV guidance HSG258)
RPE guidance HSG53, IARC monographs on evaluation of carcinogenic risks to
humans. Volume 118.

12.5 Executing hot work open flame

Before executing HWOF, do the following:
1. Consider SIMOPS and stop any conflicting tasks (for example BC).
2. Verify all other areas that the HW can affect (for example a work area
immediately below) are cleaned and free from combustible materials, open
drains or seal pots are plugged or filled with water or covered with a fire
blanket.
3. For drainage gullies that are impractical to fully cover, test for the presence of
flammable gases and vapours before a HWOF permit is issued.

Page 122 of 361 Revision: B06

4. Do an initial gas test in the area where the work is to be done before issuing
the permit. Test again immediately before starting work to Verify the LEL is
below 1%18.
5. Monitor atmosphere continuously throughout the hot work task.
6. For gas cylinders:
a) Place them remotely from the worksite and Verify they are fitted with
certified flash back arrestors and isolating valves, complete with pressure
gauge.
b) When they are not being used, isolate them and depressurise hoses.
c) Obtain agreement from the fire team or ERT on where to site them.
d) Segregate hoses and inspect for leaks before and after they are used.
7. Inspect welding equipment and leads before they are used.
8. Identify potential sources of releases and leak points close to the HW location
(for example valves, flanges, vents, drains). In checking local flanges, consider
if you need to remove lagging boxes to do a gas test.
9. Consider using flame-retardant barriers around and under the HW location to
contain any sparks that the work generates.
10. Make sure everyone involved is familiar with the emergency response plan.
11. Check that atmospheric monitoring and fire extinguishing equipment is
available.
12. The PA to Verify a fire watcher is present to monitor hot work whilst work is
ongoing and for 3019 minutes after work is completed.
13. Provide safe access and egress to enable people to escape from the location
quickly and safely if conditions suddenly change.
14. Make the fire team aware of the location of any pressurised cylinders used in
HW tasks.
15. Tell relevant people (e.g. control room, ER team) when HWOF is starting.

12.5.1 Fire watcher at hot work open flame

A fire watcher shall be present during the execution of HWOF activities and stop
hot work operations if unsafe conditions develop.
The fire watcher shall do the following:
Raise the alarm if there is a fire, incident or hydrocarbon release.
Monitor the worksite to Verify that safe conditions are being maintained during
hot work operations.
Read, understand and adhere to the TRA and permit requirements.
Agree with the AA and PA how to communicate the start of an HWOF task,
during breaks and when the task is completed.
Demonstrate understanding of their emergency duties including atmospheric
monitor alarm activation points, and the action to take if the alarm activates.
The fire watcher shall Verify the following:
Suitable firefighting equipment is available, certified and ready to use.

Page 123 of 361 Revision: B06

Flammable materials have been cleared away from the worksite.

Drains remain covered and sealed while the task is being carried out.
Sparks and weld spatter are contained within the habitat.
They know where the following are:
a) the nearest manual alarm call point
b) the emergency shutdown button
c) the emergency shutdown for portable engine-driven equipment such as
generators and compressors.
Continuous gas monitoring is completed as defined in the permit.

12.6 For pressurised habitats

The AA completes an inspection of the habitat and all auxiliary equipment every
shift before work starts to confirm they meet requirements.
The AGT 1 or 2 performs gas detection and verifies it is below 1% LEL18 at the
suction hose entry point, and then any AGT monitors for gas continuously.
If the habitat is in use for an extended time, the AA determines the periodic
inspection requirements during the risk assessment, typically weekly and records
completed inspections on the permit.
The AA verifies the positive pressure habitat air supply inlet is located as close as
possible to or within a non-hazardous area.

12.7 Executing hot work open flame in designated pressurised buildings

Where specifically designed pressurised workshops or modules are used for HWOF
tasks, the AA verifies the following as part of the permit control:
The workshop or module pressurisation is maintaining the design positive
pressure.
The gas detection and shutdown system is operating as designed.
Module penetration seals are in place.
It is a designated non-hazardous area and recorded as such on the hazardous
area drawing.
The level of risk assessment used will depend on the task being carried out.
The ventilation is adequate for the task being executed.

Page 124 of 361 Revision: B06

13 Temporary habitats
A habitat is a temporary construction used to protect people, a worksite, or both, from
weather and interference from surrounding processes or tasks. Temporary habitats are made
from scaffold framing and lightweight fabric walls and lightweight fabric roof or similar
materials.

Avoid breaking containment within any habitat where reasonably practicable.

If BC cannot be avoided, then specifically identify the hazards and controls in the
task risk assessment.
Avoid flanges or valves or other potential areas of hydrocarbon release on live
equipment within any habitat where reasonably practicable.
If flanges or valves or other potential areas of hydrocarbon release are contained
within a habitat, then identify specific hazards and controls in the TRA.
Do not require their own permit but are included in the permit for the task.
Habitats used for hot work should be made from flame retardant materials.
There are three types of temporary habitats, which the following three sections detail.

13.1 Type 1 – Weather protection habitat

This is a sheeted structure (usually scaffolding). It has a significant opening or
openings to provide full and free airflow (usually with one open side) and has the
following characteristics:
protects people and equipment from the weather
can be used to store equipment
can be in any area but shall not enclose any equipment, flanges or valves
cold work or HWSP may be done under a permit.
May be tracked for SIMOPS in eCoW.

13.2 Type 2 – Containment habitat

This enclosed habitat provides containment of the working area preventing the escape of
sparks and protection from surrounding plant conditions and weather. Containment
habitats:
shall be ventilated with a minimum of 2020 air changes per hour either by natural
ventilation or mechanically assisted with air movers for general ventilation purposes.
may be used for cold work or HWSP activities in a hazardous area and for HWOF in
non-hazardous areas.
may be used in hazardous area for HWOF during TAR if the plant or site is shut
down, depressurised and drained or vented (may not be proven hydrocarbon free).
may be tracked for SIMOPS in eCoW.

Page 125 of 361 Revision: B06

13.3 Type 3 – Positive pressure habitat

The controlled overpressure within the habitat provides a barrier preventing the ingress
of hydrocarbons or other hazardous gases during hot work operations.
Type 3 habitats are for HWOF activities in a hazardous area.
They are tracked in eCoW.

13.4 Designing and building habitats

Follow the requirements marked with a ‘’ in Table 23 when designing and building
a habitat.

Table 23 - Design and build requirements for habitats

Habitat type
Design and build requirements for habitats
1 2 3
1 Pressurised habitat certificate is required. 
2 There are adequate openings or natural ventilation to avoid the possible build-up of
 
dangerous gases. Consider if the prevailing wind direction can maintain a good airflow.
3 Exits are marked clearly outside and inside the habitat, capable of being opened from either
  
inside or outside and open to a safe area.
4 AA checks the Internal lighting levels are suitable to perform the task safely.   
5 Consider use of local exhaust ventilation where hazardous substances will be used or
generated inside the habitat to control exposures below the occupational exposure limit
(OEL) (e.g. welding, cutting, chemical application).
Required performance of general or local exhaust ventilation is determined based on the  
nature of the contaminant to be diluted, or removed at the point of generation, and the
environment into which the contaminant will be exhausted. Consult Industrial Hygienist for
technical requirements.
6 Air movers are sealed into the structure of the habitat and there is no opportunity for short
 
circuiting air movement.
7 The habitat can be kept at suitable internal temperature for people working inside it taking
 
account of both internal and external thermal loading it (e.g. climate control is considered).
8 The type, location, and number of detectors are selected to cover detection in the inlet duct,
 
within and around the habitat.
9 Decide if the proposed habitat is a CSE as defined by section 15.  
10 Where reasonably practicable doors have windows or means of seeing access route.  
11 The exhaust vent is located away from the inlet to provide adequate air circulation.  
12 Auxiliary equipment is certified for use in the hazardous area.  
13 Constructed from fire retardant materials to prevent hot materials escaping the habitat. 
14 The habitat material, including the floors, sides, and roof, is non-combustible and prevents

hot materials getting out from the habitat.
15 If the distance between the habitat walls and hot work is less than1.5m (5ft)21, protect the
 
habitat wall with fire blankets.
16 A local gas detector monitors the air supply from a safe zone. 
17 Gas detection within the inlet duct is located in a section of the duct that is positively
pressurised and triggers closure of the duct and prevents any hydrocarbons from entering 
the habitat.

Page 126 of 361 Revision: B06

Habitat type
Design and build requirements for habitats
1 2 3
18 The habitat is pressurised with circulating air from a safe zone away from harmful fumes,
taking into account the wind direction and release sources. Air for the inlet duct is from at 
least 5m inside a safe zone.
19 Designed to maintain a positive pressure. This is between 25-50 Pa or 0.1-0.222in water
gauge. Manometer installed at entrance outside the habitat and a pressure alarm that is set 
to provide an audible signal at 25Pa or 0.1 in water gauge (it needs a time delay, typically 10
seconds, to avoid spurious alarms when access doors are used).
20 If access or walkways are obstructed, suitable barriers and warning signs are erected.   
21 If the completed habitat is going to be CSE, and the habitat cannot be completed from the
outside:
 
• the permit to build the habitat shall be specific about when work stops, and
• a CSE permit is required to complete construction.
22 Any flammable materials are removed from around and under the habitat before work starts.  
23 Protect inlet and outlet ducts and make sure they aren’t blocked.  
24 Habitats are designed and erected by specialist habitat suppliers or trained competent

people.
25 A competent person inspects the habitat and its auxiliary equipment to Verify that it is fully

operational and meets requirements and any applicable country regulatory requirements.
26 Verify the following:
• Gas detection starts an audible and visual alarm.
• The pressurisation air pump is only isolated on gas detection in the inlet duct. 
• All non-hazardous area rated equipment within the pressurised habitat, as well as
services and supplies to the habitat, are isolated.

27 The AA completes the habitat certificate to confirm the habitat choice and suitability and

identify potential hazards.

Page 127 of 361 Revision: B06

13.5 Using habitats

Follow the requirements marked with a ‘’ in Table 24 when using habitats.

Table 24 - Requirements when using a habitat

Requirements when using a habitat Habitat type

TRA - where this is a control in risk assessment 1 2 3

1 Track the habitat in eCoW using the SIMOPS feature – include its unique number on the

permit.

2 Atmospheric testing is performed before anyone enters the habitat.  

3 An ERRP is in place.  

4 The risk assessment determines the maximum number of people allowed in the habitat for
 
emergency response purposes.

5 The habitat is maintained, along with any auxiliary equipment, and a competent person
TRA 
inspects it weekly for as long as it is in place.

6 Verify the effectiveness of any general and local exhaust ventilation before the task starts
 
and periodically during the task. Consult Industrial Hygienist for technical requirements.

7 Monitor the concentration of hazardous substances inside the habitat to assess personal
 
exposures. Consult Industrial Hygienist to establish acceptable limits.

8 CSE certification and controls, including gas test, are in place before entry. CSE only

9 The entry attendant is able to communicate with those inside the habitat and be outside
TRA 
the habitat whenever it is occupied.

10 The entry attendant monitors the positive pressure using a slanting pipe fluid manometer

and a pressure alarm that is set to provide an audible signal at 25Pa23 when fitted.

11 There are at least two people in the habitat, with one as fire watcher.  

12 There are no gas cylinders inside the habitat.  

13 Remove all hoses and torches from the habitat during breaks and on task completion.  

14 Monitor inlet and outlet ducts and make sure they are not blocked; consider using guards. TRA 

15 Put signs on both ends of the ducts with ‘For Habitat Use – Do Not Remove’. TRA 

16 Have a foam extinguisher inside and dry powder extinguisher outside the habitat.
CO₂ and dry powder extinguishers can be asphyxiants inside habitats and shall only be  
used if specifically covered in the risk assessment.

17 A pressure-set firewater hose with spraying nozzle is laid out from the nearest hydrant and
the fire watcher is able to easily operate the hose from outside the habitat.
 
If firewater is not available or cannot be used due to ambient conditions, the risk
assessment shall specify a suitable fire response plan and equipment.

Page 128 of 361 Revision: B06

14 Isolation management
By conforming to this isolation management process, equipment and plant will be safely and
reliably isolated, de-isolated, reinstated and restarted.

The intent is always to reduce risk to as low as reasonably practicable (ALARP). Isolations are
designed to the highest isolation standard, considering overall risk and cost. This means in
many cases the isolation is to a standard above the minimum set in Table 27 & Table 30. For
example, where the table specifies a single valve isolation but there is a double block and
bleed which can be easily used then to meet the intent of ALARP, use the DBB.

Where the standards in Table 27 & Table 30 cannot be met this is managed as a non-
conformant isolation.

The isolation process consists of the following key activities:

• Reviewing the task to be carried out under isolation so that the isolation design
envelope is suitable for the full scope of the task.
• Designing and risk assessing the isolation and de-isolation to the highest
reasonably practicable standard and in conformance with this Upstream CoW
Procedure.
• Preparing for the isolation, which can include depressurising, de-energising and
releasing stored energy, draining, venting, purging and washing out.
• Reviewing the impact of any nearby work or operations on shared systems.
• Including contingency plans.
• Isolating equipment and plant, which can include providing suitable access and
egress.
• Proving isolation integrity – zero energy and proving dead.
• Monitoring isolation integrity during task execution.
• Partially de-isolating to facilitate testing (STT).
• Leak testing.
• Full de-isolation.
• Reinstatement.
The isolation and de-isolation plan (IDP) is the foundation for safely and efficiently managing
isolations and de-isolations. The IDP is effectively a combined isolation and de-isolation list,
procedure and risk assessment.

a. Manage and risk assess isolations using an IDP as an integrated document covering
isolation and de-isolation points, actions to implement and the risk assessment.
b. Occasionally, when it is not reasonably practicable to use an IDP as an integrated
document (for example the effort involved in copying an existing large isolation
procedure is significant), it is possible to use two documents, as follows:
1. an IDP to record isolation points
2. risk assessment and implementation actions recorded in a procedure explaining
how to execute the isolation and an integrated or attached risk assessment.

Page 129 of 361 Revision: B06

c. Approval of the IDP or procedure means that the content has been risk assessed as
Level 1 TRA. Where a Level 2 TRA is required, this shall be attached and separately
Approved based on residual risk.
d. IDPs, or SOPs where used, shall include plant preparation and all the steps needed
to execute the isolations and de-isolations in the correct sequence. Examples
include removing blanks or caps ≤ 50mm (≤ 2in) for gas testing, venting, draining or
fitting hoses needed to implement the isolation.
e. Develop an IDP for all full isolations. They are stored in eCoW and can be reused
provided the AA has verified and Approved them. The AA may delegate verification
to an IsA if the isolation involves a single discipline and is simple in nature.

14.1 Isolating authorities

There are five types of isolating authorities (IsAs) as follows:

Table 25 - Isolating authorities

Extent of authority level

Low voltage Low voltage

Isolating authority High voltage
Process isolations equipment for non- equipment for
types equipment*
electrical work* electrical work*

Process

Instrument *** ** **

Electrical LV1

Electrical LV2

Electrical HV
* Defined in section 14.18 and Table 30
** Limited to control and instrument systems up to 240 V ac or 120 V dc24.
*** 19mm (3/4in) max pipe, tubing and valve size and <50 barg if the task involves breaking containment.
*** Pneumatic and hydraulic supply and return lines to instruments or actuators (excludes scope with accumulators, PSVs,
pumps etc).

Where IsAs are not assessed as technically competent on all equipment in their
respective isolating authority type, the extent of authority shall be managed by a
local process and documented in the LIP.
IsAs are responsible for the following:
Designing IDPs in their specific discipline to meet the requirements of this
Upstream CoW Procedure. When required, IsAs may consult with others such
as discipline engineers to help with isolation design.
Implementing isolations in accordance with the IDP.
Demonstrating isolation integrity to the PA before work begins (e.g. spades in
place, valves closed, bleeds effective or proving electrical equipment is dead at
point of work).
Demonstrating zero energy immediately before breaking containment.
Monitoring the integrity of isolations throughout their life cycle.
De-isolating in accordance with the IDP.

Page 130 of 361 Revision: B06

Isolation and de-isolation may also be conducted by a discipline Isolator. However, if

an Isolator performs these actions a discipline specific IsA cross-checks

14.2 Designing the isolation and de-isolation plan

The IsA shall consider the following when designing an IDP:
Selecting the highest reasonably practicable isolation standard. In making this
choice, consider if implementing the higher standard results in greater overall
residual risk.
For example, additional risk from gaining access, increased workload, lifting,
breaking containment.
The order of implementing the isolation and de-isolation of points.
For example, isolation of pressure safety valves (PSV) downstream block valve is the
last point isolated and is the first to be de-isolated.
High Pressure/Low Pressure (HP/LP) interfaces and how to manage the risks
associated with them.
Proving dead or zero energy.
Breaking containment on small bore pipework.
People’s access and egress needs while implementing isolations.
Monitoring points are accessible whilst the isolation is being implemented and in
place.
Whether a site will be unmanned with isolations in place.
Selecting isolations as close as reasonably practicable to a vessel or worksite,
to maximise integrity and make it easier to monitor the work.
When the risk assessment determines that executing the isolation close to the
vessel or worksite introduces a greater risk, then design the isolation with the
isolation points further away from the worksite. Document this as a hazard with
mitigating control in the TRA. Examples would be because of access, lifting
over live equipment or the method of isolation.
The risk of the isolation being in place.
Draining, flushing, purging or venting equipment.
Specific requirements for vents and nozzles associated with CSE.
The ability to prove isolation integrity prior to removing a positive isolation.
Requirements for LV or HV electrical isolation and de-isolation.
Any changes to the equipment to enable the isolation or de-isolation.
A contingency plan in the event of any isolation failure.
Functional testing requirements and the need for sanction to test.
Leak testing and reinstatement.
If the isolation would create the need for an ORA.
Isolations on small bore piping can carry the equivalent hazards of larger
pipework. When designing isolations for breaking containment on small bore
piping and tubing, assess the hazards associated with the type of fluid and
pressure. In particular, assess the potential consequences from the released
volume if the isolation fails.

Page 131 of 361 Revision: B06

Use the IDP considerations and prompts in Table 26 to help with the design.

14.2.1 Approving an IDP

The AA shall consider the following when they are approving the IDP:
Has the isolation been designed to the highest isolation standard so far as is
reasonably practicable?
When the IDP contains a non-conformant isolation, Verify the non-conformant
risk assessment team included an appropriate mix of people with relevant
competencies, including technical authorities or specialists where needed.
Verify the IDP is suitable for the task identified in any linked permits and can
deliver any controls or requirements identified in the permit TRA.
Verify the IDP does not create an abnormal condition, or where it does, a
suitable (e.g. scope and duration), Approved ORA is attached.
Has the IDP applied the hierarchy of controls? see section 9.3.
Have monitoring requirements been clearly specified?
Can the isolation be conducted safely with the identified controls?
Are the identified controls suitable for the identified scope?
Have contingency and emergency response and rescue plans been
considered?

Table 26 - IDP design considerations and prompts

IDP design considerations and prompts

Process conditions Isolation location

• Pressure and temperature stability. • Access and, or egress.
• Gas and, or liquid ratio. • Number of persons at risk.
• Flashing fluid. • Size of pipework.
• Toxics (e.g. hydrocarbons, H2S). • Potential leak volume.

Isolation integrity Checks whilst performing isolation

• Potential dead-legs. • Likelihood of significant vibration.
• Potential for enhanced corrosion. • Valve position indicators - are they accurate and easy
to read?
• Pipework support adequate.

Equipment and process Equipment

• Types of valves available. • Blockage of vents, drains or both.
• Can valve integrity be tested? • Over pressurisation or overfilling.
• False result from valve integrity test. • Hydrostatic load on pipe work and vessels.
• Likelihood of blockages (e.g. wax, debris, fluid • Vacuum effects within vessels or equipment during
solidifying). draining.
• Valves or obstructions (e.g. NRV, control valve, • Design capacity of any flaring, venting or draining
strainer) between the isolation valve and the vent or systems.
drain valves. • Gaskets containing asbestos.
• Any history of leakage (e.g. passing valve lists or • Working on threaded connections such as threaded
lessons learned records). plugs whilst equipment is pressurised.
• Can pressure be locked-in? • Bleed and drain hose implications (e.g. HP/LP
• Likelihood of reverse flow. interface, overfill of sumps or liquids to the flare
• Possible migration from other systems. system).

Page 132 of 361 Revision: B06

• Electrical trace heating.

Process Process
• Volatile vapours released from a liquid. • Pyrophoric scale in systems that contain H2S.
• Formation of an explosive atmosphere. • Explosions and fires caused by the sudden mixing of
• Disposal of fluids, (e.g. contaminated water). water with hot oil.
• Valve freezing or embrittlement effects on steel pipe • Static electricity as an ignition source or cause of
work due to auto-refrigeration. electric shock during steam cleaning or high-
pressure water jetting if equipment is not earth
• Incompatible chemicals (e.g. acid and water). bonded.
• Chemical reactions between cleaning materials and • Possible asphyxiation through personnel exposure to
a tank or its fittings (e.g. acidic cleaning fluid nitrogen or other asphyxiates.
attacking a blanking spade installed for isolation).
• Accidental spillage and freezing effects of liquid
nitrogen.
• Temporary connection of equipment or services for
return to service (e.g.N2 bottles, quads or bulk
systems).

14.3 Documenting the isolation and de-isolation plan

The IsA shall document the following when developing the IDP:
All points of isolation and de-isolation including the associated methods.
Hazards and controls.
Action steps for prove dead or zero energy checks, or confirmation of actions
(e.g. a spare PSV is lined-up, or export operations are not planned for the
duration).
Action steps are used:
a) to identify where a permit is required for intervention activities such as
removing blinds to fit tapped flanges and hoses for draining or flushing
activities
b) to cover removal/fitting hoses, blanks, blinds, caps where the person
executing the isolation is competent and local contracts allow these
activities
c) for operational verification steps such as confirming a spare PSV is lined-up
before starting to isolate, or export operations are not planned for the
duration of the isolation.
Contingency plan (see section 14.4).
Actions to Verify isolation integrity such as PBU monitoring or inspection.
Tests required to confirm the integrity of the equipment before re-energising or
introducing process or utility fluids.
All items that are moved from normal operational positions for example:
a) the addition or removal of pressure gauges, bleeds, drains, hoses
b) removal of caps, plugs or blanks
c) alarm and trip overrides
d) software defeats, keys and maintenance overrides
e) operational steps such as venting, draining, depressurisation and flushing
f) testing or sampling for hazards

Page 133 of 361 Revision: B06

g) locking valves or placing control of safety valves in manual

h) removing restriction orifices
i) installing or removing temporary spools, and
j) high voltage bus bar or circuit earths/grounds.
Isolation drawings (PIDs, electrical line diagrams or loop drawings), sketches or
photographs providing enough detail to accurately and clearly show how the
system is going to be isolated.
The AA verifies the accuracy of isolation documents used.
If an isolation point in the IDP cannot be isolated or an action cannot be
implemented, then it is recorded in the IDP by the IsA, with a comment to explain
the reason.
The IDP process meets the requirements of OSHA 1910.147 Control of hazardous
energy (lockout/tagout).

14.4 Contingency plans

In the event of isolation failure once the isolation is in place, the contingency plan
addresses the following:
the location of the applicable ESD facilities
the location of additional valves and the expected specific actions to be taken
by, for example IsA or CRT, and which operating procedures to follow.
spill containment
how to respond to a loss of primary containment.
When creating a contingency plan, consider credible failures that are impacted by
such things as how long the isolation will be in place, process stability, volume of
material involved, volume of material before next possible isolation, temperature
and pressure, location of other equipment and hazards.

14.5 Conformant and non-conformant isolations

Isolations that meet the standards detailed in section 14, Table 27 or Table 30 are
classed as conformant. Isolations that do not meet these standards are classed as
non-conformant.
Complete a Level 2 risk assessments for all non-conformant isolations, irrespective
of when they are identified. Approval is based on residual risk.
The primary intent is to determine the additional hazards and the additional controls
required when relying upon a potentially less secure and less reliable method of
isolation than the CoW isolation standards in Table 27 and Table 30.
The SA is responsible for managing the non-conformant isolations using the
dashboards and to decide if engineering solutions are needed to correct repetitive
non-conformant isolations.

14.6 Cross-checking isolations

To reduce the risk of human error, all full (non-personal) isolations and de-isolations
(including STT) should be cross-checked by a different person.
An AA, IsA or Isolator can cross-check. However, if an Isolator has applied the
isolations, then this shall be cross-checked by an IsA of the correct discipline.

Page 134 of 361 Revision: B06

Cross-checking consists of the following physical checks:

Correct equipment (e.g. pump, switchboard) has been selected.
Correct isolation or de-isolation point as identified on the IDP.
Correct method of isolation (for example isolator open or blank fitted).
Correct isolated or de-isolated state as identified on the IDP.
Isolation is secured or removed.
Tags are correctly fitted and legible, and or removed.
Human error can occur to anyone at any time and cross-checking can mitigate
against this. However, for low impact (consequence) activities only, the IsA and AA
may decide that cross-checking is not required for selected isolation points.
The following isolations may be considered for isolation or de-isolation without
cross-checking:
Non-hazardous utilities such as water or air at low pressure <10 barg (150
psig)25.
Low volume of utilities such as diesel, hydraulics and lube oil.
Low-pressure <10 barg (150 psig)26 and low volume process fluids.
Switched isolations of low voltages where activity does not require access to
exposed electrical components (e.g. changing fan belts, changing light bulbs,
changing HVAC filters) Clearly tag the isolations.
Isolation of voltages up to and including 50 V ac or 120 V24 ripple-free dc
Low volume is less than a process safety tier 2 event as defined in API RP754 table 2.
A link to this can be found in BP Record-Group HSE definitions RCD 4.4-0001
Cross-check all isolations not included in 14.6e.
A discipline IsA shall cross-check all isolations applied by an Isolator.

14.7 Sanction to test

Use sanction to test (STT) when there is a requirement to temporarily de-isolate part
or all of an isolation so that a test or task can be completed to Verify:
the integrity of equipment, in the case of a leak test, or
the result of maintenance (for example to test the seal condition on a pump).
STT allows for the temporary reinstatement of power or the moving of valves to
perform the test.
These movements require strict control. The AA shall Approve and record all
movements in the IDP.
STT is normally applied for tests lasting less than one shift. However, if STT is
extended for longer than one shift, oncoming and outgoing AAs, IsAs and PAs shall
perform a specific handover.
The PA, working with the AA and IsA, identifies the need for an STT as early as
possible in the planning process so that it is considered when the IDP is being
designed.
The cycle for STT shall be as follows:
The AA and IsA agree the isolation points to be temporarily de-isolated.

Page 135 of 361 Revision: B06

The IsA checks the integrity of the isolation before making any changes.
The AA suspends all other permits linked with the work or cross-referenced on
the ICC. All other permits to work on the isolated system are suspended for the
duration of the test.
The AA decides if there are any additional monitoring requirements for the STT
and includes them in the STT permit.
The AA authorises de-isolation for STT.
The IsA de-isolates the points identified for STT and updates the IDP.
Troubleshooting can take place while under the STT using personal isolations
within the envelope of the original ICC. Include troubleshooting tasks in the STT
permit.
The PA is issued with a new permit to carry out the STT work – cross-
referenced to the ICC.
The IsA monitors isolation integrity as detailed in the risk assessment
throughout the test period.
After the STT work is completed, the PA returns the permit to AA following
suspension or completion.
The AA requests the IsA to replace isolations if the test is unsuccessful; these
shall be isolated to the previous standard. If the test is successful, the IsA
moves the STT isolations to, or verifies they are in, the final position.
The AA signs off the ICC as complete when all isolations have been signed to
confirm they are in the final positions.

14.8 Identifying and recording isolation points

Identify all isolation points using a unique sequential number that is detailed on the
IDP.
For overlapping isolations where some isolation points are common to more than
one isolation, these points shall have a separate locking device and tag for each
isolation.
Include marked up drawings as follows:
Highlight each isolation point with a unique isolation point number.
Where helpful, highlight the pipework and equipment that form the isolated
envelope.
The colour code used for marking up drawings for process isolations and control
hydraulic or pneumatic lines is:
red for valves isolated closed or spades or blanks inserted
green for valves isolated open
blue denoting a bleed point.
The colour code used for marking up drawings on electrical isolations is:
red for isolation point closed (i.e. energised) or circuit reconnected
green for electrical isolation point opened (i.e. de-energised) or circuit
disconnected
yellow to indicate application of an earth or ground.

Page 136 of 361 Revision: B06

14.9 Amending isolations

The amend isolation process is used in circumstances where the original design is
not adequate or applicable or there is a change in current conditions.
For example, the isolation envelope needs to be extended after installation because of
a passing valve.
Suspend all work under the isolation before the amend isolation process is used.
No work shall take place under an isolation in the Amend state.
The AA may authorise the amendment of any isolations in any state.
Following the amendment of the design, the approval and authorisation process
follows the same rules as a normal isolation:
Changed design for every discipline is signed by the relevant IsA.
AA Approves the overall changed design.
Any new points are authorised for isolation, confirmed and cross-checked (if
cross-checking is required).
Points authorised for de-isolation are confirmed and cross-checked (if cross-
checking is required).
The AA signs to complete the amendments. This puts the isolation back to the state
it was in and the normal workflow can resume.
eCoW will display a warning message for any permit being issued against the
amended isolation to alert the IA or AA that there have been changes to the design of
the isolation

14.10 Securing isolations

The IsA or Isolator shall secure isolations using a locking device (lockout) and tag
with a yellow isolation tag. Use locking devices that are substantial enough to
prevent unapproved or accidental removal (a minimum of 25kg (50lb)27 break
strength).
If isolation points are used for more than one IDP, they shall have a separate locking
device and isolation tag for each.
When using padlocks, the IsA shall:
follow the local implementation procedure, to manage locks and keys
record individual key numbers for each isolation point on the IDP.
Isolation locking devices could be of the multi-hasp type to allow each work party to
apply locks and to cover multiple isolations on the same energy source. If this is not
reasonably practicable, a lockout box might be used.

Figure 8 - Example of multi-hasp for use on an electrical isolation

Page 137 of 361 Revision: B06

14.10.1 Securing process isolations

Lock or immobilise process isolations to prevent unauthorised operation using one
of the following methods:
Wire locking loops that require considerable effort to force the valve from the
locked position, such as Pro-Lock. In US, the Occupational Safety and Health
Administration (OSHA) requires a padlock to be used and this can be fitted to
the Pro-Lock.
BP recommends using yellow coloured Pro-Locks to give additional indication
and consistency with the yellow isolation tag.
Padlock and chains that would take considerable effort to force the valve from
the locked position. The AA shall secure and manage the keys using either a
master key cabinet or individual key safes and a system of record.
Specifically designed valve isolation devices where wire locking loops or chains
are ineffective.
Specifically designed tamper-proof valve interlocks. The AA shall control
activation of the interlock, using the master key held at the site.
If the IsA needs to isolate a valve that cannot be locked or immobilised using one of
the four methods above, the Isolator or IsA may:
remove the valve handle, if this is reasonably practicable, or
use a suitable fitting to prevent the valve from moving.
Secure and record LO/LC valves if they form part of an isolation. This is a
requirement even if they are not moved to implement the isolation. Update the
LO/LC register whenever any LO/LC valve is moved.
Pneumatically and hydraulically operated valves that fail closed shall have any stored
energy removed and their control lines physically disconnected so that no stored
energy is present in accordance with section 14.19.
Where it is not reasonably practicable to disconnect the hydraulic or pneumatic lines
the following shall be applied as a minimum:
Pneumatic supplies and returns to/from instrumentation and control equipment
(for example actuated valves, analysers, purge systems) shall be:
a) isolated as close as possible to the device to be worked on (that is, either
at a local isolation valve, at the nearest header offtake or and the
distribution manifold) and
b) vented using regulator drain or vent ports.
Hydraulic supplies to actuated valves shall be isolated as close as possible to
the device to be worked on; in conformance with Table 27 (SV, DBB or positive
isolation).
Record supply and return isolation lines as separate isolation points in the IDP.
Pneumatically and hydraulically operated valves that fail open shall not be used for
isolation. If no other alternative is reasonably practicable, and they are prevented
from moving, they can be used and classed as non-conformant.
Electrically operated valves shall have the power supply isolated (as per section 14.18)
and hand-jack manually locked.
If the valve cannot be physically immobilised, it shall not be used for isolation.

Page 138 of 361 Revision: B06

It is not necessary to lock bleed valves, as they need to be opened periodically to

check the integrity of the isolation. These bleed points still require isolation point
tags stating within the comments box that they are a bleed.

14.10.2 Securing electrical isolations

Lock or immobilise electrical isolations to prevent unauthorised operation.
If fuses or links form part of the isolation device, the IsA shall provide a secure
means of storing the fuses or links after removal.
For work involving multiple work parties, each work party shall be able to apply an
individual lock; alternatively, a lockbox or multi-hasp can be used.
An isolation device may have a withdrawable element that exposes energised
conductors, parts or equipment when the withdrawable element is removed. In this
case, access to the exposed conductors, parts or equipment shall be securely
blocked (for example by locking ‘closed’ the bus bar and circuit shutters mounted on
the fixed portion of a switchgear cubicle).
An isolation tag shall be fixed to each electrical point of isolation.

14.10.3 Using lockout and tagout in US

Lockout is when a lockout device is installed on all sources of hazardous energy so that
it cannot be disconnected unless the lock is forcibly removed.
Tagout is defined as installing a tagout device on all sources of hazardous energy, such
that operation of the disconnecting means is prohibited.
In US, conformant electrical isolations are secured by lockout.
The lockout device shall include:
a lock (either keyed or combination)
a method of identifying the individual who installed the lockout device.
Electrical isolations secured by tagout only, are treated as non-conformant and
controlled as per section 14.5. In this case, the non-conformant isolation Level 2 risk
assessment identifies additional safety measures to mitigate the lower standard of
securing the isolation (meeting requirement of OSHA 1910.147).

14.11 Securing isolation lockboxes in US

For US sites, personal locks and lockboxes are used in addition to the BP labelling
and securing devices.
When working under the energy isolation all workers shall be protected by their
own personal lock, or locks, or the personal lock or locks of their designated worker.
The designated worker shall keep the key to the lock or locks prior to issuing the
permit. The PA or a worker may be the designated worker.

14.11.1 Before starting the task detailed in the permit

Complete the following prior to issuing the permit:
Isolator attaches their device locks to the isolated equipment.
Workers physically Verify the isolation and zero energy state.
Workers affix their personal lock or locks and tag onto the appropriate energy
isolation device, or devices, or lockbox.

Page 139 of 361 Revision: B06

Workers initial and enter time on the work party declaration.

Any worker has the right to apply their own personal lock and is responsible for the
safekeeping of their key.

14.11.2 Methods of using locks and lockboxes

For each task, it shall be clear which of the following three methods will be used.
Only one method per task is allowed.
Method 1 – personal locks only
a) Each worker places their personal lock, or locks, directly on the energy
isolation device, or devices.
Method 2 – using a lockbox
a) Isolator places the device lock key, or keys, in the lockbox that pertains to
that isolation.
b) Isolator secures the lockbox with the operations control lock and a tag
describing the work, date and ICC number to the lockbox.
c) Workers affix their personal lock on the lockbox with a tag that includes
the name of the person or group applying the tag and a contact method.
Method 3 – working under PA personal lock
a) A worker or workers can agree to work under a designated worker
personal lock.
b) The designated worker affixes their personal lock and tag onto the lockbox.
c) Designated workers initial next to each of their worker’s name on the work
party declaration.
A worker can choose to work under their PA. If this method is chosen, a worker
cannot assume they can work under their PA/designated worker’s personal lock.
There shall be a mutual agreement between the worker and the PA/designated
worker and the PA/designated worker initials next to the worker’s name on the
work party declaration.

14.11.3 End of shift

At the end of a shift, the worker or workers, and the PA shall complete the
following:
The PA notifies the AA or IA that work is completed.
The PA and workers remove their personal lock, or locks, and sign off the work
party declaration prior to closing or suspending the permit.
In situations where the permit scope is incomplete or equipment is inoperable,
before suspending or completing the permit, the worker or workers, or PA – or
all of these – complete the following:
a) On the lockbox, or energy isolation device (or devices), replace personal
locks with:
1) the control lock, or craft lock or both, and
2) tags.
b) There may be more than one control lock and craft lock.

Page 140 of 361 Revision: B06

c) The PA shall notify the IA or AA that the job is incomplete and one or more
control locks, or craft locks – or both – have been attached to the lockbox.

14.11.4 Sanction to test with locks and lockboxes

For interruption of energy isolation for temporary testing, follow the steps below:
The IsA will notify the PA and Verify all Affected Workers and non-essential
personnel are clear of the area.
Workers and PA will remove personal, control and craft locks from the lockbox
and sign off the work party declaration.
When the testing or repositioning is complete, the Isolator or IsA will need to
re-establish energy isolation and achieve safe energy state. The PA and IsA
Verify integrity of the energy isolation and then re-apply locks as appropriate.

14.11.5 De-isolation with locks and lockboxes

When the work is completed, all workers and the PA shall:
remove their personal locks and control or craft locks (or both types of lock)
sign-off the work party declaration.
The PA verifies that all personnel in their group have completed the work party
declaration by initialling next to each worker’s name on the work party declaration.

14.11.6 Removing an absent worker’s personal or craft lock

Authorisation for removing a personal lock of a worker who is not available is
controlled through a permit. The Health and Safety Site Lead shall be part of the RA
team.
To remove a personal lock of a worker who is not available, the AA shall:
Verify that the worker is not in the work area
Verify the safety and integrity of the equipment to be re-energised before
removing the lock and isolation tag
make all reasonable efforts to contact the worker and contact their supervisor,
or supervisors, to inform them that their personal lock and isolation tag has
been removed (or that they failed to sign out)
Verify that the worker is informed that their personal lock and tag has been
removed before the worker resumes work.

14.12 Tagging isolations

Identify all isolation points, including bleeds, using the standard BP Upstream
isolation tag.
If the valve is a single valve with 2 seats but one actuating device (e.g. handle or
wheel), then treat it as a single valve and one isolation point.
If a valve has two actuating devices operating separate seals, treat these as
separate isolation points.
The isolation tag includes a clear ‘Do Not Operate’ warning and can withstand the
environment to which they are exposed.

Page 141 of 361 Revision: B06

They have the following information from the IDP printed on them:
Point number.
ICC number.
Equipment number.
Isolated state.
Reason for isolation.
Point-specific comments.
Self-verification is used to confirm that the tags are legible and that locks are in
place and in good condition.

Full Isolation Personal Isolation

Figure 9 - Isolation tags

14.13 Personal isolations

Personal isolations can be used for operational and maintenance tasks where the
PA is also the Isolator or IsA and where the isolation is required for no more than a
single shift.
A personal isolation can be extended for up to 4 hours5 if the PA works beyond the
shift to complete a task. If the requirement for isolation goes beyond one shift (plus
four hours possible extension), then it is replaced by a full isolation.
Personal isolations shall conform to the following:
Designed and implemented by an Isolator or IsA of the correct discipline.
Either the Isolator or IsA (as relevant) is present at all times when the task is in
progress or the isolation is in place. The Isolator or IsA may leave the worksite
for short interruptions such as meal breaks, provided the isolation is left in a
safe condition, with all covers, caps, blanks or barriers in place.
The isolation is risk assessed as low risk (i.e. risk Area I in the risk matrix) and
identified in a permit, LRP or RAP.

Page 142 of 361 Revision: B06

There may be situations where the task associated with the isolation has a residual
risk greater than area 1. 14.13c(3) refers to the isolation only.
Process isolations meet the process isolation standard detailed in Table 27.
Electrical isolations meet the electrical isolation standard detailed in Table 30.
The process for non-conformant isolations cannot be applied for personal
isolations.
Isolation points are identified and clearly documented in the permit, IDPs,
procedures, or on up-to-date marked-up drawings such as P&ID, electrical line
diagrams, instrument loop diagrams, sketches, or photographs.
The isolation envelope should be small and manageable, with no more than
two valve isolations and a drain or vent, and one electrical isolation. The valve
isolations could be single valve (SVI), double block and bleed (DBB) or a
combination. For example:
a) two SVIs
b) two DBBs
c) one SVI and one DBB
All isolations should be visible to the Isolator or IsA from the task location. The
only exception is the electrical isolation.
Type 1 locked valves cannot be moved under personal isolations, except where
conducting online testing as per section 23.4.3.
Isolation integrity is proven before starting the task.
Before authorising a task involving a personal isolation, the AA confirms that
the individual performing the isolation is competent to complete the task and
the isolation.
The Isolator or IsA tags each isolation point using yellow personal isolation tags
handwritten with isolation point, isolated state, name of isolator and date.
The Isolator or IsA locks isolation points using a tamper-proof method such as
locks, locked chains or security seals such as Pro-Locks.
Personal isolation shall not apply to isolations that require multiple discipline
isolation points unless the following requirements are met:
All the isolation tasks included in a permit, LRP or RAP are risk assessed as risk
area I.
The PA is competent to perform all the isolations included in the task, such as
process, electrical or instrument isolations.
Examples of where a personal isolation, instead of a full isolation, could apply are:
replacing filters or duplex filters, after proving the filters' isolation integrity
low-voltage maintenance tasks
vent and drain hose installations
repairing, replacing, troubleshooting and function testing instrument devices
and valve actuators
replacing and troubleshooting automation systems.
Electrical personal isolations are not allowed on:

Page 143 of 361 Revision: B06

high voltage equipment

safety systems (e.g. fire and gas or emergency shutdown (ESD) panels or
sections of these) where the isolation would inhibit operation of part, or all, of
the safety system
equipment fed from more than one source.
Personal isolations are allowed on one or more inputs or outputs provided the
design function is not compromised (e.g. If a Fire and Gas system needs 6 out of 9
detectors active in a fire area, personal isolations can be used to work on up to 3,
leaving 6 operational).
When closing a permit, the AA shall Verify the personal isolation has been removed
and the plant line-up is correct.

14.14 Process isolation

Process isolation is defined as the separation of plant and equipment from every source
of energy in such a way that the separation is secure (for example by means of an air
gap, a spade or a closed valve).
The following shall not be used for isolation:
PSVs
Control valves
Non-return valves (check valves)
Deck seals
Globe valves.
Category A type butterfly valves, as defined in API Std 609
Category B type butterfly valves, as defined in API Std 609 (in process or
hazardous utility fluid)
Fail last valves
Pneumatically and hydraulically operated valves that fail open. If no other
alternative is reasonably practicable, and they are prevented from moving, they
can be used, but the non-conformant process is used.
Steam traps
Any other valves that are not capable of providing a reliable seal due to their
design or condition such as a damaged seal.
Globe valves and butterfly valves are intended for controlling function and might not
provide adequate isolation after being in service for a period of time. Globe valves and
butterfly valves are not intended to be used for tight shutoff applications.
Three-way ball or plug valves may be considered for isolation if there is no other
alternative, but these are considered non-conformant and the IDP shall be explicit
on how to manage and identify the open and closed ports.
Emergency Shutdown (ESD) actuated valves shall only be used in valve isolation
service when:
the valves are fail closed and confirmed as in the closed position
the integrity of the ESD valves has been proven, and
one of the following applies:

Page 144 of 361 Revision: B06

a) the valves are designed to be manually disabled and locked closed, or

b) the valve actuator energy sources, electrical, pneumatic or hydraulic, have
been isolated and disconnected as per section 14.10.1.
Electrically operated valves shall have the power supply isolated (as per section
14.8) and hand-jack manually locked.
If an electrically operated valve cannot be physically immobilised, it shall not be
used for isolation.

14.14.1 Process isolation standard

Table 27 details the minimum process isolation standard and is used as the
decision tool for designing an isolation.
The following are considered when designing process isolations:
Hazardous nature of the fluid (e.g. fluid type and toxicity). See section 14.14.2.
Operating conditions (for example volume, pressure and temperature).
Process equipment, pipeline and pipework layout.
The consequence and contingency plan if the isolation were to fail.
SIMOPS.
Document the maximum potential system operating pressure (MPSOP) in either of
the following:
Controlled process design documentation (as per EP SG 5.3-0003 Design and
Operating Limits Table 6 -1):
a) process flow diagrams, process data sheets, P&IDs
b) documented and Approved safe operating limits (SOL).
If a change to the MPSOP is required, an Approved eMoC is required.

Table 27 - Minimum process valve isolation standards

Maximum potential system operating pressure ≤ 10 barg > 10 barg ≥ 50 barg

Is the maximum pressure the system can be exposed to in service. (150 psig) and (725 psig)
(150 psig)
This may be the MAWP, SOL or design pressure but is more likely < 50 barg
to be limited by installed layers of protection (e.g. PSVs HP trips), (725 psig)
pump or compressor limitations or by field depletion.
≤60°C >60°C (140°F) and ≥100°C (212°F)
Maximum operating temperature
(140°F) <100°C (212°F) Or AFAIT

Process fluids and hazardous utilities V = SVI V = SVI V = DBB

I = SVI I = DBB I = DBB
Non-hazardous utilities V = SVI V = SVI V = SVI
I = SVI I = SVI I = SVI
Isolation for small piping (that is diameter nominal (DN)20 or nominal pipe size (NPS) ¾’ nominal bore and smaller diameter),
including instrument tubing, shall meet the minimum requirements of this table where the system design allows.
Where it is not possible to meet the above requirements, the isolation shall conform to the Single Valve Isolation (SVI)
requirements of this Upstream CoW Procedure (see section 14.14.7) and the risks associated with the isolation shall be
managed in the risk assessment for the task (either in a permit or IDP).
An isolation method that cannot meet the isolation standards in this table is classed as non-conformant. If this occurs,
follow the process described in section 14.5 conformant and non-conformant isolations.
I Valving required to allow intrusive maintenance without V Valving required to allow the installation of
positive isolation (if positive isolation presents a greater risk). blank flanges and spades (positive isolation).
AFAIT Above fluid auto-ignition temperature.
Source: Extract from BP Practice Control of Work Integrated Practice (500102)

Page 145 of 361 Revision: B06

14.14.2 Hazardous and non-hazardous systems

Systems are designated as either hazardous or non-hazardous depending on their
physical or conditional properties, or both (examples are shown in Table I.1).
Designation of hazardous shall be based on an assessment of the physical
properties or conditions present during the isolation or de-isolation.
Typically, this assessment is completed during design and evaluates operating
conditions and physical properties in recognition of the isolation philosophy
(e.g. isolating under full operating mode versus isolating under shutdown conditions).
Physical properties may include:
a) flammability
b) toxicity
c) radioactivity.
Conditional properties may include:
a) pressure
b) temperature
c) energy
d) electrical
e) mechanical
f) hydraulic
g) pneumatic
h) chemical
i) gravitational
j) vacuum.
Non-hazardous utilities in contact with a hazardous fluid or into which a hazardous
fluid might leak (e.g. through an exchanger tube leak) are classified as hazardous.
Seawater, hypochlorite, and other systems subject to sea pressure on marine
systems are treated as hazardous.

Page 146 of 361 Revision: B06

14.14.3 Positive isolation

Positive isolation is the most secure method of process isolation. It shall be
achieved by either of the following:
Removing a pipework section and bolting, clamping or fitting blank flanges
rated for full line design pressure to the live ends.
Witnessed insertions by:
a) inserting between bolted or clamped flanges, a blind plate or spade
b) replacing a spacer (slip ring) with a blind plate or spade, or
c) swinging a spectacle plate.
When installing any of the above, new gaskets shall be installed rated to the pipe
design specifications, both upstream and downstream.
Rated blinds shall, where reasonably practicable, be installed at the flange closest to
the vessel, tank or equipment being isolated.
Rated in this context means the same specification as the pipework.
For positive isolation leak testing requirements, see section 19.21.
Apply positive isolation for the following:
Confined space entry, including all process and ancillary service lines.
Long-term isolations.
Isolations involving HP/LP interfaces where there is a potential risk of over
pressurising an LP system.
New pipework tie-ins to existing plants that are not yet commissioned.
Boundary isolations.
Tasks that include a primary source of ignition (for example work on
hydrocarbon systems involving an HWOF).
Process fluids at or above their auto-ignition temperature.
When carrying out breaking containment tasks, which result in open ended
pipework or equipment being left dependent on valve isolation, for longer than
one shift.
If positive isolation cannot be achieved and double block and bleed (DBB) is
identified as a lower risk option or the only reasonably practicable means of
isolation, class it as non-conformant.
When planning isolations for remote sites or Normally Unmanned Installations
(NUIs), consider positive isolation for any isolation left in place when these sites are
unmanned.

Page 147 of 361 Revision: B06

Figure 10 - Positive isolation – typical installation drawing

14.14.4 Isolating to achieve positive process isolation

When applying positive isolations, valved isolations may be required to allow breaking of
containment and subsequent installation of the positive isolation.
Isolations that are applied to allow blank flanges or spades (positive isolation) shall
meet the standards identified in section 14.14.1 and Table 27.
There are two options for managing the positive isolation:
Applying a positive isolation using a single IDP:
a) The valves upstream and downstream of the positive isolation are isolated
and recorded in the IDP.
b) A permit is issued for applying the positive isolation.
c) The positive isolation is recorded as a separate isolation point in the IDP.
Use the amend isolation feature in eCoW to do this.
Applying a positive isolation using two IDPs:
a) The isolation valves are isolated and recorded in the IDP number 1.
b) A permit is issued for applying the positive isolation.
c) IDP 2 is used to record the positive isolation
When designing the positive isolation consider both the ability to prove isolation
integrity before application of the positive isolation, and also prior to removal of the
positive isolation.

14.14.5 Double block and bleed

Double block and bleed (DBB) is classified as the next highest level of process
isolation, after positive isolation, and the highest level of valve isolation integrity.
Use any of the following three methods for DBB isolation:
Closing two block valves in series with a vent connection in the interconnecting
pipe.

Page 148 of 361 Revision: B06

All block valve types that conform to this subsection are further described in EP GP
62-01 Valves.
An integral body (or manifold) having two isolating valves and a vent valve.
For more information on valves that are suitable for this application, refer to EEMUA
182 Issue Specification for Integral Block and Bleed Valve Manifolds for Direct
Connection to Pipework.
Single valves of a type that provides a double seal in a single body and with a
bleed between the seals.
Conventional cavity relieving ball valves are not designed to be the only valve in a
DBB isolation as they cannot provide double isolation and bleed function. They can
be used as part of the isolation but will only receive credit as one valve.

14.14.6 Creating DBB isolations with double piston ball valves

Double piston ball valves, sometimes referred to as double piston effect (DPE) ball
valves, may be suitable for use as both valves in a DBB isolation. However, they
shall only be used if specifically designed for this purpose.
If designed for this purpose, double piston ball valves require a robust testing process
each time they are used as part of a DBB isolation, to prove the effectiveness of the
seals. Therefore, where no alternative exists, a ball valve with one or both seats as
DPE shall only be considered as both valves in a DBB isolation if:
SMEs have verified and documented that the valve has been designed and
tested for this purpose, and
the valve is seat-tested in situ following the sequence defined in EP GIS 62-016
Specification for Ball, Plug, and Other Quarter Turn Valves – Common
Requirements.
Definitions for valves that are designed to meet these specifications can be found in
API 6D Specification for Pipeline and Piping Valves.
EP-GIS 62-016 Specification for Ball, Plug, and Other Quarter Turn Valves –
Common Requirements section 15.1 and/or API 6D Specification for Pipeline and
Piping Valves, (24th edition) provides requirements for design and testing.

Vent or drain Vent or drain

P E

Bleed

Legend
Process Equipment and piping Pressure
P E system to be isolated indication

Figure 11 - Valved isolation – double block and bleed isolation

Page 149 of 361 Revision: B06

14.14.7 Single valve isolation

Single valve isolation (SVI) is classified as the lowest level of valve isolation integrity.
SVI consists of closing a single valve. Additional security can be achieved by closing
several valves in series, but the absence of a bleed or vent in the intervening
volume means they are classed as SVI. This kind of isolation may pose a hazard
from trapped pressure due to thermal expansion.

Vent Vent

P E

Legend
Process Equipment/piping Pressure
P E system to be isolated indication

Figure 12 - Valved isolation – single valve isolation

14.14.8 Other isolation devices

Non-vented devices shall not be used as primary isolation devices.
Use of novel isolation methods such as gel injection, frozen plugs, mechanical plugs
may be considered where no other reasonably practicable option exists. Their use is
a non-conformant isolation and shall be covered by a level 2 TRA, approved by VP
operations and supported by an approved engineering assessment (e.g. E.Q, or
MoC).
Devices such as mechanical plugs, frozen plugs or inflatable devices (e.g. bags,
balloons, bladders) may be used as vapour or liquid seal, if the following
requirements are met:
They are downstream of an isolation valve or positive isolation.
A Level 2 TRA has been completed and approved by the AOM.
Vapour barrier is recorded as a control on the risk assessment.
The hazard of ejection and line of fire is included as a minimum on the risk
assessment.
A mechanical seal plug certificate is used.
Monitor and control the pressure differential across these devices.
Regularly monitor devices that are provided with vents, vent lines, or both, to Verify
that the vent has not been compromised by cold temperatures, restricted or blocked
by debris. The risk assessment will specify how regularly this has to be done.

Page 150 of 361 Revision: B06

14.14.9 Integrity testing valve isolations

Integrity testing is Verifying that the isolation does not pass and is conducted when
isolating the equipment. Once the isolation is in place, conduct PBU monitoring of the
isolation as described in section 14.14.12.
It is important to understand the two main ways that a valve provides isolation:
Passive sealing action: valves that rely primarily on the presence of differential
pressure to create a seal; for example:
• trunnion mounted ball valve
• floating ball valve
• slab type gate valve
• parallel slide gate valve.
Positive sealing action: valves in which the sealing force is applied mechanically
as part of valve operation; for example:
• parallel expanding type gate valve
• split wedge gate valve
• ‘orbit’ type ball valve
• expanding type plug valve
• ‘wedge’ plug.
Additional information can be found in EP GP 62-01 Valves.
To prove isolation integrity, the Isolator or IsA shall perform integrity tests before
confirming the isolation is in place for each isolation point.
Figure 13, Figure 14 and Figure 15 include generic procedures for testing SVI and
DBB isolations using integrity tests. The minimum duration of the integrity test
depends on the size of the isolated cavity being monitored, the precision of the
gauge being used to monitor pressure and the leak rate detection precision
required.
When testing for integrity, it is best practice to test with the process medium and in
the normal direction of flow.
Pressure gauges normally give accurate indications only over the middle part of their
range and gauges designed to measure high pressures often give poor response at
low pressures. A lower range gauge will typically give a more accurate reading of
PBU, but caution is necessary to protect the gauge from excessive pressure
(e.g. pressure limiting device).
Separately test the integrity of both valves and seals.
The bleed valve is closed between periodic integrity checks unless the risk
assessment indicates that keeping the bleed valve open is a safer alternative. The
bleed valve shall vent to a safe location, either to atmosphere or to a closed vent or
flare system.
The PBU duration tool can be used to estimate the minimum duration for PBU
integrity testing gas-service.
An observable pressure rise (e.g. using an analogue pressure gauge of a suitable
range), or leakage during the integrity test indicates that the valve is passing fluids.
Corrective actions can sometimes eliminate valve seat leakage (for example

Page 151 of 361 Revision: B06

opening and closing valve, flushing valve, greasing valve). Test the isolation integrity
again following any corrective action.
If the valve continues to pass fluids, use an alternate isolation design (e.g. additional
isolation valves, positive isolation, and revised isolation boundary). If an alternate
isolation design is not reasonably practicable, then the isolation is classed as non-
conformant; include the risks of working downstream of the leaking valve in the risk
assessment.
Any decision to break containment when the isolation envelope contains a valve
that is known to pass shall be managed using a Level 2 TRA.
For isolations in gas service, the results of the PBU integrity test may be used to
estimate the leakage rate and potential hazard distances in support of the risk
assessment (e.g. using the CoW leak dispersion estimator tool).
For isolations in flashing liquid service, the CoW leak dispersion estimator tool may
be used to estimate hazard distances associated with flashed vapour provided the
liquid leakage rate is estimated or measured.
The CoW leak dispersion estimator tool shall not be applied to gas or flashed
vapours that are denser than air.
The risk assessment shall consider the following:
Fluid characteristics:
a) Flammability and auto ignition temperature
b) Toxicity and other hazardous characteristics for personnel exposure
(e.g. asphyxiation)
c) Vapour pressure
d) Density.
Source conditions:
a) Operating pressure and temperature
b) Potential for leakage rate to increase quickly (seat erosion).
Local environment:
a) Distance to ignition sources
b) Ambient conditions (wind speed, ventilation rate, temperature)
c) Potential for escalation to nearby equipment.
Contingency:
a) Availability of additional upstream isolation points
b) Volume contained within the isolation.
Calibrated pressure gauges or pressure recording devices being used for valve
integrity testing shall either be rated to maximum operating pressure or fitted with
overpressure protection (e.g. gauge saver. note: Snubbers provide pressure spike
protection, not overpressure protection). Check the pressure testing equipment
before use to Verify that they are of the correct range, and calibrated. Check all
bleed points being used for integrity testing for fouling or blocking, because any
restrictions or blockages may give false results.

Page 152 of 361 Revision: B06

When applying isolations across an HP/LP interface, prove the integrity of the HP
side of the isolation to confirm that the LP downstream system cannot be over
pressured.

14.14.10 Integrity testing flare, vent and drain valves

When a single flare, vent or drain valve forms part of an isolation, it may not be possible
to test the valve integrity.
Use a risk assessment to manage the hazards and controls in place for working on a
valve where the integrity has not been verified.
If the following criteria are met, then the risk assessment can either be included as
a task step within the IDP or a hazard in the TRA for the task:
Valve does not have any known integrity issues.
The flare, vent or drain system maximum potential system operating back
pressure in normal and emergency operation is less than 10 barg (150 psig)26.
The risk assessment identifies a contingency plan.
The valve may be classed as non-conformant and the non-conformant process
followed.

Page 153 of 361 Revision: B06

Isolation integrity test for double block and bleed (two valves)

Key
V1 - First (upstream) isolation valve from live system.
M1 - Live side-monitoring point (pressure gauge or vent/drain).
V2 - Second (downstream) isolation valve from live system.
M2 - Monitoring point between valves and break point (pressure gauge or vent/drain).
B - Bleed point between the isolation valves.

Procedure
1. If possible, Verify tappings at M1, M2 and B are not blocked and pressure gauges, where installed, are
operating.
2. Close downstream valve V2 and secure in closed position.
3. Record pressure at monitoring points M1 and M2.
4. Vent/drain section of line to be broken and monitor at M2 until the pressure is zero.
5. Close vent/drain at break point and monitor at M2 for a minimum of 10 minutes28 or use PBU tool to set time.
No pressure build-up at M2 indicates the integrity of the downstream valve V2.
6. Close upstream valve V1 and secure in closed position.
7. Record pressure at M1 and B.
8. Vent/drain between V1 and V2 (B) and monitor at B until pressure is zero.
9. Close vent/drain (B) and monitor at M1 and B for a minimum of 10 minutes28. No pressure build-up at B
indicates integrity of upstream valve V1.
10. Leave vent/drain (B) in closed position to allow further monitoring.

Isolation summary
Both block valves are now closed and secured. The bleed valve is closed but not locked. It is possible for pressure
to build up between the two block valves so it is essential to regularly monitor the isolation; you may fit a suitable
calibrated pressure gauge to the vent to monitor for any pressure.

Figure 13 - Double block and bleed isolation integrity test (two valves)

Page 154 of 361 Revision: B06

Isolation integrity test for BP-Approved double sealed, single valve

Key
M1 - Live (upstream) side monitoring point.
M2 - Monitoring point between valve and break point (downstream).
C - Cavity drain (between seals).

Procedure
1. If possible, Verify tappings at M1, M2 and C are not blocked and pressure gauges, where installed, are
operating.
2. Close isolation valve and secure in closed position.
3. Record pressure at M1, C (in cavity) and M2.
4. Vent/drain downstream section of line to be broken and monitor pressure at M2 until pressure is zero.
5. Close vent/drain at break point and monitor at M2 and C for a minimum of 10 minutes28 or use PBU tool to set
time. No pressure build-up at M2 and no pressure fall-off at C indicates integrity of downstream seal.
6. Record pressure at M1 and C.
7. Vent/drain off fluid in cavity (between seals) and monitor at C until the pressure is zero.
8. Close cavity vent/drain (C) and monitor at M1 and C for a minimum of 10 minutes28. No pressure build-up at C
indicates integrity of upstream seal.
9. Leave vent/drain C in closed position to allow further monitoring.

Isolation summary
The double sealed, single block valve is now closed and secured. The bleed valve is closed but not locked. Any fluid
passing through the upstream seal will be detected at the cavity drain C. It is essential to regularly monitor the
isolation; a suitable calibrated pressure gauge may be fitted to the vent to monitor the pressure.

Figure 14 - Isolation integrity test (BP-Approved double sealed, single valve)

Page 155 of 361 Revision: B06

Isolation integrity test for single valve isolation

Key
M1 - Live (upstream) side monitoring point.
M2 - Monitoring point between valve and break point (downstream).
Procedure
1. Verify tappings at M1 and M2 are not blocked and pressure gauges, where installed, are operating.
2. Close isolation valve and secure in closed position.
3. Record pressure at M1 and M2.
4. Vent/drain downstream section of line to be broken into and monitor at M2 until pressure is zero.
5. Close downstream vent/drain and monitor at M2 for a minimum of 10 minutes28 or use PBU tool to set time.
Zero pressure build-up at M2 indicates integrity of single valve.
6. Leave downstream vent/drain at break point in closed position to allow further monitoring.
Isolation summary
The single isolation valve is now closed and secured, and the downstream vent/drain is closed. Any fluid passing
through the single valve seal would be monitored at the frequency agreed in the risk assessment.

Figure 15 - Single valve isolation integrity test

14.14.11 Process isolation integrity on unmanned sites

People may not be permanently present on normally unmanned installations (NUIs) and
remote unattended sites whilst an isolation is in place.
In these circumstances, the first people to return to the facility shall confirm
isolation integrity before continuing work on the isolated equipment.

14.14.12 Monitoring process isolation points

Monitor the integrity of each isolation point to detect any leakage or deterioration
that may be caused by for example, vibration, disturbance, or changing pressure
upstream.
Monitoring shall include checking zero energy through bleed valves or pressure
build-up, or both.
The IsA shall specify the frequency of PBU monitoring for each bleed valve in the
IDP. For each isolation, there shall be a minimum of one monitoring point.
An Isolator or IsA records the PBU results in eCoW.

Page 156 of 361 Revision: B06

For each isolation, as a minimum, complete the PBU monitoring before work starts
on the isolated system and at least once per shift for all isolations that are Live in
place (LTI are risk based. See section 14.27).
PBU checks are typically not needed when a system is positively isolated.
If zero PBU is not achieved when monitoring the integrity of an isolation, consider
additional actions, such as maintaining or exercising isolation valves and carrying out
further integrity tests.

14.14.13 Pressure build up (PBU) equipment

The choice of equipment used for PBU tests may affect the accuracy of the tests
and the time taken to conduct them. The equipment needs to accurately reflect the
pressure, be of a suitable pressure range and sensitivity, and allow safe attachment,
pressurisation and depressuring after use.
Typically, the equipment would use one of three options below:
A pressure gauge attached to a suitable flange or screwed fitting (e.g. rated and
sized for the equipment they are being attached to).
A procured, purpose made system such as the Crystal XP2i with snap-tite quick
connect fittings.
A fabricated rig with the ability to attach to flanged or screwed fittings and with
the facility to safely depressure if necessary, after use.
Good practice when choosing a suitable gauge suggests either:
Choosing one that is rated 30% higher than the normal operating pressure of
the system being tested. This allows for protection of the gauge while
maintaining a reasonable accuracy, or
Using a lower rated gauge that is protected by an engineered overpressure
device. This will allow a more accurate identification of PBU.
Some of the modern digital gauges can work accurately over a much wider range
(e.g. Crystal system).

14.15 Isolating pressure relief devices

Only remove or isolate pressure relief devices (relief valves, rupture discs or
vacuum breakers) by applying the following hierarchy of controls:
During a plant shutdown where positive isolation and zero energy is proven.
System isolated, depressurised and thermal relief provided where required
(Verify relief requirements with process SME).
The standby relief valve (100% capacity) is brought into service to allow
removal of the duty valve.
Providing adequate alternative relief path – documented through an Approved
SORA.
Using a SORA with additional controls that demonstrates the relief capacity
available is adequate (reference or attach any Approved engineering
calculations).
Removal whilst the pressure hazard exists and no SORA available use an
Approved ORA.

Page 157 of 361 Revision: B06

If a thermal relief is provided on an isolated system that still contains hydrocarbons,

a SORA attached to the override shall cover its use as a control.
Where a site has spared (100% capacity redundancy) relief valves, the spare or
standby shall be online before taking the duty relief valve offline.
The position of the isolation valves around duty and standby relief valves are as per
the P&ID. The inlet to the spare valve may be open or closed depending on the
design and if credit has been taken during LOPA.
The changeover of relief valves is a critical activity and shall be controlled by an
interlock system or an Approved IDP or SOP detailing the sequence of valve
changeover and integrity verification.
Use the locked valve register to record any movement of locked valves associated
with spared relief valves that have been moved whilst switching from duty to
standby relief valves.
The movement of the locked valves around spared relief valves do not have to be
marked up on P&IDs.

14.16 Isolating stored or accumulated mechanical or electrical energy sources

To avoid any accidental movement of machinery or sudden releases of any form of
mechanical, electrical or pressure energy, safely release or discharge and then
isolate all identified energy sources.
Batteries remain live and cannot be easily discharged. Follow section 22.3 for any
work on battery systems.
For hydraulic, pneumatic and process-powered machinery, isolate the source of
energy.
Isolate engine-driven machinery by shutting off the engine fuel supply and then
isolating all the starting systems. Make safe electrically driven machinery by
switching off the power supply to the motor and then isolating all electrical supplies.
For beam pumps, when working within or around the pump structure, immobilise
the horse head and counterweight.
Safely release residual mechanical, electrical or pressure energy as follows:
Mechanical: run down high and low speed-rotating elements, release springs
and charged springs within electric circuit breakers.
Electrical: discharge capacitors and isolate. Follow section 22.3 for any work on
battery systems.
Hydraulic: depressurise accumulators and pressurised pipework.
Pneumatic: depressurise the system.
Services: depressurise, vent, purge or drain steam, gas or fuel.
Even if machinery powered systems are disconnected or engines and motors are
prevented from starting, there may still be a foreseeable risk to people working on
the machinery if it were to move. If this may happen, fit a device such as a properly
engineered chock or wedge to lock the machinery in a safe position.

Page 158 of 361 Revision: B06

14.17 Isolating hydraulic systems - pulsation dampeners and accumulators

Whenever reasonably practicable, depressurise all pipework and the pre-charge of
any accumulators within the isolation envelope.
If an accumulator cannot be isolated or the risk of depressurising is higher than
working on the pressurised accumulator, complete a Level 2 TRA. The TRA shall
determine the residual risk of keeping the unit at pressure whilst the task is being
executed and consider, as a minimum:
the history of the unit (for example maintenance, previous failures)
stored energy risk versus the execution of an isolation envelope
how close the task is to the accumulator, and
the duration and frequency of the task.
For example:
• During drilling operations, the rig pump pulsation dampener (pre-charged to
approximately 900psi with nitrogen) is not to be bled down when work is needed
on the rig pump fluid ends. The Level 2 TRA considers if maintenance has been
completed to reduce probability of the diaphragm rupturing. Typically, pulsation
dampener diaphragms are changed out annually during continuous drilling
operations and every two years on warm-stacked rigs.
• If an isolation envelope includes a pulsation dampener containing a pre-charge
pressure, then the Level 2 TRA evaluates the residual risk of leaving the pulsation
dampener at pressure, while removing, cleaning and reinstating the pump suction
strainer. The pulsation dampener does not have adequate isolation and it is not
possible to provide positive isolation due to the existing pipe configuration

Page 159 of 361 Revision: B06

Table 28 - Pulsation dampener non-conformant RA prompt

Risk assessment discussion points – for a non-conformant isolation containing stored energy within a pulsation
dampener.

Hazards to consider Controls to consider

Failure of the pulsation dampener bladder causing a Maintenance - Confirm the pulsation dampener and bladder
sudden release of stored energy into the isolation have preventative maintenance routines established in the
envelope while work is being carried out on the CMMS and that they have been maintained accordingly.
isolation envelope. Pulsation dampener bladder failure – Confirm there is no
The hazard identifies what the pre-charge medium is and history of failure with this or similar pulsation dampener
how it will cause harm to people or plant. For example, bladder type and duties. If there are any known failures, then
nitrogen may asphyxiate people working on the isolation the task shall not continue.
envelope and those in the surrounding area.
A sudden release of pressure could harm people working Can positive isolation be safely applied and removed to
on the isolation envelope and anyone nearby. minimise the exposure time of the stored energy?
Consider other media (for example hydrocarbons). Consider how long the isolation will be in place. Minimise the
duration (for example by having like-for-like replacement
Failure of pulsation dampener bladder causing a
available, or tools and equipment ready at the worksite).
slow release of stored energy while work is being
carried out on the isolation envelope. Consider the amount of stored energy in relation to the
The hazard identifies the pre-charge medium and how it isolation envelope and how to reduce the associated risks. Is
will cause harm to people or plant. For example, the task taking place close to the stored energy? If so, do not
nitrogen could asphyxiate people working on the work on the pulsation dampener or connecting pipework.
isolation envelope. Monitor pulsation dampener pre-charge pressure for a defined
period, (for example one hour before confirming the ICC is in
Consider other media (for example hydrocarbons). place), to Verify no pressure reduction. Work shall not
continue if any pressure decay is observed.
Can additional relief paths (open ends) be considered to
reduce the pressure effect during sudden failure?
Are there any other barriers between the stored energy and
the work face that could reduce the effect of failure of the
pulsation dampener? For example, is the accumulator part of a
pump seal arrangement?
Erect barriers and warning signs around the worksite,
particularly focusing on open ends, to restrict entry.
Consider the need for oxygen monitoring if the dampener pre-
charge is an asphyxiant.
Consider ventilation or draining.
Consider the cumulative risk of numerous pulsation
dampeners within one isolation envelope.

14.18 Electrical isolation

An electrical isolation is achieved by disconnecting all sources of electrical energy from
equipment to create an adequate air gap that can be secured to prevent the equipment
being energised.
All electrical work shall, where reasonably practicable, take place when the
equipment is isolated in accordance with this Upstream CoW Procedure.
Where it is not reasonably practicable to isolate electrical equipment in accordance
with this Upstream CoW Procedure, energised electrical work shall conform to
section 22.2.
The term electrical isolation is applicable to all equipment where electrical energy
may be present. The isolation of electrical energy to instrument and control
equipment shall be regarded as electrical isolation and performed in accordance
with this section 14.18.

Page 160 of 361 Revision: B06

All references to Electrical IsA in this Upstream CoW Procedure apply equally to
Instrument IsA when performing electrical isolation for control and instrument work
activities as detailed in Table 30.
IEC 60038 and NEMA C84.1 use different classifications of voltage. For the
purposes of this Upstream CoW Procedure, the classification in Table 29 is used.
For Trinidad, Low voltage is: up to and including 600 Vac, or 1000 Vdc. High voltage
is: above 600 Vac, or 1000 Vdc

Table 29 - Voltage classification

Voltage classification34 Voltage range

ELV (extra low voltage) Up to and including 50 V ac or 120 V ripple-free dc

LV (low voltage) Up to and including 1,000 V ac, or 1,500 V dc

HV (high voltage) Above 1,000 V ac, or 1,500 V dc

14.18.1 Electrical isolation standards

Table 30 details the minimum electrical isolation standard, depending on isolation
type and voltage. If the equipment is able to provide a higher level of isolation, then
apply the higher standard.
Table 30 can be supplemented with equipment-specific procedures where required.
If the standard in Table 30 cannot be met, the isolation is classed as non-
conformant. If this occurs, follow the process described in section 14.5.
Individually isolate auxiliary circuits on major items of equipment for control,
indication and protection purposes. Examples include motor heaters, heat tracing,
lube oil heaters, starter motors, indicators and annunciators.
For any work (non-electrical or electrical) that requires electrical trace heating
isolation, the isolation shall be designed, risk assessed, conducted and tested by an
IsA Electrical LV2.

Page 161 of 361 Revision: B06

Table 30 - Minimum electrical isolation standards

Minimum Disconnect and

Voltage35 Isolation Label
Work activity prove isolation Earth Secure
level standard or Tag
IsA Level integrity

≤1000 V ac Full or
Non-electrical LV1 Yes Yes Yes
(1500 V dc) personal

>1000 V ac
Non-electrical HV Full Yes Yes Yes
(1500 V dc)

< 50 V ac Full or
Electrical LV2 Yes Yes
or dc personal

≥50 V ac or
dc
Full or
Electrical LV2 Yes Yes Yes
personal
≤1000 V ac
(1500 V dc)

>1000 V
Electrical HV Full Yes Yes Yes Yes
(1500 V dc)

Electrical
<50 V ac or Full or
(instrument Instrument Yes Yes
dc personal
and control)

Electrical ≥50 V ac/dc

Full or
(instrument <240 V ac Instrument Yes Yes Yes
personal
and control) (120 V dc)

14.18.2 Electrical disconnections

Disconnect the equipment, using one of the methods in listed in 14.18.2c from
every source of electrical energy before working on, or near, any part that is live or
is likely to be live.
Disconnect all ungrounded conductors. This includes ungrounded neutrals.
Additionally, where the work creates an ignition risk in hazardous areas, grounded
neutrals are disconnected. Where there is no facility to do so, the task is risk
assessed to agree controls to manage the risk of not disconnecting.
The point of disconnection shall be an air gap that can be secured in the open
position for example:
Racking a breaker or contactor out to create an air gap from the bus bar.
Fuse withdrawal.
Opening a link or disconnect terminal.

Page 162 of 361 Revision: B06

Cable disconnection. If cable disconnection is used to achieve neutral isolation,

see section 14.18.2.1 for additional precautions.
Removing a plug from a socket.
Using an isolator, switch, MCB or MCCB designed to an appropriate standard
for example:
• IEC 60898 Parts 1 & 2: Electrical accessories – circuit-breakers for
overcurrent protection for household and similar installations.
• IEC 60947 Part 2: Low-voltage switchgear and control gear - circuit
breakers.
• IEC 60947 Part 3: Low-voltage switchgear and control gear - switches,
disconnectors, switch disconnectors and fused combination units.
• IEEE C37.13: IEEE Standard for low-voltage AC power circuit breakers
used in enclosures.
• UL1066: UL standard for safety low-voltage AC and DC power circuit
breakers used in enclosures.
• UL489: UL standard for safety moulded-case circuit breakers, moulded-
case switches and circuit breakers.
• Other isolation standard Approved by the Site Electrical Leader.
Electrical work on control and instrument equipment <50V ac or dc, that does not
meet the standards in section 14.18.2c.6 (e.g. older types of disconnect terminals)
may be used if Approved by the Site Electrical Leader.
Electrical control devices such as push buttons or selector switches shall not be
used as a means of disconnection.
Electrical control circuits or devices shall not be used as the means of isolation for
the equipment they control.

14.18.2.1 Disconnection of neutrals

Neutral conductors are to be considered as live conductors. Depending upon the
earthing/grounding arrangement and condition, it is possible that neutral conductors may
be at any potential between earth/ground and line voltage. In some circumstances,
neutral conductors may appear to be at earth/ground potential, but disconnection may
remove the neutral connection to earth/ground. This may result in the neutral voltage
rising to a hazardous voltage.
When isolating a neutral, the isolation should be achieved via a disconnecting device
(see section 14.18.2), and then proving dead.
When a neutral disconnecting device is not installed and disconnection is achieved
by manual/physical cable disconnection, the following additional precautions shall be
taken before disconnection:
Treat as Energised Electrical Work if line voltage is >50V – see section 22.2.
Risk assess using an Energized Electrical Work Certificate, detailing the
following method:
a) Identify the location of the system neutral-earth connection
b) Prove dead all conductors (line and neutral)

Page 163 of 361 Revision: B06

c) If the neutral disconnection has the effect of separating any part of a

neutral-earth/ground circuit, then:
Verify that there is no current flowing in the neutral, for example using
a clip-on ammeter.
Install temporary earth/ground connection(s) to maintain earth/ground
connection (see section 14.18.5 for installing earth/ground
connections). An earth/ground connection is required between the
point of disconnection and any potential source of supply.

14.18.3 Cable disconnections

Where equipment has been isolated and removed, the risk of potential re-
energisation of the cable is mitigated as follows:
Where reasonably practicable, terminate the cable in a suitable termination box,
otherwise, the disconnected cable may be left capped, taped or ‘bagged’ in the
field, with the conductors either insulated or connected together to
earth/ground.
When the cable is going to be disconnected for more than one shift, record the
disconnection as an isolation point in the IDP.
Cable disconnection using a single IDP:
a) The electrical supply is isolated and recorded in the IDP.
b) A permit is issued for disconnecting the cable.
c) The disconnected cable is recorded as a separate isolation point in the IDP.
Use the amend isolation feature in eCoW to do this.
Cable disconnection using two IDPs:
a) The electrical supply is isolated and recorded in the IDP number 1.
b) A permit is issued for disconnecting the cable.
c) IDP 1 moved to ICC 1 for isolation in place.
d) IDP 2 for cable disconnection and permit 2 issued.
e) IDP 2 moved to ICC2 for isolation in place for cable and electrical supply.

14.18.4 Proving electrical isolation integrity

a. Treat all electrical conductors as live until proven dead.
b. Prove electrical isolation integrity for all isolations before work begins as follows:

14.18.4.1 Isolation integrity for non-electrical work

This type of isolation is only for work where there is no risk of contact with electrical
conductors.
Prove the isolation integrity by one or both of the following methods:
Visual confirmation of the isolation local to the equipment (such as a plug
removed from its socket, physically traceable to the equipment). This is
regarded as effective if the disconnection is made secure to prevent re-
energisation.
Demonstrating the isolation by operating a push button or other normal
operating controls. This is a positive demonstration using the following method:

Page 164 of 361 Revision: B06

a) Prior to isolation, the equipment should be energised (e.g. running or

otherwise visibly energised).
b) The equipment is then isolated and tested by attempting to start it (with all
stop controls and interlocks, or any other overriding control function in a
position to allow starting).
c) Following successful demonstration of the lack of start, leave all stop
controls and interlocks in position that will prevent starting.
If neither method can be achieved, use the isolation standard for electrical work, or
treat the isolation as non-conformant.

14.18.4.2 Isolation integrity for electrical work with proving dead

This type of isolation is used where there is a risk of contact with electrical
conductors, or where this Upstream CoW Procedure requires a ‘positive isolation’,
the electrical isolation shall be done to this standard.
The electrical IsA shall prove the isolation integrity by completing all of the following
steps:
demonstrating the points of isolation to the PA
demonstrating correct identification of equipment and isolation point by either
of the following methods:
a) Visual confirmation of the isolation local to the equipment (such as a plug
removed from its socket, physically traceable to the equipment).
b) demonstrating that:
• the isolation point, interconnecting cable, and equipment are
identified by unique, and permanently-fixed tag numbers,
• the tagging correlates between the isolation point, both ends of
the cable, and the connected equipment, and
• the tagging matches the tagging on the interconnection drawing.
proving dead at the point of isolation in cases where:
a) the air gap provided by the isolating device is not clearly visible, and
b) equipment design provides access through an engineered feature (e.g. this
may include a panel door but does not include equipment dismantling or
deconstruction).
proving dead at the point or points of work; the PA shall witness this test or
prove dead themselves (if they are competent to do so) before starting work on
any conductor.
Use an Approved live line tester to prove dead.
Prove the tester both before and after use.
Prove dead the conductor between circuit and earth or ground. Where there is
a neutral or the system is unearthed or ungrounded, also prove dead the
conductors between all of the circuit conductors.
After testing with an applied voltage, discharge a conductor to earth using
Approved discharging equipment. Once discharged, the conductor shall again
be proven dead.

Page 165 of 361 Revision: B06

Include proving dead activities as actions in the IDP. If the task of proving dead
at the point of work is covered by a separate permit, then include reference
number of the permit in the IDP.
An IDP with appropriate controls or a hot work spark potential permit shall
include proving dead of equipment.

14.18.5 Earthing or grounding

The term ‘ground’ tends to be used in US, and ‘earth’ used elsewhere. For the purpose
of this section, the terms are considered to mean the same.
Apply earths to electrical equipment in the following circumstances:
Prior to working on HV electrical conductors.
Prior to working on LV electrical conductors where there is a danger of re-
energisation (for example becoming charged from another source such as by
electromagnetic induction).
To discharge capacitors.
Include earths in the isolation design and record on the IDP. They are normally
applied at the isolation point. However additional local earths may be required if the
point of work is remote from the point of isolation.
Only apply earthing devices after all isolation devices have been opened and after
the circuit has been proven dead where practicable. In cases where the earthing
device is a ‘facility integral within arc-rated switchgear’, voltage indicators can be
used instead of proving dead.
If the electric circuit can be energised from more than one source, apply earths
between the point of work and each source.
Where equipment is earthed via a switch or circuit breaker, lock the earth
connection, where practicable. Apply the lock to operating handles or mechanical
trip push buttons.
An earthing notice shall be posted at the point where an earth connection has been
applied.
Use specifically designed earthing devices or leads to apply earth connections.
Avoid contact with conductors during application of earthing devices, for example
by:
using earthing devices integral within arc-rated equipment
using earthing bonds with insulated handles
where required to make bolted connections, first apply a temporary earth hook,
with insulated handle, to earth the conductors before completing the bolted
connection using insulated tools.
The earthing devices shall be rated for the available fault duty where the conductors
or circuit parts being de-energised could contact other exposed energised
conductors or circuit parts.
For switchgear, the correct operation of the earthing or grounding device, where
permitted by design, is visually confirmed after either applying or removing the
device.
Make the earth connection before attaching the earth bond to the conductors.

Page 166 of 361 Revision: B06

14.19 Instrument and control isolations

Instrument isolations may include process and electrical isolations and shall conform
to the associated standards as detailed here and in sections 14.14.1 and 14.18.1.
It is good practice to isolate all voltages wherever reasonably practicable. However,
the approach shall minimise overall risk and in the case of systems <50 V29 ac or dc,
this may be delivered by working live.
The following shall be applied as a minimum:
Isolate all pneumatic supplies to instrumentation and control equipment (for
example actuated valves, analysers, purge systems) as close as possible to the
device to be worked on (that is, either at a local isolation valve, at the nearest
header offtake or the distribution manifold).
Disconnect and tag the supply tubing at a suitable location.
Isolate all hydraulic supplies to actuated valves as close as possible to the
device to be worked on.
Disconnect, cap and tag the supply tubing at a suitable location.
Where hydraulic supplies to actuated valve disconnection is not reasonably
practicable or where it introduces a higher risk (e.g. due to contamination, air
ingress) then either:
a) use a double block and bleed configuration on the hydraulic supply, or
b) class the isolation non-conformant.
When a DBB isolation is required (see Table 27), it is permissible to use a
combination of the pipe-class isolation valve at the process line/equipment and
valves/manifolds local to the instrument.
When a DBB isolation is required (see Table 27) but not available, it is
permissible to use single valve isolation for small bore (≤ 20mm, ¾in30) piping
and tubing connections to instrumentation provided that all risks are addressed
in the task risk assessment or the IDP.
When you need to test, or work on, or close to energised instrumentation
circuits, consider and control the following hazards:
a) Electric shock from instrumentation circuits operating <50 V29 ac or dc is
relatively low risk and work may proceed without an energised electrical
work certificate
b) Ignition from an accidental spark
c) Injury from an electric arc is low. However, the individuals carrying out the
work shall be competent and use Approved test equipment and tools
d) Process upset or trip during the work.
When removing instruments, use rated caps, plugs or blanks on open
connections.

14.20 Automation systems

Electrical isolation of automation system components and sub-systems shall be
performed following the principles detailed in section 14.19. Isolations will normally
be performed using plugs, fuses, MCBs or MCCBs.

Page 167 of 361 Revision: B06

An ORA shall be carried out when isolating all or part of an automation system that
creates or has the potential to create an abnormal operating condition.

14.21 Well equipment specific isolations

For all isolations on well equipment, BP Practice Well Barriers (10-65) (100222) shall
be followed.
A well barrier is an envelope of one or more dependent well barrier elements (WBEs)
that prevent fluids from flowing unintentionally from the formation or well into another
formation or to the surface.
Isolation of the well from the process plant shall be controlled through an IDP and
ICC and will include the flow line isolation valves and, where applicable, the wing
valve (e.g. where there are no plans to remove it). Hydraulic supplies or control to
the upper master valve (SSV) and the downhole safety valve (SSSV) are normally
handed over to GWO and not included in the ICC.
This isolation is implemented and controlled by GOO. It is normally removed when
the activity has concluded and the well has been handed over back to GOO, except
for some well intervention activities requiring the well to flow back to the plant. In
these cases, the sanction to test (STT) process is used to request and authorise de-
isolation.
The operation of the Christmas tree and wellhead valves that are not part of the IDP/ICC
because they need to be operated during well intervention shall be managed through a
risk assessed procedure for the task. These are typically the swab valve, the upper
master valve and the lower master valve but can also include wing or annulus valves for
specific GWO activities.
Valves requiring prompt access for emergency or operational purposes during well
work activities do not require to be locked. In such a case, the following shall be
applied:
Document in the permit or RAP the operational steps for these valves.
The operator of the valves is competent in the task and the requirements in the
permit or RAP.
Tag the specific valves involved in the emergency/operational process to
remain open or closed during the task execution.

14.21.1 Breaking containment in well operations

In well operations, the isolation methods for breaking containment are applied and
verified to their respective acceptance criteria table (ACT) described in BP Practice
Well Barriers (10-65) (100222).

14.21.2 Mud pits and rig floor isolations

For isolations and de-isolations required for CSE to a mud pit, the following shall be
done:
Develop an IDP that identifies all isolation and de-isolation points, including fluid
transfer and supply lines.
When the IDP cannot meet the CSE requirements of section 15 of this
Upstream CoW Procedure, classify the isolation as non-conformant.
Record and monitor the isolations integrity as defined in the IDP.

Page 168 of 361 Revision: B06

For isolations required for rig and drill floor operations involving multiple energy
sources such as electrical, hydraulics, air and drilling fluids, you shall:
identify during risk assessment the mud systems and fluids content to be
isolated
include all isolation points for a full isolation in an IDP
include all isolation points for personal isolations in a RAP or permit.

14.21.3 Slip and cut activities in global wells operation

When a drilling line needs be replaced due to fatigue, a new line is unspooled from
the storage reel and slipped through the crown block, traveling block sheaves and
draw works spool. The excess is cut off and discarded.
During this operation, the driller has sole control of the draw works. The slip and cut
isolation method and task execution strategy are defined in the RAP by GWO in the
region for each type of equipment. This usually involves the AA, WSL and Wells
Superintendent.
The minimum isolation requirement for this task to prevent unwanted draw works
rotation is personal isolation, and can include:
disabling control screens/ select stand-by mode or equivalent
switching to slip and cut mode, or Movement Inhibiting Procedure as a way of
preventing unwanted movement
isolating associated energy sources, utilizing personal isolations placed by the
respective Isolator discipline.

14.22 Requirements for the use of CAT A & CAT B butterfly valves
When there is no alternative to using butterfly valves due to rig, or marine vessel
design, use a risk assessment to manage the hazards and controls in place for
working on equipment that includes CAT A or CAT B butterfly valves as part of an
isolation.
If the following criteria are met, then the risk assessment can either be included as
an action within the IDP or hazards and controls in the TRA for the task:
The system pressure is less than 1026Bar (150 psig).
The butterfly valve does not have any known integrity issues and isolation
integrity can be proven. The method of proving integrity will be identified by an
action if the butterfly valve is incorporated within an IDP or as a specific control
within a TRA if used as part of a personal isolation.
PBU monitoring is identified within the IDP, permit, or LRP.
The risk assessment includes a contingency plan, which will be identified
within the TRA when a butterfly valve is used for a personal isolation or as part
of the contingency plan in step 4 of an IDP when a butterfly valve is used
within a full IDP.
The TRA covers the hazardous nature of the fluid (e.g. fluid type and toxicity).
When butterfly valves are used for isolation of a system containing sea water,
potable water, or sewage grey water, and when the risk assessment includes the
criteria described in 14.22.(b) 2-5 above, a limit of <50 barg31 can be applied.

Page 169 of 361 Revision: B06

14.23 Non-diving subsea isolations

Isolations for non-diving subsea operations differ from topsides isolations. The risk
assessment shall consider the consequence of both ingress of seawater as well as
discharge of the process fluid to the environment.
Subsea Well P&A activities, deconstruction and decommissioning may require
permanent modification or long-term isolations. Any isolation shall be compliant with
the isolation requirements established by this document (including long term
isolations). This applies to all Upstream operating functions (GWO, GPO, GOO).
GWO breaking containment isolations shall be managed under the applicable BP
Practice Well Barriers (10-65) (100222).
All subsea isolations shall be Level 2 risk assessed, as part of the IDP. Isolation
requirements described are for CoW activities occurring downstream of the wing
valve on the subsea tree to the pipeline pig trap. Examples of operations that
require isolations are as follows:
Removing a jumper.
Horizontal or vertical tree choke change-out.
Subsea control module change-out.
Removing pressure caps from a subsea manifold.
Removing or replacing (or both removing and replacing) ancillary subsea
equipment (e.g. flow meters, chemical injection meter valves, logic caps).
Removing control flying leads (includes chemical, hydraulic and annulus
monitoring lines).
The requirements for tree cap removal isolations are defined in BP Practice Well
Barriers (10-65) (100222)
Typical subsea isolation arrangements in BP subsea fields are listed below. For each
one, the approval is based on the residual risk identified during the Level 2 TRA:
• Double block (both tested) with pressure monitoring.
• Double block (both tested) without pressure monitoring.
• Single valve isolation, with two valves in series (one not tested).
• Single valve (tested).
• Tested combinations of self-sealing poppets and valves.
• Tested pressure plugs.
• Tested pressure caps.
• Tested debris caps.
Table 31 shows the common valve types that may be considered for isolations
when the Level 2 TRA risks are Approved.

Page 170 of 361 Revision: B06

Table 31 - Commonly used devices for subsea isolations

Type Intervention

Slab/gate All

Ball All

Needle All

Poppet SCM, flying leads

All = All interventions including breaking containment of main process piping.

SCM, flying leads = Removal of subsea control module or flying leads for non-hazardous
fluids.

The valve shall be manual, locked-out actuated fail ‘as is’, or a locked-out actuated
failed closed type.
In subsea isolations:
Non-return valves, check valves, and choke valves shall not be used for
isolation to prevent fluid movement.
Dummy hot stabs shall not be used for isolation, unless the design of the hot
stab sealing system meets the requirements of the fluid to be isolated.
The acceptability of valves being used for subsea isolation depends on the level of
residual risk identified during the Level 2 TRA. To determine the level of residual
risk, consider the following:
Failure rates on valve failures shall be based on industry/vendor data.
Valves that are actuated remotely and fail in a closed position can be software
inhibited within the master control system provided an increased likelihood of
failure is considered.
Valves that have been tested but are subsequently opened and closed one time
prior to performing an intervention may be considered as isolations providing an
increased likelihood of failure is considered.
Testing of isolations with a reverse differential pressure test will only be
acceptable for positive sealing valves (i.e. if the seal is mechanically energised
such as needle valves).
Trapped pressure between two isolation valves at a pressure higher than the
fluid being isolated may decrease the likelihood of failure of the isolation when
only one valve can be tested in the direction of flow. However, the risk
assessment shall be based on only single valve isolation.
Certain valve types may be subject to unseating after testing because of
changes in pressure within the valve cavity or, for hydraulically actuated valves,
changes in hydraulic pressure. Interventions planning would take this into
account and address this risk through a procedure.
The following minimum testing requirements shall be considered:

Page 171 of 361 Revision: B06

Two independent isolations shall be established before intrusive works can

commence and where possible, both are tested in the direction of potential
hazard flow. This can be achieved with either a positive or a negative test.
The required differential test pressure is the maximum that may exist between
the ambient pressure and the internal process fluid during the intervention. The
differential test pressure is established taking into account changes as a
consequence of temperature effects, shutdowns, startups, and varying
operating conditions.
If an isolation cannot be tested to the maximum differential pressure, the test
is conducted to the highest practical differential pressure at the time of the test
in the direction to which it could be exposed. The theoretical effect of
increasing the differential pressure on the sealing performance shall be
accounted for when assessing the acceptability of a lower differential pressure
test.
The allowable pressure test acceptance criteria shall be defined for each
assembly or defined for individual tests required on a variety of components or
features. Refer to BP Practice Well Barriers (10-65) (100222) and BP Practice
Pressure Testing (10-45) (100218) for specific acceptance criteria.

14.24 Diving operations isolations

Diving operations have specific isolation requirements; for more information refer to
BP Practice Diving (100241).
If you are supporting a diving operation, you shall do the following, as far as is
reasonably practicable:
Remove all hazardous materials from inside the system that is being worked
on.
Put mechanical barriers in place to isolate the system satisfactorily from any
potential source of energy.

14.25 Boundary isolations and when to use them

The term boundary isolation is often used to describe the complete isolation of a process
unit at the battery limit. In Upstream, a boundary isolation can also mean the isolation of
one or more systems within the process unit.
Boundary isolations are typically used for large-scale plant maintenance shutdowns or
TARs.
Boundary isolations may be used when the full inventory of hazardous materials
(see Table I.1) are removed or evacuated from the complete system within the
boundary isolation.
The boundary positive isolation may be used as the main isolation to enable multiple
tasks to be executed efficiently under the boundary control.
When boundary isolations are applied and used, they shall conform to the following:
They are positive isolations.
The full inventory of hazardous process fluids, or hazardous utilities fluids have
been removed from the complete system.
Tasks within an existing boundary isolation are assessed to help decide if
additional isolation is required (for example if there is potential of trapped

Page 172 of 361 Revision: B06

pressure within the systems). When this is the case, raise a separate ICC for
the task.
Isolations for CSE within the boundary isolation meet the requirements in
section 15 of this Upstream CoW Procedure and are positively isolated with
their own ICC.
Leak testing within the boundary isolation meets the requirements of this
Upstream CoW Procedure.
They cross-reference all related permits to work and additional ICCs within the
boundary isolation to the boundary ICC.
Only remove boundary isolations when all work within the boundary is
completed.
If work on a piece of plant or equipment within the boundary isolation is to be
suspended, a separate specific isolation is applied, and an ICC confirmed and in
place before the boundary isolation is removed. Examples of plant and
equipment in this situation could be piping, vessels, mechanical or electrical
equipment or valves. An example of having to suspend work would be due to
waiting for spares to arrive.
Verify that any equipment within the boundary isolation is left in a safe
condition and isolations in place meet the isolation standard.
Include the integrity monitoring and verification checks of isolations in planned
visits where a boundary isolation includes:
a) an NUI, or
b) remote unattended sites, or
c) both.
The frequency and requirements of the monitoring shall be included within the
IDP and risk assessment
Assess any additional tasks on systems or equipment that are already part of a
boundary isolation to consider any requirements for applying additional
isolations and controls.
In practice, the geographical area of a boundary isolation may contain live
pipework, such as utility systems that feed the adjacent plant. Clearly mark
these areas with live pipework and make sure everyone working in the area is
aware of it.
If a positive boundary isolation is not achieved, the isolations within that system are
required to conform to the process isolation standards in Table 27. If isolations do
not conform with these standards, follow the non-conformant process.

14.25.1 Boundary isolations with active bleed (e.g. TARs)

For TARs only, when using a boundary isolation on a system within the process
unit, and when it is not reasonably practicable to use positive isolation, credit may
be given for DBB if all the following requirements are met:
The bleed is left open to a safe location. In this context, a ‘safe location’ is one
that has minimal potential for back pressure or contamination.
14.25.1(a)1 above intends to minimise the risk of the downstream valve in the DBB
arrangement, seeing any pressure rise due to an excursion in the system being used as

Page 173 of 361 Revision: B06

a vent location (e.g. use a flare system which is designed to operate at low pressures
even when another system is venting into it).
The bleed is monitored to Verify that zero energy is reaching the downstream
valve in the DBB arrangement.
All other necessary controls are in place to manage hazards associated with the
work that is going to take place downstream of the DBB (e.g. full inventory
removed, flushed and purged, atmospheric monitoring, area barriered off,
drains covered, fire watcher).
Work taking place downstream of the DBB is not CSE, or HWOF.

14.26 Cross-site boundary isolations

On some sites pipes, cables, drains or communication connections cross the site
boundaries (BP or third party). If an isolation is required on any of these systems, they
are classed as cross-site boundary isolations.
If a cross-site boundary isolation is required, a formal process for communicating
and controlling the isolation shall be used and a cross-site boundary certificate
completed. Either party shall request, in writing, the other for cross-site boundary
isolation.
The isolation shall conform to both parties’ CoW procedures. Both sites have
previously agreed and documented the details of these, typically in contracts or
agreements. Each party will apply a lockout device as specified in their CoW
procedure. The isolation will remain in place and be revalidated by both parties until
both sites Verify and certify that the required work is complete, in a safe condition
and the system may be de-isolated.
The cross-site boundary isolation certificate does not authorise work. All work shall
be controlled through the site’s CoW system.

14.27 Isolating radioactive sources

Radioactive sources are sometimes used within instrumentation on BP facilities.
Sources consist of radioactive samples contained in a shielded box. Typically, the sample
itself is a small piece of radioactive substance encased in double-wall stainless steel
cladding, resembling a medicinal pill in size and shape. The source may be locked out for
testing and maintenance only, by dropping a metal shutter over the “window” of the
box.
Sites that use radioactive sources shall have the risks associated with the source
managed by a competent person, typically known as the radiation protection
supervisor (RPS).
The IsA Instrument, shall design and implement the IDP.
The RPS shall:
countersign the IDP to verify it meets relevant radioactive source legislative
requirements
be present when a radioactive source is isolated in the field, to verify IDP
conformance.

Page 174 of 361 Revision: B06

14.28 Long-term isolations

Long-term isolations (LTIs) are defined as those isolations that no longer have work
performed against them but are required to remain in place.
Isolations are moved to LTI if they are in place with no active or scheduled work.
Before moving an isolation to LTI, the AA shall do the following:
Record why the item is being isolated for a long-term period, for example:
a) waiting on parts or materials
b) equipment is being taken out of service for a period
c) the equipment is redundant, abandoned-in-place or awaiting demolition.
Consider the effect of the LTI on preservation of equipment (for example anti-
condensation heaters for motors, loss of trace heating in sub-zero conditions,
standing alarms, corrosion inhibition, inerting or barring over of rotating
equipment).
Consider the risks associated with PBU frequency checks when in LTI. For
example:
a) Was there any evidence of PBU whilst the isolation was ‘live’?
b) Has there or is there likely to be any significant changes in process
conditions while the LTI is in place (e.g. temperature, pressure, flow rates,
specific gravity)?
c) Is the isolation non-conformant?
Record how long the isolation is expected to be in place before it can be
de-isolated, or work can re-start on it.
Verify that the permit assigned for the work is closed.
Verify that any positive isolations have a broken joint tag to show joint make-up
was torqued and leak tested.
The ICC is then moved to LTI where it will remain in the LTI database until it is
re-activated.
Positively isolate any LTI.
Where positive isolation is not possible, the LTI is classed as non-conformant and a
Level 2 TRA carried out to determine and manage the associated risk.
LTIs that remain in place shall undergo an engineering review after 180 days.32 The
requirements for further reviews are risk based with a minimum of annually. This
reviews the effectiveness of isolations in place, considers how risk may change
over time and considers if the isolation can be replaced by application of a
permanent modification, controlled by an eMoC. The review is led by the Site
Engineer, involving relevant discipline engineers, and SA or AA. It is not a field
inspection of the isolation but a review of the list of LTIs to review risk and possible
engineering solution to remove.
The IsA shall complete an LTI field verification every:
90 days33 for non-conformant isolations
365 days33 for conformant (positive) isolations.
The LTI field verification is checking each isolation point and confirming:

Page 175 of 361 Revision: B06

the tag is legible and attached

the isolation is in the correct state
PBU checks detailed in IDP have been completed
PBU checks are typically not needed when system is positively isolated.
The LTI database in eCoW is up-to-date, with verification records correct using
signatures tab in IDP.
Before moving an isolation from LTI to isolation in place (for example to authorise a
permit to work), the AA verifies:
all isolation points are in place
zero energy by conducting a PBU check
integrity of electrical isolation at point of work as per sections 14.18.4.1 or
14.18.4.2.
These verifications can be recorded using the countersignature feature within eCoW.
LTIs created during commissioning shall be documented as part of the
commissioning, energisation and isolation procedure of equipment and plant and
then transferred into eCoW before handover to GOO.

14.29 De-isolating
The AA specifies an appropriate set of pre-startup checks in accordance with section 20.
Before authorising de-isolation, the AA verifies:
all permits linked to the IDP are completed
there are no SIMOPS that could introduce significant hazards
a worksite visit has been completed to confirm that the operating equipment or
plant is ready for de-isolation, including:
a) confirmation of plant integrity before removing isolations
b) consideration of the effects of removing the isolation and re-starting plant
on other isolations and systems
c) consideration of substances that can build up behind the blank or spade if
a valve leaks
d) Checking of vents or drains before the spade or blank is removed. If a leak
is detected behind the isolation, shut the vent or drain and stop work until
a safe system for the removal is in place.
there are no other permits linked to the ICC before authorising de-isolation
an Ex or ATEX inspection has been completed for electrical equipment in
hazardous areas if any work may have affected an equipment’s hazardous area
protection integrity.
that de-isolation is carried out in accordance with the IDP.

Page 176 of 361 Revision: B06

15 Confined space entry

BP policy is to avoid confined space entry (CSE) wherever reasonably practicable. It
is the role of those planning the work to minimise the need for CSE and provide
alternate means of performing the work.
CSE occurs as soon as any part of the entrant’s body breaks the plane of an opening
into a confined space.
A space is classed as confined if it meets all the following three criteria:
is large enough for an individual to enter fully
has a limited or restricted means of entry or exit
is not designed for continuous occupancy by the individual.
Table 13 has examples of confined spaces.
Not every excavation or enclosed space is a confined space. Use the CSE register
to check if an enclosed space is a confined space or not. For excavations, the
ground disturbance certificate states if the excavation is a confined space or not.
A confined space may also have the following characteristics:
• it has physical and mechanical hazards or internal configurations or obstructions
that could cause someone to be trapped or asphyxiated.
• it contains or has the potential to contain a hazardous atmosphere.
• it contains a material that has the potential to engulf a person who enters the space
(for example a molecular sieve or a catalyst).
• it has an internal configuration such that the person who enters it could be trapped
or asphyxiated by inwardly converging walls or by a floor that slopes downwards
and tapers to a smaller cross-section.
• it is not designed for people to enter and work in regularly. For example, a food
storeroom would be designed for regular entry, but a boiler or crankcase would not.
• it is designed to store bulk cargo products, enclose materials and processes or
transport products or substances. However, employees may need to enter these
spaces occasionally for inspection, maintenance or cleaning.
• it does not have enough natural ventilation for someone to breathe normally.
• before someone can safely work in it, it requires forced mechanical ventilation for
general ventilation purposes, or LEV where tasks in the confined space generate
contaminants.

Page 177 of 361 Revision: B06

15.1 Confined space isolation

Positively isolate the confined space by disconnecting, blinding, or spading from any
live energy source including all permanently connected utilities, completely
protecting against the release of energy and material into the space.
Positively isolate all electrical sources of energy to the confined space.
Remove or positively isolate any nucleonic devices before allowing a CSE.
Consider the isolated position of vents, nozzles and drains as part of the risk
assessment. For example, they may need to be left open while a level bridle is
drained and removed, but isolated (blanked or blinded) once the bridle is taken away
to reduce the risk of any other materials inadvertently entering the space.
Any rotating or reciprocating moving equipment inside the confined space shall be
electrically isolated and made secure against unplanned movement.
For GWO mud pits or tanks, pump pits, sumps, drains, or other utility systems
where a positive isolation is not reasonably practicable, conduct a Level 2 TRA and
have an IDP identifying all isolation points, including fluid transfer and supply lines or
ducts.
When valve isolations cannot meet the standards in Table 27 and Table 30, they
are classed as non-conformant; monitor them for integrity over a period defined in
the isolation plan.

15.2 Risk assessment of a confined space

Confined space entry shall have:
a Level 2 TRA for entry to a confined space
a separate TRA for each task to be executed within the confined space; these
can be a Level 1 TRA or Level 2 TRA depending on the task
a specific ERRP, see section 18.5.7 for more details
Live-Live link in the eCoW system so that the task permit cannot be issued
unless the CSE permit is live.
The risk assessment shall:
consider the hazards listed in sections 15.2.1, 15.2.2, 15.2.3 below
in combination with the TBT, be suitable and sufficient for all entrants to
understand the hazards and controls associated with working in the confined
space.
Where sites require specific additional training for entrants, this shall be detailed in
the LIP.

Page 178 of 361 Revision: B06

15.2.1 Process hazards

Table 32 - Process hazards

Process

1 Toxic substances in hazardous concentrations (e.g. hydrogen sulphide (H2S), benzene, hydrocarbon, mercury
vapours, welding fume that remain from the process or enter from outside the confined space).
2 Flammable gases, vapours and liquids from inside the confined space, from outside it, or both.
Consider the density of the contaminants that may accumulate in low points.
3 Gas or vapour emitted from scale or sludge, particularly resulting from mechanical disturbance during access
or cleaning or due to the heat from welding operations.
4 Gases from fire protection systems such as CO₂ or halon.
5 Naturally occurring radioactivity: A Radiological Protection Supervisor checks any confined space that might
normally contain NORM.
6 Pyrophoric scale formed in systems.
7 Residue or sludge removal considering (e.g. biological contaminants, combustible materials, toxic gases or
vapours, paints (cadmium), plating (chromium, nickel, copper, and zinc), degreasers, NORM, moulds).

15.2.2 Worksite hazards

Table 33 - Worksite hazards

Worksite

1 Mechanical equipment in the space.

2 Ingress of steam, hot water or other liquids that can cause scalding or drowning.

3 Nearby deluge system activating.

4 Noise and communication difficulties.

5 Access and egress for both work and rescue.

6 Vessel boots and sumps containing liquid that anyone could fall into.

7 Temperature.

8 Inadequate visibility: provide lighting to allow anyone wearing full PPE can find his or her way between the
worksite and the exit without difficulty.
9 Electric shock or ignition of flammable gases from portable lights, tools, static electricity or associated
electrical equipment.
10 Poor access and egress restricting movement for normal work and escape. Individuals will need to be able to
enter and leave the CSE opening comfortably while wearing PPE.
11 Fumes entering the space (for example from drain or vent systems).

12 Obstructions and tripping hazards inside vessels and on access or egress routes. Where they cannot be
eliminated, mark them and, if possible, shroud them so that the work party, wearing full PPE for the task, will
recognise their location and the nature of the hazard.
13 The routing of items such as cables, ducts, hoses within the vessel and does not obstruct access, egress or
work at the worksite.
14 Falling objects or excavations collapsing due to inadequate shoring.

15 Exhaust gases drawn into the confined space from prime movers or heating equipment.

Page 179 of 361 Revision: B06

15.2.3 Task hazards

Table 34 - Task hazards

Task

1 Ergonomic hazards associated with awkward working positions.

2 Vibration from hand power tools.

3 The possibility of static electricity build-up.

4 Injury from mechanical equipment such as mixers, conveyors.

5 Noise from ventilation equipment, adjacent processes or the task being undertaken.

6 Introduction of flammable products such as aerosol dye penetrants used in non-destructive testing.

7 Gas, vapour or fumes produced by operations being carried out in the confined space such as welding and
cutting, brush and spray painting and the use of adhesives, penetrants and solvents.

8 Compatibility between worksite hazards and PPE (e.g. use of Self-contained Breathing Apparatus (SCBA) and
limited access).

15.2.4 Oxygen hazards

Dangerous situations can arise from oxygen-enriched atmospheres. Take
precautions to avoid oxygen enrichment. In particular:
keep oxygen cylinders outside the confined space where reasonably practicable
isolate oxygen supplies outside the confined space during work breaks
remove hoses supplying oxygen from the confined space during work breaks
never use oxygen to sweeten or enrich the atmosphere of a confined space
adequately ventilate the confined space at all times.
The specific dangers of working in oxygen-enriched atmospheres cannot be over-
emphasised. Oxygen enrichment can happen by oxygen supplies leaking or by oxygen
building up during oxygen-rich flame cutting processes.
Enrichment of only a few percent will make materials that would normally only burn
slowly or with difficulty, burn fiercely – with catastrophic results for people in the
confined space.

15.3 Preparing the confined space

Preparations shall include:
emptying the space of its normal contents and then purging it of residue by hot
or cold water flushing, nitrogen purging, steaming, or chemical cleaning, or
other Approved methods.
air-purging the space of potentially harmful gases prior to entry, except for
intentionally inert atmospheres.
placing ‘Danger – Confined Space Do Not Enter’ signs and guardrails at
entryways and placing air movers in accordance with a ventilation plan.
disconnect, blind, isolate or remove any temporary hook-up or purge
connection to the confined space (except for intentionally inert atmospheres).

Page 180 of 361 Revision: B06

atmospheric testing by an AGT1 to CSE entry criteria defined in section 24.

keeping access and egress ways unobstructed. Do not use them for objects
such as hoses and cables.
having an Approved ERRP available at the TRA. Any specialist recovery
equipment required is available and ready to use.
protecting all electrical supplies, tools and lighting with earth limiting circuit
breakers, RCDs or GFCIs.
avoiding placing transformers within a confined space as they have significant
stored energy.
providing the CSEA with an emergency shutdown (ESD) button that is within
arm’s reach when blasting or jetting equipment is used.

15.4 Lighting the confined space

When lighting is required, either provide two independent sources of lighting, or one
with a battery backup to allow evacuation of the CSE in the event of power failure.
Before a confined space has been declared gas free, use torches that are suitable
for the area classification (zone 0 or class 1 zone 0 or class 1 division 1103).
When the confined space has been certified gas free (<1% LEL18) and is being
made ready for work either use:
Lighting (at voltage <50 V ac or dc, air driven), provided it meets the following
criteria:
a) Certified for zone 1 or class 1 zone 1 or Class 1 Division 1103.
b) At least one light has a battery backup, or a certified flashlight provided as
a backup.
c) Cables that are suitable for the duty and mechanically protected.
d) All supply transformers (or AC to DC power supplies) are placed outside of
the confined space.
110 V / 120 V lighting may be used if Approved by the Site Electrical Leader,
provided it meets all of the criteria in 15.4c.1plus the following:
a) The cables and light fittings are not installed in entry ways being used for
access or egress to the confined space unless suitable protection is
provided.
b) Cables, cords and lights are secured to prevent damage or submerging in
liquids.
c) Voltage levels are limited to 120 V ac grounded neutral (US) /110 V ac
supplied via a centre tapped earthed transformer.
d) The circuit inside confined space has ground fault circuit interrupter (GFCI)
or residual current device (RCD) personnel protection (where voltage levels
to earth have been reduced by using a centre taped earthed transformer
with double pole protection.
e) Inspect cables and lights before use. Immediately de-energise and remove
any damaged equipment.

Page 181 of 361 Revision: B06

15.5 Confined space ventilation

General or dilution ventilation can be provided by natural airflow or mechanical airflow
pushing air into a confined space. LEV is a system which relies on mechanical extraction
airflow.
For work inside a confined space, where actual or potential atmospheric hazards
exist, a ventilation plan, Approved by the HSE team is required.
Dilution ventilation can be used for maintaining the oxygen levels, the thermal
environment and for non-toxic contaminant dilution.
The TRA shall consider LEV to remove hazardous substances at source for any
tasks conducted inside the confined space (e.g. welding, cutting, chemical
application).
When considering the ventilation method, take account of the following:
The layout of the space.
The position of openings.
Air flow restrictions.
Equipment components in the confined space (for example brackets, trays,
pipes).
Maintenance or construction materials erected in the confined space (for
example tube and clamp scaffolds, scaffold boards).
Obstructions in the make-up air manway (for example the attendant, weather
enclosures around manways, local exhaust ducts, welding cables).
Insufficient number of make-up air man-ways. It is best to have at least one
makeup air manway for each air-moving device.
Local exhaust ventilation (LEV) and/or respiratory protective equipment (RPE)
may be required for certain tasks generating toxic substances in the confined
space
The effectiveness of the ventilation system is verified before entry to a confined
space, at the start of the task and periodically for the duration of the task. The
verification includes:
Airflow checks using an anemometer and calculation that air changes are
adequate for general ventilation
Capture hood face velocity checks using an anemometer and, where
reasonably practicable, system pressure checks, for LEV utilised as a control
measure for tasks in the confined space.
Measuring the concentration of hazardous substances in the confined space.
Once established, maintain ventilation in the confined space throughout the
operation, except as required:
for atmospheric testing
by agreed operational requirements such as welding where the airflow from
the ventilation may affect the weld quality.
Pressurised air or oxygen shall not be used directly to ventilate a confined space.

Page 182 of 361 Revision: B06

15.5.1 Mechanical ventilation

Some confined spaces require mechanical ventilation to provide sufficient fresh air to
replace the oxygen that is being used up by people working in the space, and to dilute
and remove gas, fumes or vapour produced by the work. This can be done by using
blowers, fans, ejectors or eductors to provide an adequate supply of fresh air to replace
the used air.
Draw fresh air from a point where it is not contaminated by used air or other
pollutants.
Route extract ventilation away from possible sources of re-entry, and to a place that
will not create additional risks. In all cases trunking, hoses or ducting are introduced
at, or extend to, the bottom of the vessel to help remove heavy gas or vapour and
for effective circulation of air.
Airline or trunking shall not, where reasonably practicable, hinder access to or
egress from the space.
Set up ventilation in such a manner that it will not push or pull contaminants such
as:
gases or vapours circulated from the confined space
exhaust fumes from generators, air compressors and vehicles
atmospheric bleeds
gases and fumes from hot work outside the vessel (e.g. metal fumes, carbon
monoxide)
paint and cleaning solvent vapours
silica, or dust from adjacent blasting operations
lead from paint removal work
asbestos or insulation work
nearby process sources.
Verify any contaminants remaining in the recirculated makeup air are <10% OEL104.
Ventilation equipment shall have the appropriate classification for the hazard or
hazards of the space and location used.
Equipment used in a hazardous atmosphere shall be bonded and grounded (earthed)
as necessary to prevent the accumulation of static electricity.
For ventilation system design, consider the following:
Keep duct runs as short as possible. Long runs of duct reduce airflow.
Airflow losses can be minimised by using smooth ducting with large radius
bends (elbows). However, flexible ducting is more commonly used for
temporary ventilation systems. Flexible ducting tends to collapse at sharp
bends therefore make this duct run as straight as possible.
Fans are often hung on vessel flanges with wire. The short-circuiting of airflow
that results when air passes through the gap between the fan and the flange
can be eliminated by tightly securing the fan with a bolted clamp or by sealing
the gap with tape.

Page 183 of 361 Revision: B06

Where the fan is air powered, it shall be driven by an air supply independent of
that used for air-powered tools. If this is not reasonably practicable, Verify the
air flow is adequate to operate the tools and the fan.
Numerous workers using air-powered equipment driven by the same compressor or
source can slow down the fan.
These factors can result in a reduction of air pressure at the air moving devices by as
much as 50%. Guidance on measuring the airflow can be found in Annex K.
For complicated spaces where several pockets of gas or vapour might collect, a
more complex ventilation system may be needed to provide thorough ventilation.
Forced ventilation or ventilation providing a combination of exhaust and supply of
fresh air may be more effective.
Periodic checks of pressure and airflow are made to Verify the efficiency of the
ventilation system.
The following types of areas do not typically require the use of mechanical ventilation:
• Large, open roof tanks.
• On top of floating roof tanks.
• Open top excavations.
• Open top valve/line pits.
• Large exchanger shells.

15.5.2 Local exhaust ventilation

Local exhaust ventilation (LEV) may be required for removal of hazardous
substances generated at source inside the confined space. Consider LEV where:
air contaminants are hazardous to health
dusts or fumes are generated
emission sources are near the workers' breathing zones
there are only a few emission sources.
There may not be enough room to have multiple LEVs. If this is the case, then use
general ventilation, but the workers will have to wear RPE to remove toxins (e.g.
from welding).
The LEV design depends on the contaminants and the task being managed and shall
consider the following:
A hood that captures the contaminant at the source. The hood size and air
velocity at hood depend on the task and contaminant (for example welding with
airflow of 0.5m/sec (100 ft/min)36 at the duct capture hood).
Ducts that transport hazardous substances through the system. The transport
velocity is sufficient for the contaminant to be removed.
An air cleaning device that removes the contaminant from the moving air in the
system.
Fans that move the air through the system.
An exhaust through which the contaminated air is discharged.
Once established, maintain LEV in the confined space throughout the operation,
except as required:

Page 184 of 361 Revision: B06

for atmospheric testing, or

by agreed operational requirements such as welding where the airflow from
the ventilation may affect the weld quality.
For more information on LEV use see regulatory guidance (e.g. HSG 258 LEV
guidance and welding fumes)

15.5.3 Cold work in confined spaces

Ventilation airflow for cold work in a confined space shall be considered acceptable
if it is between 8 and 2037air changes per hour. During the risk assessment, decide
the exact airflow considering the size of space, work to be carried out, and number
of people who will be in the space, and available airflow as key factors.

15.5.4 Hot work in confined spaces

As a general guide, 2037 air changes per hour, or a full air change every 3 minutes, is
recommended to control potential build-up of non-hazardous gases, vapours or
other contaminants.
For HWOF, 57m3/min (2,000 ft3 /min)38 of air from a clean source is recommended
for each welder or HWOF worker. Adequate ventilation shall be provided even if
welders are using respiratory protective equipment (RPE).
The optimal air change rates, in a and b above, may not be possible because of
equipment limitations (for example very large size) or task considerations (for
example interference with welding inert gas). The ventilation plan shall use other
controls to provide adequate protection of the workers such as respiratory
protection, local exhaust ventilation, continuous gas monitoring and monitoring for
hazardous substances.
While HWOF is being carried out in a confined space, LEV is used to extract fumes
and shall have a minimum airflow of 0.5m/sec (100 ft/min)36 at the duct. The duct is
positioned between 1 and 1.5 duct diameter from the hot work.

15.6 Managing entry to a confined space

The AA shall normally act as supervisor for a CSE and Verify conformance to this
procedure.
Where local regulations require, a supervisor with specific CSE competence would
manage the CSE and in this case would not need to be an AA (e.g. OSHA
regulations in GOM).
Everyone entering a confined space shall do the following:
Understand the conditions required by the CSE permit and any associated
permit to work.
Know and recognise the hazards they may face during entry, including signs or
symptoms, and consequences of exposure to any hazard.
Inspect, test and properly use equipment and protective devices.
Comply with any personal exposure monitoring requirements.
Maintain communication with the confined space entry attendant (CSEA) to
enable the attendant to monitor the individual’s status.
Alert the attendant if an unsafe condition exists or when symptoms of
exposure appear.

Page 185 of 361 Revision: B06

Leave the confined space as soon as possible when:

a) ordered by the CSEA
b) the individual recognises the warning signs or symptoms of exposure, or
c) an unsafe condition arises.
When a task is complete the AA and PA shall Verify that no tools or equipment
associated with that task have been left inside the confined or restricted space.
When all tasks associated with a CSE are complete and before completing the CSE
permit, the AA shall Verify that no personnel, tools or equipment have been left
inside the confined space.

15.7 Confined space entry attendant

The AA verifies that the CSEA understands their duties and is competent to perform
them.
The AA decides if more than one CSEA is required for additional entry and exit
points. In these cases, maintain radio communication to update the active CSE log.
The CSEA shall not:
Attempt a rescue themselves; they call the emergency response team who will
provide the emergency response by executing the emergency response and
rescue plan.
Enter the confined space.
Leave their post whilst anyone is inside the confined space, unless they
formally hand over the role to another CSEA. In this case, the incoming CSEA
signs the CSE permit.
The CSEA shall:
Prevent unauthorised personnel from attempting a rescue.
Attend the TBT before work starts.
Maintain an accurate count of all persons in the space as follows:
a) Use an active CSE log or tagging system to record and track people who
enter or leave the confined space. Use a log or tagging system for each
entry and exit point to the confined space.
Using photo ID cards on a tally board are the preferred option for use in a CSE entry
log.
b) Verify that any person entering the space has been signed on to the CSE
permit and CSE entry log.
c) Display the CSE entry log or tally board near the entry point.
Put in place temporary guardrails and signage to prevent unauthorised entry if
any entry or exit point is left unattended (see Figure 16).
Mark airlines or safety lines, or both, so that each individual inside the tank is
clearly identified if a problem arises.
Be aware of the hazards that personnel may face when entering the space,
including the mode, signs or symptoms, and consequences of exposure to any
hazards or fatigue.

Page 186 of 361 Revision: B06

Monitor conditions and activities inside and outside the space to decide if it is
safe for personnel to enter.
Where a mechanical ventilation system is specified in the CSE permit, Verify it
is working.
Keep personnel inside the space under effective surveillance and maintain
effective and continuous communication with them during entry by one or
more of the following methods:
a) Line-of-sight (not always possible).
b) Voice contact (allowing for distance and ambient noise).
c) Radio with agreed periodic contact.
d) Pre-arranged signals on devices such as air klaxons or whistles.
e) Pre-arranged lifeline signals.
f) A distress signal unit.
Immediately order evacuation of the confined space if:
a) anyone notices anything that is not allowed in or near a confined space
b) exposure to a hazard affects anyone’s behaviour
c) a situation happens outside the confined space that could endanger those
inside
d) anyone detects an uncontrolled hazard inside the confined space – once
the entrants have been evacuated, the CSEA shall also leave the worksite
e) new hazards arise that are not identified in the permit or if the permit
scope or conditions change.
Only allow authorised persons to approach or enter a confined space while
entry is under way.
Be equipped with a device, such as a radio or telephone, to call for help rapidly
if anyone inside gets into trouble.
Understand the ERRP and their role within it.

Figure 16 - Example temporary guardrail for CSE entry point.

15.8 Precautions for water jetting in confined spaces

The following shall be considered:
Provide the CSEA with an emergency shutdown (ESD) button, that is within
arm’s reach, for the water jetting equipment.
Personnel shall not climb through vessel openings used for high-pressure
hoses because there is a risk of hypodermic injury from pinhole leaks. Where
this cannot be avoided (for example single access vessels), provide suitable
protection to reduce the risks associated with leaking hoses.

Page 187 of 361 Revision: B06

Plan the vessel entry to have points, nozzles or manways of adequate size
available for ducts, hoses and cables.
The method of draining jetting water and removing debris from the vessel to
minimise manual handling risks, or using non-manual means of removal
wherever possible.
Provide intercom communications between the jet operator, CSEA and pump
operator for all work in confined spaces.
Use the water jetting checklist before work starts.
Limiting water wash temperature to a maximum 60°C (140°F)39
Risk of ignition caused by static electricity by:
a) earthing or bonding all equipment to the tank or structure being washed
b) using conductive and electrically continuous hoses.
Respiratory and dermal risk from spray, or atmosphere containing dislodged
biological and chemical matter.

15.9 Confined or restricted space register

The confined space register provides consistency in deciding if an area is a confined
space or not. It is a list of decisions made by a multi-disciplined team regarding the
status of a space. It is helpful when there might be some uncertainty or ambiguity (for
example vessel skirts, ceiling voids or culverts).
When it is clear that a space is classed as a confined space (for example process
vessels or columns), it does not need to be listed individually in the CSE register.
There are three possible types of area that might be worked within:
• Open spaces where access is not a major hazard.
• Confined spaces as per BP definition managed with a CSE permit.
• Restricted space managed with a permit covering the task being executed.
A restricted space has these criteria:
• Is large enough for an individual to enter and perform assigned work.
• Has limited or restricted means of entry or exit.
• Is not designed for continuous occupancy by the employee.
• Has adequate ventilation and does not have significant hazards within it.
Under OSHA, this is termed as a non-permitted confined space if it meets all four of
these criteria.
In Upstream a restricted space is managed using a permit for the task but does not
require a CSE permit.
It is important to understand that a restricted space may become a confined space
managed with CSE permit if there is inadequate ventilation or a significant hazard occurs
within it.
Table 35 shows examples of potential restricted spaces and hazards which may make
them a confined space.

Page 188 of 361 Revision: B06

Table 35 - Potential Restricted Spaces

Potential restricted space Hazards which may require a CSE permit

A space protected with systems to inhibit the activation Known leak or ventilation not operating as designed.
of suppressant systems allowing persons to enter for SIMOPS creating hazards.
inspection purposes (e.g. a turbine enclosure, generator
module, air compressor module).

Ceiling and floor voids in an office building or control Known leak of hazardous material, SIMOPS creating
room. hazards.

A vessel or column skirt that has more than one access SIMOPS creating hazards.
point and has no joints or valves or other sources of
process or utility leaks within the skirted area.

Fin fans with mesh or wire open caging that offer free Known leak of hazardous material from tube or header
flow of air for ventilation. Access is available via an box. Ventilation restricted say by scaffolding. SIMOPS
engineered access point or removable panel and creating hazards.
provides usable access point. This point is easily
accessible from work area and there are no baffles or
dividing partitions between work area and access. The
access or egress does not compromise the ERRP.

Page 189 of 361 Revision: B06

16 Breaking containment
16.1 Preparing plant for breaking containment
Use a permit, IDP or RAP for all plant preparation work covering draining and
flushing of vessels, equipment or pipework. Use a marked-up P&ID to clearly
communicate the scope.
The breaking containment (BC) shall include a contingency plan; see section 14.4.
If BC involves cutting piping or equipment, see section 22.4.
Where a task includes both breaking containment and spark potential activities (e.g.
replacement and testing of an instrument), two choices are available:
Use either a BC permit which includes the hazards and controls for the spark
potential activities, or
two permits linked together, one breaking containment and the other, a hot
work spark potential permit.
The most efficient method would use the single BC permit, as SIMOPS can be
adequately managed using the BC permit with the spark potential controls.

16.2 Potential hazards

Consider the following potential hazards when planning these activities:
Work on pipework or vessels contaminated or potentially contaminated with
pyrophoric scale. Pyrophoric scale can form in systems that can contain H₂S.
If these systems are subsequently opened and the scale is exposed to currents of air,
the scale could ignite. The pyrophoric scale is made safe by constant and thorough
wetting until either the scale is removed, or the system is closed.
Residual hazardous substances (e.g. hydrocarbons, benzene, mercury).
Chemical reactions between cleaning materials and a tank or its fittings (for
example: acidic cleaning fluid attacking a blanking spade installed for isolation).
Leakage or the collapse of a tank or its supports caused by a reaction with
cleaning materials, excessive weight of wash solutions or if vacuum conditions
are created.
Spillage during draining or flushing that will have an impact on the environment.
The possibility of radiological contamination from LSA scale or NORM.
Gaskets containing asbestos. Handle and dispose of these in line with the
guidance in regional procedures for managing and working with asbestos.
Explosions and fires caused by the sudden mixing of water with hot oil. This
can happen during steam cleaning or when hot oil is being put into systems
that have just been steamed or flushed with water and have not been
thoroughly drained and dried.
Static electricity as an ignition source or electric shock during steam cleaning or
high-pressure water jetting if equipment is not earth bonded.
Possible asphyxiation if people are exposed to nitrogen.
Accidental spillage and freezing effects of nitrogen.
Trapped pressure or vacuum.

Page 190 of 361 Revision: B06

Position of workers when operating valves or conducting intrusive work,

keeping people out of the line of fire.

16.3 Breaking containment on hydrocarbon or hazardous utility systems

Immediately before BC, the PA shall Verify that the break point is being monitored
for any toxic materials identified in the TRA (for example benzene, hydrocarbons,
mercury, NORM).
Immediately before BC, the IsA and PA both Verify the integrity of the isolation, as
follows:
An IsA confirms that the system has been successfully depressurised and
proves the integrity of the isolation to the PA before work starts.
The IsA shall be present, with direct communications to the control centre,
during the initial BC and any other step of the task that the AA designates as
critical.
The PA applies five-part tags described in section 16.9, to all mechanical joints
on piping and small bore tubing systems in hydrocarbon or hazardous utilities
that are to be disassembled (see Table I.1).
Positively isolate open-ended pipework or equipment being left dependent on valve
isolation for longer than one shift.
Use direct reading instruments to monitor for hazardous substances on breaking
containment (e.g. benzene). Use RPE until there are consecutive readings showing
levels are below that requiring RPE.

16.4 Breaking containment with non-conformant isolations

Consider the following questions during the non-conformant risk assessment for the
IDP:
Does the valve leak rate affect the worksite or cause additional hazards for
personnel or plant?
What controls can be applied to control the risks to plant and personnel from
any potential leakage during BC?
Can the leakage rate be monitored and attended during the period of BC?
What controls can be applied to capture any leakage and safely dispose of it
from the worksite?
If the leakage rate suddenly increases, is a contingency plan in place to make
the equipment safe?
For example, a contingency plan can include an emergency isolation method or how
to shut down a system or plant.

16.5 Depressurising or draining pressurised vessels, pipelines or pipework

Take the following precautions when depressurising or draining pressurised
hydrocarbon and chemical containment systems:
Isolate the system from fluid pressure and inventory when it is being emptied.
Review the appropriate chemical risk assessment and safety data sheet.
Safely relieve the pressure and drain the system. Verify the residual pressure
within the system as being atmospheric before BC.

Page 191 of 361 Revision: B06

Depressurise systems containing gas to a closed system or to a vent or flare

header that is designed to accept such gas. If possible, venting to flare is
preferred.
Only depressurise gas systems to the atmosphere under strictly controlled
conditions. The AA, or delegate, instructs anyone working downwind of any
drainage or venting operation to leave the area.
All hot work (HW) shall stop within the potentially affected area.
Where required apply F&G overrides only in the immediate area of the BC.
If suitable facilities exist, drain liquid residues to a closed system. If this is not
possible, estimate the quantity of liquid remaining in the system. Provide
catchment facilities that will take at least this quantity. Then, drain the liquid
carefully by opening a flange at a low point in the system. Position yourself so
as not to be exposed to unexpected pressure or force and take precautions to
prevent the spread of any accidental spillage.
Consider if it is possible for dead-legs to exist in the system. Flushing such
traps with water will remove residual liquids if there are no flanges or
connections.
Remove oil-contaminated or soaked lagging material from hot equipment, as it
is prone to spontaneous ignition.

16.6 Draining or emptying atmospheric tanks and vessels

Use the following good practice when emptying atmospheric tanks and vessels
being prepared to change contents, inspected, repaired or modified, or before being
dismantled:
Before emptying any tank or vessel, refer to the as-built engineering drawings.
These drawings show in detail the internals of the tank or vessel. This will help
decide how to drain and isolate the tank or vessel.
For example, it might be assumed from the outside that a bottom offtake of a vessel is
flush, but the drawing might show that the off-take is raised internally.
Empty storage tanks and vessels by initially using the normal off-take lines,
until suction is lost. Transfer the contents to another suitable tank or to a
mobile tank, if appropriate.
When emptying and draining, take care to avoid pulling a vacuum. This can
occur if the atmospheric or vacuum vents are blocked, or by excessive lowering
rates through large diameter lines.
Once suction is lost through the normal off-take, removal of the residual liquid
contents might need to be done with a portable pump operating through an
open manhole, using the tank water drain valve or by water-flotation, taking
appropriate precautions against spillage.
Consider the hazards of using portable pumps in an area likely to be
contaminated with flammable vapour. Use appropriately sited, air-powered
pumps.
Dispose of residual liquids and sludge in the correct manner according to the
requirements of pollution-control legislation.

Page 192 of 361 Revision: B06

16.7 Cleaning and gas-freeing methods

After depressurising and draining, residual hydrocarbon liquids, vapours, and gases
are removed before further work can proceed. Various media can be used to do
this, but choices are usually limited by what is available at the work location.
Direct reading instruments specific to the residual hazardous substances removed
from the vessel are used to assess concentrations of hazardous substances in air
following remote cleaning and gas freeing, or before the confined space is entered.
Additional purging may be required to bring hazardous substance concentrations
down to an acceptable level.

16.7.1 Water flooding

Cold water is usually the most readily available way to clean a tank or vessel. It is
reasonably effective at displacing hydrocarbons, although it does not easily remove
sludge or oils trapped in complex pipework or vessel internal structures.
For stainless steel tanks and vessels, monitor the water used for flushing to Verify it
contains only low levels of chlorides (less than 50 ppm40) to avoid the risk of stress
corrosion cracking of the vessel. Promptly drain and clear water after flushing.
Before flooding a tank or vessel with water, confirm that its supporting structure
can take the weight. Provide adequate run-down and draining facilities as large
volumes of water might be needed for these operations.
To avoid a static charge building up when using this method, add water via the base
of the tank or vessel. If using a hosepipe, keep the velocity low until the end is
submerged and earth or ground the nozzle. Flooding with water cannot be relied on
to remove all petroleum vapour, liquid, or solid residues.
It is possible to carry out HW on the external surface of a water-flooded tank or
vessel without further removing internal hydrocarbon residue if the work is:
below the water level, and
managed by a Level 2 risk assessment.
Water used for displacing and removing liquid hydrocarbons could be heavily
contaminated after use. Dispose of any contaminated water in an environmentally
responsible manner.

16.7.2 Inert gas

Nitrogen (N₂), Carbon Dioxide (CO₂), or combustion gas (N₂/CO₂ mixture) may be
used to displace hydrocarbon gas and vapour, if they are available in sufficient
quantity. This method might be useful if it is inappropriate to introduce water into a
system in case it damages the tank or vessel. When injecting such mixtures, Verify
that localised freezing of, for example, valves or gauges is not induced due to
excessive injection rates.
Take care with systems that might contain pyrophoric scale from high-sulphur
bearing hydrocarbons. If such scale is subsequently exposed to the air, it can rapidly
ignite. Water sprays may be used to prevent this, as they will keep the scale
constantly wet.
There are two options for displacing hydrocarbon gas and vapour with inert gas:
Continuously purge with inert gas until the concentration of flammable vapour
is less than 50% LEL41 (2.2% by volume for methane) in the emerging mixture
of flammable and inert gas.

Page 193 of 361 Revision: B06

Purging with inert gas using ‘purge cycles’ following a pressurise –

depressurise – pressurise process until the concentration of flammable vapour
is less than 50% LEL41 (2.2% by volume of methane) in the emerging mixture
of flammable and inert gas.
Purge cycles can be a preferred method if there is no suitable route that will provide
efficient continuous purging, or when dead legs are part of the purge
When using purge cycles, consulting with a process engineer may help to estimate
the volume of inert gas required. Normal flammable vapour monitoring devices will
not work accurately in atmospheres that are deficient in oxygen. This means
specialised equipment is needed to accurately measure the LEL.
The vessel or tank is normally purged again with air to displace the inert gas. This
shall be done if there are plans for people to enter the vessel or tank.

16.7.3 Steam
At some sites, steam might be available for purging and cleaning vessels, tanks, and
pipework. Steam is the most effective of the common media for this purpose. It
shall be used at low pressure, not exceeding 1barg(14.5 psig)42.
Open or closed steaming may be used as follows:
Use open steaming if the tank or vessel and its associated system is fully open
to the atmosphere.
Use closed steaming for closed vessels and their associated equipment. During
this operation, raise the temperature to allow volatile liquids to vaporise and
disperse, along with the bulk of the steam through a condensing system. This
allows the heavy constituents to flow freely and they can be drained off with
the condensed steam from the base of the system.
For all but the largest vessels and tanks, steam is needed to raise the external
surface temperature to at least 95°C (203°F)43. Steaming continues until the
condensate flowing from the vessel is substantially free of hydrocarbon.
Steam may be used for process vessels, small storage tanks, and medium-sized
insulated tanks. It is essential that, after closed steaming, adequate provision be
made to prevent damage due to a vacuum being drawn by condensation of steam.
In large tanks, the rate of condensation of steam is such that adequate purging is
not possible.
After steaming, cool down the equipment with copious quantities of water. This
additional wash helps to remove residual hydrocarbons.
If residual material is left on the tank or vessel surface after prolonged steaming, it
might still give-off vapour if heat (for example burning or welding) is applied to it. In
such cases, cold cutting may be used or keep the internal surface thoroughly wet
during the heating operation.
All temporary steam hoses being used shall be electrically bonded and earthed.

16.7.4 Air
If it is not reasonably practicable to use any of the above methods, air may be used
directly to ventilate equipment and remove hydrocarbon vapour.
If using air to ventilate equipment, pump out as much oil and sludge as possible
before opening the tank or vessel. If reasonably practicable, use forced ventilation
so that flammable vapour is cleared in the shortest possible time. During this

Page 194 of 361 Revision: B06

purging operation, the flammable range will be passed through, presenting an

explosion hazard if an ignition source is nearby.
Verify all electrical equipment is suitable for use in a Zone 1 hazardous area or it’s
isolated.
Air movers are most effective when fitted at the roof or top manhole to pull air in at
low level. Temporary trunking may be needed to achieve high-level disposal. To
minimise the amount of gas or vapour escaping when opening the lower manhole
door, keep the air movers running to get a slightly negative pressure before opening
the lower manhole door.
Vapours escaping from any opening in the equipment being purged can create a
flammable concentration in bunded or confined areas. Manage this hazard by
barriering-off the area and removing any sources of ignition or HWSP devices. The
recommended safe practice is to remove the vapour by air movers attached to the
roof manhole.
When natural draught ventilation is being used during periods of calm weather, be
aware that vapour released from tanks can travel considerable distances without
dispersing. Therefore, consider the wind direction and the risk to adjacent
operations, premises or the public.
As pyrophoric scale can be present within tanks or vessels that have contained sour
crude or products, continuously wet internal surfaces from one or more water fog
nozzles inserted into the roof opening as follows:
Turn on the fog nozzles first and then open the air movers afterwards.
Open a shell manhole after about five minutes of operation, when the internals
are thoroughly wet.
With the air movers still in operation, remove the fog nozzles and dislodge
loose scale with high-pressure water streams.
When using this method, earth the water nozzles.

16.8 Purging into service

Before re-introducing hydrocarbons into a system, it is important to remove oxygen to
reduce the likelihood of a flammable atmosphere.
When purging into service, add inert gas to the system until the percentage of
oxygen is decreased to the point where any mixture would not be flammable. To
provide a safety factor, continue purging to a point at least 2044% below the
flammable limit, See Table 36 below.

Table 36 - Oxygen end points for purging into service

Purge Medium CO2 N2 CO2 N2

Percentage below Percentage purging end points with

which no mixture is flammable 20% safety factor
Combustible
% oxygen % oxygen % oxygen % oxygen

Hydrogen 5.9 5.0 4.7 4.0

Carbon Monoxide 5.9 5.6 4.7 4.5

Methane 14.6 12.1 11.7 9.7

Page 195 of 361 Revision: B06

Purge Medium CO2 N2 CO2 N2

Percentage below Percentage purging end points with

which no mixture is flammable 20% safety factor
Combustible
% oxygen % oxygen % oxygen % oxygen

Ethane 13.4 11.0 10.7 9.8

Propane 14.3 11.4 11.4 9.1

Butane 14.5 12.1 11.6 9.7

Isobutane 14.8 12. 11.8 9.6

Pentane 14.4 12.1 11.5 9.7

Hexane 14.5 11.9 11.6 9.5

Gasoline 14.4 11.6 11.5 9.3

Ethylene 11.7 10.0 9.4 8.0

Propylene 14.1 11.5 11.3 9.2

Cyclopropane 13.9 11.7 11.1 9.4

Butadiene 13.1 10.4 10.5 8.3

Benzene 13.9 11.2 11.1 9.0

16.9 Broken joint tagging

Complete the following for all disturbed joints:
The PA uses a five-part tag to identify broken joints and to help Verify that they
are reinstated, and their integrity is confirmed once all work is complete.
Record the status of all broken joints in the system handover management
process or an equivalent local system. The removed parts of the tags are kept
for 1 month to confirm the joint status.
Leave the remaining part of the tag to allow the integrity of the reinstated joint
to be monitored during startup. This is removed by operations when the plant is
back up to its normal operating conditions and the joint has been periodically
monitored for a minimum of two days.
Consider tagging critical neighbouring joints that have not been broken but that
could be affected by the reinstatement activity.
GOO uses a five-part tag (see Error! Reference source not found.). In GPO and
GWO-controlled sites, the local CoW implementation procedure may specify an
alternative tag.

Page 196 of 361 Revision: B06

Section or tab completed by…

This is removed by operations when the

plant is back up to its normal operating The person leak The person
The person The person
conditions and the joint has been testing breaking the
tightening the joint making the joint
periodically monitored for a minimum of (SPA or IsA) joint
two days.

Detached by operations and returned to Return to AA or SHM owner or PA return to AA or SHM owner or
AA or SHM owner or certification lead certification lead certification lead

Figure 17 - Five-part tag for broken joint tagging

Page 197 of 361 Revision: B06

17 Working at height
Working at height (WAH) means work in any place where, if precautions were not taken, a
person could fall a distance liable to cause personal injury. This includes:

• work above ground or floor level

• anywhere a person could fall from an edge, through an opening or fragile surface
• anywhere a person could fall from ground level into an opening in a floor or a hole
in the ground
• over-side working, which is work outside the perimeter of fixed handrails or work
during which anyone could fall into water.
Work at height does not include:

• a slip or a trip on the level, as a fall from height has to involve a fall from one level
to a lower level
• gaining access to or exiting any work location at height when using a staircase or
permanent ladder with guard hoops.
Avoid work at height as far as is reasonably practicable.
If work at height is unavoidable, the AA shall Verify that:
fall restraint or fall arrest equipment is used for working at elevations of ≥2m (6
ft) where there is no fixed access platform, walkway, or an Approved scaffold
with regulation guardrails, handrails and standing surface
the work is risk assessed before it starts, in line with Figure 18
all reasonably practicable precautions are taken to prevent anyone from falling
from height a distance that can cause injury, including the adoption of a
hierarchy of fall protection when considering risk
the equipment used to work at height is appropriate to prevent a person, or
equipment falling or injuring anyone.
Where the risk of people or objects falling remains, risk assessments shall define
controls to minimise the distance and impact (consequences) of such falls.
Collective measures (for example guardrails, nets, mats, inflated devices) are preferred
over personal protective measures (for example fall arrest equipment).
OSHA requires employees in general industry workplaces on a walking-working
surface with an unprotected side or edge that is 1.2 m (4 feet)45 or more above a
lower level is protected from falling by one or more of the following:
1. guardrail systems
2. safety net systems, or
3. personal fall protection systems, such as personal fall arrest, travel restraint, or
positioning systems.
Some fall arrest systems require 2m (6ft) to operate. Consider this when selecting a fall
protection method.

Page 198 of 361 Revision: B06

17.1 Using the hierarchy of fall protection

The following are examples of how the hierarchy of fall protection is applied for WAH:
• Permanent fixed access (e.g. walkways and gantries) is the first level in the
hierarchy of fall protection. This is appropriate where people need regular access
for routine maintenance. If this measure has been taken to avoid falls, other
measures (e.g. example nets) may not be necessary.
The PA shall Verify additional controls are in place if a guardrail has been temporarily
removed or if the area is being inspected before it is used for the first time. For
example, when installing walkways on a NUI, restraint devices or other suitable
personal fall protection equipment and additional supervision would be needed.
• Erecting temporary working platforms is the second level in the hierarchy of fall
protection. This includes scaffolding (which has its own risk implications in the
construction phase), cradles, aerial lifts, and self-powered work platforms or mobile
platforms.
• Using work positioning is the third level in the hierarchy of fall protection. If neither
of the first two options are reasonably practicable, then personal suspension
equipment, work positioning techniques, or work restraints may be used.
• Using fall arrest equipment to catch a falling worker is the fourth level in the
hierarchy of fall protection. It is often difficult to accurately predict the level of risk
to the worker during the operation. The seriousness of a fall depends on:
- where they fall
- any obstructions they hit when they fall, and
- how easily other workers can rescue them.

Page 199 of 361 Revision: B06

YES Work from the ground

Can you avoid
(e.g. use extendable tools,
working at height?
lowering light masts).
NO

Use a collective fall protection

system (e.g. air bags, safety nets).

NO YES Can collective

Can the fall be L2 TRA* and task- measures be used (e.g.
prevented? specific ERRP guardrails, nets, mats,
required inflated devices)?
YES NO

Employ personal fall protection

equipment (PFPE) to set up fall
arrest or work positioning

Can safe platforms NO

be used (e.g. Employ PFPE to set up work
scaffolds)? restraint

YES

Perform task from safe working

platforms with guardrails

*Competent scaffolders and rope access

specialists may be covered by a Level 1 TRA.
See sections 9 and 17 for more details.

Figure 18 - Working at height flowchart

17.2 Requirements for work at height

Before any work at height can proceed, the SA or AA when delegated shall Verify
that:
Either:
a) a safe platform with guard or handrails that a competent person has
verified, is in place. This can be a permanent fixed access or a temporary
work platform; or

Page 200 of 361 Revision: B06

b) a form of personal fall protection is being used including one or more of

the following:
Work restraint
Work position
Rope access
Fall arrest equipment
When using the work restraint, work position, or fall arrest equipment, a
competent person has visually inspected the equipment being used.
Consideration has been given to whether the PA and work party are medically
fit for working at heights (e.g. any known heart disease, vertigo, fear of heights,
temporary work restrictions, disabilities, fatigue, injuries), which may put them
at risk while working at height.
Any damaged or activated equipment (e.g. used fall arrest equipment), has
been taken out of service.
Fall arrest equipment has:
a) a suitable anchor, preferably mounted overhead
b) full body harness using double lanyard, double latch self-locking snap
hooks at each connection
c) synthetic fibre lanyards
d) shock absorber.
Fall arrest equipment will limit free fall to 2m (6ft) or less.
Personnel are competent to perform the work.
The PA may use the checklist in Table D.9.

17.3 Requirements for a safe platform

To determine if a platform for working at height is safe, the PA verifies that it meets
the following criteria:
Is stable, strong and rigid enough for the purpose it is being used or intended
for.
Is resting on a stable and sufficiently strong surface.
Is wide enough for people to walk over, use any necessary equipment or
materials, and work safely on.
Suitable and sufficient edge protection is in place to prevent risk to others, such
as toe-boards, typically a minimum of 0.1m (4in)46 high.
Does not have any openings that people, materials or objects could fall through
and injure someone, or damage equipment.
Is constructed, used, inspected, and maintained to prevent, so far as
reasonably practicable, anyone slipping or tripping, or being caught between it
and any adjacent structure.
Is prevented by appropriate devices if it has moving parts, from moving
inadvertently during work at height.

Page 201 of 361 Revision: B06

Is fitted with a suitable guardrail that is high enough to prevent anyone falling
and is a minimum of 0.95m (37in)47 high, with the maximum gap between the
guardrails of 0.47m (18in)48. As a minimum, it can withstand a load of at least
90kg (200lb)49 applied in any direction on the top rail.
Is in good metallic contact with the structure, or is earthed in order to mitigate
the risk of electric shock caused by:
a) lightning strike
b) electric tools or lighting that is not reduced low voltage, or RCD/GFCI
protected
c) ignition when carrying out static generating activity.
If a platform meets all of the above criteria, work may be carried out from the
platform without using work equipment to make it safe.
If a platform does not meet all of these criteria, complete a Level 2 TRA to identify
any further controls required.

17.4 Using personal fall protection systems

Personal fall protection systems include work restraint, work positioning (including rope
access and positioning techniques), fall arrest, or rescue systems.
The AA verifies the following criteria are met before personal fall protection is used:
The hierarchy of fall protection has been applied.
A risk assessment has demonstrated that work can, so far as is reasonably
practicable, be performed safely while using the system.
The person who is using the system has been trained in how to use it and
enough people in the work area are trained in how to use the equipment,
including how to rescue someone if they fall.
The fall protection system is securely anchored.
The various components of the system are strong enough to support all known
loads and a competent person has inspected them.
A suitable ERRP is in place.
The PA checks the manufacturer’s instructions to decide if the system is compatible
with other equipment being used.
All equipment that is used in the personal fall protection system is strong enough to
withstand any forces placed on it and have an adequate safety margin.
The PA verifies equipment safe working loads (or minimum static strength), working
load limits, and maximum or minimum rated loads.

17.4.1 When to use work restraint

Work restraint is a technique that uses personal fall protection equipment to prevent a
person from entering an area where a risk of falls from height exists.
It works by tethering the individual by an anchor point and line in such a way that they
cannot reach an exposed edge from which they could fall. Work restraint techniques are
very effective and often used to prevent personnel from falling when working at height
on open decks, roofs, or platforms.

Page 202 of 361 Revision: B06

17.4.2 Using work positioning

A work positioning system enables a user to work supported in tension or suspension in
such a way that a fall is prevented or restricted. An example would be a bosun’s chair.
The PA shall only use work positioning systems if it includes a suitable back-up
system for preventing or arresting a fall (for example a fall arrest system).
The advantage with work positioning is that people are free to use their hands.

17.4.3 Rope access techniques

Rope access techniques allow access to structures or equipment that are otherwise
inaccessible or unsafe to access using conventional techniques.
Rope access comprises a personal fall protection system that specifically uses two
static, separately secured sub-systems and can be used for work positioning systems.
One of the sub-systems is the means of support. The second is a safety backup for
getting to and from the place of work.
Fundamental to this technique is the concept of the static ropes, where the user moves
up and down the ropes rather than the rope moving with the user. If the rope moves
with the user, it is not rope access but work positioning.
Rope access personnel shall be trained and competent to Industrial Rope Access
Trade Association (IRATA) or Society of Professional Rope Access Technicians
(SPRAT) standards, with at least one of the team competent to Level 3.
The PA verifies that anchor lines do not come into contact with sharp or abrasive
edges.

17.4.4 Fall arrest

Fall arrest is the most common form of personal fall protection equipment (PFPE) as it is
simple to operate and requires minimal equipment and limited training. Fall arrest is a
technique that stops a falling person under safe conditions.
High attachment points are designed into the fall arrest harness, keeping the
individual upright in the harness if they fall, even if they are unconscious.
The PA shall Verify that a fall arrest system incorporates a suitable shock absorber
to limit the force to the wearer’s body if they fall. This could be either a shock
absorber lanyard or inertia reel, but never both.
In many situations, a combined fall arrest and work positioning approach may be
required.
For example, a worker might need fall arrest equipment to access the worksite and
then convert to work positioning to carry out the task. Alternatively, they could be
relying on a work positioning lanyard for primary support, but still have a fall arrest
system attached for backup. If they are using work positioning equipment for support,
they can rely on the attachment to prevent them losing their balance or falling.
In situations where the work method requires employees to detach and re-attach at
height, always use a dual lanyard system with at least one connection point
maintained.

17.5 Identifying and assessing anchor points

The user needs to identify and assess potential anchor points to Verify they are
suitable and secure.

Page 203 of 361 Revision: B06

Use specifically designed and suitable anchor points where they are available (refer
to BS EN 795 Personal fall protection equipment. Anchor devices or equivalent
standard). When these are unavailable, consider the following when selecting an
anchor point.
Anchor points can generally be classed as tested, structural or certified. As a
minimum, test these items annually. Structural items are usually capable of
performing beyond the requirements of BS EN 795 Personal fall protection
equipment. Anchor devices (that is, metallic anchor devices capable of
withstanding a shock load of 12kN (2700 lbf) 50 and non-metallic anchor devices
capable of withstanding a shock load of 18Kn (4047 lbf).50
Process piping may be used for anchors if it meets the following criteria:
a) Process piping that is ≥ 0.15m (6in)51 outside diameter with less than a
6.5m (20ft)51 span between vertical or horizontal supports, with a wall
thickness ≥ 6mm (0.25in)51 may be used for anchors without having to
consult an engineer.
b) An engineer shall Approve process piping that is < 0.15m (6in)51 outside
diameter, or any process piping with < 6mm (0.250in)51 wall thickness
before it can be used as an anchor.
Do not attach anchors to:
a) any thin wall gas or flare lines
b) non-metallic lines
c) instrument or H₂S lines
d) cable trays or uninspected handrails
e) insulated lines.
Handrails can only be used for anchoring if they have been checked by a
competent inspector and deemed suitable for the proposed task.
Do not anchor to scaffolding unless a competent scaffolding inspector has
Approved its use for anchoring.
The PA shall Verify that, where reasonably practicable, anchor points are
chosen at or above waist height.

17.6 Over side working

The following shall apply when there is a potential for a fall to water:
a life jacket is used for working outside of guardrails.
in cases where the life jacket hinders the ability to work safely, conduct a risk
assessment before authorisation is given to remove the vest and, as a minimum,
requires the person to remain 100% tied off.
maintain communication throughout the duration of the job, including the use of
radio communications. Consider using personal locator beacons.
when over side working in darkness cannot be avoided, include controls for
adequate lighting of the worksite and a rescue strobe light for the worker.
adequate clothing suitable for the possible weather extremes.

Page 204 of 361 Revision: B06

a task specific ERRP is in place and sufficient personnel trained to use any rescue
equipment or techniques relied upon. Consider sea drift in the ERRP.
rescue craft (RC) in the water or available to be deployed where allowed by local
regulations or the risk assessment.
standby person positioned with a good line of sight to monitor activity.
notify the standby person and Rescue Craft (RC) of any vessel movements in and
around the installation 500m1 zone, and any activities on or around the installation
which could have an impact on the over side work.
consider the following hazards in addition to any task-specific hazards in the risk
assessment:

1. Outfalls 8. Vapours (e.g. produced water

treatment)
2. Vents (e.g. process)
9. NORM
3. Aerials and wireless masts
10. Crane operations
4. Inlets (e.g. fire pumps)
11. Marine vessels
5. Overboard dumps
12. Diving operations
6. Exhausts (e.g. lifeboats)
13. Process conditions
7. Sea and weather conditions

People planning to work off step ladders close to overboard or over deck handrails
can elevate themselves to a level which constitutes a risk of falling over the handrail.
This can be controlled by erecting scaffold at the handrail to prevent falls, thus
avoiding the need for additional controls (e.g. rescue craft).

17.7 Putting a rescue plan in place

The PA shall put a rescue plan in place if people are working at height and it is
possible that they might fall and be suspended or fall overboard. This is an integral
part of the emergency control procedures.
See section 18.5.8 for detail on ERRP content. For an ERRP certificate see Table C.5.
The PA shall do the following:
confirm the correct PPE for working at height is in place before any working at
height can start.
confirm that all the rescue equipment detailed in the rescue plan is ready for
immediate use.
confirm the emergency rescue team know the location of the work party.
stop work if ERRP resources are no longer available, for example:
a) if the ER team has been called to an incident
b) manning levels are such that not all tasks can be supported
c) Emergency Response and Rescue Vessel (ERRV) cannot continue to
support overboard work due to sea conditions or other priorities.

17.8 Inspecting and maintaining equipment

a. The SA shall Verify that all work restraint, work positioning, and fall arrest
equipment is controlled by a competent person or persons. This competent person

Page 205 of 361 Revision: B06

is usually called a working at height equipment controller or rigging loft controller

and is responsible for:
1. visually inspecting the equipment regularly
2. issuing and controlling lifting equipment
3. inspecting and maintaining all work restraint, work positioning or fall arrest
equipment, and
4. maintaining a record of and issuing all work restraint, work positioning or fall
arrest equipment to competent personnel.
Harnesses used by painters can become contaminated by paint which might affect the
fibres of the harness.
b. Each item of equipment shall also be marked with a unique identification number so
that it can be traced back to its point of origin.
c. Test certificates and examination reports shall be available for audit at the site or at
a central control point.
d. Working at height equipment controllers or rigging loft controllers, fulfil inspection
and maintenance duties for the most frequently used type of equipment (that is, fall
arrest). However, competence requirements may specify that specialist equipment
such as rope access, require a specialist contractor’s competent person to take fulfil
these duties.

17.8.1 Pre-use checks (non-recordable)

The user of any equipment is responsible for physically checking it before use.
Immediately withdraw equipment with any defect from service, and either tag as
unusable or destroy it. The following are examples of common defects:
Cuts, tears, abrasions, mould, or undue stretching.
Alterations or additions.
Damage due to deterioration.
Contact with fire, acids, or other corrosives.
Distorted hooks or faulty hook springs.
Tongues unfitted to the shoulder of buckles.
Loose or damaged mountings.
Non-functioning parts.
Wearing or internal deterioration in the ropes.
Manufacture’s tag missing or illegible.
The PA verifies these checks have been completed and equipment is safe to use.

17.8.2 Inspections (recordable)

An appointed competent person shall:
inspect harnesses and lanyards every 12 months52
inspect inertia reels or other specialist working at heights equipment as defined
by the manufacturer’s or specialist contractor’s guidance
inspect all equipment before it is returned to storage

Page 206 of 361 Revision: B06

maintain a record of all inspections.

For frequently used lanyards, the suggested inspection frequency is at least every
three months. This is particularly important if equipment is used in arduous
environments (for example: demolition, steel erection, scaffolding, steel skeletal
masts, towers with edges and protrusions).
To reduce the risk of damage to lanyards and shock absorbers due to grit blasting
operations, keep all lanyards and shock absorbers away from grit blasting work.

17.9 Dropped objects

By applying the hierarchy of controls, dropped object risks are minimised.
For example, through design, selection of equipment or tools with restraints, worksite
layout and housekeeping.
If hazards cannot be eliminated, then before approving the risk assessment, the
Approver shall Verify that controls will protect the personnel and equipment below.
L4 controls are preferred, as in examples below, instead of relying on L5 and L6
controls.
Use tools and equipment Approved for work at height, including the appropriate
lanyards and tool bags.
Secure all materials stored at height so that any unintended movement does
not dislodge them and cause an object to fall.
Use mats where there is the potential for small items to fall through grating.
Use netting where there is potential for objects to fall outside of guardrails.
Install toe-boards where a scaffolding platform is used.
To keep people out of the line of fire, the PA shall put in place exclusion zones
around any area where there is a risk of dropped objects.
The following represents good practice for tool lanyards and attachment points:
Tools used at height are attached to a tool bag or the work location via a
certified tool lanyard. As such, tooling shall be manufactured and supplied with
tested and certified lanyard attachment points.
The lanyard attachment point on the tool allows the tool to be used effectively.
The length of lanyard wire is appropriate to the unhindered function of the tool.
Any retention that is fitted to power tools is not solely secured to the power
cable or air hose.
The standard use of wrist lanyards is discouraged. However, it is recognised
that they may be appropriate to specific tasks (e.g. within confined spaces).

17.10 Fragile surfaces

Avoid working on fragile surfaces where reasonably practicable, because some
materials (for example, asbestos and various plastics) are particularly brittle and may
shatter without warning.
When working on, or passing across, fragile roofing materials, use crawling boards
that span across joists so that the person’s weight is on the board, never on the
fragile roof sheeting. Use at least two crawling boards, one to support the person
whilst the other is moved to a new position.

Page 207 of 361 Revision: B06

17.11 Use of temporary ladders

The minimum safe working requirements for the use of temporary ladders (e.g. those
not affixed permanently to a structure) are described below. This includes scaffold
ladders, extension or straight ladders and folding or step ladders. See BP Practice Use of
Temporary Ladders GDP 4.5-0002.

17.11.1 Hierarchy of controls for temporary ladders

Apply the following hierarchy of controls when considering mechanisms for
accessing and egressing elevated work sites:
Bringing the work to ground level and eliminating the need to access and
egress heights.
Using an existing permanent structure.
Engineering controls consisting of temporary equipment to reduce the risk of a
fall occurring, in order of preference shown in Table L.1

17.11.2 Use of temporary ladders

For installation and use of all temporary ladders follow requirements in Table L.2.
When accessing scaffolding follow requirements in Table L.3.
The recommendations in Table L 4 should be used when accessing scaffolding.
When using extension or straight ladders follow requirements in Table L.5.
The recommendations in Table L.6 should be followed when using extension or
straight ladders.
The recommendations in Table L.7 should be used when performing work from a
platform ladder.
When performing work from a ladder follow the requirements in Table L.8.
Ladders with exposed aluminium, or aluminium alloy with an aluminium content
greater than 10%53 shall not be used in hazardous areas due to ignition risk from
frictional or thermite sparking

Page 208 of 361 Revision: B06

18 Supplementary certificates
Supplementary certificates are documents that provide additional information on hazards
and controls to support a risk assessment and permit to work. They are created and
Approved by people who have specialist knowledge and competence in the subject.
Supplementary certificates are developed along with the permit to work during the
planning and preparation steps.
The AA, or delegate, shall not issue a permit unless all selected certificates are
Approved and attached.
Table 37 lists who can Approve each type of certificate.
Isolation Confirmation Certificates (ICCs) are linked and not attached because they
are created within eCoW.

Table 37 - Certificate approvals

Certificate Approver

18.1 Isolation confirmation AA

18.2 Ground disturbance Discipline engineers and OSTL, or delegate

18.3 Lifting plan Site Lifting Co-ordinator

18.4 Energised electrical work (non-US) Site Electrical Leader

18.4 Energised electrical work (US) Site Electrical Leader

Emergency response and rescue plan

18.5 Emergency response leader or local equivalent.
(ERRP)

18.6 Abrasive task on live equipment OSTL, or delegate

18.7 Mechanical seal plug VP ops for an isolation (AOM when used as vapour or liquid seal)

18.8 Well handover Well Site Leader and SA

18.9 Pre-startup SA, or Project Manager or TAR Manager

18.10 Ventilation plan HSE

18.11 Pressurised habitat Vendor trained habitat inspector, or AA

18.12 Heavy equipment movement OSTL

18.13 Cross-site boundary isolation SA

18.14 Leak testing Leak testing SPA

18.1 Isolation confirmation certificate

An IDP records the status of all isolations throughout the life cycle of the isolation. It also
records the signatures of the IsAs who have confirmed the status of the isolations at any
time during the life cycle. Once an isolation is in place, an ICC is created from the IDP by
eCoW.
Full isolations are managed using an IDP and personal isolations can be detailed on
drawings attached to an IDP or permit. See section 14 for details.
The ICC, linked to all relevant work permits, is the principal means of control once
isolations are in place and performs the following functions:

Page 209 of 361 Revision: B06

Identifies the plant concerned and the reasons for isolation.

Records isolation by disciplines.
Records the complete list of isolations including the identification of valve,
blinds, blanks, and equipment tag numbers and specific electrical and control
information.
Records bleed points for checking valve integrity.
The IsA does not need to amend the ICC when bleed valves are moved to execute PBU
monitoring.
Confirming that the isolations are in place.
Authorising any temporary de-isolations and isolations for STT.
Authorising and recording de-isolation when the task is complete.
Attach a marked-up P&ID, electrical single-line drawing and electrical schematics or
other suitable drawing to the IDP. Attach the Level 2 isolation risk assessment,
when required for a non-conformant isolation.
For well handover between GOO and GWO, control the isolation of the wellhead
valves and flowline isolation valves from the piping system or process plant using an
ICC. The ICC is used in conjunction with a well handover certificate to manage the
handover to and from GWO.

18.2 Ground disturbance certificate

Ground disturbance is a man-made cut, cavity, trench, or depression made in the ground
by removing the covering material (for example earth or concrete) that is:
• deeper than 0.3m (12in)54 if made with hand tools (for example shovels and
spades), or
• any depth if made with mechanical equipment, or sharp objects (e.g. picks, spikes,
chisels, earthing or ground rods).
All ground disturbances shall have a ground disturbance certificate (GDC).
Risk assess ground disturbance using a Level 2 TRA unless the GDC verifies there
are no hazards from underground services and the excavation is not considered a
CSE.
The ground disturbance certificate, attached to the permit, identifies the following:
Underground hazards (for example buried services such as process, electrical,
and communications) and subsequent isolations of these services.
Controls to prevent collapse or ground movement.
Any requirements for gas testing.
Any requirements for signs, barriers and lighting.
Required inspections and frequencies.
Means of accessing or egressing the excavation.
The ground disturbance certificate shall include verification from any relevant
discipline engineers (for example electrical, instrument, control or communications).
If there are no underground services and the excavation is not a confined space, a
Level 1 TRA is acceptable.

Page 210 of 361 Revision: B06

18.3 Lifting plan certificate

All lifting operations follow the requirements set out in BP Practice Management of
Lifting Operations and Lifting Equipment (500080). Lifting operations include:
mechanical lifting or lowering operations
rigging operations
heavy transportation (using multi axle trailers) as part of a lift
push and pull activities performed in onshore, offshore, marine or subsea
environments (e.g. jack up module and pull onto barge or extendable forklift).
For lifting operations to be done safely and in compliance with legislation and in
conformance with BP requirements, it is important that key personnel are familiar
with the requirements of their site’s lifting procedure.

18.3.1 Planning a lift

Before starting a lift, an Approved lifting plan shall be in place.
Category 1 plans may be valid for up to 6 months55.
Category 2 and 3 are task-specific.
Lifting plans:
are developed by a competent person with input from those involved in the
operation before it is Approved
document how to do the lifting operation, including a diagram showing location
and type of lifting equipment
record any task-specific hazards or controls to be included in the TRA
identify the equipment, personnel, resources, controls, and actions needed for
the lift
consider the deck or ground strength
identify SIMOPS and barrier requirements.

18.3.2 Lift plan content

Before using a lift plan, the AA verifies it includes the following:
Name and job title of person producing the lift plan
Site name and location of lift
Lift category
Title describing the lifting operations
Load weight
Weight of lifting tackle (and hook block – onshore only)
Load centre of gravity
Number of personnel, roles, and level of supervision
Method of communication
Method statement or step-by-step procedure
Lift plan drawings and additional pictures or sketches if they aid understanding,
showing pick-up and set-down locations, including slew path and direction

Page 211 of 361 Revision: B06

Lifting over live equipment criteria, if applicable

Detailed safe operating limits of the lifting equipment (capacity charts or
curves)
Crane capacity at selected (worst case) radius and crane utilisation percentage
Applicable approval, review, and authorisation names, dates, and signatures
References to associated documentation (for example pre-lift readiness check
sheet, risk assessment, contingency plan, rescue plan and permits
The placement of lifting equipment and potential consequences of catastrophic
failure or unintended motion of the load or equipment, with particular attention
to areas where people congregate
Assessment whether to use tag lines, including their hazards and limitations
Lifting equipment or tackle list or sketch for non-pre-slung loads
Pad eye and shackle details for non-pre-slung loads
Engineering calculations (for example contingencies or uncertified steelwork
criteria)
Load integrity and dropped object inspections
Wind and weather limitations of cranes and the load’s sail area
A definition of the exclusion zone to keep people out of the line of fire.

18.3.3 Lifting over or in close proximity to live equipment

Lifting over or close to live equipment means any lifting operation that poses a process
safety risk to live equipment from any or all of the following:
the load
lifting appliances
lifting accessories
Close means it is within a distance that either the load or lifting equipment (such as a
crane boom) could fall on live equipment.
Complete a Level 2 TRA for lifting over or close to live equipment, regardless of lift
category, and consider the following:
1. no reasonably practicable alternative exists
2. an operational contingency plan is in place
3. risks are reduced to as low as reasonably practicable.
The operational contingency plan shall define the potential worst-case
consequences of a dropped object or catastrophic failure of the lifting equipment,
and detail:
the controls to be taken before the lift, and
the emergency response actions required.

Page 212 of 361 Revision: B06

18.4 Energised electrical work certificate

See section 22.2 for Energised Electrical Work.
The energised electrical work certificate(EEWC) is used to document the specific
hazards associated with the electrical energised work aspects of the task (see Table C.3
and Table C.4). The certificate is Approved by the SEL and can be used as an input to
the TRA, to Verify all appropriate hazards have been considered. The TRA will also
assess other hazards associated with the task that may not be specific to the electrical
energised work. The TRA records all hazards and controls associated with the energised
work and the task. It is not acceptable to cross-reference the EEWC instead of recording
all the hazards and controls.

18.4.1 Using energised electrical work certificate

The HWSP permit to work shall be supplemented by an energised electrical work
certificate.
This certificate may be re-used for regularly executed tasks, if the task is the same
and hazards and controls fully cover the scope and are still applicable.
When an EEWC is reused, the PA and AA check that it is appropriate for the
proposed work before Verifying and accepting the permit.
Annex C shows two energised electrical equipment certificates:
Table C.3 shows an EEWC for non-US sites.
Used in non-US sites, typically where IEC standards are adopted.
Table C.4 shows a US EEWC.
Used in US and any site that uses US standards.

18.5 Emergency response and rescue plan certificate

Each site shall have standard or general ERRPs that meet the requirements for
response and rescue to most parts of the facility.
These shall be available and used for all permitted tasks, but they do not have to be
attached to each permit.
Any rescue facilities mentioned in the ERRPs shall be available on site (e.g.
equipment and competent rescue personnel).
If a standard site response plan does not cover the scope or manage the risks of a
planned task, then create a task-specific ERRP. Include internal and external
drawings or sketches of the confined space, where applicable. If access is
restricted, test the ERRP physically to Verify it would work before the work begins.
The ERRP shall cover rescuing, recovering, and treating casualties.
The ERRP shall be:
reviewed during risk assessment
Approved
in place before work begins
discussed at TBT.
The ER team leader, or their equivalent, Approves all ERRPs. In doing this, the team
leader confirms that the ERRP meets the needs of the task. The AA may also
contribute to developing an ERRP as appropriate and authorise its use.

Page 213 of 361 Revision: B06

Before issuing a permit with a task-specific ERRP requirement, the AA shall contact
the emergency response and rescue team to confirm they are available and agree
the emergency communication method.
Attach the task-specific ERRP to the permits.
It is good practice to perform emergency response and rescue drills for each plan or
scenario regularly and at least every six months or in line with local regulations,
whichever is more stringent. This is to confirm that everyone who is likely to be
involved in an emergency response understands his or her roles, responsibilities, and
response actions.

18.5.1 Creating an ERRP

To create an ERRP, first risk assess the intended task to identify what can
potentially go wrong and therefore what contingencies, in the form of controls, are
needed in the ERRP.
The ERRP needs a title, ERRP number and worksite location to indicate the relevant
task and area. It also includes an activity ID and permit number if they are different.
Next, the certificate defines the key hazards associated with the task (e.g.
hydrocarbon release, fire).

18.5.2 Team members

Populate the certificate with the ERRP team roles including any specialist skills or
standby requirements. Add a contact method for each of the members.
Where relevant, this section of the certificate includes external emergency services
if they form part of the ERRP. Include contact details and a person nominated to
notify and liaise with them if necessary. Consider notifying emergency services
before a task takes place and providing relevant PPE for them.
For confined spaces, over side working and unguarded lone working at height, a
standby person is required. In other situations, the need for a standby person is
determined during the RA. The standby person shall be:
appointed and briefed on responsibilities
physically on site and in visual contact with work party at all times free of other
assigned duties
clear about their role in the event of an emergency
capable of stopping the job if there is a communications failure or other unsafe
situations.

18.5.3 Communication
Include in the ERRP the method of communication between the standby and the
workers, in addition to the method between the standby and the ERRP team.

18.5.4 Emergency response and rescue method

Complete this section with the step-by-step actions to be taken by the ERRP team
(and others) in an emergency, as follows:
What are the response triggers (e.g. plant or site emergency, significant change
in the hazardous substances within a confined space or injury where workers
cannot exit on their own)?

Page 214 of 361 Revision: B06

Who has the responsibility to monitor the task and raise the initial alarm, who
will they tell and how (e.g. standby to contact AA or control room)? Define
communication methods between all parties and test them before the task
begins.
Who will take ownership of that response and make decisions on the next
steps? This may be the ERRP team leader but can also be the incident
response manager for larger incidents.
What are the potential next steps likely to be? These may include dealing with
the problem (e.g. stop leak, put out fire), dealing with its effects (e.g. evacuate
employees and visitors, search and rescue, provide first aid) and the order in
which they will take place. There may be more than one set of options
depending on the impact of the incident. Examples include:
a) While working in a CSE, a separate full site emergency may require
complete evacuation and site muster, whereas an injury within a CSE itself
will require the CSE evacuation and muster.
b) Following an injury within an excavation, if an excavation has partially
collapsed, the safety of the ERRP team needs to be considered, before
they effect a rescue. However, if the injury is unrelated to the integrity of
the excavation, then the team may decide it is safe to effect the rescue or
provide first aid.
Assign actions to individuals or roles. This will differ for the type of emergency.
It may include firstly evacuating the immediate area of other personnel. Then, it
may involve Verifying, where reasonably practicable, that any hazards that may
have caused the emergency, have been removed or reduced to allow the ERRP
team to safely perform their duties. Other examples include:
a) When rescuing a person suspended by fall arrest equipment, members of
the team may need to set-up anchor sling and deploy GOTCHA rescue kit
with the intent of reducing suspension trauma.
b) When rescuing an injured party from a confined space, team members
may need to test the atmospheric conditions, or define the injury – or do
both of these – before deciding if they can treat the injured party within the
space or effect a rescue first. They may also need to decide if external
medical assistance is required.
c) If a lift over live equipment fails, team members may raise the evacuation
alarm. Operations may check for musters and consider shutting down the
surrounding equipment.
Define equipment to be used. The equipment shall be ready and available for
use before the task starts.
If any of the equipment or members of the ERRP team become unavailable, for
any reason, stop the task until the equipment or personnel are available. If the
task is in a confined space, suspend all other permits associated with the
confined space.

18.5.5 Additional information

The additional information section of the certificate allows for any additional
information that is not already included. Examples include the following:
diagrams of a CSE identifying where people will be working and including the
location of hazards and potential escape routes

Page 215 of 361 Revision: B06

diagrams depicting location of people WAH and where rescue equipment may
be mounted
diagrams of evacuation routes and muster points (if necessary)
flowcharts to help with decision making during an emergency response
additional information about specialist equipment to be used
checklists specific to the emergency.
An area has been provided on the certificate for recognition of any attachments. It
may be easier to add as an attachment rather than include it in the additional
information section of the form. This could be particularly useful for more
complicated tasks that may require detailed information, gathered from a variety of
sources.
Examples of additional information and checklists can be found in Annex D.

18.5.6 Approval
The ERRP certificate is Approved by the ERRP team leader, or site equivalent role,
confirming that:
the content is suitable and accurate
all personnel are competent and capable
any equipment mentioned is available and tested and that all ERRP members
understand their duties.
The ERRP team leader shall also notify any other relevant parties (for example HSE
team lead, marine team).
The AA authorises use of Approved ERRP.

18.5.7 Emergency response and rescue plans for confined space entry
If a standard site response ERRP is not adequate for the risks of a planned CSE
task, create a task-specific ERRP and document for the CSE. Include internal and
external drawings or sketches of the confined space. If access is restricted,
physically test the ERRP to Verify it will work before the work begins.
Consider how many other CSE type activities are ongoing and if the ERT can
manage all of them.
The ERT shall attend the confined space worksite during work activity if the ERRP
calls for it.
When the emergency response team is not available, the permit shall be suspended
and the entry points to the CSE physically blocked off to prevent entry.
Where the ERT does not need the emergency response team to assemble at the
confined space worksite, they shall be ready to mobilise at short notice if a rescue is
required.

18.5.8 Emergency response and rescue plans for working at height

If this site standard response is not adequate for working at height, create a task-
specific ERRP for recovering personnel working at a height.
The ERRP shall cover situations where people cannot descend from fixed or
temporary structures or equipment without help and include arrangements to lower
or recover them to ground or deck level by other means.

Page 216 of 361 Revision: B06

The ERRP shall cover rescuing a person left suspended in either fall arrest, work
positioning or rope access equipment and consider the risk of suspension trauma
and rapid retrieval to minimise it.
After 10 minutes in suspension the risk of irreparable damage increases rapidly.
Rescue plans identify the equipment needed. This may include:
fall arrestor with retrieval handle
specialist rescue equipment such as the GOTCHA system
crane and crane basket
a mobile elevated work platform
man-riding winch and basket
forklift with personnel basket
scaffolds and ladders.
Rescue plans shall identify personnel who will perform the rescue.

18.5.9 Emergency response and rescue plans for over side working
If the site standard response ERRP is not adequate for over side working, create a
task-specific ERRP.
The ERRP shall cover situations where people cannot descend from fixed or
temporary structures or equipment without help and where relevant, rescue and
recover people from water. Include arrangements to lower them or recover them to
deck level by other means, or to rescue them using rescue craft (RC).
For tasks where over side working controls include wearing a harness and
suspension line (that is, where someone can fall, but remains suspended), the
ERRP shall consider the risk of suspension trauma.
Rescue plans identify the equipment needed. This may include:
fall arrestor with retrieval handle
specialist rescue equipment such as the GOTCHA system
crane and crane basket
a mobile elevated work platform
man-riding winch and basket
forklift with personnel basket
scaffolds and ladders
rescue craft.
When working over water, a rescue craft or ERRV shall be available with close
standby cover confirmed.
When the work party is not visible to RC, deploy a suitable flag or streamer to
indicate the work party’s location.
When relevant, the rescue plan shall include consideration of:
access for RC below the platform
weather side working
weather conditions and forecasts

Page 217 of 361 Revision: B06

how the rescue would be affected if personnel are in the water and do not float
free of the jacket, wells, piping, structure or all of these.

18.5.10 Emergency response and rescue considerations for lone working

Where work is required at remote sites and lone working is the planned option, a
TRA shall determine if a lone worker can do the work safely.
The following shall be considered to reduce the risks associated with lone working:
train lone workers on emergency response
establish a clear action plan in the event of an emergency (for example how do
they raise the alarm and who do they contact?)
set limits for what is permissible during lone work (some tasks may be deemed
too difficult or dangerous to be carried out by a lone worker)
require supervisors to make periodic visits to observe lone workers at the
frequency defined in the risk assessment
regular contact between lone workers and supervisors via phone or radio
use automatic warning devices that alert others if signals are not received
periodically from a lone worker
Verify that lone workers have returned to fixed base or home after completing a
task.

18.6 Abrasive task on live equipment certificate

The abrasive task certificate is designed to manage the risks associated with
performing abrasive tasks on live equipment.
Isolate and depressurise equipment or lines whenever reasonably practicable, for:
abrasive blasting, grinding, buffing, needle gunning, power tools with abrasive
attachments or other abrasive tasks for non-destructive testing
preparing for fabric maintenance
executing repairs, maintenance or modifications
retrojetting.
Operational and logistical constraints can mean that not all the fabric maintenance
can be done during a planned shutdown. If this happens, work may be executed
during normal operations, if the following conditions are met:
the planned scope has an Approved Abrasive Task Certificate (ATC)
the risk assessment for the task execution may be a Level 1 TRA or Level 2
TRA depending on the task. The risk assessment is Approved by the SA as a
minimum, and permit authorised for use by SA
the ATC is required for every abrasive task activity and is Approved by the
OSTL or their delegate.
The abrasive task certificate records the output and requirements of an engineering-
based risk assessment that has determined the risk of integrity failure while executing
abrasive work is low enough for the task to continue (see Table C.6).
Following abrasive activities (on live or isolated equipment), the SA should Verify
that the integrity of the equipment being returned to operation meets the design
requirement, if not an ORA is required.

Page 218 of 361 Revision: B06

18.7 Mechanical seal plugs certificate

Mechanical seal plugs are specialist devices or equipment and shall only be used
where there are no other reasonably practicable alternatives. To use as an isolation
device, see section 14.14.8 obtain the entity leader’s (VP’s) approval supported by
an engineering review documented in a formal process (for example MoC).
Complete a mechanical seal plug certificate whenever a seal plug is used (see
Table C.7).
Where plugs or balloons are used as a vapour barrier obtain AOM approval see
section 14.14.8

18.8 Well handover certificate

A well handover is the point where the ability to influence or control the state of a
well or well equipment moves from one party to another (including between two BP
operating entities). Therefore, a formal transfer of accountability shall take place to
Verify that the receiving party can continue operations safely and effectively.
GOO-GE-PRO-00001 BP Procedure Global Operations Organization: Risk
Management (100243) defines the functional boundary between GOO and GWO to
be the flange downstream of the wing valve. Isolations executed by GOO for a well
handover and to isolate plant process from the tree and wellhead are normally
applied downstream of this functional boundary. But they could also include the
wing valve when applicable (e.g. where GWO has no plans to remove it).
In this case downstream for wing valve is always the outer flange from the well. It does
not change due to flow direction (e.g. production or injection as can be interpreted by
GOO).
Use the local well handover certificate (WHC) to conform with sections 18.8.1 and
18.8.2.

18.8.1 Well handover from GOO to GWO and from GWO to GOO
For well intervention work, where GOO is handing over responsibility for CoW to
GWO, the SA and GWO representative shall:
define the scope of work covered by the WHC
define CoW responsibilities and accountabilities
assign an accountable person for the CoW activity.
The WHC shall reference, as a minimum:
preventive maintenance and valve integrity testing status for all tree and
annulus valves, wellhead, annulus pressures and depressurisation details when
applicable
valve status for wing valves (WV), upper and lower master valves (UMV, LMV),
swab valve, downhole or subsurface safety valve (DHSV or SSSV) and further
downstream valves if applicable
ICC number when plant process has been isolated. This isolation shall follow
the requirements in section 14 of this Upstream CoW Procedure.

18.8.2 Well handover in GWO, and from GWO to GOO

GWO follows the requirements in BP Practice Well Handover (100023) to manage
either of the following:

Page 219 of 361 Revision: B06

internal well handovers in GWO (that is, from Drilling to Well Interventions and
vice versa)
where GWO is handing over responsibility to GOO (that is, Drilling to
Operations, Well Interventions to Operations).
See BP Practice Well Handover (100023) for more information that needs to be
detailed in the WHC.
For well equipment (for example the tree and wellhead), the applicable BP Practice
Well Barriers (10-65) (100222) and approval process for non-conformant isolations,
shall govern all isolations:
required for well intervention or breaking containment
for piping connected to the well.
For wells isolation on non-BP operated sites, the CoW section in the bridging
document details how any gaps between the requirements of Group Defined Practice
Control of Work GDP 4.5-0001 and the contractor’s safety management system, are
managed.

18.9 Pre-startup certificate

Use a pre-startup certificate to Approve the introduction of fluids or energy into a
system if its containment envelope has been broken (see Table C.9).
The SA may decide a pre-startup certificate is not required when appropriate checks
are included within the IDP or permit and scope is limited (e.g. calibrating
transmitter, leak testing pig receiver or launcher doors).
The SA shall Approve the certificate, but this approval can be delegated to an AA for
individual pieces of equipment or small subsections of plant.

18.10 Ventilation plan certificate

For work inside a confined space, where actual or potential atmospheric hazards
exist, a ventilation plan Approved by the HSE team is required. Ventilation has
several benefits. It can replace oxygen being consumed by a task (welding) and
provide dilution and removal of fumes when a task or worksite is adding potential
contaminants to the atmosphere (grinding). It can also help to create a tolerable
temperature within the confined space. Ventilation can be provided naturally or
mechanically depending on the nature of the space and the work.
The ventilation plan determines the ventilation requirements for the space and tasks
taking place and documents the layout of equipment and people. The plan is completed
by discipline engineering and is attached to permits as a certificate.

18.11 Pressurised habitat certificate

This certificate is required for all Type 3 habitats and has to be completed before a
habitat is used. The certificate is Approved by the habitat inspector or the AA.

18.12 Heavy equipment movement certificate

Use this certificate when it is planned to move heavy equipment off any permanent
roadway or area designed for vehicular movement. Heavy is defined as exceeding
the axle loading for the bridges, roadways or areas over which the equipment will
travel. The certificate is Approved by the OSTL or delegate.

Page 220 of 361 Revision: B06

18.13 Cross site boundary isolation certificate

This is required when an isolation is required for pipes, cables, drains or
communication connections that cross the site boundaries between BP sites or a
BP and a third-party site. This documents the process for controlling and
communicating the isolations.
The SA Approves a cross site boundary isolations certificate.

18.14 Leak testing certificate

This certificate summarises the leak test plan and acceptance criteria. The leak test
SPA records the results of the test on the certificate.
The certificate is accepted by AA.

Page 221 of 361 Revision: B06

19 Purging, leak and pressure testing

Test equipment and piping systems for leaks to confirm integrity following
alteration, repair or joint disturbance.
When using temporary equipment for purging, these activities shall be managed
using the leak test process covered in this section 19.
This section does not apply to GPO projects when commissioning new equipment
on greenfield or brownfield sites. Requirements for integrity testing of equipment
and piping for GPO projects are defined in a project-specific procedure based on GP
32-20 Site Inspection, Testing, and Commissioning of Plant and the GPO Joint
Integrity Tightness Testing Guide (GPO-CG-GLN-00009).
For GWO, this section only applies to GWO Maintenance activities on BP owned
and operated equipment. GWO is required to follow BP Practice Pressure Testing
(10-45) (100218) for pressure testing in drilling, completions and interventions
operations.

19.1 Purpose of leak testing

Leak testing (as distinct from hydrostatic strength testing or pressure testing) provides a
final and complete test of the tightness or integrity of a process or utility system. It uses
techniques and materials that allow the entire pressure envelope to be tested in
conditions which simulate normal operating conditions.
To maximise the value from leak testing, use a test medium which resembles the
physical properties of the normal operating fluids. Water is generally used on liquid
service equipment and nitrogen on dry gas systems. For two-phase operations,
water may be used up to the normal operating level with nitrogen above to most
closely replicate live conditions. This allows function testing of instrumentation in
advance of introducing the operating fluids.

19.2 Managing leak and pressure testing

The SA shall appoint a leak test single point of accountability (SPA) to design,
supervise and manage each leak, purge or pressure test.
When an alteration has been made to the equipment or pipework the design of the
test is specified by engineering and covered by an MoC. See section 19.3.
Every test, with the exception of in-service testing (19.5), shall have a valid leak test
certificate (Table C.14) attached to either the IDP or permit.
The SPA shall verify that any temporary equipment being connected to the facility is
either covered by a valid MoC, or its use does not require an MoC.
When a test continues over shift:
the SA shall Approve a delegate for the leak test SPA who will assume the SPA
responsibilities and continue to manage the test.
the shift handover shall include the status summary and any monitoring and
verification requirements.
When a weld or joint is excluded from testing, document the reason for exclusion
and Approve as part of reinstatement or system handover management process.
For example, this can be because a 100% non-destructive test of that weld or joint
is the lower risk solution. These are sometimes called a golden weld or witnessed
joint.

Page 222 of 361 Revision: B06

Choosing the correct method of leak testing is the first step in deciding how to safely
and efficiently execute leak or pressure testing.
In BP, and the wider industry, various terms are used to refer to methods of pressure or
leak testing. For this Upstream CoW Procedure, the following six test methods and
terminology have been adopted by BP.
• Pressure testing
• Gross leak testing
• In-service leak testing
• Tightness testing – hydrostatic
• Tightness testing - standard pneumatic
• Tightness testing - high pressure pneumatic
Section 3 (Terms and definitions) and section 19.3 to 19.9 provide guidance on each of
these terms.
Three engineering practices cover leak and pressure testing:
• For operational facilities – GP 32-40 In-service pressure testing - common
requirements.
• For pipelines – GP 43-46 Guidance on Practice for Pipeline Hydro-test and Pre-
commissioning.
• For new construction, commissioning or TAR - GP 32-20 Site Inspection, Testing,
and Commissioning of Plant.

19.3 Pressure testing

A pressure test verifies the integrity of the equipment. Typically, this would be after
initial construction and will be at a pressure higher than design and used after repair or
alteration.
It is a code mandated pressure test with the test criteria determined through the
engineering design of the system.
A liquid medium (hydraulic testing) is preferred for pressure testing wherever
possible, to minimise the stored energy.
The preferred liquid medium is potable water. However, consider the effect of the
water and any additives on the process (for example formation of hydrates), and the
effect of any residual water or additives on the metallurgy of the pressure envelope.
For details, refer to GP 06-29 Corrosion Protection during Hydrotesting.
When testing austenitic stainless-steel systems, use distilled or demineralised
water containing <250 ppm56 of chloride ions.
When testing carbon steel systems using seawater, treat with oxygen
scavenger (to reduce oxygen content below 50ppb57) coupled with chlorination,
or biocide injection – or both of these – to minimise corrosion.
Pneumatic pressure testing takes place above the design pressure. The pressure test is
normally performed as the first test after initial construction or after an alteration to
the equipment or pipework. The stored energy hazard is significant. If the pressure
equipment fails, then this can result in a blast wave or fragmentation of the equipment
under test. The threat of equipment failure resulting in blast or fragmentation is
significantly lower after the first pressure test.

Page 223 of 361 Revision: B06

19.4 Gross leak testing

A gross leak test is performed to ensure overall leak tightness of the system or its
connections before further testing or process medium is introduced.
A gross leak test typically uses dry air or nitrogen up to a maximum of 8barg
(116psig)58 but not exceeding 90% of the maximum potential system operating
pressure, to identify large leaks before doing further service or tightness testing.
A gross leak test may be used as a preliminary leak test for new construction, hook-
up or following disturbance of a significant number of joints such as in TAR or
overhaul.

19.5 In-service leak testing

In-service leak testing, sometimes called service testing, is a tightness test using the
process medium or fluid at the normal operating pressure of the system and is
performed during startup of the equipment. The risk assessment can be part of the IDP,
TRA or SOP depending on which type of document is being used to manage the service
test.
The following systems are normally service tested:
water or water injection (for example seawater, potable water, open drains)
steam
nitrogen generation or systems
air.
For hazardous utilities or hydrocarbon, consider a service test where a leak or
tightness test:
is not reasonably practicable and
is covered by a risk assessment that considers the potential toxicity, flash
point, volume, temperature and pressure of the fluid.
The minimum approval level for service testing with hazardous utilities or
hydrocarbons is SA.
Where reasonably practicable, perform a gross leak test before a service test on
hazardous process fluids and hazardous utilities.

19.6 Tightness testing

A tightness test is performed to ensure overall leak tightness of the system’s
mechanical connections before the process medium is introduced.
If no alteration has been made, then the (leak) test is a tightness test. There are three
methods of tightness testing:
• Hydrostatic
• Standard pneumatic
• High pressure pneumatic
Tightness testing:
• confirms that the plant or system is leak tight
• verifies that production equipment and piping systems are safe for hydrocarbon
gases and liquids, and hazardous utilities, to be introduced

Page 224 of 361 Revision: B06

• demonstrates integrity of all hydrocarbon production and hazardous utility systems

• allows function testing of instrumentation in advance of introducing operating
fluids.
Complete a tightness test at the following percent of the design pressure or relief
device pressure setting:
1. Hydrostatic at 90%59
2. Standard pneumatic at 30%59
3. High pressure pneumatic at 90%59.

19.7 Hydrostatic tightness testing

Hydrostatic testing uses a liquid test medium; the preferred liquid medium is
demineralised, potable or treated water. However, consider the effect of the water
and any additives on the process and metallurgy, including:
the formation of hydrates or corrosion
the impact of water in vacuum systems
the impact of water in cold climates
where the weight of water is more than the system is designed for (this could
result in structural failure or rupture).
When testing carbon steel systems using seawater, treat with oxygen scavenger (to
reduce oxygen content below 50 ppb57) coupled with chlorination or biocide
injection, or both of these, to minimise corrosion.
Use distilled or demineralised water containing <250 ppm56 of chloride ions when
testing austenitic stainless-steel systems.
Further requirements for water quality are in GP 06-29 Corrosion Protection during
Hydrotesting.
Consider the following if selecting liquids other than water:
the possibility of explosion resulting from the diesel effect
the boiling point relative to the test temperature
the flammability of the liquid: a minimum flash point of 65°C (149°F)60, and at
least 10 degrees above the maximum test temperature.
Consider the possibility of brittle fracture when doing a hydrostatic test at metal
temperatures near the ductile/brittle transition temperature of the steel. We
recommend not using hydrostatic leak testing when the ambient temperature is
below 2°C (35°F)61 on equipment and piping constructed from non-impact tested
carbon steel materials (for example, API 5L, A 106, A 105 and A 216) with nominal
thickness of < 19mm (3/4in).
For non-impact tested carbon steel materials with nominal thickness > 19mm (¾in),
a competent person specifies the minimum metal temperatures for leak testing,
based on requirements of GP 42-10 Piping Systems. Sites shall identify any
systems containing non-impact tested carbon steel and prepare the appropriate
local test procedures.
To select any hydrocarbon or other flammable or toxic fluid, conduct a Level 2 TRA,
where the initial impact is F or above, with SA as minimum approval level.

Page 225 of 361 Revision: B06

19.8 Pneumatic tightness testing

Used for pressure testing, gross leak testing, standard and high-pressure tightness tests.
Pneumatic testing is a pressure or tightness test where a gas, generally nitrogen,
nitrogen/helium mix or air, is the test medium.
Tightness tests are completed at pressures below the design pressure after successful
completion of the pneumatic or hydrostatic pressure test. If the equipment has not been
altered, then the pressure test that was completed as part of the initial construction
confirms the integrity of the material and welds. Blast and fragmentation hazards are
not normally considered significant when risk assessing tightness tests. The more
significant threats include local failure of fittings and personnel contact with leaking
test medium.
Nitrogen can asphyxiate. Manage this when opening vessels that have been
nitrogen-purged or when nitrogen is being vented.
Air can form explosive mixtures with hydrocarbons and this hazard needs to be
managed through the purging and testing process.
Inert gas mixtures (for example nitrogen or a nitrogen/helium mix) may be used for leak
testing. This may be the preferred method:
• for gas or flare systems testing
• where using water could harm the process
• where the weight of water is more than the system is designed for (this could
result in structural failure or rupture).
Nitrogen leak testing generally uses nitrogen quads, site nitrogen equipment or
both. Site generated nitrogen is typically 98-99% pure but shall be 95%62 as a
minimum.
Alternatively, a specialist contractor’s nitrogen pumping equipment and bulk tanks might
be used. When using a specialised contractor, these tests generally use 99-99.5%63
nitrogen with a 0.5-1% helium tracer gas.
Helium tracer testing is normally used for large-scale testing of plant or for installing new
equipment involving a specialist contractor. Bubble testing is normally for smaller scale
testing using nitrogen quads.
When nitrogen leak testing vessels containing a catalyst, use catalyst
manufacturers’ recommendations for nitrogen purity.
If the system cannot be leak tested as a single system, then begin testing with the
highest-pressure system to enable decanting to other systems. This will help
conserve nitrogen by decanting to pressurise or partially pressurise other systems.
To avoid background helium readings and to help detect leaks, tape flanged joints
for nitrogen or helium leak tests. Tape other joints and valve stems only as required
for identification numbering on as-built drawings and reference back to the testing
database. Remove the tape once testing is complete.
Gradually introduce pressure into the system, allowing enough time for temperature
equalisation. Be aware that the cooling Joule-Thompson effect happens when
introducing high-pressure nitrogen or air into the system to be tested.
Consider the possibility of brittle fracture when doing a pneumatic test at metal
temperatures near the ductile, or brittle transition temperature of the steel – or both
of these. Pneumatic testing is not recommended when the ambient temperature is

Page 226 of 361 Revision: B06

below 2°C105 on equipment and piping constructed from non-impact tested carbon
steel materials (for example API 5L, A 106, A 105, A 216) with nominal thickness of
<19mm (¾ in).
For non-impact tested carbon steel materials with nominal thickness >19mm (¾in),
a competent person specifies the minimum metal temperatures for leak testing,
based on the requirements in GP 42-10 Piping Systems. Sites shall identify any
systems containing non-impact tested carbon steel and prepare the appropriate
local test procedures.
Introducing nitrogen to a system creates an energy source far greater than the
energy stored in an equivalent liquid leak test. To minimise this stored energy, add
water to vessels that normally operate with a liquid level before pressurising with
nitrogen. However, make sure filling with water will not cause corrosion, scaling, or
contamination problems.

19.9 Selecting test method

Use the flowchart in Figure 19 to select a test method.
A standard pneumatic tightness test (30% of design pressure or up to 90% of
pressure relief valve set pressure) can only be selected if the flanged joints are
assembled in accordance with GOO-PM-GLN-00011 BP Guide Build it Tight (BIT)
Flange Management (100577). This includes:
assembly workmanship and integrity of connections
systematic approach to bolted joint assembly
systematic approach to defect elimination
assembler training and competence.
When conducting a pneumatic tightness test, a standard test (taking credit for BIT) is the
preferred test method. The standard test reduces the risks associated with the test
arrangement (such as test fittings and test equipment) and improves efficiency in terms
of time and cost.
Both ASME PCC-2 and HSE GS4 recommend tightness tests are carried out at
pressures between 10% and 35% max.
The test pressure is selected to maximise the test envelope where adjacent
systems require slightly different test pressures. The system tests may be
combined by selecting a single test pressure that is within the specified range of
both systems.
If bursting discs are present within the test boundary with set pressures less than
the relief device or design pressure, the leak test pressure shall be 90%64 of the
burst disc set pressure inclusive of rupture tolerance.
For compressor and pumps, Verify the seal systems are suitable for the proposed
test pressure. If the seal pressure is the first constraint, then typically test to 90%
of the seal design pressure. Consult SME to Verify the test plan and pressure are
suitable.

Page 227 of 361 Revision: B06

*When selecting test pressures, consider other

system limitations (e.g. pump or compressor seals)
Define scope of piping and
equipment to be tested

Pressure test method, pressures

Has an Alteration and acceptance criteria specified
YES
occurred to the as part of engineering design
equipment or documents or work pack.
pipework? This is sometimes called a
NO
strength or integrity test

Are there
numerous
disturbed joints YES
Gross leak test using N2 or air
or will there be a
up to 8bar max
service test as
per section NO
19.5.b?

Can a service
test be used in
conformance YES
In-service leak test process fluid
with section at operating pressure
19.5a (e.g.
water, steam, NO
nitrogen or air)?

Is it reasonably
practicable to YES Hydrostatic test at
carry out a 90% design pressure or 90%
hydrostatic pressure relief device setting
tightness test? NO
Has ‘BIT’
standard
been
followed?
Is it reasonably
practicable to YES NO High pressure tightness test
carry out a 90% design pressure or 90%
pneumatic pressure relief device setting
tightness test? NO YES

Standard tightness
L2RA
test.
To identify controls and assess
30% of design pressure or up to
if risk of service testing is
90% of pressure relief device
acceptable
setting

Figure 19 - Selecting test method

Page 228 of 361 Revision: B06

19.10 Selecting test medium, pressures and acceptance criteria

Table 38 - Selecting test medium, pressure and acceptance criteria

Test method Pressure Medium Acceptance criteria

Engineering design
defines test
Water
Pressure test requirements. Typically, Min 30 minute pressure hold (note 1)
Nitrogen or air
110% to 150%65 of
design pressure

8 barg (116 psig)58

maximum or 90% Holding pressure (notes 1 and 2), audible
Gross leak test Nitrogen or air
pressure relief device leaks or ultrasonic testing (note 6)
setting.
Process Visual bubble test – (method 1 or 2 in note
In-service leak test Operating pressure
medium 3) or drip test no visible seepage

90%59 design pressure

Hydrostatic tightness test or 90% pressure relief Water Drip test. No visible seepage
device setting.

30%59 design pressure Visible bubble test (method 1 or 2 in note

Standard pneumatic 3)
tightness test or up to 90%pressure
relief device setting. Helium tracer (note 4)
Nitrogen or air
High-pressure pneumatic 90%59 design pressure Visible bubble test (method 1 or 2 in note
tightness test or 90% pressure relief 3)
device setting. Helium tracer (note 5)
Notes:
1. A test is successful if there is no significant reduction in pressure over the test period and all joints and
connections have been visually inspected for leakage. Sometimes it might not be possible to maintain a constant
test pressure due to trapped air in the system or passing valves.
2. If the pressure drops more than 2% during the test, the visual inspections are suspended until the pressure can
be restored. Joint inspection can be resumed once the system is back at test pressure.

3. Bubble test Method 1: Apply a soap solution to the joint and monitor A bubble test is successful
for surface bubbles. if there is no continuous
bubble growth on the
surface of the connection
under examination.
Five bubbles per minute.
Method 2: Tape the joint, insert a 6mm (¼in) diameter
(This approximates to
tube from the flange into a water bucket, and monitor the
15scf a year from a 6mm
number of bubbles released.
(¼in)66 tube.)

4. Helium tracer for Duty scf/yr maximum

standard pressure Oil 133
(30%)67 Gas <50 barg (725 psig) 20
Gas >50 barg (725 psig) 10

5. Helium tracer for high Duty scf/yr maximum

67 Oil 400
pressure (90%)
Gas <50 barg (725 psig) 200
Gas >50 barg (725 psig) 100

6. Ultrasonic leak testing. To be carried out by a trained and competent person following an Approved procedure
which includes test method and acceptance criteria.

Page 229 of 361 Revision: B06

19.11 Designing the test

The leak test SPA shall:
create testing envelopes that resemble operating envelopes as far as
reasonably practicable and include all connections and periphery equipment
that make up a system.
The leak test SPA shall consider the following in the design:
The test envelope has a PSV with sufficient capacity and a set pressure to stop
the test or design pressure being exceeded.
Full flow pressure relief is available through PSVs. It is acceptable and
appropriate to use PSVs on an installation’s system or plant for leak testing.
However, if full flow pressure relief is not available using a plant system, then
use temporary PSVs. If full flow pressure relief is not provided, then complete a
Level 2 risk assessment to show that enough control is in place to manage the
HP/LP interface.
Where pressure at PSV location cannot be monitored from the pressure
injection location, then a communication protocol is needed to Verify the PSV is
at system pressure and providing the expected protection.
All HP/LP interfaces are clearly identified and adequately protected.
The pressure envelope under test is minimised to reduce the level of stored
energy in the envelope.
Testing takes place as close as reasonably practicable to the startup date.
If simultaneously leak testing two independent and non-connected envelopes
that are adjacent to each other, the effects that failure in one pressure
envelope might have on the other.
The effect on any adjacent system if the pressure in the leak test envelope
were to migrate into that adjacent system.
Any interfaces with lower pressure systems or equipment (use positive or
double block and bleed isolation and consider locking open a vent path to
prevent over pressurisation).
The location and condition of screwed fittings within the test envelope.
Any parts inside the proposed envelope that the test pressure may adversely
affect (for example the maximum static pressure on a balanced pump seal,
balanced heat exchangers requiring pressure on both sides of the unit).
The ability to control the rate of pressurisation and depressurisation within the
design limits of the system (including the full depressurisation route).
Connected high-pressure equipment (for example accumulators or pulsation
dampeners).
The suitability of components (for example expansion joints, pipe supports and
spring hangers).
The need for additional temporary piping support (and removing it after
reinstatement).
The need to restrain or protect any pipe supports, spring hangers or expansion
joints.

Page 230 of 361 Revision: B06

The implications of non-return valves or other devices or system configuration

with the possibility to trap pressure (e.g. fail closed valves).
Providing an emergency depressurisation route for large-volume tests. This will
ideally be a remote operated blowdown valve, which is an integral part of the
leak test envelope and will operate automatically on an installation trip and
blowdown event. If this is not possible, identify a manual blowdown route.
Both the IsA and the leak test contractor are aware of its location.
If the test envelope extends beyond one site (for example pipelines), establish
effective communication, including formal procedures, between each site.
Set a minimum safe distance for barrier far enough from the equipment to be
tested considering the volume, pressure and type of test medium.

19.12 Documenting the test

The SPA shall record the test requirements and results in the leak test certificate.
The testing shall be part of the IDP or permit. To minimise the number of
documents used and hence human error, include the leak test within the IDP where
reasonably practicable.
When an SOP is used to detail the leak test, include its reference number in the IDP
or permit.
The IDP, or procedure shall include the following:
For preparing for the test – the isolation and isolation state changes needed.
For conducting the test:
a) the test method
b) procedural steps
c) pressurisation and venting rates
d) drawings (P&IDs) with details (for example isolation points, fill and vent
points, and valve status).
e) Monitoring requirements.
f) Depressurisation.
g) De-isolation and reinstatement.

19.13 Preparation for a leak test

The leak test SPA shall Verify the following:
Pressure indicating, sensing, and relief devices are secure and online,
calibrated, and set to the appropriate pressure as necessary.
The area is cordoned off with barriers at the distance set in the test procedure
or plan.
Warning signs are posted at access ways, other strategic positions, and on the
equipment to be tested or on the door of test workshops or other designated
test areas.
Blanking devices (for example spades blinds and screwed plugs) conform to
the equipment specification.

Page 231 of 361 Revision: B06

A suitably calibrated pressure-indicating device, or devices, is located where

the person controlling the pressure can clearly see the device, or devices.
Pressurising equipment has suitably calibrated pressure control or regulator
devices.
The equipment to be tested is free from any obvious flaws.
All attachments that are not rated for the planned pressure have been removed
or are effectively isolated.
Any temporary restraints needed are in place and will restrain movement if the
system fails.
Vent and drain valves are in the correct position.

19.14 Checking hardware

Deterioration in the leading threads of connectors can reduce the remaining thread
contact area sufficiently for it to fail under pressure with a sudden energy release.
Typically, this takes place in test fittings and blanks (as these tend to be frequently
tightened and released during pressure testing operations).
All test connectors are subject to cyclic loading, both from the pressure test application
and from tightening torque loadings. Some signs of fatigue are clearly visible and
measurable (deformed threads), and some are not. If there is any doubt, have the fitting
inspected by a competent discipline engineer.
The leak test SPA shall Verify the following:
The pressuring equipment and all associated fittings and connections have
been inspected, are secure, in sound condition and free from contaminants
such as diesel oil.
Fatigue has been considered when test connectors are being inspected and
assessed before the test and for continued use.
Hoses and connectors are suitable for their testing purpose (i.e. they are rated
for the test pressures and test medium).
Flexible hoses are suitably restrained or shielded to restrict whiplash hazard
from failure.

19.15 Executing and monitoring the test

The leak test SPA shall supervise the test and Verify the following:
Before the test, a sweep of the test area is completed to check that no one is
inside the barrier. Communicate that a pressure test is imminent.
Access is prohibited to everyone during pressurisation periods. Following
pressurisation, continue to prohibit access to the test area until the pressure
has stabilised. Restrict access for leak detection to essential personnel (a
minimum of 2), or as specified on the work permit.
Boundaries of the test area are monitored throughout the test to stop
unauthorised personnel entering the area.
During pressurisation and depressurisation, access to the test area is
minimised.
Always begin to add pressure to any system slowly and in a controlled manner.
Stop initially at 4-5 barg (60-75 psig)68 or 25% of the final test pressure if the

Page 232 of 361 Revision: B06

final test pressure is less than 20 barg (290 psig). Confirm the entire leak test
envelope is pressurised before continuing.
Pressure is increased in stages equivalent to 25% of the final test pressure.
Pressurisation is stopped at these intervals (that is, 25%, 50%, and 75%) to
allow the system to stabilise.
The minimum monitoring time for test is 3069 minutes (time required for
pressure stabilisation in the system). When the leak test volume is small
(≤0.3m3 (10ft3)) the time may be reduced to 10 minutes. Typical examples
include; single instruments, small pumps and short lengths of pipe between
isolation valve and pressure relief valves.
Joints and flanges are checked for visible or audible leakage at each step
change in pressure. Pressure drop time assessments are performed at each
stage to satisfy the AA of leak test envelope integrity. Verify adjacent systems
are not building pressure at hold points.
When test pressure is reached, the pressurising equipment is isolated from the
pressure envelope.
In an extended test, the possibility of a pressure increase due to thermal
expansion is considered.
Pressure monitoring shall include any adjacent systems and depressurisation
routes that are not positively isolated. Alarms on adjacent systems and
depressurisation routes are used to monitor for pressure build-up.
The equipment being tested is not subjected to any form of shock loading.
The test results recorded in the leak test certificate or attached prints or charts
from a recording device meet the acceptance criteria.

19.16 Managing identified leaks

If any leakage from a joint is detected during pressuring a system, the PA shall stop
pressurisation and inform the leak test SPA and do one or more of the following:
Depressurise the system using the Approved venting point and repair leak.
Isolate the leak from the test so the rest of the system can be pressurised as
planned to find additional leaks at higher pressures.
Isolate the section that has the leak, depressurise that section and repair.
Use an Approved procedure or method to repair leak at an agreed criteria (e.g.
pressure, temperature).
Depressurise systems under test before bolt re-tightening, tensioning or other
remedial action to reduce leaks. Valve glands may be adjusted but not re-packed
while the system is still pressurised.
Additional information concerning flanged joint repair is given in GOO-PM-GLN-
00011 BP Guide Build it Tight Flange Management (100577) and GP 42-32 Flanged
Joints - repair.

19.17 Depressurising
The leak test SPA shall Verify the following:
When the test is complete, the pressure is reduced gradually and under
controlled conditions following the depressurisation rate in the leak test

Page 233 of 361 Revision: B06

certificate until the system reaches atmospheric or the desired operational

pressure.
Vents at high points are opened before draining liquids, to prevent a vacuum
being drawn.
Where reasonably practicable, inert gases are vented to the installation flare
and vent system. If this is not reasonably practicable, they are vented to a safe
area where they will not affect personnel. Sometimes pressuring fluid can be
decanted into another test envelope to conserve pressuring media. If venting
large volumes to atmosphere, a risk assessment of this activity is conducted
and a procedure detailing how personnel will be protected during
depressurisation developed.
When venting a high-pressure system through a lower pressure system, the
flow rate does not result in a pressure that exceeds the pressure rating of the
lower pressure system.
Liquefied hydrocarbons such as LNG or LPG are routed to a flare via fixed or
suitable temporary facilities and not be released to atmosphere.
Clamps or bolts are not loosened while the system is still under pressure. Only
competent personnel who have been trained in the appropriate procedures can
remove clamps.
There is no trapped residual pressure in any part of the envelope (for example
behind non-return valves or check valves).

19.18 Pipeline pig trap leak testing

Test pig trap doors before a pig trap is left unattended. This requirement can be met
by either of the following:
a tightness test using water or nitrogen
a low-pressure seal test with nitrogen or water followed by a service test.
Manage either through an Approved procedure (SOP) or by approving a risk
assessment within a permit.

19.19 Vessels with engineered closure

Engineered closures are typically designed to be opened regularly and are found on
vessels such as filters and coalescers. They can be managed in the same way as pig
traps provided the closures meet the design requirements of GP 43-50 Pigging, Pig
Launchers, and Receivers.

19.20 Using high pressure gas

The following requirements are in addition to those covered in section 19.
In the context of this section only, ‘using high pressure gas’ refers to use of a gas supply
that has the potential to produce more than a system’s design pressure (e.g. nitrogen
cylinders, quads and/or pumps).
Plant nitrogen, with a pressure of approximately 8 barg, would not typically be
considered high pressure, unless the system design pressure is less than this.
Use a Level 2 TRA to manage leak testing or purging when using;
temporary equipment
gas cylinders, quads or pumps, or

Page 234 of 361 Revision: B06

a specialist contractor.
Fatalities in the industry have resulted from temporary equipment or fittings failing
during leak testing. Industry estimates suggest 95% of incidents can be avoided if
people are sufficiently separated from equipment under pressure.
The requirements in 19.20.c can be delivered for regularly used equipment on a site
by having list of equipment, recorded in the LIP, that has been assessed by
engineering as suitable and conformant.
The leak test SPA shall Verify that engineering has confirmed the following:
Gas injection is supplied through hoses rated for maximum discharge pressure
of the source.
The velocity of the medium shall not exceed criteria specified in EP-GP-28-01.
This can be achieved by either;
a) selecting a suitable size hose, or
b) limiting the flowrate.
Where the velocity criteria cannot be met, engineering approval is required and
documented in the leak test certificate. Engineering review will consider as a
minimum, the effects of high pressure drop and high velocity on all associated
equipment.
Most hose failures are due to high velocities, or incorrect use (e.g. wrong bend angle,
lateral offsets etc). For more information on hose velocity limits, see: EP-GP-28-01
(Flexible Hose Assemblies).
The injection point is suitable for the planned flowrates within acceptable
velocities and pressure drops. High velocities and pressure drops can damage
hardware, seals and instruments. False pressure readings can also occur
impacting OPPD performance or pressure recording equipment.
A suitable PSV (either permanent or temporary) is installed to provide over
pressure protection from nitrogen supply equipment, being able to handle the
maximum rated discharge pressure and flow of supply equipment as per
equipment datasheets:
a) at the injection point and
b) within the system being purged or tested
Where a single PSV may be used to protect the system being purged or tested.
Over Pressure Protection Devices (OPPDs) are installed to prevent safe design
limit excursion and shut off pressurisation equipment when a set pressure is
reached.. When designing the leak test decide on the number and location of
OPPDs required. In making this decision consider:
a) Is an OPPD required?
b) the number and location of OPPDs
c) OPPD response time to stop gas injection.
d) differential between the source and leak test pressures.
e) location and number of sensing elements with respect to the size and
layout of the test envelope.

Page 235 of 361 Revision: B06

In deciding the number and location of injection points, PSVs and OPPDs the
overall risk from the number of disturbed joints and resulting witness joints has
been considered.
OPPDs do not automatically re-start the gas injection if the system pressure
reduces below the OPPD set-point.
The leak test SPA shall Verify the following:
If temporary PSVs are used, consideration has been given to where these PSVs
would vent to if they lift. The location has been agreed with the AA.
All valves between the injection point and the PSVs and, or OPPDs are secured
and tagged in the open position (using yellow pro-locks).
OPPDs are tested before the task commences and the test requirement is
included in the leak test certificate.
In case of OPPD activation during the task, all activity is suspended, and the AA
is informed for further investigation before injection can re-commence.
Where fitted, test the low temperature trip prior to use.
During purging or leak testing operations, all valves that are used to create the
leak test envelope, are either; managed by an IDP, or secured and clearly
tagged (e.g. Do not operate, purge / leak test in progress)
A communication protocol is in place for conducting the leak test.
Before pressurisation, the AA or delegate and leak test SPA shall walk through the
system to be tested with the marked-up P&IDs and Verify the following are as per
the leak test certificate and supporting documents:
test envelope limits
valve positions
injection points
over pressurisation protection and monitoring positions and settings
method to safely depressurise the system
the test area is adequately barriered off
all relief valves are online, and settings are as specified
When a leak test goes over a shift, the shift handover shall include the status
summary and any monitoring and verification requirements.
Figure 20 shows an example layout for purging and leak testing using temporary
equipment.

Page 236 of 361 Revision: B06

Figure 20 - Example layout for purging and leak testing using temporary equipment

19.21 Leak testing positive isolations

All positive isolations shall conform to section 14.14.3 of this procedure, be fully
rated and appropriately torqued.
Positive isolations that are likely to see material and/or pressure shall be leak tested
before use.
For example: Dropping a spool to have an air gap and installing a blank on the
process side of the positive isolation.
When assessing whether a positive isolation is likely to see material and/or pressure
consider the following:
known or historical integrity risks with valve isolation integrity
the risks from integrity or process event issues
human error associated with the duration of the isolation and management of
PBUs
potential for trapped fluid and/or pressure
effects of thermal expansion
potential for blank/spade and joint corrosion
how to safely remove the positive isolation (e.g. use vented blank, vented
spade or temporary system shutdown to remove any pressure).
LTI positive isolations shall conform to section 14.27 of this procedure.
LTI positive isolations shall be leak tested as soon as reasonably practicable.

Page 237 of 361 Revision: B06

Positive isolations that are not likely to see material and/or pressure, do not require
a leak test.
For example:
1. Dropping a spool to have an air gap and installing a blank on a confined space side
of the positive isolation.
2. Inserting a spade into a flange connection with a proven valve isolation on the
process side of the positive isolation including ongoing verification of integrity via
PBU
All leak testing shall be conducted in line with this leak testing section 19.

19.22 Leak testing relief valve flanges

When relief valves (RV) are removed for overhaul or replacement, the flanged joints
upstream and downstream of the RV shall, where reasonably practicable (e.g.
where suitable isolation and vents are available), be leak, or tightness tested in line
with Figure 19.
When leak testing the downstream flange, leak test to the maximum allowable back
pressure of the RV, or 90%70 of the downstream line design pressure, whichever is
lower.
The downstream line design pressure can be limited in three ways:
• the downstream line (spool) can be fully rated to the same design pressure as the
upstream line
• the downstream line (spool) can be rated to the same design pressure as the flare
header
• the downstream flange of the RV can be connected directly to the isolation valve.
The maximum allowable back pressure can be found on the PSV data sheet.
If leak testing of the downstream flange is not reasonably practicable (e.g. relief
valve to flare with no block valve), use the process in Figure 19 to determine if it is
safe to perform a service test.
Note: when assessing the risk of using a service test on the downstream flange,
consider that, in many cases there is negligible pressure in the flare system until a
system on the plant is relieving.

Page 238 of 361 Revision: B06

20 Plant reinstatement
For GWO, this plant reinstatement section only applies to GWO maintenance activities on BP
owned and operated equipment. GWO is required to follow BP Practice Pressure Testing (10-
45) (100218) for pressure testing in drilling, completions and interventions operations.

Reinstating plant and equipment requires as much attention to planning and detail as the initial
isolation. Historical data shows that many incidents involving failure of isolations, occur during
reinstatement.

a. The SA shall use either of the following:

1. Full system handover management (SHM) or guidance on certification (GOC)
process for managing reinstatement following local SHM or GOC procedures
typically used for major activities such as TAR or projects.
2. Simplified or ‘SHM light’ for smaller maintenance type activities comprising of:
a) IDP
b) pre-startup certificate where applicable
c) witness joints where applicable
d) leak or tightness testing (see section 19)
e) broken joint tagging management (see section 16.8).
b. Typically, the system handover process is as follows:
1. The SA shall Verify that CoW roles assigned are competent and able to deliver
the SHM requirements.
2. The IsA and Isolator are responsible for isolating the equipment or system for
work to be executed using an IDP.
3. The AA, or IA when delegated, handover to PA to execute work.
4. Upon mechanical completion, the PA will handover to the AA, or IA who shall
Verify the work is complete and within the documented scope.
5. The AA shall Verify ‘return to service’ requirements – confirming the applicable
level of ‘commissioning’.
6. All applicable CoW checklists, certificates, witness joints, leak testing and
broken joint integrity management are available and complete.
7. After completion of commissioning the AA informs the SA.
c. The SA shall:
1. Verify that a plan is developed and implemented to safely return equipment or
plant to service, and
2. Approve readiness of plant reinstatement for larger scale jobs or restarts of the
whole facility.

20.1 Return to service

The SA is accountable for developing and implementing a plan for safely returning
equipment or plant to service.
The plan includes pre-start verification checks to confirm the equipment or plant is
ready for return to service. To develop these checks, consider the following as a
minimum to deal with the risks involved in a restart:

Page 239 of 361 Revision: B06

intrusive work, including removing scaffold, is complete

critical equipment (for example relief valves, F&G, and ESD systems) are de-
isolated and available
broken joint integrity is reinstated
equipment (for example fittings and hoses that were attached during the
testing) has been removed
check that any plugs, caps or blanks have been replaced to original specification
after any fittings and hoses have been removed
oxygen, water, or leak test fluids introduced during the outage have been
removed
management of dead-legs
valves have been reinstated to normal operating status
LO/LC valves are secure, and their status has been checked
rate of increase of temperature or pressure during startup
competent personnel are available to do pre-startup checks
the quality of the pre-startup checks is verified
the introduction of hydrocarbons is authorised
plant or equipment is restarted.
Table C.9 has a pre-startup certificate to help SA manage safe plant restarts.
For all plant outages that have involved intrusive work, line-walking is performed as
follows to confirm the plant or equipment is ready for restart:
line-walk each system to be reinstated
the AA verifies that the technicians or competent individuals who are familiar
with the process system perform the line-walking
P&IDs for line-walking are assigned to individuals for marking up to record a
system has been checked. The line walker signs and dates each drawing used.
The line-walking checklist in Table D.8 can be used to help mitigate human error.
For TARs and extended system outages, draw up a specific TAR and planned
intervention pre-startup certificate, based on the template Table D.8. This is part of
the overall verification process that the SA uses to Approve the introduction of
hydrocarbons and plant restart.
Use a pre-startup certificate for all plant startups following TARs or extended plant
outages. The SA may decide not to make this a requirement for plant startups
where there has been minimum intrusive work (e.g. following a trip).
Pre-startup certificates are used for all plant startups following maintenance work.
The SA may decide not to make this a requirement when the scope is minimal (e.g.
maintenance routines or replacing a single instrument). The integrity verification
required will depend on the extent of the work that has been carried out. It ranges
from leak testing process systems to function testing logic systems or shutdown
systems. In all cases, these tests and their results are recorded using SHM. Only
after these tests have been successful can the SA, or AA if delegated, give
permission to reinstate the plant or equipment. In all cases, a level of pre-start
verification and line walks shall be done to Verify the plant or system’s full integrity.

Page 240 of 361 Revision: B06

The line walk checking and pre-startup certificate are to Verify the integrity of the
system to prevent a loss of primary containment (LOPC). They are not designed to line
up the whole system ready for startup.
Do not reinstate a system until the section where containment was broken has
been leak tested or the broken joints managed as a witnessed joint (see section
20.2).
Following successful leak testing, complete plant line-up checks to Verify the plant
is ready for the reintroduction of process fluids.
Before plant and equipment is reinstated, Verify that:
the plant and equipment are ready to be re-energised
process fluids can be reintroduced.

20.2 Witnessed joints

Typically, connections that are dismantled after a leak test, left deliberately
untested, or are not part of the leak test boundary, are treated as an untested joint
and use the witness joint process to manage the risks associated with them.
A witnessed joint is:
independently witnessed
quality assured by following an Approved jointing procedure
recorded on a joints register that contains joint identification number, system
ID, operating fluid, temperature and operating pressure
monitored as agreed in the risk assessment, for any leaks as part of a service
leak test.
The SA shall Verify that a competent mechanical person witnesses the making of
the joint. As a minimum, they are to Verify that:
the surface is clean
the correct gasket or seal ring is used
no scoring on surface or gasket is present
the correct sequence and value of torque is applied
the leak test section of the five-part joint tag is used to indicate the flange is a
witnessed joint: write witnessed by and, or a large ‘W’ on the tag.
If no leak is detected, then a portion of the tag is torn off and signed-off to its
inspection test record.
The leak testing SPA shall Verify the leak test certificate specifies the frequency and
type of leak test monitoring and that post leak test monitoring is completed and
recorded.
Lagging and cladding may be left off and scaffolding left in place to conduct this
verification. Where this is not desirable (for example LNG), a tell-tale may need to be
fitted to the cladding.
After hydrocarbons or hazardous utilities are introduced, visually check joint integrity
of all broken joints and other joints on the same system that might have been
affected by disturbance of the system. Repeat checks typically every 12 hours71
until the plant has reached its normal operating pressure and temperature. These
checks are done for a minimum of two days.

Page 241 of 361 Revision: B06

The systems are re-energised to Verify their technical integrity and for the team to
prove the integrity of any joints that were broken or re-made. The team needs to
complete the joint integrity forms and the pre-startup certificates, before the SA, or
delegate, allows the re-introduction of the process fluids.
In some circumstances, it may not be reasonably practicable to apply the witness
joint process to all untested joints. In these cases, other controls shall be used to
manage the risks.
When untested joints are not classified as a witness joint, Verify:
a) a five-part tag (orange section) is used to identify the point needing
additional verification
b) competent technicians refit plugs/blank flanges to the original specification
c) after hydrocarbons or hazardous utilities have been introduced, production
technicians follow the joint checking process described in 20.2f above,
visibly checking the disturbed joints a minimum of every 1271 hours for two
days, before removing the five-part tag.
It is not expected that the tag will be applied to the plug, as when the plug is
removed, the identification will be lost. Attach the tag to a suitable place close to
the disturbed point and make it clear on the tag (orange section) which point is
being referred to.
Below are some examples of where it may or may not be considered reasonably
practicable to apply the witnessed joint process to an untested joint. In all cases, the
higher standard is the preferred choice:
• Example 1: Casing drains with blank flanges on the bottom of a compressor that
will operate with hydrogen at 30 barg. In this case, the result of these blank flanges
leaking, once the compressor is running, could be catastrophic. Therefore, based
on reasonable practicability, these blank flanges would be treated as witnessed
joints.
• Example 2: A plug on a 3 barg cooling water circuit where the valve upstream of
the plugs was part of the leak test envelope. In this situation, you may decide that
this joint does not need to be witnessed and would just be subject to the
verification process described in 20.2b above.
• Example 3: a vent/bleed point within the isolation boundary used to introduce the
test medium. One option would be to extend the test envelope to include the
point, another would be to treat as a witness joint.
• Example 4: DBB isolation that is not de-isolated for the leak test and that leaves the
bleed valve and the plug untested. Options as example 3.

Page 242 of 361 Revision: B06

21 Ground disturbance
Ground disturbance is a man-made cut, cavity, trench, or depression made in the
ground by removing the covering material (for example earth or concrete) that is:
deeper than 0.3m (12in)72 if made with hand tools (for example shovels and
spades), or
any depth if made with mechanical equipment (including piles and boring
systems), or sharp objects (e.g. picks, spikes, chisels, posts, earthing or
grounding rods).
All ground disturbances shall have a ground disturbance certificate (GDC).
All underground services shall be positively identified by physically exposing using
safe excavation methods
Excavations >1.2m (4ft)73 deep shall have:
atmospheric testing in a hazardous area and, if there is potential for hazardous
atmospheres, in non-hazardous areas
shoring or grading as detailed in section 21.2. Consider shoring or grading for
shallower excavations depending on soil
access and egress points every 6.7m (25ft)74 (for example in trenches or large
excavations).
See Figure 21 for an overview of the ground disturbance process.

21.1 Ground disturbance preparation and site surveying

The OSTL or delegate shall verify the following:
The procedures used for site survey services are consistent with applicable
sections of ICE/BSI document PAS 128-2014 Specification for underground
utility detection, verification and location.
Further guidance and input on survey, positioning and mapping support from the
region survey & geospatial resource, can be found in RD001-SP-GLN-800-00003951
Ground Disturbance – Survey & Geospatial Guideline.
A suitable data search is conducted internally and with relevant 3rd parties, to
identify all applicable site drawings and plans to be used for site survey
planning and execution. The search includes interface with the region
geospatial team to review OneMap and other relevant sources.
The region survey and positioning team have verified the survey procedures,
survey calibrations, operations, as-found results (existing services) and as-built
results (new services).
The person using the detection and mapping equipment is competent and
qualified, with evidence either attached or referenced on the ground
disturbance certificate.
Further guidance on competency can be provided by the local survey and positioning
team.
The person performing the underground services detection and mapping use:
a) suitable cable/pipe locating equipment (CATSCAN, Ground Penetrating
Radar, Electro-Magnetic Locator, or equivalent devices).

Page 243 of 361 Revision: B06

b) acoustic (tone) or other active signal systems where reasonably

practicable, to improve the detection and location of service lines.
The person conducting the survey shall:
a) mark the location of all underground services, and the results recorded in
the GDC
b) mark lines at 5m (15ft)82 intervals or less, as applicable, to clearly define
the location of services with colours in line with Table 39
c) pin flags or markers that do not infringe on the marking conventions or
colours within Table 39, to instruct personnel to hydrovac or manually
excavate.
A regulation at US sites, including a recommended practice, is to place pin flags or
equivalent markers that show the location of underground services.
The HSE adviser has Verified a site survey for environmental hazards is carried
out and has advised on the need for a pre-excavation contamination
assessment.

Table 39 - Designated pin flag or marker colours

Colour Colour name Item

Red Electric

Yellow Gas, oil, steam or chemical

Orange Communications, cable

Blue Potable water

Green Sewer or storm drain

Purple Reclaimed water, irrigation

Pink Temporary survey

Grey Search zone

White Proposed excavation

21.2 Excavation design

The OSTL shall verify that the design of temporary bridges installed at crossing
points to protect pipelines or equipment are either, part of an approved engineering
workpack, or covered by an MoC.
For excavations of 1.2m (4ft)73 or deeper the following shall apply:
Include an excavation-specific drawing as part of the ground disturbance
certificate.
Shield (trench box), bench or slope all excavations unless they are in stable
rock.
Table 40 below identifies the maximum slope for different soil types.
Determine soil type using visual and manual testing. If this is not reasonably
practicable, assume the soil type is type C with 1½ to 1 slope, see Table 40.

Page 244 of 361 Revision: B06

For some activities, materials or ground conditions (or a combination of all of

these), danger might arise from excavations less than 1.2m (4ft)73 deep and
shoring or sloping may be required.

Table 40 - Excavation slope requirements

Soil type Description Maximum slope78

(horizontal to vertical)

Solid rock Not applicable Vertical (90o)

Hard and dense soils, compressive strength greater than

A ¾ to 1 (53o)
144kPa, clay, hardpan, caliche.

Medium soils, 144kPa > strength > 48kPa (angular gravels,

B silty soils, Type A soil that has been disturbed, subjected to 1 to 1 (45o)
vibration or is fissured.
Weak soils, strength ≤ 48kPa, gravel, sand, wet (seeping or
C 1½ to1 (34o)
submerged) soil.

21.3 Risk assessment

Risk assess ground disturbance using a Level 2 risk assessment unless the GDC
verifies there are no hazards from underground services. If there are no hazards
from underground services, a Level 1 risk assessment may be used.
To determine if the excavation is to be treated as a confined space, consider the
following:
does the excavation meet the criteria for a confined space in section 15c?
is there is a risk of atmospheric hazards either from the surrounding area or
from the task being performed?
does the excavation require any form of isolation before entry?
is there a risk of engulfment from entry of solids or liquids?
is there restricted means of access and exit for the work party?
are access and exits restricted if anyone needs to be rescued?
If the answer to any of the above is yes, a confined space permit is required.
Consider the following during the risk assessment:
if it is reasonably practicable to isolate services, including electric cables before
excavation
Identify overhead power lines, structures or pipework and isolate if reasonably
practicable. If isolation is not reasonably practicable limit the maximum height
of any machinery to 0.75 x the minimum safe operating clearance. Erect non-
conductive or earthed goalpost type height warnings or signage both sides of
overhead power lines. Follow the requirements of section 22.6.
the level of supervision required
consider the quality and completeness of documents and the complexity of the
location with respect to quantity and depth of underground services
the need for signs and the type of barriers. When classed as a CSE, control
access to the excavation following the CSE process

Page 245 of 361 Revision: B06

the need to provide lighting

the need to segregate and transport excavated materials
testing required before work starting and during the excavation
the need for any standby personnel
any required ground penetrations for the task
controls to prevent injury from ejected soil and other material when using air
digging or jetting
the use of jetting tools around old and fragile cables that could be more easily
damaged by this method
the need to notify site emergency services if the work will restrict access to
facilities or area
provision for diverting traffic or for over-plating roads or footpaths.

21.4 Performing excavations

The PA shall use the following safe excavation practices:
Assume all services (for example electricity, pressure, and hazardous
substances) are live.
Immediately stop work if an unexploded ordinance (UXO) or unidentified object
is uncovered. The PA shall tell the AA who will initiate the incident
management process. Clear the area and put barriers in place to keep people at
least 100 metres away from the area.
Use service plans or drawings and suitable location devices (CATSCAN, ground
penetrating radar, electro-magnetic locator) to find or confirm suspected
locations of underground services.
Positively identify all underground services using trial holes by using safe
excavation methods (hand digging, hydro excavation and suction, or air blow) to
confirm location and depth. A number of trial holes may be needed to
accurately identify; the size, number, direction and depth of the services (e.g.
for a 100m long excavation, the risk assessment may require a trial hole every
10 meters). Consider that services do not always run in straight lines.
When closer than 0.5m (18in)75 to any service, use hand digging, air jetting or
suction and hydro excavation to excavate. Do not use power tools or
mechanical excavators.
When hand digging, use plastic spades and shovels with curved edges rather
than other tools that are likely to damage services.
Make frequent use of scanning during the excavation (scan and scrape).
Service location and depth is likely to become more accurate as material is
removed.
Where reasonably practicable excavate alongside the service rather than
directly above it.
Do not throw or spike spades or shovels into the ground but ease them in with
gentle foot pressure.

Page 246 of 361 Revision: B06

Do not use picks in soft clay or other soft soils near to buried services. If they
are included in the risk assessment, they may be used with care to free lumps
of stone and break up hard layers of chalk or sandstone.
Position the machinery and vehicles so they cannot affect the security of the
excavation walls.
Do not allow vehicles and machinery within 2m (6ft 6in)76 of a trench or
excavation. Place vehicle stoppers to prevent vehicles reversing into and near
excavation.
Stop work and seek advice from the AA if any previously unidentified pipes,
cables, cable ties, or cable identification tape are exposed.
Support and protect exposed services such as pipelines or cables.
Do not use exposed services as handholds or footholds.
If an underground service is damaged during excavation, stop work, make the
worksite safe, and inform the AA. Keep people away from the area until it has
been made safe.
Disposal of any excavation materials shall conform to local materials or waste
management procedures.
Clearly signpost or mark any temporary crossing or bridge. Consider the need
for temporary lighting.
Fence or erect guardrails for crossing lanes on both sides along the edge of the
pipe crossing to restrict access. Assess the extent of fencing or guarding based
on local conditions.
In addition to the requirements in 21.4(a), when an excavation includes breaking
hard surfaces, follow the requirements below:
Assume the service is embedded within the hard surface until exposed.
Handheld power tools may be used 0.5m (18in)75 or more away from the
indicated line of a service buried in or below a hard surface.
Once hard surface is broken, careful hand digging from the side under the hard
surface to positively locate the service.
Avoid using hand-held power tools over the service unless:
a) the service has already been exposed by digging under the surface to be
broken out and it is at a safe depth (at least 300mm77) below the bottom of
the hard surface material; or
b) physical precautions have been taken to prevent the tool striking the
service.
Mechanical excavators and power tools can be used to break-up hard surfaces
where the survey has proved that there are no services, or the services are
deep enough so as not to be damaged by such tools.

Page 247 of 361 Revision: B06

Figure 21 - Ground Disturbance overview

21.5 Inspecting and tagging excavations

The SA shall appoint a suitable person to inspect and tag the excavation:
When excavation works are completed.
At the start of every shift, before any work can begin on or within the
excavation to identify potential hazards and review ground conditions.
After any event likely to have affected the strength or stability of the excavation
or the shoring, such as water encroachment from weather, ground conditions,
fall of rock, earth or other material.

Page 248 of 361 Revision: B06

Carry out periodic monitoring for factors that could affect the disturbed ground
(for example adverse weather, water encroachment, or uncovering hazardous
substances such as asbestos). This might involve 24-hour monitoring in high-risk
areas.
Weekly. Sign and date the excavation tag on the reverse and replace it in the
holder.
If the inspection of the excavation does not meet the required standards, the
excavation tag shall be removed and reported to the AA.

21.6 Excavation tags

The PA attaches a tag holder and tag (see Figure 22) to barriers as soon as they are
erected. The tag displays the relevant details for the work scope, including contact
details.
At the end of each shift and whenever the worksite is left unattended, remove the
excavation tag to reveal ‘Do Not Enter’ on the tag holder.

A Excavation tag insert (front) B Excavation tag insert (reverse) C Excavation tag holder (empty)

Figure 22 - Excavation tags and tag holder

21.7 Entry to a completed excavation

Before entry into the excavation, check the excavation tag is current and signed DO
NOT ENTER if the inspection tag is out of date.

21.8 Reinstating an excavation

The PA shall verify the following actions:
Reinstatement is carried out in line with the reinstatement plan included in the
excavation’s method statement, procedure or ground disturbance certificate.
Underground services are adequately protected during backfilling.
Most of the water is removed from the trench before backfilling commences.
Pipelines and services are evenly bedded on the trench padding throughout
their length.
Access controls, warning signs, or barriers are not removed until:
a) backfilling is complete

Page 249 of 361 Revision: B06

b) all plant, equipment and materials have been cleared from the site
c) the area has been restored to original or better conditions.
The compaction techniques in the Approved work plan are followed, to avoid
damage to services when compacting of the backfill is needed.
The OSTL or delegate shall verify:
all changes to underground services are recorded on the relevant drawings
following local MoC procedure.
copies of updated drawings are provided to region survey and positioning team
so that relevant region drawings, GIS and OneMap system can be updated
accordingly.
|

Page 250 of 361 Revision: B06

22 Special conditions and techniques

22.1 Guardrails and barriers
Guardrails provide physical protection and are constructed from rigid materials (for
example scaffold or fencing). Guardrails prevent falls, guard created openings, or make a
work platform or other place of work safe.
Guardrails can also be called barricades.
Barriers provide a warning of a hazard and may be constructed of non-rigid materials (for
example synthetic rope, plastic chain, yellow caution or red danger tape).
During normal rig floor operations drilling red zone management is enforced and is used
instead of a barrier.
Erect guardrails or barriers around any area that is considered unsafe to enter. See
Table 41 for guidance on when to use a guardrail or barrier.
Consult a competent person (for example an SA, AA, H&S site lead, or engineer) if
there is any uncertainty around defining an unsafe area.

22.1.1 Using guardrails and barriers

Guardrails and barriers shall:
have a sign or signs clearly showing, as a minimum, the name of the owner
with contact information and the hazard it is protecting or reason for it being
there
not restrict access to emergency equipment or exits, or affect operation of
instruments such as fire and gas detectors
be in place for the minimum period of time necessary to manage the hazard
and be removed promptly after the work is completed
not be crossed without permission from the owner, AA, or SA
be securely tied-off to avoid being inadvertently dislodged but not tied-off on
any process or instrument equipment.
Consider weather and potential deflection of dropped objects when defining the
protected area radius. The radius of the protected area will increase with the height
of the potential dropped object.
Use a barrier whenever there is hazard or danger area that has restricted access but
for which a guardrail is not required.

22.1.2 Additional guardrail requirements

Guardrails shall meet the following additional conditions:
Placed to prevent, so far as is reasonably practicable, anyone falling or any
material or object from any place of work falling.
The minimum height for the top rail of all new permanent guardrails is 1.07m
(42in)79 above the surface from which a person could fall.
The minimum height for the top rail of any guardrails already installed or being
used in construction is 0.95m (37in)47 above the surface from which a person
could fall.

Page 251 of 361 Revision: B06

Toe-boards are suitable and sufficient to prevent a person falling, or any

material or object from any place of work falling.
Positioned so that any gap between any horizontal guardrails and other means
of protection does not exceed 0.47m80 (18.5in).
Suitable and of sufficient size, strength, and rigidity for their purpose and to
withstand accidental entry into the guarded area.
Sufficient guardrail strength is the capability to withstand a load of at least 90kg (200lb)49
applied in any direction at any point on the top rail. This meets the OSHA requirement.
Are placed, secured and used so far as is reasonably practicable, so that they
are not accidentally displaced.
Do not have a lateral opening except for a point of access to a ladder or
stairway if an opening is necessary.
Guardrails, fencing or other means of protection may need to be removed to
perform a task, causing created openings for short periods (less than one shift). In
these circumstances the PA shall Verify that:
the area is adequately barriered to prevent accidental entry into the danger area
the guardrails are removed or altered for the minimum time needed to
complete the task
a standby person is there to manage and control access until the means of
protection is replaced
if a method of personal fall protection is required, it is securely anchored as
detailed in section 17.
Consider gates, preferably self-closing, for all scaffolds. Minimise the gap for
protection at all times and immediately close the gates after the operation has
finished.

Page 252 of 361 Revision: B06

22.1.3 When guardrails and barriers are required

Table 41 - Guardrails and barriers

Guardrails
Barriers
Hazard

Unattended open holes in decks or walkways that are greater than 0.3m (12in)54 square.

Not permitted

Minimum
required
Deteriorated or unsafe gratings that pose the risk of a fall to a lower level.

Deteriorated or missing handrails that poses the risk of a fall.

Unattended and exposed excavation, trenches, vessels or tanks.

Hot work areas.

Unattended confined space work areas.

Attended work areas with exposed or energised electrical equipment.

Attended open holes in decks or walkways where the opening is one square foot or more.

Slip, trip and same-level fall hazards.

Minimum required

As appropriate
Pressure or leak testing.

Overhead work areas where there is potential for falling objects.

Lifting operations.

Work areas that pose a health risk, (for example NORM, X-ray, asbestos, lead, and benzene).

Injury or incident scenes that have not been investigated or where potentially infectious material
might be present.
Radiation work areas identified by radiation tape, as applicable.

Asbestos work areas identified by red danger tape, as applicable.

Areas where dangerous goods or cargo are being stored.

22.1.4 Created openings and holes

A created opening is any opening where:
• gratings, handrails, stair treads or kicker plates have been removed from structures
or
• damaged structures create a potential risk of falls or dropped objects, or both.
This includes equipment removal, hatches, trap doors, manholes, access ways and voids
larger than 0.3m (12in)54 square.

22.1.5 Planning for a created opening

When planning a job, eliminate created openings where reasonably practicable (for
example carrying out work from below using a suitable access such as scaffold or a
man lift). If the need for an opening cannot be eliminated, a TRA is required to
establish whether the associated risks can be sufficiently controlled.

Page 253 of 361 Revision: B06

22.1.6 Choosing the level of TRA

To determine the appropriate level of risk assessment, consider the following:
Does the space limit the provision of suitable access and egress?
Does a working at height hazard exist?
Is the floor space unstable?
Does the floor space contain any hazardous fluids or residues?
Is there any potential for ingress of materials, liquids or gases?
If the answer to any of the above questions is yes, a Level 2 TRA and ERRP is
required.
For created openings, falling a distance that could cause injury refers to falling into
the opening and could happen when working within the guarded area, but outside of
the opening itself. When working within the created opening, consider if there is a risk
of falling within that space.
If no significant risk exists, then a Level 2 TRA may not be required.

22.1.7 Risk assessment considerations for working at height near openings

Where there is a risk of falling a distance that could cause injury, the risk
assessment shall consider the following:
Clear accountability by identifying a worksite owner to monitor and secure the
created opening. This includes any periods of worksite inactivity or interruption
and continues until the opening is removed by replacing the cover or by
installing an adequate temporary covering.
Minimising risk exposure by minimising the amount of time the created
opening is present. Replace the grating, manhole or handrail or install an
adequate temporary covering at the end of the shift, or during periods of
inactivity such as breaks or shift handovers. For tank or vessel entries where
manholes need to stay open for ventilation consider fitting mesh covers
capable of withstanding a 366kg/m2 (75lb/ft2)81 load.
The use of guardrails, barricades or load bearing covers to protect against the
hazard. Place adequate signage with the name of worksite owner, their contact
details and the hazard or risk within the barriered or guarded area.
Fall protection: everyone within the barriered or guarded area at risk of falling
through created openings shall wear suitably secured, personal fall protection
equipment.
See section 17 for more information on working at heights.
Use an entry attendant to:
prevent unauthorised access to the work area
control the number of persons within the guarded area
Verify that fall protection is being used within the guarded area
replace the cover or install an adequate temporary covering before they (the
entry attendant) leave.

Page 254 of 361 Revision: B06

22.2 Energised electrical work

Energised electrical work is work or testing that meets either of the following criteria:
• On or in close proximity to exposed energised conductors (≥50 V ac or dc82).
• Involves interaction with equipment where an increased likelihood of injury from an
exposure to an Arc Flash hazard exists.
Close proximity is defined as being within the distance shown in Table 42 and Table 43.
In US, this distance is known as the limited approach boundary.
Exposed (in this context) is defined as – an electrical conductor or circuit part that is not
suitably guarded, isolated, or insulated, to prevent it being inadvertently touched.
Examples that would be deemed as ‘suitably guarded’ include Ingress Protection
standard IP2X (and higher) (IEC 60529), and Type 1 (and higher) NEMA enclosures
(NEMA 250).
Normal operation of properly installed, maintained, and secured equipment with no
evidence of impending failure is not considered work and hence is not Energised
Electrical Work.
No evidence of impending failure means that there is no evidence such as arcing,
overheating, loose parts, visible damage or deterioration.
Normal operation of a circuit breaker includes opening and closing but not insertion
or removal (i.e. racking).

22.2.1 Control of energised electrical work

All work on electrical equipment shall take place when the equipment is isolated in
accordance with section 14.18. However, there are situations where this is not
reasonably practicable. These situations are limited to when:
the risk of isolating the circuit is greater than the risk of doing the energised
work. For example:
a) Interrupting emergency response equipment such as fire and gas systems,
fire water supplies.
b) De-activating emergency alarm systems.
c) Shutting down hazardous area ventilation equipment.
it is not practicable to do the work in a de-energised state (e.g. work on
batteries, live-line phasing, fault finding).
the equipment is being isolated or energised (e.g. racking in/out, proving dead)
All energised electrical work shall be risk assessed per section 22.2.2.
Energised electrical work requires an energised electrical work certificate (see
section 18.4) other than the following exceptions.
Racking equipment on or off live busbars.
Testing for absence of voltage as part of an isolation.
Applying earths/grounds as part of an isolation.
Visual inspections completed from outside the restricted approach boundary
distance (see Table 42 and Table 43).

Page 255 of 361 Revision: B06

22.2.2 Risk assessment for energised electrical work

In all cases of energised electrical work, a risk assessment shall assess the risk of:
electric shock
Arc Flash injury
At a minimum, an electric shock risk assessment shall determine the following:
potential for an electric shock to occur
location and voltage of exposed conductors
safeguards necessary to mitigate the risk of shock.
At a minimum, an Arc Flash risk assessment shall determine the following:
potential for an Arc Flash to occur
severity of the Arc Flash hazard to which personnel will be exposed
safeguards necessary to mitigate the risk of Arc Flash.
Controls to reduce risk from electric shock and Arc Flash may include the following:
Installing temporary insulation, protective enclosures, or screens to prevent
contact with live conductors.
Using temporary barriers and warning notices to keep unauthorised people
away from the work area.
Ensuring that adequate clearances are established and maintained when
working near to energised equipment.
Providing a good working environment (e.g. dry, non-dusty, quiet, low vibration,
with adequate lighting, access and space for working).
Using insulated or insulating tools.
Using test instruments with shrouded leads, current limiting fuses, secure
connections and appropriate voltage rating.
Having an accompanying person to monitor the work and provide emergency
support.
Reducing the arc-flash energy, for example by:
a) changing the network configuration to reduce the fault current at the work
location
b) increasing the work distance
c) reducing protection device trip times.
Use of rated and maintained PPE to reduce the risk of contact with energised
parts, or the effect of arc-flash (e.g. insulating gloves, insulating matting, arc-
flash PPE) and removing metallic jewellery and removing conductive tools from
pockets.

Page 256 of 361 Revision: B06

22.2.3 Approach boundaries

Table 42 - Approach boundaries (AC systems)

Nominal system Close proximity or limited approach boundary83

voltage range (phase- Restricted approach
to-phase) Exposed movable Exposed fixed circuit part boundary
(ac systems) conductor*

<50 V Not specified Not specified Not specified

50 V – 150 V Avoid contact

1.0m (3ft 6 in)
151 V – 750 V 0.3m (1ft 0in)

751 V – 15 kV 1.5m (5ft) 0.7m (2ft 2in)

3.0m (10ft)
15.1 kV – 36 kV 1.8m (6ft)
0.8m (2ft 7in)
36.1 kV – 46 kV

46.1 kV – 72.5 kV 2.5m (8ft) 1.0m (3ft 3in)

72.6 kV – 121 kV 3.3m (10ft 8in)

138 kV – 145 kV 3.4m (11ft) 3.0m (10ft) 1.17m (3ft 10in)

Table 43 - Approach boundaries (DC systems)

Nominal potential Close proximity or limited approach boundary84

Restricted approach
difference
Exposed movable boundary
(DC systems) Exposed fixed circuit part
conductor*

≤ 50 V Not specified Not specified Not specified

51 V – 100 V Avoid contact

100 V – 300 V 1.0m (3ft 6 in) Avoid contact

301 V – 1 kV 3.0m (10ft) 0.3m (1ft 0in)

1.1 kV – 5 kV 0.5m (1ft 5in)

1.5m (5ft)
5 kV – 15 kV 0.7m (2ft 2in)

Page 257 of 361 Revision: B06

Nominal potential Close proximity or limited approach boundary84

Restricted approach
difference
Exposed movable boundary
(DC systems) Exposed fixed circuit part
conductor*

15.1 kV – 45 kV 2.5m (8ft) 0.8m (2ft 9in)

45.1 kV – 75 kV 1.0m (3ft 2in)

75.1 kV – 150 kV 3.3m (10ft 8in) 3.0m (10ft) 1.2m (4ft)

150.1 kV– 250 kV 3.6m (11ft 8 in) 3.6m (11ft 8 in) 1.6m (5ft 3in)

*Exposed movable conductor describes a condition in which the distance between the conductor and a person is not
under the control of the person. The term is normally applied to overhead line conductors supported by poles.

22.3 Battery systems

A battery cell is a source of electrical energy that is always live (even when isolated from
its charger and load). It contains corrosive electrolyte and can produce explosive gases
during charging and discharging.
Cells may be linked together, to form battery-bank systems with a significant stored
energy capacity.
Only use proprietary battery tools or tools suitable for live working (that is, ASTM
F1505-10 in US and IEC 60900 elsewhere) for work on battery systems. Use
separate equipment for alkaline and lead acid cells, to prevent cross-contamination
of electrolyte and damage to cells.
When risk assessing work on battery systems, consider the following hazards:
Batteries remain live even when isolated from their charger and load. As such,
if the battery work gives rise to the risk of contact with electrical conductors,
≥50 V, the work requires an energised electrical work certificate, as described
in section 22.2.
Do not wear jewellery or other conductive materials that can fall across the
battery terminals.
Shrouding terminals, using appropriate tools and removing inter-cell
connections may reduce the risk of electric shock.
Batteries can produce explosive gases during charging and discharging and the
risk of explosion may be reduced by:
a) isolating batteries (from a remote location) to prevent charging or
discharging
b) providing ventilation while work is in progress
c) using gas testers calibrated to detect hydrogen and positioned so that the
effects of ventilation and the fact that hydrogen is lighter than air are
captured
d) eliminating or controlling both worksite and task ignition sources.
Gassing can be seen as bubbles in the battery electrolyte and can smell of strong acid.
Manual handling.
Chemical hazards.

Page 258 of 361 Revision: B06

The risk assessment shall identify task-specific PPE appropriate for the hazards
associated with working on battery systems. This can include rubber apron, rubber
gloves and any other clothing required by the safety data sheet. Suitable insulating
gloves may be worn if the required manual dexterity is not impaired.
The PA shall Verify that a supply of eyewash solution is available at the worksite
while work on batteries is in progress. (This is also valid when working on sealed
batteries.)
Isolation of the battery from the charger or load is not required for checking cell
voltages, adjusting electrolyte levels or measuring electrolyte concentration.

22.3.1 Battery discharge testing

Discharge testing of batteries shall only be done using a BP Approved procedure, by
vendor specialists or by those who have been assessed competent and authorised.
Where battery banks have to be re-linked or have temporary leads fitted for testing,
the work may require an EEWC.

22.4 Cutting pipework

General work location tags might not reliably identify cut locations. Mark cut
locations on pipes or cables using bands of coloured tape (see Figure 23).
On austenitic stainless-steel systems (for example 316 SS), take care to use tape
containing low chloride levels to avoid stress corrosion cracking occurring beneath
the tape.
When a piping system is physically cut or drilled to repair, modify, decommission, or
demolish it, include the following steps in the CoW preparation and risk assessment
process:
The PA uniquely identifies all planned cut points in the system within the work
scope.
When preparing the job, the PA physically marks planned cut points by taping
on either side of each cut point.
During the fitting of this marking tape, make a 360 degree check around the cut points
to confirm the cut path is clear of any other lines and cables etc.
The PA and AA individually mark all planned cut points on pipework or cable
using different colours of tape.
The PA removes insulation before taping the line.
The AA clearly marks process lines near the planned cut as ‘Live Pipe’ or ‘Dead
Pipe’.
Each cut point mark references the permit number and is uniquely identified in
line with the work scope.
The AA verifies that cut points are correctly marked before work starts.
The IsA verifies that the system has been depressurised or deenergised, and
proves the integrity of the isolation and zero energy to the PA.
An AGT tests to confirm the line is gas-free before cutting, using a drilled pilot
hole, if necessary.
The risk assessment considers hazardous substances and activities associated
with the cutting process (pipe material, pipe coating, cutting method).

Page 259 of 361 Revision: B06

The IsA witnesses the first cut in any isolation envelope or system.
The PA removes all tapes when the work is complete.
Where it is impossible to mark a line (for example working subsea), use another
method to Verify that the correct line or equipment has been identified.
The AA shall have enough knowledge of and information about the work scope to
correctly mark cut points (for example Approved work pack and marked-up P&IDs,
isometrics, or wiring diagrams with each cut point clearly marked and numbered).
Where necessary, the AA consults an engineer or operations technician who can
Verify the position of the cut location tape.

Figure 23 - Marking lines or cable for cutting

22.5 Cutting electrical cables

Consider all electrical cables to be energised until proven dead. The only exception
is cables that are being installed and have not been connected to a point of supply,
provided they can be positively identified.
Before cutting an electrical cable, the following steps are required:
Isolate, prove dead, and earth (see section 14.18.5 for more information on
when earthing is required).
Positive identification.
Prove dead at the point of work.
A Level 2 TRA is used when:
cutting cables that cannot be positively identified using a noose
where the cable has a known fault.
The Site Electrical Leader is part of the Level 2 TRA team for work involving cutting
cables.

22.5.1 Positive identification

Use cable records, drawings and cable markers to identify the cable and any
adjacent cables that may be present.
The cable shall then be positively identified using either of the following methods:
A rope noose to trace the cable, sliding a noose formed by a rope tied around
the cable along the cable from the point of work to an isolated point where the
cable can be identified by a cable number and proven dead.

Page 260 of 361 Revision: B06

A cable tracer to identify the cable and spiking the cable. An electromagnetic
tone may be injected onto the cable and appropriate detection equipment used
to identify the cable at the location where it is to be cut. The cable is then
proved dead by cable spiking. Cable identification by electromagnetic tone is
completed by a person competent in cable tracing techniques and trained in
using the specific detection equipment employed.
Following positive identification, the PA shall apply identification tape to the cable at
the point where it is to be cut.

22.5.2 Proving dead at point of work

Prove the cable is dead at the point of work by:
proving the cable is dead at a convenient point and tracing the cable from that
point to the point of work by a noose or
spiking the cable.
If the point of work coincides with the location of a break in cable continuity (e.g. a
cable and, or cable joint fault) then both sides of the fault or break are proven dead.
This can be done by repeating 22.5.2 at points 1 or 2 at both sides of the point of
work.

22.5.3 Proving dead by cable spiking

The purpose of cable spiking is to prove that the cable is dead. In the case of mis-
identification, cable spiking may cause the supply protection to trip.
Treat cable spiking as energised electrical work (see section 22.2) and hot work (see
section 12). Use HWOF when explosive charge is used and HWSP if using a
hydraulic spiker.
The cable spiking equipment shall be designed for the purpose of cable spiking and
remotely operated (typically by lanyard or hydraulic hose).
A person competent in cable spiking and familiar with operating the type of
equipment being used shall complete cable spiking.
Use the following method when cable spiking:
Install barriers around the cable to be spiked, to keep all personnel at a safe
distance from the spiking equipment.
Before spiking the cable, test the insulation resistance of the cable between
line conductors and between line conductors and earth. Record the impedance
values. This requires earths (if applied) to be removed and conductors to be
proven dead before testing.
After spiking, re-test the cable insulation to confirm that all conductors have
been shorted to earth.
If the test values have not changed from the pre-spike test then use caution as this may
mean the incorrect cable has been spiked, or that the spike has not penetrated the cores
of the cable. Review the results and check other possible circuits.
For further confirmation that the correct cable has been spiked, re-apply the cable
tracer after spiking. This may be necessary, for example, where a cable has a low
insulation resistance (cable fault), and the cable testing steps above are ineffective.
The tracer signal should not be present past the point of spiking.

Page 261 of 361 Revision: B06

Re-apply the earths (where required in section 14.18.5) before the spiking device is
removed from the cable.

22.5.4 Cable cutting

The cable may be cut after isolation, proving dead and earthing (where required as
per section 14.18.5), positive identification, marking, and proving dead at the point
of work.
BP recommends using remote hydraulic cutters to cut cables.
Use of cutting equipment is considered hot work spark potential.
For small diameter LV cables, use suitable insulated hand tools at the discretion of
the Site Electrical Leader. In this case, consider the Arc Flash hazards and use
appropriate PPE, which may include insulating gloves, full-face screen, and Arc
Flash suit.
Once the cable is cut, drain earths shall be applied if there is a risk of induced
voltages from adjacent current carrying cables.
Temporary drain earths shall be used after pressure tests or insulation resistance
testing to discharge the cables.

22.6 Working close to overhead power lines

If work has to take place close to an overhead power line and the overhead line cannot
be diverted or isolated, follow the requirements in BP Procedure GOO Electrical Safety
Rules (100610).

22.7 Engineered scaffolding

During the planning process, if scaffolds are outside the scope of a generally
recognised standard configuration, then the scaffold design shall be:
engineered by a competent person, and
assessed by calculation to have adequate strength, rigidity, and stability while it
is erected, used, and dismantled.
Examples of this type of scaffold are:
• load bearing
• temporary pipe supports
• cantilever or jib support scaffolds
• hanging scaffolds
• suspended scaffolds.
Consider the weight of what might be placed on the scaffold (e.g. heat exchanger
cradles, intelligent pigs, catalysts and pipe spools) as they can be heavier than they
look and beyond the capacity of a standard scaffold.
Produce drawings, supplemented with specific instructions on how to use the
scaffold safely, and make available to all scaffold users.
If engineered scaffolds need to be modified, the design calculation shall be
reassessed.

Page 262 of 361 Revision: B06

22.8 Hot tapping

Hot tapping is the penetration of the pipe using a hot tap machine to either drill or cut a
coupon out of an in-service pipe with specialised equipment.
Stoppling is placing pipe plugs through a hot tap to plug the line with a stoppling tool.
On-line or in-service welding is the welding of specialised fittings or sleeves to an in-
service on-line pipe for both pressure and non-pressure sleeves.
a. Hot tapping and stoppling shall only be executed once an eMoC has been Approved.
b. When Approved, the task of hot tapping shall follow the normal CoW planning and
execution processes described in this Upstream CoW Procedure.
For more information on hot tapping refer to GIS 18-023 In-Service Welding and
Material Specification for Hot Tap Fittings.

22.9 Controlling access to restricted areas

Clearly mark padlocks so that it is easy to identify ownership. This can be by colour,
stencilling or accompanied by a tag.
A site may use locks or padlocks for restricting access to equipment not associated
with energy isolation.
Padlocks or locks used to restrict access shall not be the same as padlocks used for
isolations or locked valve management.
The SA can authorise removal in an emergency where the owner of a padlock used
solely for restricted access cannot be located.
Rooms containing any electrical, telecoms, control and automation equipment and
systems are normally locked and access to them is restricted.

22.10 Re-classifying hazardous areas as non-hazardous

A classified hazardous area is a location where fire or explosion hazards might exist due
to the presence of flammable gases or vapours, flammable liquids, combustible dust or
ignitable fibres.
a. Classified hazardous areas are shown on hazardous area drawings which shall be
available to the AA to help assess risk when planning work in hazardous areas.
The reason for re-classifying an area as non-hazardous is to allow the use of potential
ignition sources safely by eliminating potential sources of combustible gases, vapours or
dusts.
b. To temporarily re-classify an area from hazardous to non-hazardous, personnel shall
apply the relevant local MoC process:
The MoC process specifies the validation period. The Engineering Manager
defines this in consultation with the SA and with the AOM’s approval.
The process plant is positively isolated.
The process plant is shut down, depressurised, evacuated, tested, and
confirmed free from hydrocarbons.
Red-lined drawings may be used to re-classify a hazardous area in the short term
(that is less than six months).

Page 263 of 361 Revision: B06

22.11 Entry into machinery enclosures

Machinery enclosures, including gas turbine, emergency generators, nitrogen
generation cabinets etc., are designed for entry. However, these spaces are
considered as restricted spaces and entry needs to be controlled. This can be
managed using a procedure or permit and the risk assessment shall cover hazards
from the following:
Release of debris from a major failure of the machine, most likely during
startup, load changes or failure of the starter motor. The hazards associated
with diesel engines are less than gas turbines, but the same precautions will
apply.
Gas release within a machinery enclosure where gas is the fuel or part of the
process; ignition could result in fire and explosion.
Asphyxiation from fixed water mist fire suppression systems which use stored
pressure nitrogen (N2) as a propellant and where the water produces steam
that displaces oxygen in the event of a fire.
Asphyxiation from CO₂ or halon fire suppression systems.
Leaks from nitrogen generation.
Personnel shall not enter the enclosure during:
machinery startup
planned major load changes (for example plant startup)
manual adjustment of load settings
fuel changes.

22.12 Digital security on automation systems

Cyber-attacks on automation systems (such as DCS, PAS, BPCS, PLC, SIS, ESD
etc.) can create a process safety hazard. To protect against these attacks, BP has
defined a set of automation system cyber security requirements. A number of these
measures shall be addressed when performing risk assessments on automation
systems work activities.
Do not use removable media (e.g. memory sticks and external hard disks) to
transfer data to and from any automation system for any other purpose and scan
them for malware (e.g. viruses) before using them.
Scan PCs and laptops for malware (e.g. viruses) before connecting them to
automation systems.
This requirement is particularly important when vendors and contractors provide their
own PC or laptop to perform work, as normal BP IT&S digital security policies and
procedures have not been applied and BP has no knowledge of what the equipment
has previously been used for.
Prior to connection to automation systems, PCs and laptops shall have wireless
network connectivity disabled (e.g. Wi-Fi and Bluetooth).
This requirement is important to prevent a direct connection (bypassing the firewall)
between the automation systems and the BP corporate network.

Page 264 of 361 Revision: B06

22.13 Temporarily supported or suspended loads

Working with temporarily supported or suspended loads is potentially a high-risk task.
The loads can move while suspended, leading to serious injury, fatality or damage to
equipment.
Loads shall not be suspended over or near people when this can be avoided. When
this cannot be avoided the risks to people shall be minimised using appropriate
controls.
Where loads are suspended, consider the area below them as a danger zone and
restrict access to avoid line of fire hazards.
Complete a Level 2 TRA, with appropriate engineering input, for work involving
temporarily supported or suspended loads when:
a fatality is a credible consequence if the load were to move or if the support
failed whilst the load was suspended or supported
the potential exists for energy to develop, including axial and lateral loads due
to thermal energy, whilst the load is supported or suspended.

22.14 Draining operations

Draining water from equipment that also includes hazardous materials can lead to the
release of hazardous materials if the draining operation is not stopped before the
hazardous materials begin to discharge from the drain. Equipment failure can cause
these releases, but human error is a more common cause. Various conditions may
increase the potential for human errors leading to an LOPC during routine draining
activities, including the following:
• inefficient, trivial or repetitive actions
• unclear signage on equipment
• change in status is not easily perceived
• drain outlet piping not visible to operator
• no written procedure or checklist to cover this task
• difficult working environment (weather, ease of access, noise)
• potential for interruptions or distractions
• reduced operator alertness or fatigue
• inadequate verification that the steps in the procedure are followed
• line-up to sewer is not correct.
Before draining fluids, the AA shall Verify the following:
Where a task requires draining of any system containing hazardous material the
operator shall not leave the draining activity without closing the drain valve.
The appropriate chemical risk assessment safety data sheet and has been
reviewed.
Direct reading instruments are used to monitor for expected hazardous
substances when draining (e.g. benzene).
The use of suitable RPE and specific PPE until there are consecutive readings
showing levels are below that requiring RPE or specific PPE.

Page 265 of 361 Revision: B06

Where required F&G overrides are applied only in the immediate area of the
draining.

22.15 Pyrophoric scale

Pyrophoric scale is a form of iron sulphide that combusts on exposure to oxygen. It may
be present where hydrogen sulphide can react with carbon steel.
Manage the use of equipment or work on systems containing pyrophoric scale
using one of the following methods:
use a BC permit for work on small pipework systems, strainers, filters and
valves where water flooding can be an effective control measure
use a HWOF permit for large pipework systems, heat exchangers or vessels
contaminated with pyrophoric scale.

22.16 Abandoned in place (AIP)

As installations age, or alterations are made, some systems or items of equipment are
no longer required for operation. Plant or equipment that is no longer operational needs
to be formally assessed, and if appropriate, decommissioned, or ‘abandoned in place’
(AIP) in a timely manner.
The inherently safer method would be to remove the equipment completely if it is
unlikely to be used in the future, as abandoned equipment no matter how well prepared,
represents a risk. Typically, removal would be the first choice.
When equipment, or pipelines are to be decommissioned/abandoned in place (AIP),
a technical eMoC is required with relevant engineering SMEs to:
determine how the equipment will be prepared for the decommissioned state
assess the ongoing hazards related to abandonment (e.g. appropriate external
inspections to make sure that deterioration of insulation, vessel supports, and
other aspects do not deteriorate to the point where they become a hazard to
people)
Identify relevant process change requirements (e.g. document and
maintenance system updates).
Preparation for abandonment includes cleaning, (e.g. flushing, purging, or inerting,
treating, cleaning, draining etc). Considerations for this preparation will include:
consideration of equipment type (e.g. vessels, tanks, pipes, motors, pumps,
valves, electrical) and relevant hazards associated with each
age of equipment
integrity (including internal/external corrosion)
nature and physical characteristics of material that has been inside the
equipment
potential of H2S residuals in equipment and pipelines
potential presence of NORM
geography of equipment/pipeline (e.g. harsh corrosive conditions, under-road
pipework, possible collapse)
plans for future removal and timeline
proximity to other equipment/people/activities

Page 266 of 361 Revision: B06

potential for dead legs

electrical equipment involved (motors, feeders, earthing)
instrumentation loops (feeders and outputs)
risk based inspection plans; the RBI planning exercise should consider
deterioration modes while the equipment is out of service to avoid structural
collapse of equipment, objects falling from the structures, or other out-of-
service failures with adverse consequences.
Once the equipment has been prepared, it shall, so far as is reasonably practicable,
be air-gapped from existing/remaining equipment.
When it is not reasonably practicable to air-gap the equipment, then it shall be
positively isolated from existing /remaining equipment.
Once air-gapped, or positively isolated, blanks/blinds/plugs/gaps shall be installed to
prevent any material escaping from or entering the decommissioned, or AIP
equipment.

22.17 Working on tank roofs

Avoid working on floating or fixed roof tanks where reasonably practicable.

22.17.1 Floating roof

Due to the infrequent nature of work on floating roof tanks, an expert shall be
included in the risk assessment team when personnel are required to access the
roof.
The risk assessment shall consider the following guidance as a minimum:
Use a confined space permit to manage work on top of a floating roof tank
when it contains hydrocarbons and take the tank offline.
Raise the tank roof to a high level (0.5m102 below the high-high level trip) to
provide the best ventilation while keeping the HHL trip active.
Tank relief vents should be in the normal closed position and not actively
relieving pressure.
Evaluate tank roof condition before access (no cracks or signs of hydrocarbons
leaks, and the roof should be relatively level).
Tank roof drains should be open and operational.
While on the roof the roof position should be marked at the boundary
(minimum of four equidistant points) and a member of the team assigned to
warn of any issue of roof instability.
Any people and equipment loaded on to the tank roof should first have a weight
assessment – and if required mitigation measures taken.
Weather should be good with no threat of storms or lightning.
Anti -static PPE to be worn.
Materials to be evaluated for the zone, specifically aluminium and other
materials as identified in IEC60079-0.
Tools to be suitable for the hazardous are zone (note that open hatches and
vents create zone 0 risks based on duration).

Page 267 of 361 Revision: B06

Continuous gas testing while personnel are working on tank roof (see section
24), note that depending on the tank contents other emissions may need to be
monitored and have other limits for safe working (e.g. benzene, H2S, PCAH).

22.17.2 Fixed roof

Due to the infrequent nature of working on fixed roof tanks, an expert shall be
included in the risk assessment team when personnel are required to access the
roof outside of the engineered access ways.
The risk assessment shall consider the following guidance as a minimum:
Evaluate tank roof condition before access.
Suitable access provision (e.g. scaffold with engineering approval).
Open hatches or vents.
Weather should be good with no threat of storms or lightning.
Any people and equipment loaded on to the tank roof should first have a weight
assessment – and if required measures taken.
Tools to be suitable for the zone (note open hatches and vents create zone 0
risks based on duration).
Continuous gas testing.

22.18 Retro-jetting
Retro-jetting, also known as high-pressure jetting, involves using a lance or wand to
locally direct high-pressure water into a plugged pipe to clear a blockage or restriction.
Jetting pressures of the water can be high (several thousand psig), therefore localized
internal pressures can be very high on piping systems, depending on the nature of the
blockage or restriction in the pressure piping. Pipe internal blockages often occur on
drains systems, which are subject to internal corrosion risks and may have localized
areas of thin wall.
LOPCs have occurred within BP through high-pressure jetting into equipment with
internal corrosion.
High pressure jetting can create electrostatic discharge and therefore can be an
ignition risk in Hazardous Areas
Prior to high-pressure jetting into any equipment, the condition of the equipment to
be jetted shall be verified using an abrasive task certificate.
The use of abrasive task certificate is not required where the equipment has been
positively isolated and hazardous materials removed. For example, cleaning of tube
bundles using a specialist contractor with an approved methodology.

Page 268 of 361 Revision: B06

23 Managing locked valves

Valves are either locked open or locked closed (LO/LC) to prevent harm to people, plant or the
environment.
Sometimes valves are labelled CSO/CSC on P&IDs and other documents. In this
Upstream CoW Procedure, LO/LC requirements apply to CSO/CSC valves.
BP follows a locked valve management process to Verify the following:
• the correct valves are locked
• valves are secured and tagged
• valve position changes are authorised
• status and any changes are recorded in the locked valve register (LVR)
• conformance through operational inspections and self-verification.
This locked valve management process reduces the risk associated with the following:
• loss of primary containment
• process flow deviations caused by valve movement (e.g. equipment overpressure,
overfilling or operation outside of its design parameters)
• HP/LP interfaces
• equipment damage
• unplanned equipment trips
• loss of availability or functionality of:
o fire and gas detection
o emergency response systems (e.g. fire pumps, foam or halon)
o overpressure protection
o metering systems
o depressurisation systems.

23.1 Types of locked valves

a. There are two types of locked valves:
1. Type 1 – valves preventing high consequence safety or environmental events.
2. Type 2 – valves preventing lower consequence safety or environmental events,
or preventing availability impact, or production impact.
b. Examples of Type 1 and 2 valves are listed in section 23.1.1 and 23.1.2 below.
The lists are mandatory, but not exhaustive.
c. When a valve is not covered in either of the lists below the Engineering Manager
decides if the valve is a Type 1 or a Type 2.
The type of device used affects the likelihood of a locked valve being in the incorrect
position as a result of human error. This in turn can influence the way in which
activities such as a layer of protection analysis (LOPA) treat this valve as a protection
layer.

Page 269 of 361 Revision: B06

23.1.1 Type 1 locked Valves

Instrument isolation valves in safety instrumented functions ≥IL2.
Isolation valves around pressure relieving devices (excluding thermal relief duty).
Isolation valves around pressurisation valves.
Isolation valves around depressurisation and blowdown valves.
Isolation valves around vacuum relief devices.
Isolation valves on cargo vents.
Valves in flare headers.
Valves on high pressure and low pressure (HP/LP) interfaces where overpressure of
equipment or pipework could otherwise occur.
Bypass valves where it is possible to overpressure downstream equipment, or
where opening in normal operating conditions could result in flow induced vibration
failure.
Instrument isolation valves to instruments managing compressor control systems.
Hydraulic lines, including returns, on systems rated as ≥IL2.
Isolation valves on fuel gas or inert gas systems providing purge gases for integrity
or safety (e.g. in cargo and storage tanks).
Valves that the HAZOP (or equivalent) has identified, whose incorrect position is an
initiating cause that could lead to a level D (or higher) safety or environmental
impact. Where information is not available, the Engineering Manager decides if the
valve is a Type1 or Type 2.

23.1.2 Type 2 locked valves

Valves on active fire protection systems such as firewater, foam or CO2.
Instrument isolation valves on highly managed alarms and IL1 safety instrumented
functions.
Chemical injection into potable water systems.
Valves on fiscal metering systems.
Valves to change operating mode.
Isolations around thermal relief valves.
Valves that the HAZOP (or equivalent) has identified, whose incorrect position is an
initiating cause that could lead to a level E (or lower) safety or environmental impact.
Where information is not available, the Engineering Manager decides if the valve is
a Type1 or Type 2.
Utility provision to support critical equipment e.g. diesel to firewater pump.
Typically valves on main headers that could disable large sections of plant would be
Type 1.

23.2 Securing locked valves

Valves shall be secured as per Table 44.
When securing the valves, consider the following:

Page 270 of 361 Revision: B06

use installed securing points or fit the manufacturer’s recommended adapter

plates to secure the valve stem to the valve body and prevent rotation.
if you cannot use or fit the manufacturer’s recommended adapter plates, do not
lock valve handles together. Independently secure them to the piping to
prevent rotation.

Table 44 - Managing locked valves

Type Type 1 Type 2

Description Valves preventing high consequence safety or Valves preventing lower consequence safety or
environmental events. environmental events or preventing availability or
production impact.

Operational Every year85. Every 2 years85.

inspections

Control of IDP, operational movement. Using personal isolation if within shift.

movement
IDP or operational movement if longer than one
shift.

Securing Engineered interlocks, or colour-coded Pro-lock, Plastic breakable car seal. Colour coded as follows:
method or similar product, with integrated securing
device. There is no requirement for additional • Green for open.
padlocks or seals. Colour coded as follows:
• Red for closed.
• Green for open.

• Red for closed.

Securing • IDP – yellow pro lock and eCoW isolation label

method when
Isolated or out • Personal isolation – yellow pro lock and personal isolation label
of position
• Operational movement – yellow pro lock and out of position label

Page 271 of 361 Revision: B06

Pictures of
devices

23.3 Tagging locked valves

Tag locked valves according to their normal design position of either ‘Locked Open’
(green tag) or ‘Locked Closed’ (red tag).
Attach the tags to the valve independently of the locking device so that they remain
in position when the locking device has been removed. The tag shall be
manufactured from a durable material (for example, prism polypropylene, traffolite,
brass or stainless steel).

Figure 24 - Tags for locked valves

Page 272 of 361 Revision: B06

When moving valves from their designated or normal position, tag them with one of
the following, whichever applies:
Isolation tag.
‘Altered valve’ or ‘out of position’ tag or operations flagging tape to designate
valves out of position.
Personal isolation tag (type 2 only).

23.4 Locked valve movement

a. The AA authorises movements of locked valves to control the position and security:
1. Type 1 valves may only be moved using an IDP or operational movement
function in eCoW. All type 1 movements are cross-checked.
2. Type 2 valves can be moved using:
a) an IDP (which updates the LVR).
b) an operational movement (which updates the LVR) supported by a permit
or SOP.
c) a personal isolation for less than one shift supported by a permit (LVR is
not updated).
3. Type 2 valves are typically cross checked, but this may be de-selected with AA
agreement.
b. All positional changes are recorded in the LVR for Type 1 valves, but Type 2 valve
positions are only recorded if the position is changed for more than one shift.
c. If the movement of a safety valve defeats a safety system, the AA shall follow the
temporary override process in section 10.
d. When designing an isolation, avoid using locked valves as PBU points where
reasonably practicable. If there is no other option, you may use locked valves that
are controlled as an isolation point without updating the locked valve register each
time the valve is moved for PBU checking.

23.4.1 Using an IDP

If a Type 1 or Type 2 locked valve forms part of an isolation, identify it in the IDP.

23.4.2 Using operational movement function with eCoW

Only move a locked valve out of, or back into, its designated position for operational
requirements if the move is covered by a permit or an SOP.
The AA may authorise the locked valve movement when they have verified that the
permit or SOP is available and approved.
If a safety system is defeated by a locked valve movement, then an override is
required.

23.4.3 Using personal isolation

Do not move Type 1 locked valves using a personal isolation.
When PSVs are being tested in situ and if the test will take less than one shift,
a personal isolation may be used if:
a) by design, there is no 100% spare PSV,

Page 273 of 361 Revision: B06

b) the TRA considers and manages the risks associated with incorrect
isolation and de-isolation (including cross checking), and
c) the SA has authorised the permit.
Type 2 locked valves may be moved using a personal isolation for less than one
shift when specifically identified in the permit or SOP.

23.5 Maintaining a locked valve register

Use a legible copy of the master P&IDs to identify all locked valves to support use
of the LVR.
Include the locked valve category listed in Table 45 in the LVR.
The valve categories are shown in Table H.1 with descriptions and layout diagrams.
The LVR is available within eCoW and has 21 attributes in columns as listed in Table 46 .
The AA informs the Site Engineer and SA if valves are identified that:
need to be moved repeatedly
might need to be locked but are not on the register
are on the register but might not need to be locked.

Table 45 - Locked valve categories

Locked open valves Locked closed valves

LO-1 SIL1 or greater rated process trip system LC-1 Closed or hazardous drains

LO-2 Compressor anti-surge systems LC-2 HP or LP flare vent valve

LO-3 Pressure or vacuum relief system LC-3 Fiscal metering

LO-4 Overpressure protection blowdown LC-4 Bypass valve

LO-5 Continuous flow path to drains LC-5 Fire protection systems drain valves

LO-6 Flow path to HP/LP flare LC-6 Wellhead control panel

LO-7 Continuous vents to atmosphere LC-7 HP/LP interface protection

LO-8 HP/LP interface protection LC-8 Environmentally critical valve

LO-9 System functionality critical valves LC-9 System functionality critical valves

LO-10 Isolation valves in drain headers LC-10 Pressure or vacuum relief system

LO-11 Minimum flow protection

LO-12 Fire protection systems delivery valves

LO-13 Safety critical valves

Page 274 of 361 Revision: B06

Table 46 - Locked valve register

No. LVR column Entry

Shaded lines are controlled through eCoW and non-shaded are static fields
1 Site Name of the site.

2 Area or Location A description of the location of the valve on the facility.

3 P&ID P&ID reference number where the valve is located.

4 Line The line number of the line containing the valve.

5 Valve tag The unique valve tag number.

6 Valve description Description of what the valve does.

7 Spare For future use

8 Lock number If numbered locks are used, enter the lock number in this cell.

9 Key number Number of key used.

10 Type and Device Type 1 locked (pro-lock), Type 1 interlocked, Type 2 locked (breakable car seal)
or Type 2 interlocked.

11 Category This is the locked valve category LO1 to LO12 or LC1 through to LC8. These
categories summarise the design intent or reason for the valve being managed
as LO/LC.

12 Normal position The position the valve is designated to be in.

13 Current position The position the valve is presently in eCoW. Out of position is when this
position is different from the normal or design position.

14 Comments A free text box to add further details on why the valve is out of position or any
other helpful comments.

15 ICC or movement The ICC or movement number or numbers are entered here.

16 Last Moved The date the valve was last moved. This is generated by the eCoW system
based on the last signed valve movement entry in the register.

17 Operational Inspection The valves in the register are split into groups that can be allocated to different
Group shifts or teams for completing operational inspections.

18 Last Inspection The date the last inspection was entered into the system.

19 Service Description Process duty of the line or equipment (for example crude oil, water, or steam).

20 Purpose or Hazard A free text box to describe why the valve is locked in the open or closed
position (i.e. its purpose for being there or the hazard it is mitigating).

21 Inspection Notes Any comments or notes from operational inspection.

Page 275 of 361 Revision: B06

23.6 Operational inspections

a. Complete and record operational inspections within eCoW as follows:
Every 365 days86 for Type 1 locked valves.
Every 730 days86 for Type 2 locked valves.
Before startup of equipment or systems containing locked valves that were
shut down for maintenance or modifications.
Where operational inspections or self-verifications identify non-conformance with
process, the above frequencies would typically be reduced.
For LO/LC valves that have been replaced because of maintenance or installed as a
result of a new project, Verify the flow direction and the valve position before fluids
are introduced.
Confirm the following during operational inspections:
Valves are in the position recorded in the locked valve register.
Securing devices are in good condition (i.e. they are in place and not corroded
or broken) and secured to make locked valves inoperable.
Tags are fitted separately from the securing device.
When the securing device is removed and the valve is moved during maintenance, the
tag remains in place to signify the valve’s correct position for isolation reinstatement.
Valves found in the wrong position are recorded in the inspection comments
and reported to the SA, who takes appropriate action.
The locked valve register is correct and up-to-date.
The most recent revision of the controlled P&ID is available showing the normal
position of locked valves.
Any defective tags or securing devices are replaced or a maintenance work
order is raised where appropriate.
The AA verifies that there are no overdue operational inspections.
Conformance with locked valve process is managed through a combination of
operational inspection, self-verification and assurance.

23.7 Interlocked valves and keys

Valves are interlocked to ensure they are operated in a particular sequence because
doing otherwise could result in an unsafe condition, harm to the environment, or damage
to equipment. When a valve is fully opened or closed, another key is released. To return
the valve to its original position the key is returned.
Interlocks are used in a variety of circumstances and each interlock system is individually
designed based on a functional specification.
a. Record the trapped interlock key number in the locked valve register ‘key number’
field when moving a valve using IDP or valve movement (Type 1 or 2).
b. Interlocked valves for operational sequencing are recorded in a locally managed
interlock register.
c. Use a local site process to control all interlock keys. This local site process shall
include and record the following:
1. device tag or number associated with the interlocked valve

Page 276 of 361 Revision: B06

2. key number
3. the reason for key issue or key return
4. who the key was issued to, when, who the key was returned by and when
5. approval from the SA or the delegated role to issue the key to change the valve
position
6. approval dates
7. verification that interlock keys are securely stored and controlled by the SA or
their delegate
8. spare or master interlock keys.
d. If a master interlock key is used to operate valves out of sequence, complete a Level
2 risk assessment as part of the CoW document that is being used to move the
interlocked valve, (IDP, SORA, ORA, permit, RAP or SOP).
e. A Level 2 risk assessment needs to identify the hazards associated with overriding
the interlock and the controls required to manage risk.
f. Complete an ORA if there is a prolonged hold part-way through a sequence due to an
abnormal condition.

23.8 Maintenance of locked valves

The equipment maintenance strategy shall include the managed valve maintenance
requirements.
Keep a record of all maintenance on locked valve in the site’s CMMS.

23.9 Modifying a locked valve register

The Engineering Manager, or delegate shall:
manage updates to the locked valve register using eMoC. Minor administrative
changes to the register may be made without an eMoC (e.g. P&ID number or
incorrect title and a change to the static fields in the register).
Verify the accuracy of all updates.

Page 277 of 361 Revision: B06

24 Gas testing
Gas testing involves testing for toxic and flammable gases using portable detection
equipment and, where such gases may be present, is an integral part of the CoW
process.
Gas tests are done to confirm that:
• the working environment is safe from flammable or toxic gas hazards
• oxygen is present to support life.
Sites have many intrinsic hazards, including the presence of flammable and toxic gas.
Therefore, gas testing is carried out by competent personnel to either confirm that
worksites are free from toxic or flammable gases, or to allow the use of appropriate
controls. This is a key control in managing the risks of fire, explosion, poisoning or
asphyxiation.
Authorised gas testers (AGTs) are responsible for carrying out gas tests in
compliance with this Upstream CoW Procedure. Every AGT shall have completed
the appropriate training and been assessed as competent.
There are three levels of AGT, with Level 1 the highest level of competence:
Level 1 – gas test for all tasks, including hot work and CSE.
Level 2 – gas test for all tasks, except CSE initial testing.
Level 3 – use and interpret results from both portable and personal continuous
gas monitoring. This level of gas tester is not authorised to complete the initial
gas test prior to permit issue.
It is expected that the AGT level 1 is a senior role with extensive experience of
confined spaces and knowledge of all substances that need managing within them.
They will understand nitrogen and oxygen enrichment, be able to determine what
materials we might need to test for (e.g. benzene, VOCs, mercury, H2S, NORM) and
they provide quality assurance for AGT2 and AGT3.
For a task that requires continuous gas monitoring, an AGT shall be present. The PA
or a member of the work crew if trained and competent may fulfil this role.
The PA for a CSE task shall not also be the initial gas tester (AGT 1) for that task.
An AGT1 gas tests:
before entry into a confined space
to establish continuous monitoring and Verify an AGT2 or AGT3 is able to
manage the continuous gas monitoring and any alarms where delegated.
An AGT1 or AGT2 gas tests:
before hot work open flame of any type where heat is used or generated (for
example welding, flame cutting or grinding in a hazardous area)
when the risk assessment requires for work located in a non-hazardous area or
within 11m (35ft)2 of live plant
during work that might cause an uncontrolled release of hydrocarbons or other
flammable or toxic materials
when investigating activation of fixed gas detection systems
when monitoring purging operations.

Page 278 of 361 Revision: B06

Continuous gas monitoring using a personal detector is the preferred method for
HWSP activities. If this method is not used, then a gas test is required before work
that might generate sparks or other sources of ignition where there is any potential
for flammable atmosphere.
Maintain and check that gas detectors are serviceable before use.
To help collect a representative sample for conducting a gas test, consider location,
obstructions, wind direction, and contaminants (for example dust or steam).
Use active monitors where reasonably practicable, especially for CSE.
Active monitors are those that use a pumped system to provide the sample to the
sensor. Passive monitors rely on the sample passing over the sensor by natural
movement.

24.1 What checks to do before an authorised gas tester uses a gas detector
The AGT shall Verify the following before using a gas detector:
the gas detector is correct for the task. The user is competent to use it
the detector is within its calibration date. If not, replace the detector and restart
the pre-use checks
the gas detector is in a good state of repair and the casing is not damaged. If it
is in poor repair or damaged, replace the detector and restart the pre-use
checks
the battery is fully charged. Replace the battery, if necessary
the sensor head and membranes are clean. Clean or replace if necessary
the detector ‘zeroes’ in a clean air environment and the readings are as
follows87:
a) % LEL = 0% ppm
b) Hydrogen sulphide (H₂S) = 0 ppm
c) Carbon monoxide (CO) = 0 ppm
d) Percentage oxygen = 20.9%
if using an aspirator, Verify that the aspirator is in a serviceable condition and is
leak-free. If not, replace the aspirator
Bump test the detector with sample gas(es) of known concentration
only use sample lines or sensors recommended by the manufacturer.

24.2 How to maintain a gas detector

The SA nominates a person or people to be responsible for maintaining and
calibrating gas detection equipment to deliver consistent standards.
Follow the manufacturer’s instructions for servicing portable gas detection
equipment. If the equipment is used frequently or in a dirty environment, additional
servicing may be needed.

24.3 Limitations of portable gas detectors

When detecting flammable, asphyxiant and toxic gases at the worksite, know the
limitations of gas detectors, cross-sensitivities and be aware of alternative gas detecting
equipment.

Page 279 of 361 Revision: B06

24.3.1 General limitations

Some substances (for example solvents or silicones) could adversely affect portable
gas detectors. If contamination is suspected, return the detector so it can be
rectified, recalibrated, or both.
Flammable gas detectors are not sensitive to low levels of hydrocarbon vapours
below the Lower Explosive Limit (LEL) range. If concerned about the presence of
hydrocarbon vapours in the ppm range, use a photo-ionisation detector or
colorimetric detector tubes.
The presence of very low concentrations of flammable gas could produce
indications that can be mistaken for ‘zero drift’. In such circumstances, remove the
equipment to a clean air environment and recalibrate.
Dust, mist, or saturated steam could block the flame arresters of certain types of
gas detection equipment. This would make them stop working or give wrong
readings. Take care to keep detection equipment clean.
Off-scale indications, in either direction, could indicate the presence of a potentially
explosive atmosphere. It will then be necessary to flush the detection equipment
with clean air and cross-check for the presence of gas by taking the reading again,
or by using another type of gas detection equipment. Under such circumstances,
assume the presence of a potentially explosive atmosphere until proven otherwise.
Catalytic type LEL detectors rely on the presence of oxygen to detect hydrocarbons
in the air. Do not use them for detecting hydrocarbons in an inert or oxygen-
deficient atmosphere unless using a dilution tube in accordance with the
manufacturer specifications. When testing for hydrocarbons in an inert or oxygen-
deficient atmosphere, use a meter specifically designed for this purpose.
Meters used to test for hydrocarbons in an inert or oxygen-deficient atmosphere are
often referred to as tank scopes. They usually read in percentage hydrocarbon by
volume. Be careful not to confuse this with an LEL reading.

24.3.2 Aspirated detector tubes

Aspirated detector tubes may be used to measure contaminants that LEL gas
detection equipment are not able to detect.
Aspirated detector tubes consist of either a manual or a battery-operated suction
pump, with the inlet fixed to a reactive chemical tube. Tubes exist for detecting a
wide variety of gases and contaminants in a variety of concentrations.
Use them under the manufacturer’s instructions. Separate training may be needed
to use aspirated detector tubes or Drager chips.

24.3.3 Photo-ionisation detectors

Photo-ionisation detectors (PID) measure volatile organic compounds (VOC),
including hydrocarbon vapours at the ppm level, typically in the range 0.1 ppm to
2000 ppm.
PIDs are available as both sentry and personal monitors. They can be set to alarm
and to log exposure levels, if applicable.
PIDs with a benzene-specific option are available to purchase.
Do not use PIDs to measure LEL as they do not respond to methane.
Consider the PPE required to protect against breathing in VOCs when sampling
because the levels are unknown.

Page 280 of 361 Revision: B06

24.4 Gas alarm limits

To provide safe limits and avoid spurious alarms set portable or personal gas
monitors to alarm as follows:
LEL = 10% (0.44% by volume methane)87
H₂S = 10 ppm
Oxygen = 19.0% (low) and 23% (high)
Total hydrocarbons (for PIDs) = 100 ppm
CO = 30 ppm (low) and 200 ppm (high)
For OSHA sites the low oxygen alarm set point is 19.5% and high is 23%.
As a minimum, personal H₂S monitors shall have one alarm set at 10 ppm. If
personal H₂S monitors have the functionality for two alarm settings, apply best
practice of alarms at 5 ppm and 10 ppm.
At 5 ppm88 the accuracy of the personal gas detector shall be verified, source
of H₂S in the area investigated, and exposure risk based on H₂S LTEL of 5 ppm
evaluated.
At 10 ppm88 immediately evacuate the area and investigate the alarm. Consult
an Industrial Hygienist (IH) to confirm the area is safe for re-entry.
For personal CO alarms:
If the alarm is Low – leave the area straight away and investigate further with a
different monitor before entering the area again.
If the alarm is High – evacuate the area and initiate emergency response.

24.5 Gas testing when purging and investigating leaks

Before returning hydrocarbon plant to service it is important to displace oxygen to
reduce the likelihood of a flammable atmosphere. This can be done by purging with
an inert gas (for example nitrogen), or by displacing all gases with water. See
section 16.8
When investigating a known leak or when breaching a hydrocarbon envelope, use a
portable monitor to test the breathable atmosphere (not the atmosphere around the
leak itself). Continue this throughout the tests.
If a hydrocarbon leak is observed, do not intervene unless a gas monitor is available
to test the atmosphere. If necessary, evacuate the site and return with a gas
monitor or monitors.
In any situation, evacuate to a safe area and reassess if:
levels of hydrocarbons in the atmosphere reach 10% LEL or 19%89 oxygen
more than one local fixed gas detector goes into low alarm.
When investigating a leak, approach from upwind. If a suspect leak contains H₂S,
the AGT shall stop and put on breathing apparatus before resuming the
investigation. Use a buddy system whenever using breathing apparatus.

24.6 Carbon monoxide

Carbon monoxide (CO) can cause death or loss of consciousness, so understanding the
danger from CO and the safe operating limit (SOL) is important. CO inhibits the blood’s

Page 281 of 361 Revision: B06

ability to absorb oxygen. It exists where there are combustion products (e.g. turbine
exhausts). The short-term exposure limit (15min) for CO is 200 ppm90.
Where sites deploy CO monitors in temporary refuges, their ERRPs shall include
guidance on the action to take if the CO level exceeds 60 ppm. This may involve
moving personnel to a less affected part of the temporary refuges or in extreme
cases considering the temporary refuges to be impaired.

24.7 Nitrogen
Nitrogen (N2) can cause death or loss of consciousness, so understanding the danger is
important. N2 is present in air at 78% and frequently used to purge vessels, tanks, and
process plant.
Gas detectors cannot detect the increased presence of nitrogen and show only a
reduced presence of oxygen. The hazards from inhaling nitrogen are often
underestimated. Remember, two breaths of pure nitrogen can make a person
unconscious.

24.8 Explosive or flammable limits

The region between the LEL and the UEL is known as the flammable or explosive range.
The LEL refers to the lowest concentration of a gas in the atmosphere that gives a
flammable mixture. For example, the LEL of methane is 4.4%91 by volume. This means
that, if there is less than 4.4% by volume of methane in air, the mixture is too lean
(weak) to support combustion.
Some regions specify the LEL for methane as 5%. Where this is the case, regions
shall recalibrate atmospheric monitors to the 4.4% standard.
The UEL refers to the highest concentration of a gas in the atmosphere that results in a
flammable mixture. For example, the UEL of methane is 16.5%92 by volume. This means
that, if there is more than 16.5% by volume of methane in air, the mixture is too rich
(concentrated) to support combustion.
A rich gas mixture would typically occur in a confined area (for example, an oil storage
tank), where the methane cannot disperse.

Figure 25 – Methane lower explosive limit (LEL) and upper explosive limit (UEL)

Page 282 of 361 Revision: B06

Figure 25 shows that concentrations of methane in air between 4.4% and 16.5% are
flammable.

24.9 Lower explosive limit and upper explosive limit of common gases
The LEL and UEL of some common gases found in the oil and gas industry are
shown in Figure 26.
For most gas testing purposes, it is the LEL that is significant. The AGT is
responsible for recording the percentage of LEL for the specific flammable gas they
are testing.
When calibrating portable gas monitors, always use the manufacturer’s correction
factors for the respective calibration gas being used.
0% 100% LEL UEL

ACETYLENE 2.4% 88.0%

BUTANE 1.5% 8.5%

ETHANE 3.0% 15.5%

ETHYLENE 2.7% 34.0%

HYDROGEN 4.0% 75.6%

METHANE 4.4% 16.5%

PROPANE 2.0% 9.5%

PROPYLENE 2.0% 11.0%

= Too lean to support combustion

= Will support combustion

= Too rich to support combustion

Figure 26 – Lower explosive limit (LEL) and upper explosive

limit (UEL) for common gases

24.10 The flashpoint for a liquid

The flashpoint for a liquid is the lowest temperature at which it produces enough vapour
to form an ignitable mixture with air. This means that the concentration of flammable
vapour above the liquid is close to the LEL.

24.11 The narcotic effects of hydrocarbon vapours

Inhaling volatile hydrocarbon vapours, such as those from condensates, can cause
narcotic effects (for example drowsiness, dizziness, confusion and inability to make
rational decisions). Such effects could be apparent after three to four breaths, depending
on concentration. Equally, recovery after three to four breaths of uncontaminated air is
expected.
Figure 27 shows the physical effects of breathing a hydrocarbon vapour at different
concentration levels.

Page 283 of 361 Revision: B06

Figure 27 – Narcotic effects of hydrocarbon vapours

The concentration levels are expressed as a percentage of the LEL of the vapour, not
the concentration by percentage volume. One hundred percent LEL is about 4.4%
methane in air by volume. The calibration against LEL enables personnel with
portable hydrocarbon gas monitors to be aware of the presence of a potential narcotic
atmosphere quickly enough and to take appropriate action to evacuate to a safe place.

24.12 Toxic gases, vapours and asphyxiants

Gases such as nitrogen, hydrogen and methane all act by simply displacing oxygen in air.
These gases are known as simple asphyxiants.
Substances that affect the body’s assimilation of inspired oxygen, such as carbon
monoxide, prevent the uptake of oxygen in the blood. These gases are known as
chemical asphyxiants.
More toxic asphyxiants, such as hydrogen sulphide (H2S), directly affect the respiratory
centre of the brain, causing breathing to stop.
For details of occupational exposure limits (OELs), refer to sources such as UK HSE, US
OSHA, US ACGIH.

24.13 Hydrogen in analyser houses and systems

Hydrogen is often used as a fuel and carrier gas in gas chromatographs and
analysers. Consider hazards associated with the use and potential leak of hydrogen
in analyser houses, shelters and cabinets when performing risk assessments for
activities associated with such systems.
All analyser house, shelter and cabinet gas detection alarms shall be healthy before
work commences.
All persons entering an analyser house, shelter or cabinet that contains hydrogen
shall have a personal gas detector, which detects H2 and CO.
CO is generated by inefficient combustion of hydrogen.

Page 284 of 361 Revision: B06

Locate portable gas detectors measuring hydrogen at the vent of the purged
enclosure of gas chromatographs and analysers that use hydrogen as a fuel and/ or
carrier gas during work activities.
Gas detectors at these vents will activate if there has been a leak of hydrogen within a
purged analyser enclosure.

24.14 Atmospheric testing for confined spaces

An AGT1 using calibrated gas testing equipment shall perform initial gas testing.
Continuous monitoring can be performed by any AGT. The gas testing results are
recorded on the CSE permit.
Continuous monitors shall be placed at air intakes and within the CSE.
For a CSE the PA and AGT1 shall be different people.
Initial gas testing includes testing for oxygen, flammable vapour (percentage of
LEL), and any toxic gases or vapours (for example benzene, VOCs, H₂S and
mercury), as identified in the hazard analysis. The types of gas testing required is
based on the historical content of the confined space. The test results are used to
decide:
if the space is safe for entry
if additional vessel purging will be needed
which PPE is required for entry
any time limitations for entry into the space
any other additional controls.
The AGT1 shall initially test for gas from outside the confined space before anyone
enters and as close as possible to the time work starts. Use an extension wand to
sample as far into the space as possible.
Always test and Verify the oxygen content before measuring the LEL readings of
flammable gases and concentrations of toxic gases are measured.
If oxygen is deficient, the LEL cell will not work properly, giving a false (low) response.
Following the atmospheric testing of a confined space evaluate the results to Verify
that conditions are acceptable for manned entry (i.e. within the limits set out in
Table 47). Where there is any uncertainty, contact an industrial hygienist or HSE
adviser to help interpret the results.
Oxygen and explosive levels are measured using standard instruments. The AGT1
doing the testing shall validate these before and after each test or series of tests.
The software in eCoW does not allow the permit to be issued unless these readings are
in place.
A CSE permit may be issued for entry without respiratory protection (for example
BA) when:
the AGT1 is able to collect fully representative samples from all areas of the
confined space from outside the confined space
this representative testing meets the acceptable criteria for entry summarised
in Table 47.
there is no sludge, residue, or contamination that could generate a hazard when
disturbed.

Page 285 of 361 Revision: B06

In addition, temperatures within the confined space should be risk assessed for
entry which include ambient parameters (air temp, radiant heat, humidity, air
flow) as well as clothing / PPE, personal risk factors and duration of entry.
Typically, hydrocarbon vapours (including benzene) will be present where there is
residual hydrocarbon and, or hydrocarbon sludge.
Where abrasive blasting or other activities have created a dust-filled atmosphere,
then clear the confined space of dust before allowing re-entry.
If subsequent activities conducted inside the confined space after entry generate
hazardous substances (e.g. welding, cutting) risk assessment should determine
appropriate controls which may include general or local exhaust ventilation and RPE.
Figure 28 provides an overview of the steps to take when initially testing the
atmosphere of a confined space. The provided flow assumes the space has been
suitably isolated, emptied, purged and flushed, and is not kept intentionally inert.

Page 286 of 361 Revision: B06

Is mechanical ventilation NO
required?
YES

Has mechanical ventilation been YES Switch off and wait 10 mins
installed and verified working? before testing atmosphere
NO

AGT1 to test the space using BA.

Can AGT1 collect fully NO Issue CSE permit for AGT1 entry, link live –
representative sample from not live with CSE permit for the task. Permit
outside the space? for use with BA only and have explicit
YES
controls and scope for the BA entry.

AGT1 test from outside, test

for O₂ first to confirm LEL
readings are accurate

NO TRA to determine next

Do the results allow entry without course of action (e.g. flush,
BA (see table 47)? clean or purge further)
YES

NO TRA to determine next

Do the results allow entry without
course of action (e.g. flush,
RPE (see table 47)?
YES clean or purge further)

Are the temperatures within NO TRA to determine next

the space acceptable (typically course of action
below 120°F (50°C)93)? (e.g. ventilate further)
YES

Is there any sludge, residue or YES TRA to determine next

contamination that could generate
course of action
a hazard when disturbed?
NO

Has abrasive blasting or other YES Clear dust before allowing

activity created a dust filled
entry/re-entry
atmosphere?
NO

Is ventilation and continuous NO

monitoring in place and ready to Set up ventilation
start?
YES

Start ventilation and verify

Issue CSE permit
it is sufficient. Start
(for space not task)
continuous monitoring

Figure 28 – Atmospheric testing a confined space

Page 287 of 361 Revision: B06

24.15 Entry to a confined space with breathing apparatus for testing

For larger confined spaces where it is not possible to test all areas of the space
from the outside, take additional measurements from inside the confined space.
Once the initial test from outside the confined space is within the range shown in
Table 47, the AGT1, wearing PPE that includes a supplied-air BA, may go inside the
confined space to do further testing. A CSE permit shall be issued for the AGT’s
entry.
The CSE permit for entry using BA shall be separate to the CSE permit for entry
without BA and linked live-not live.
For confined spaces with complex internal layouts, extra work (for example
installing access and removing access hatches) may have to be carried out to allow
full testing and to confirm the environment is safe (for example no sludge present
that may contain hazards). This may be done on the CSE permit, if the permit scope
is specific and AGT1 trained personnel are conducting or helping with the process.
Carefully manage the CSE, as the BA can make access and egress awkward.
Entry with BA may exist for an extended period and requires precise controls with
clear signage and barriers at the CSE. The permit shall be explicit in scope, controls,
and ERRP requirements. The SA verifies and authorises the initial entry to a
confined space.
When gas testing larger vessels (for example tanks), where a ventilation system is
used to maintain a continuous airflow, the AGT shall shutdown the ventilation for at
least 10 minutes94 before performing the gas test to get a representative sample. If
the AGT needs to enter the confined space to conduct the test they do this using
BA. Once they have a representative sample, the ventilation system can go back
into service.
Do not stop the ventilation system while anyone is inside the confined space
without BA.

Page 288 of 361 Revision: B06

Table 47 – Confined Space Entry (CSE) criteria

Flammability %
Oxygen % in
atmosphere
lower explosive Toxicity Action95
limit (LEL)
< 10%LTEL and/or
20 to 21 <1 Safe to enter without respiratory protection.
STEL (Note 5 & 6)
TRA to determine appropriate controls associated
<1 ≥10% LTEL and/or with mitigating occupational exposures (e.g.
19.5 to 22
STEL (Note 5 & 6) ventilation, respiratory protection (notes 9 & 10) and
oxygen levels (note 11)).
H₂S 10 ppm Alarm settings.
19 and 23 10
CO 30 ppm Work stops, evacuate area and investigate (note 7).

TRA to investigate oxygen enrichment and assess

21 to 23
risks associated with it (note 14).

16.1 to 19.5 1-10 BA required due to oxygen levels (note 14).

<16.1 No entry allowed. Classed as inert entry (note 13).

No entry allowed. Classed as oxygen enriched

>23.5 > 10
atmosphere, risk of spontaneous ignition exists.

Notes:
1. When gas testing larger vessels (such as tanks), where a ventilation system is used to maintain a continuous
air flow, the AGT shall shutdown the ventilation for at least 10 minutes before performing the gas test to get a
representative sample.
2. If the AGT needs to enter the confined space to conduct the test they do this using breathing apparatus.
Once they have a representative sample, the ventilation system can go back into service.
3. Never stop the ventilation system while anyone is inside the confined space.
4. Perform continuous gas monitoring throughout the period that anyone is in the confined space.
5. Some toxic substances do not have an occupational exposure limit (OEL) or both an LTEL and STEL. Where
this is the case, consult an industrial hygienist. Control exposure to carcinogens, mutagens and sensitisers to
a level as low as reasonably practicable below the OEL. Where LTEL and STEL are available for a toxic
substance, exposures for the duration of the task have to be less than 10% of both these limits before entry
without RPE.
6. LTEL is long-term exposure limit based on eight-hour exposure as a time-weighted average. STEL is short-
term exposure limit based on 15-minute exposure.
7. H₂S and CO limits are provided as these are commonly used. OELs for toxic substances are defined in the
local regulatory documents (for example UK HSE Guidance Document EH40 or US National Institute for
Occupational Safety and Health (NIOSH) guide to chemical hazards).
8. Lower explosive limit (LEL) means the same as lower flammable limit (LFL).
9. Risk assessment shall include a specialist (for example industrial hygienist) to determine appropriate controls
(including ventilation and respiratory requirements) based on measured concentrations of gases or dusts and
the work to be carried in the confined space.
10. Some chemicals do not have Approved filters or cartridges for APRs and may require BA if determined by the
risk assessment.
11. Where the O2 content is found to be above 21, investigate the area as oxygen is being produced and a risk
assessment shall be required to determine the appropriate controls. Oxygen enrichment can lead to
spontaneous ignition and fire.
12. Oxygen concentrations below 19.5% are considered oxygen-deficient and IDLH in the US unless the
employer can demonstrate that O2 levels cannot fall below 16.0%. Only use self-contained breathing
apparatus (SCBA) or supplied-air respirators with an auxiliary air supply in IDLH.
13. For the purposes of CSE, treat any atmosphere with less than 16.1% oxygen as inert. A competent specialist
contractor with VP approval shall perform inert entry.
14. Evaluate any toxicity risk to determine if controls are adequate.

Page 289 of 361 Revision: B06

25 Leaks and seeps management

The effective management of leaks and seeps (L&S) helps to reduce both process and
personnel risks caused by the uncontrolled release of material. Such incidents may result in
injury, environmental impact, property damage and deferral of production.

The environmental impact of leaks and seeps includes the associated methane emissions to
the atmosphere. Although global carbon dioxide emissions are significantly greater than
methane emissions by volume, methane has a more potent short-term effect on global
warming and is increasingly recognised as being a significant contributor to climate change,
with every tonne of methane emitted having the same impact as 25 tonnes of carbon dioxide
(the most common greenhouse gas). Thus, effectively managing leaks and seeps not only
reduces process safety risks, but also reduces BP GHG emissions.

Design and engineering controls supported by a searching and monitoring regime both on
plant startup and during normal operation help to reduce the likelihood of L&S.

The frequency of L&S searches shall be risk based, specific to the facility, and
consider processes, age and condition of plant.
Conduct more frequent searches on high-pressure process gas systems.
Consider additional searches following TARs, planned and unplanned shutdowns,
and in support of plant restart, taking into account warm-up and pressure increase.
The following are examples of common sources of leaks:

• Joints, including flanged, threaded and compression fittings.

• Piping, instruments and impulse lines including small bore connections, inside
instrument housings, external corrosion, damaged insulation, vibration and
inadequate support arrangements.
• Valves: body, joints, plugs and stem seals.
• Hoses: support arrangements, condition of end fittings and connections, and for
cuts, kinks, bulges, signs of abrasion, corrosion and over-bending.
• Pumps and compressors: casings, fittings, mechanical seals and small-bore lines.
• Incorrectly fitted or missing caps, plugs and blanks.

25.1 Identifying leaks and seeps

Leaks and seeps can usually be identified:
• visually through wetting or discolouration, frost or freezing
• by sound, or smell
• using portable gas detectors or aspirational detector tubes
• using forward looking infrared (FLIR) camera.
The FLIR camera is used to proactively identify new hydrocarbon L&S and to monitor
existing emissions. Additionally, the camera can be used following major interventions
such as turnarounds to monitor integrity following the re-introduction of hydrocarbons.
See section 25.7 for guidance on using an FLIR.
The SA shall implement a structured L&S search and monitor programme.
Frequency is risk based but search the whole plant at least annually.

Page 290 of 361 Revision: B06

The programme should include a regular FLIR camera search on plants’ gas
systems, during normal operations to identify leaks and seeps invisible to the
human eye. Any identified leaks and seeps are added to the L&S database in eCoW,
risk assessed and managed according to risk. The frequency of the FLIR search is
typically quarterly but is informed by the integrity performance of the asset.

25.2 Managing leaks and seeps

There are four steps in the process to manage leaks and seeps (L&S):
• Classify the leak or seep (C1-C4 as per Table 48 and Table 49) and decide whether
continued operation is acceptable.
• Prove the leak or seep is stable.
• Tag the leak or seep and create a record in eCoW. Set a repair date and priority in
the maintenance management system with L&S in the title. Always record the leak
or seep, even if repair is immediate, as the record provides valuable information
regarding leaks and seeps risk on the site.
• Monitor the leak or seep.
Leaks and seeps that are isolated need to be recorded in eCoW.
The SA uses the operations dashboard in eCoW to manage leaks and seeps and set
suitable self-verification frequency.

25.3 Classifying leaks and seeps

Table 48 – Leaks and seeps

Type Description Measure96 Monitoring frequency

Fugitive Methane or other As per HSE guidance on Typically an annual

emissions uncombusted hydrocarbons emission factor. survey.
emitting from equipment.

Seep Leakage at a rate less than A liquid release of < 4 drips Every 2 weeks, or
that defined as a leak. per minute. conduct a risk
assessment to set
For gas < 20%LEL at 10 cm monitoring frequency
downwind of source.

Leak Occasional observable or A liquid release is dripping at a C1: as per risk

measureable releases of rate of ≥ 4 drops per minute. assessment
hydrocarbons, chemicals or
hazardous utilities – are For gas ≥ 20% LEL 10 cm C3: every 2 weeks, or
observed from a pump seal, or downwind of source. conduct a risk
valve packing, or flange to a assessment to set
containment area (i.e. not monitoring frequency.
directly to land or water). The
If stability is in doubt
condition does not require
conduct a risk
immediate action to mitigate
assessment
risk.

Page 291 of 361 Revision: B06

If the leak is C1, see Table 49, or if its stability is in doubt conduct a risk
assessment to establish monitoring frequency and identify if any additional controls
are required.
Use task monitoring within eCoW to track and review the monitoring frequency and
controls if the condition deteriorates.
When a leak or seep is covered by an ORA it is still tracked in eCoW but does not
require a separate risk assessment.
The decision to repair a leak or seep is risk based and a timely repair is always the
preferred choice. Balance the risk of delaying repair against disruption to planned
work if carried out immediately.

Table 49 – Leak classification

Category Medium (Annex I) Release type

1 Hydrocarbon or hazardous utility Leak

2 Hydrocarbon or hazardous utility Seep

3 Non-hazardous utility Leak

4 Non-hazardous utility Seep

25.4 Prove the leak or seep is stable.

When anyone identifies a leak or seep the AA or delegate shall evaluate its class
and whether it is stable.
L&S from glands, joints, plugs, nipples or screwed fittings may be assessed as
stable if the leak or seep rate has not deteriorated at a second evaluation within
two days of it being identified.
If the leak or seep is from an integrity breach such as corrosion, then do not
assume it is stable.
Consider factors such as location, materials, escalation potential and area
occupancy during the evaluation.

25.5 Tagging and recording leaks and seeps

Tag all leaks and seeps in the field to identify the location.
Record leak or seep in eCoW and CMMS with a planned repair date.
The tag shall be easily visible and contain the following information as a minimum:
description of duty, including unique leaks and seeps eCoW number
date reported
who placed the tag

Page 292 of 361 Revision: B06

CMMS number

Figure 29 – An example leaks and seeps tag

25.6 Monitoring leaks and seeps

When a gas leak or seep has been detected, record and date a baseline of the leak
either by description, gas detector measurement, using a digital camera or FLIR
camera.
Establish a regular re-evaluation of the leak to evaluate for deterioration and possible
intervention. The frequency of the re-evaluation depends on the leak location, size
and material type.
For category C2-C4, either:
a) monitor as a minimum of every 2 weeks97 without the need for a risk
assessment, or
b) conduct a risk assessment to set a leak or seep specific monitoring
interval.
For C1, conduct a risk assessment to establish monitoring frequency and
identify whether any additional controls are required.

25.7 Using a FLIR camera

FLIR cameras shall be calibrated and maintained as per manufacturer’s
recommendations and used by trained personnel.
The AA shall consider the camera’s effect on other infra-red devices such as fire and
gas detectors before issuing a permit or giving permission for NPW.

25.8 Surveys for methane fugitive emissions

As part of BP’s goal to reduce GHG emissions, it is important to identify fugitive
methane emissions. These can occur from sources such as compressor seals and
valve stem seals. The FLIR camera is used to survey sites in a structured manner to
identify sources of fugitive emissions.

25.9 Re-commissioning gas hydrocarbon systems

Following a major overhaul, turnaround or project involving gas systems, the FLIR
camera may be used to confirm the integrity of identified joints, blind flanges, valves
and valve glands on gas systems. Any identified L&S are added to the L&S database
in eCoW, risk assessed and managed according to risk.

Page 293 of 361 Revision: B06

26 Self-verification, assurance and audit

BP aims to Verify consistent application of the CoW process. Therefore, having a programme
of regular self-verification (SV) in place is key. Assurance and audit, in line with S&OR and
Group Audit programmes also helps assess how the CoW process is being managed at the
site and identifies any areas where an improvement or correction might be needed.

Table 50 – Self-verification, assurance and audit summary

Type Scope SPA Tool Frequency

1 Self-verification Site SA eCoW Risk based, but
typically daily.
2 Assurance Site, regional and S&OR Assurance insights and As stated in
functional Regional recommendations are assurance plan,
OA recorded in the Upstream typically quarterly.
assurance database.
3 BP Group Audit Site, regional and Group Group Audit protocols. Determined by
functional Audit Group Audit.

26.1 Line personnel carry out self-verification

Using the SV protocols, review the CoW system against all aspects and requirements of
this Upstream CoW Procedure.
The AOM shall verify conformance with this Upstream CoW Procedure and the
review of SV results are a key part of this verification.
Task-level self-verification protocols have been developed and shall be used within
eCoW. These protocols include a list of questions to ask and they suggest some
areas to test. The CoW SV protocols are as follows:
permits
isolations
overrides and inhibits
procedures
operational risk assessments
lifting
shift handovers
locked valves
leaks and seeps
alarm management
TRA quality assessment
IDP quality assessment
TBT quality assessment
LTI engineering assessment.
The SA participates in the process and appoints additional people to do these
reviews (for example team leaders, H&S leaders). Asking supervisors and
technicians to be part of the verifications is a good coaching opportunity and brings
a broader perspective to the verification.

Page 294 of 361 Revision: B06

The SA shall take a risk-based approach to decide how often each site performs SV
checks, and the sample size in each of the 14 areas that is appropriate for the site.
Consider when to do a SV, for example: conducting isolation verification during
execution of the isolation or de-isolation.
This risk-based approach shall include consideration of:
type, complexity, risk level, and amount of work activity in the schedule
CoW incidents, near misses, HIPOs, and self-verification findings for similar
work
routine work that is infrequently checked
level of PA and work team familiarity with the work and the site or work
location.
Focus the site’s efforts based on feedback received from the reviews and risks
being managed and do not follow a pre-set schedule.
The SA shall review the effectiveness of self-verifications by considering:
the effectiveness of self-verification checks in identifying gaps in conformance
the effectiveness of actions to close gaps in conformance
the number and types of checks based on planned activities
the status and target dates for all actions.
The mix and number of SVs completed may vary over time. The SA shall verify all
14 protocols are covered at a suitable frequency based on risk and findings.
If SV checks identify observations that require corrective action, record those
actions with the relevant observation.
eCoW provides reports to help the SA manage the completion of self-verification
actions in a timely manner.

26.2 Reviewing self-verification

Discuss the findings from each self-verification review at the daily CoW meetings.
AOMs also review the summary of findings at one of their regular meetings.
Verify and record observations and actions to close gaps or to cover proposed
improvements in the following areas:
CoW organisation and roles, including contractors filling CoW roles
training and competency of BP and contractor personnel in CoW roles
the CoW planning and scheduling process
permits to work and supplementary certificates.
risk assessments (TRA, SORA, ORA, and isolation)
risk assessed procedures
self-verification protocols and process.

26.3 Deployed S&OR assurance

For GOO, an S&OR representative leads the assurance reviews at the frequency
agreed in the annual assurance plan.

Page 295 of 361 Revision: B06

S&OR complete the assurance against this Upstream CoW Procedure. The S&OR
team documents this assurance review, agrees any actions with the line and
records them in IRIS and upstream assurance action tracker.
All milestones are to be agreed with GOO Leadership. S&OR conduct assurance to
support progression between OMS conformance levels.
For GWO, an S&OR team requested by the GWO leadership leads rig assurance.
For GPO, functional teams lead construction and startup assurance with the terms
of reference agreed between GPO and S&OR. The project health safety security
environmental review (PHSSER) process is a Group Practice and the startup
assurance review (SUAR) process is covered in a Segment Defined Practice and
includes Control of Work assurance. Findings and actions are formally tracked by
the project.

26.4 OMS conformance levels

Conformance with OMS 4.5 is delivered through the relevant sections of the Upstream
CoW Procedure. Boundaries and technical scope are defined in the Upstream CoW
Procedure.
OMS conformance is assessed using the Group conformance level definitions. To assist
practitioners, the framework in Table 51 below, with examples, has been developed.
This framework (listed as ‘recommended evidence’) does not seek to redefine the OMS
conformance levels but is used to guide, inform and support the determination of OMS
conformance levels.

26.5 Audits by Group Audit

The BP Group Audit team leads these audits. The site, region or function being audited
identifies actions to address any findings, agrees them with the audit team, and records
them in IRIS. The audit team documents these audits, including any findings and the
actions agreed to address them.

Table 51 – OMS conformance summary

Conformance level Evidence to support a conformance level assessment

Level 3 CoW Procedure and eCoW deployed

Group Definition 3.1 All sites live with the Upstream CoW Procedure and eCoW in use.
Evidence demonstrating
conformance with the Group
Essential.

Level 4 eCoW

Group definition: 4.1: Full functionality of ‘mandated’ eCoW elements, or equivalent tool, are in place.
Level 3 plus documented 4.2: Any residual CoW data not transferred at ‘go live’ is migrated to eCoW.
processes that are practiced and
4.3: All isolations (including LTIs), ORAs and SORAs are being managed in eCoW.
well understood with clear
accountabilities and defined 4.4: Process being applied with minimal overdues in eCoW.
competencies.
CoW Procedure

Page 296 of 361 Revision: B06

Conformance level Evidence to support a conformance level assessment

4.5: Upstream CoW Procedure is fully adopted with clear evidence that ‘8 steps of
the CoW process’ are operational.
4.6: Any deviations are Approved and documented in eCoW or the LIP.
4.7: Any updates to the Upstream CoW Procedure have been communicated,
implemented and users trained.

Competence

4.8: All CoW roles are in place as per Upstream CoW Procedure.
4.9: All training completed with knowledge assessment records available in My
Talent & Learning.
4.10: All BP CoW roles have been assessed using the Upstream competence
process and records and certificates are available in RMS database.
4.11: Any existing site CoW training or competence assessment profiles, processes
and tools are retired.

Self-verification (SV)

4.12: All SV protocols are in use in eCoW as per Upstream CoW Procedure.
4.13: Full functionality of eCoW is in place for task SV, or an equivalent process,
using performance management KPI measures identified in the procedure.
4.14: Task SV is being used and the SV programme is being updated based on
findings and site-specific risks.
4.15: The daily site CoW meeting uses the eCoW dashboard (suite of measures) to
Verify the CoW process is being followed and key risks are being managed.
4.16: System SV of the CoW process is being performed using reports and
dashboards.

Level 5 Self-verification

Group definition: 5.1: Self-verification is driving corrective actions & CI.

Level 4 plus verification and Monitoring

monitoring processes to confirm
that conformance is maintained. 5.2: Reports generated from eCoW confirm that CoW performance remains within
acceptability bands (in comparison to other sites) defined by GOO Operations.
5.3: The analysis of performance measures required within the procedure is
consistently used to identify and address conformance gaps with visible leadership
engagement in monitoring outputs.

Page 297 of 361 Revision: B06

27 Performance management
There are two tools available to help the site manage and improve its control of work
performance. There are:
• dashboards within eCoW
• web based reports

27.1 Dashboards
Dashboards provide real time information of current control of work documents and
status. They also include measures and KPIs to support day-to-day management of the
system and process.

27.2 Web based reports

The reports provide a time and site-based trending and visualisation of useful information
including dashboard and KPI trending. These should be used for continuous
improvement and system optimisation.

Page 298 of 361 Revision: B06

28 Training and competence

The training and competency process confirms that everyone in a CoW role has:
• the right training to perform their role
• demonstrated their knowledge of the training they have received, and
• had their competencies assessed and any identified gaps closed to Verify they can
correctly apply the CoW process and systems.
The competency assessment covers practical demonstration and knowledge
testing. The individual being assessed shall be trained and practised. For example,
an IsA would be expected to:
complete online and classroom training
build portfolio of isolations under full supervision in training version of eCoW
(utilities, SV, DBB)
be competency assessed in the field, and
have post-assessment work verified using quality indicator self-verifications to
demonstrate the role is being executed to the required standard.
To retain competency and skills an individual shall be actively executing the role.

28.1 Training
There is a comprehensive range of CoW training products that includes all aspects of the
CoW policies, standards and procedures. The requirements for training are in a training
matrix available in the GOO library.
Link to master version of CoW training matrix
This training may be used for refresher and revalidation. BP recommends assessing
personnel to identify competency gaps and what revalidation or refresher training is
required to fill these gaps.
All training is accessed via the My Talent & Learning system which retains all training
records and expiry dates.
The SA shall Verify that the site induction, or any new-start training, includes:
an overview of this Upstream CoW process
what individuals are expected to do including specifically ‘anyone has the
authority and obligation to stop unsafe work or report unsafe conditions’.

28.2 Competence Assessment

Upstream CoW has a defined set of role-based competency assessments to achieve
consistency across Upstream.
Before being assessed, candidates for CoW roles require training, time working at
the site, practise within the training system and to deliver some of their expected
responsibilities under supervision.
When an individual has completed their training, the line manager may also carry out
on-the-job informal assessments before the formal competency assessment.
Contractors who hold roles in the BP Upstream CoW system are required to meet
the competency requirements in line with the CoW role they are filling.

Page 299 of 361 Revision: B06

Individuals can hold multiple CoW roles, provided they have been assessed as
competent in each of the roles. Each assessment shall be done individually. Multiple
candidates cannot be assessed as a group for a specific role.
Assessments include practical demonstration in addition to assessing basic
knowledge. For some CoW roles, both technical knowledge and leadership
behaviours are assessed. Certain roles require completion of an online test based
on the Upstream CoW Procedure.
The candidate’s line manager works with the candidate to develop an action plan to
close any identified gaps. All assessment gaps shall be closed prior to appointment
into role by the SA.
SAs at hydrocarbon operating sites shall complete the SOR Critical Role
assessment and have all gaps closed in order to be appointed to the SA role. Only
SAs at non-hydrocarbon operating sites, e.g. buildings, shops, roads/pads etc. can
be assessed for the SA role using the stand-alone SA Assessment in this section.
Site Authorities subject to the SOR Critical Role assessment shall:
be re-assessed before the expiry date.
close any gaps on re-assessment within six weeks of the re-assessment date.
be either: removed from role if their re-assessment gaps are not closed within
the gap closure due date, or a risk assessment and approved deviation obtained
per section 6 of this Upstream CoW Procedure to continue in role.
The stand-alone SA assessment will not be valid for a hydrocarbon site. Therefore,
an SA that moves from non-hydrocarbon sites, shall follow the safety critical role
appointment procedure GOO-OP-PRO-00003 BP Procedure Site Manager
(OIM/OSM) Appointment (100466)
A re-assessment is required to extend the competency validity period. The re-
assessment process can either be:
an evidence-based portfolio where the candidate has been actively fulfilling the
role, or
a full reassessment.
CoW roles are assessed using qualified assessors. An Approved list of assessors is
maintained within RMS.
The assessment process is managed, and records are retained within RMS.

28.3 Competence Assessors

The assessor requirements for CoW roles are listed in Table 52. Suitable
practitioners may be appointed as exceptions to this table by agreement between
SA and Central team (e.g. new deployments, organisational structure, projects).
Assessors shall complete the competency assessor training as detailed in Table 52.
Assessors shall not assess anyone they have coached and developed in preparation
for the role.
The number of assessors per site will be limited to maintain consistency and quality.
Assessors are nominated by SA and approved by the CoW Central team prior to
appointment.

Page 300 of 361 Revision: B06

Table 52 – CoW assessor requirements98

Role being assessed Experience / Requirements

FA • SOR Critical role assessor, or

• Held OIM / OSM / AOM roles with >5 years’ experience of CoW and competency
assessor level 2.

SA • SOR Critical role assessor

SA Standalone • SOR Critical role assessor, or

• Held OIM / OSM / AOM / OA with >5 years’ experience of CoW and competency
assessor level 2.

AA & IA • SA in role >1 year and competency assessor level 2, or

• Those qualified to assess FA or SA.

IA • AA in role >1 year and competency assessor level 2, and

• Only by agreement between SA and Central team (e.g. new deployments,
organisational changes, projects)

TRA Facilitator • Nominated by SA after demonstrating suitable behaviours to deliver “professional

distance“ and is an experienced TRA facilitator and competency assessor level 2,
and
• facilitated a minimum of 3 TRAs with a quality assessment >80% score in eCoW.
Score is verified by central team, or
• AA assessors

Assessors for all the following roles to be trained to competence assessor level 3.

IsA & Isolator • Nominated by SA after demonstrating suitable behaviours to deliver “professional
distance“ and is an experienced IsA in the same discipline.
• Approved a minimum of 3 IDPs with a quality assessment >80% score in eCoW.
Score is verified by central team.

• IsA HV can assess IsA LV 2 or isolator electrical but IsA LV2 cannot assess IsA HV.

PA • AA in role >1 year and have completed a minimum 3 TBT quality assessments with
improvement opportunities recorded.

AGT1 & 2 • AGT 1 nominated by SA after demonstrating suitable behaviours to deliver

“professional distance“.
• Have been active in the AGT1 role for one year (per low use report).

AGT3 • AGT1 or 2, HSE Advisor, ER Team

Leak Testing SPA • Those qualified to assess AA.

CSE Attendant • AA, IA, HSE Advisor, ER Team

Firewatcher • AA, IA, HSE Advisor, ER Team

28.4 Appointing individuals to Control of Work roles

The SA shall only appoint someone to a CoW role when they have been trained and
assessed competent for the role. An individual may hold more than one CoW role
provided they have been assessed as competent in each of those roles.
The SA verifies that individuals are inducted, have completed any required local
training and are familiar with the site before authorising roles in RMS.
For example, a PA on platform A has been working there for six months. They
then move to platform B but do not have to repeat any of the training courses

Page 301 of 361 Revision: B06

for CoW and their competency is still valid. However, before they are assigned
platform B in eCoW the SA authorises that they have been inducted and
familiar enough with the site to be a PA. Once on site it is expected that self-
verification is used to check on any new user to Verify their work meets the
competency standard.
The SA shall use self-verification to test, through sampling, that those holding CoW
roles can clearly demonstrate they understand their CoW roles and responsibilities.
The SA, or AA when delegated, shall inform any contractor employees who hold
CoW roles in the BP CoW system of the role’s responsibilities. They complete any
necessary BP training and are verified that they meet the competency requirements
in line with the CoW role they are filling.
The CoW system is a global consistent system and therefore the roles in it apply
globally. A competent PA or IsA, for example, retain their CoW role competence
which can be applied anywhere BP uses the Upstream system.
The time they need to be on a site to be deemed familiar will vary depending on the
role and the complexity of the site. This is an SA decision and they consider the
following when deciding:
If user training is complete, consider a refresher training programme.
Practice permits, shadowed by an AA with the individual playing an active and
supervised role.
Practice IDPs, shadowed by an IsA with the individual playing an active and
supervised role.
Re-assess competency.
Assignment of roles shall follow the criteria in Table 53 below.

Page 302 of 361 Revision: B06

Table 53 – Role assignment criteria99

eCoW Role Role assignment criteria

All roles • The number of roles should be consistent with workload to make sure skills can
be maintained. Verified using minimum usage report.
• Where criteria below cannot be met, exceptions shall be agreed with Central
CoW team and recorded in RMS.

Permit Vision User • View access.

• Ability to draft documents.
• Able to conduct self-verifications.
• Not required if user has another role in eCoW for same site.
• Should not be used to train PAs, use the training system for this.
• RMS automatically revokes when another role is assigned.

Site Authority • Nominated by the functional authority.

• Site or facility manager (e.g. OIM/OSM) typically holds this role.

Area Authority • Does not need an IA role for the same site.
• RMS automatically revokes IA role when AA role is assigned.

Issuing Authority • Experienced production technician, or supervisor who are very familiar with the
process and the facility.
• Experience of participating in risk assessments.

Performing • Not normally held by AA, SA or FA

Authority

Isolating Authority • Production technician who has been an active Isolator process for min 1 year.
Process • RMS automatically revokes Isolator role after IsA is assigned

Isolating Authority • Technician who has been an active instrument Isolator for min 1 year.
Instrument • RMS automatically revokes Isolator role after IsA is assigned

Isolating Authority • Limited to on/off switches that do not require access to the internals of any
Electrical LV 1 equipment or the use of tools.
• Not intended for those who hold Isolator electrical Low Voltage or Isolating
Authority roles.

Isolating Authority • Electrical Technicians who have been an active isolator LV for min 1 year
Electrical LV 2 • RMS automatically revokes Isolator and LV1 roles after this role is assigned.

Isolating Authority • Electrical technicians authorised to work on High Voltage Electrical systems.
High Voltage • RMS automatically revokes LV2, LV1 And Isolator after IsA HV role is assigned.

Isolator Process • Production technicians who are competent to work unsupervised at the
relevant facility.
• Maintenance technicians who also operate equipment, e.g. GWO rig personnel,
or who have extensive experience and knowledge of both the process and the
facility.
• Not required by those who hold an IsA role.

Isolator Instrument • Instrument technicians who are competent to work unsupervised at the
relevant facility.
• May be held by specialist disciplines with suitable experience and knowledge
(e.g. HVAC)
• Not required by those who hold an IsA role.

Isolator Electrical • Electrician Technicians competent to work unsupervised at the relevant facility.
Low Voltage • May be held by specialist disciplines (e.g. HVAC, or telecoms)
• Not required by those who hold an IsA role.

TRA Facilitator • Have been a team member of at least 5 level 2 TRAs

• Can demonstrate suitable behaviours to be objective and sufficiently impartial to
the task and work crew.
• Ability to facilitate a group discussion.

Page 303 of 361 Revision: B06

eCoW Role Role assignment criteria

Functional • Held by senior leadership.

Authority

Authorised Gas • Conduct gas test for HWOF and CSE tasks.
Tester 1 (AGT1) • Production technicians, HSE advisors, or ER team who are very familiar with the
process and the facility.
• Is an experienced AGT2.
• Extensive experience of confined spaces with knowledge of all substances that
need managing within them (e.g. benzene, VOCs, mercury, H2S, NORM,
oxygen enrichment, N2).
• Have the behaviours to train and provide quality assurance for AGT2 and AGT3.

Authorised Gas • Monitor gas test for HWOF and CSE tasks, after equipment has been placed
Tester 2 (AGT2) and set up by AGT1.
• Production Technician, ER team, HSE, contractors familiar with the operating
site.

Authorised Gas • Personnel that will be required to continuously monitor for gas using a personal
Tester 3 (AGT3) gas monitor.

Control Room • Responsible for recording and implementing all overrides in eCoW.
Technician (CRT) • Responsible for managing active overrides through shift handover.

Leak Test SPA • Has sufficient experience and knowledge to create test envelopes and be able
to consult with engineers and specialist contractors on leak test methods and
requirements.

Site Electrical • Can demonstrate suitable technical skills and behaviours to hold overall
Leader electrical accountability on-site.

Site Lifting Co- • Is normally held by the SA, but may be delegated to a suitably competent
ordinator person if approved by the AOM.

LOLC Data Manager • Normally delegated to the Process and Process Safety Engineering Team
Leader, unless otherwise recorded in the LIP.
• Accountable for technical content of the static fields within the LVR.
• May nominate additional users for LOLC Data Manager role within eCoW to
assist with updates to LVR static fields.
• Additional users limited to 2 per site, unless otherwise agreed by Central CoW
team.

LOLC Mover • Held by production technicians who move locked valves using an operating
procedure.

LOLC Operational • Held by production technicians who conduct periodic field inspections on locked
Inspection valves.

Fire Watcher • Have ability to communicate clearly and courage to stop the job.

Confined Space • Have ability to communicate clearly and courage to stop the job.
Entry Attendant

28.5 Delegating roles

There may be a need to delegate some of a CoW role’s responsibilities. Delegating,
splitting or merging CoW roles and responsibilities is controlled by doing the
following:
The AOM Approves an organisational eMoC for delegating the role of SA. This
approval shall be subject to agreement by the region operations authority.

Page 304 of 361 Revision: B06

For GOO, apply GOO-GE-PRO-00003 BP Procedure Management of Change

(100544).
Any split or merged roles shall have competency assessments defined.
The SA Approves an organisational eMoC for delegating the role of AA and IsA.
For greenfield or brownfield projects at a BP site where there is a GOO SA,
GPO and GOO shall agree delegation of Control of Work authority for
construction and commissioning activities.

28.6 Revoking roles

When an individual has low, or no use of the role, the SA shall either:
1. revoke the role via the role management system (RMS), or
2. following a familiarisation and coaching plan, Verify that they meet the
expectations of minimum use.
When an individual is no longer working at the site, the SA shall revoke the role via
RMS.
c. RMS will auto-revoke following configured business rules (e.g. Permit Vision User
when user has another role on same site, hierarchy of roles, inactive IT account
combined with no recent access).

Page 305 of 361 Revision: B06

Roles and responsibilities

This annex sets out in detail the roles and responsibilities for the following CoW roles:

Site Authority (SA)

Area Authority (AA)

Issuing Authority (IA)

Performing Authority (PA)

Isolating Authority (IsA)

Authorised Gas Tester (AGT)

Fire Watcher (FW)

TRA Facilitator

Site Electrical Leader

Confined Space Entry Attendant (CSEA)

Isolator

Site Lifting Co-ordinator

Leak Test SPA

LOLC Roles

CRT

CoW Certificate Approver

Page 306 of 361 Revision: B06

Site Authority (SA)

Table A.1 – R&R Site Authority

Site Authority (SA)

The SA is accountable for safely executing work on BP-operated sites. The site or facility manager (e.g. OIM, OSM,
WOM, project, construction, or commissioning manager) normally holds this role. They verify that the site’s CoW
systems, processes, and organisational structure are in place to implement and conform to this procedure.
For the GOM Region, the SA is always the OIM and the designated Ultimate Work Authority in accordance with Safety
and Environmental Management Systems (SEMS, 30 CFR) requirements.
How to
The SA: Section
demonstrate
1 Is accountable for implementing this Upstream CoW Procedure. 7.1 Job description.

2 Defines the AA’s areas of responsibilities and the physical limits for each 6.2 Plan or map in
area on a plan or map. LIP.
3 Is accountable for site lifting co-ordination either by holding the role of SLC 5.3 Self-verification.
or Verifying delivery when the SLC role is delegated.

The SA does the following:

4 Chairs the daily CoW meeting to manage cumulative residual risk, SIMOPS 8.4.2 Records of
and CoW performance for the site. meetings.
5 Submits HWOF to the relevant VP (i.e. GOO, GPO, or GWO) if they are not 12.2 Functional sign
employing any of the five primary controls. off in eCoW.
6 Authorises RA II, HWOF (in Haz area) and CSE permits 8.4.5 eCoW records.

7 Attends first TBT for CSE RA II and HWOF RA II. 8.5.4 eCoW records.

8 May delegate TBT to AA for all RA II permits (other than CSE, or HWOF) and 8.5.4 eCoW records.
for RA I HWOF/CSE.
9 Conducts and manages site CoW self-verification. 26 Self-verification.

10 Submits any requests for non-conformance to this Upstream CoW 6.5 LIP.
Procedure as described in section 6.5. Accountable for implementing any
conditions in agreed non-conformances.
11 Formally delegates responsibility to suitably competent delegate when 5.3 Handover log or
required (e.g. for night shifts and weekends). email.

12 Documents regularly performed delegations in the LIP. 5.3 LIP.

13 Communicates that everyone has the authority to stop unsafe work. Does 8.5.4 On permits.
this throughout the process (e.g. when talking to leaders during CoW self- Site inductions.
verifications, at site inductions).
14 Appoints ORA leaders. Authorises ORA use and reviews ORA status, 11, 11.8 & 11.9 eCoW records.
including remedial plans, weekly.
15 Conducts and records crew and shift change where applicable. 8.7.8 Handover log.

16 Appoints a leak test SPA to supervise and manage a leak test 19.2

The SA verifies the following:

17 Non-conformant isolations are managed as per this Upstream CoW 14.5 Self-verification.
Procedure.
18 Quality of CoW documents before moving to verified state. Most of these Table 5 eCoW records.
documents are verified by AA or IA. 8.3.15

Page 307 of 361 Revision: B06

Site Authority (SA)

19 Adequate equipment and competent resources for every designated site 7.1 Self-
CoW role are in place. verification.
20 Everyone involved in CoW on their site conforms to this Upstream CoW 7.1 Self-verification.
Procedure.
21 The site induction, or any new-start training, includes an overview of this 28.3 Self-verification.
CoW process and what individuals are expected to do.
22 CoW Incidents are investigated and recorded. 8.5.6 IRIS.

23 Shift handovers involving CoW are in line with this Upstream CoW 8.7.7 Self-verification.
Procedure.
24 Site CoW content of the training and competency databases. 28.3 Self-verification.

25 Through sampling, that those holding CoW roles can demonstrate they 28.1 Self-verification.
understand their CoW roles and responsibilities.
26 CoW self-verification detailed in section 26 is being delivered. 26 Self-verification.

27 CoW training and competency detailed in section 28 is being delivered. 28 Competency

assessments.

The SA decides, Approves or authorises the following:

28 Tasks on integrated activity schedules that meet the applicable execution Table 2 & 8.1.6 Records of
readiness criteria in Table 2. Dashboards Approved
schedules.
SA advises Site Manager when SA is not the Site Manager.
29 Appoints people to CoW roles. 28.1 My T&L.

30 The approval of the following risk assessments in line with the risk matrix Table 3, Table 4, eCoW records.
approval levels for TRA, SORA and ORA. 11.8 & 11.7
31 Authorises emergent work that is raised. 8.1.4 Break in KPI.

32 Authorises work to proceed as scheduled or amends schedule as part of 8.4.3 eCoW records.
daily CoW meeting.
33 Authorises HWOF permits in hazardous areas. Table 3, Table 4, Permit
signatures.
34 Authorises permits in line with the risk matrix approval table and 7.3 & 8.7.3 & eCoW records.
re-authorises permits and templates for permits, LRP IDP and SORA. 8.3.5 & 8.3.11
35 Authorises the use of Approved bridging documents that affect the site 5.5 Sign bridging
CoW (e.g. projects, diving vessels, rigs, and vessels working within a documents.
platform 500m zone).
36 The readiness for plant reinstatement for large-scale jobs or restarts of the 20.1 Pre-start
whole facility. certificate
37 Approves Level 2 TRA for service testing (up to risk area III). 19.5 eCoW records.

38 Approves certificates listed in table 37. Table 37 eCoW records.

39 Authorises removal of locks in an emergency. 22.9 eCoW records.

40 Authorises use of master or spare keys for interlocked systems. 23.7 eCoW records.

41 Authorises use of Approved Level 2 SORAs and ORAs. 10.6 & 11.4 eCoW records.

42 Delegates authority, with GPO representatives at a brownfield site, to 5.5 Bridging

project personnel. document or
MoC.
43 Approves a leak test SPA delegate to supervise and manage a leak test after 19.2 eCoW records
shift change

Page 308 of 361 Revision: B06

Area Authority (AA)

Table A.2 – R&R Area Authority

Area Authority (AA)

The AA manages and controls the CoW process in their area. AAs are accountable for task, process, and worksite
hazard identification and risk controls associated with work performed in their area of responsibility.
The AA can delegate some of their CoW responsibilities to the IA but cannot delegate responsibilities listed in point 1
below. Accountability for the work always remains with the AA.
If planned activities in one area affect activities in another area, refer to the other AA as the AAA.
Substations and electrical buildings can be classed as areas. These can have their own AA with electrical skills as well
as the skills they need to take on the AA role.
Section How to
The AA is:
demonstrate
1 Not allowed to delegate AA accountability but may delegate 5.3 & Table J.1 Handover log.
responsibility to a competent AA or IA the activities as detailed in
Table J.1.

The AA does the following:

2 Monitors the worksite at minimum frequency defined in the TRA and 7.2.5 & 8.6.1 eCoW records.
permit.
3 Visits the worksite with PA to prepare for a TRA. 8.2.2 & 9.2 Signed TRA.

4 Closes a permit by signing to confirm that the work is complete, and Table 5 eCoW records.
the worksite was left in a safe and tidy condition. The worksite visit & 8.7.4
can be delegated to an IA.
5 May assist the planner to determine the individual CoW tasks needed 8.1.1 Self-verification
during the planning of the job.
6 Conducts a detailed handover about ongoing tasks at a shift change 8.7.8 Handover logs.
with the oncoming AA and documents this conversation.
7 Communicates with other AAs affected by work that affects their area 8.1.3 AAA signatures.
of responsibility (e.g. HW or BC).
8 Authorises permits with residual risk in Area I and may issue them to Table 3, Records of
the PA. Table 5 & 8.4.5 authorised permits.
9 Conducts a joint worksite visit (with the PA), on the first issue of a 8.5.4 & Self-verification
permit, or may delegate to an IA if in residual risk area I. Figure 5
10 Controls SIMOPS in their area of responsibility. 7.5 TBT records.

11 Develops the permit and any applicable CoW supplementary 8.3 eCoW records.
certificates with the PA during the task planning stage.
12 Manages the scheduled work list for their area of responsibility. 8.1.3 Integrated
schedules.
13 Works with the planners and schedulers to provide guidance on and 8.1.1 & 8.1.3 Integrated
prioritise planned and unplanned work requests. schedules.
14 Participates in TRA for any HWOF, CSE, or where initial risk is in Area Table 19 Signatures on TRA.
III or above.
15 Inspects worksite with the PA for HWOF, pressurised habitats and Figure 5 & Signature verifies
auxiliary equipment before allowing work to start and weekly checks 8.5.1 CoW documents.
whilst the habitat is in place.
16 Agrees with the PA which competent person is assigned to fire 8.5.1 Self-verification.
watcher (FW), authorised gas tester (AGT) or confined space entry
attendant (CSEA).

Page 309 of 361 Revision: B06

Area Authority (AA)

17 Delegates responsibility to a competent person. 5.3 & Table J.1 Handover log or
email.
18 Captures any lessons learned from the CoW process within eCoW. 8.8 eCoW.

19 Completes, before executing de-isolation, all associated pre-start 8.7.5 & 20 Pre-start
verification checks. certificates.
20 Manages LTIs. 14.28 SV in eCoW.

21 Authorises all movements of locked valve. 23.4 eCoW records.

22 Cross-checks isolations and de-isolations. 14.6 eCoW records.

The AA verifies the following:

23 The original documents for closed permits and supplementary 8.7.9 Paper copies of
certificates are retained for at least one month. documents.

24 The permit specifies how often the worksite will be inspected and 8.6.1 eCoW records.
monitored, as agreed in the Approved TRA.
25 The quality of CoW documentation during the planning stage by Table 5 eCoW records.
checking both the content is accurate and supplementary certificates
are Approved and attached.
26 It is safe to restart work in an area after a work suspension. 8.5.6 eCoW records.
27 Level 2 TRAs are planned. 8.1.3 Integrated
schedule.
28 Pre-requisite TRA controls are in place and fully effective before 8.5.1 Rule in eCoW.
issuing permits.
29 Isolations are in place and meet the requirements of this Upstream 8.5.1 IDP.
CoW Procedure. The AA can delegate this verification to an IsA.
30 There are no overdue locked valve operational inspections in eCoW. 23.6 eCoW records

The AA decides or Approves the following:

31 IDPs and confirms energy isolation integrity before issuing permit to 14 Approved IDPs.
work.
32 Any STT associated with work. 14.7 Rule in eCoW.

33 Risk assessments where residual risk is in Area I of the risk matrix. Table B.5 & eCoW records.
8.2.2
34 Approves pressurised habitat certificate. 18.11 Certificates.

Page 310 of 361 Revision: B06

Issuing Authority (IA)

Table A.3 – R&R Issuing Authority

Issuing Authority (IA)

The IA role, which can exist at sites, is a CoW role that is an assistant to the AA.
How to
The IA is: Section
demonstrate
1 Not the same person as the PA for a specific task. 8.5.1 eCoW rule.
The IA does the following:
2 Carries out worksite visits for risk assessment, work start, monitoring Table 3, 8.5.1 & Signature on
or completion. Figure 5 permit.
3 Conducts a detailed handover about ongoing tasks at a shift change 8.7.8 Permit records.
with the oncoming AA or IA and documents this conversation.
4 Stops any work that does not conform to the permit to work. 8.6 Permit records.
5 Issues permits to the PA when delegated by AA. 7.1, Table 3, Signature on
Table 5 & 8.5.1 permit.
6 When delegated by AA and for residual risk area I permits only, may 8.5.4 & Self-verification.
conduct a joint worksite visit with the PA following issue of the permit Figure 5
to work
7 When delegated may participate in Level 2 TRA in place of the AA for Table 19 Signature on TRA.
tasks in risk area I.
The IA verifies the following:
8 The quality of CoW documentation during the planning stage by 8.1.3 & Table 5 eCoW records.
checking both the content is accurate and supplementary certificates
are Approved and attached.
9 Worksite is safe before work can restart after a work interruption. 8.5.6 Signature on
permit.
10 Everyone on the work party understands the work scope, the hazards 8.6.1 Signed off permits.
associated with it, and the controls in place for the task.
11 The worksite monitoring has been completed in line with the risk 8.6.1 Permit.
assessment.
12 Pre-requisite TRA controls are in place and fully effective before 8.5.1 Signed.
issuing permits, particularly fire watch, gas testing, and monitoring for
hot work.
The IA Approves or decides the following:
13 Risk assessments with residual risk in area I, when delegated by AA. Table B.5 Signed TRA.
14 Where delegated, activities listed in Table J.1 Table J.1 Self-verification.

Page 311 of 361 Revision: B06

Performing Authority (PA)

Table A.4 – R&R Performing Authority

Performing Authority (PA)

The PA is the person in charge of the task described in the permit to work.
How to
The PA does the following: Section
demonstrate
1 Performs the task or supervises the work party performing the task. 7.1 Self-verification.
2 Can be responsible for more than one task at a time, provided they can 7.1 Self-verification.
safely manage tasks, provide adequate supervision and effective
monitoring.
3 Delegates to another PA with the equivalent competency if they 5.3 Self-verification.
cannot be present for CoW related activities (e.g. developing a permit
to work or taking part in a TRA).
4 Visits the worksite with the AA or IA to identify and record the hazards 9.2 & Figure 4 eCoW records.
and controls for the task being planned before completing a Level 1
TRA.
5 Participates in the Level 2 TRA or, if unavailable, nominates a 9.15 & eCoW records.
competent PA as delegate. Table 19
6 Reviews that the permit to work sufficiently describes the task, 8.3 eCoW records.
location, start time, duration, and any known risks and limitations.
7 Conducts a pre-job toolbox talk with the work party to: 8.5.4 Signed TBT
• communicate the requirements in the permit, RAP and TRA records.
• Verify that the work party understands the requirements
• post a copy of permit in an accessible area close to the
worksite.
8 Keeps the worksite in a clean and safe condition and work within the 8.5.3 eCoW records on
scope covered by the permit. PA feedback.
9 Tells the AA or IA when the task is completed or suspended or if Table 5 & 8.5.6 eCoW records on
worksite conditions change. & 8.7 PA feedback.
10 Conducts a detailed handover about ongoing tasks at a shift change 8.7.7 Handover log.
with the oncoming PA and documents this conversation.
11 Stops any unsafe work and reports to the AA or IA. 8.6 eCoW records.
12 Records any feedback from the task on the permit to work. Informs Table 5 & 8.7 eCoW records.
the AA or IA so they know what action has been taken.
13 Confirms, if safe to do so, that when a task is interrupted, the worksite 8.5.6.1, 8.5.6.3 PA feedback in
is left in a safe and orderly condition and any equipment being used is &8.5.6.4 eCoW.
shut down or isolated.
14 Assesses the worksite following an interruption to check it is safe to 8.5.6.4 eCoW records.
resume work.
15 Communicates contingency plan from IDP to TBT discussion 8.5.4 Self-verification.
The PA verifies the following:
16 The PA, or their delegate (e.g. FW), stays on site for 30 minutes after 12.5 Self-verification.
HWOF has been completed to monitor for potential ignition sources.
17 The equipment, including task-specific PPE being used is correct for 17.4 & 17.4.4 & Self-verification.
the task, meets site safety standards and is in safe condition. 17.7 & 17.8.1
18 The controls specified on the permit are followed. 8.5.3 Self-verification.
19 The work party members who have been selected for the task are Table 14 Self-verification.
competent to carry out the tasks, use the equipment and PPE as
detailed in the permit to work.
20 The schedule includes all assigned and required tasks (e.g. scaffolding, 8.1.1 Self-verification.
insulation and, isolation).

Page 312 of 361 Revision: B06

Performing Authority (PA)

21 Before work that involves isolation starts, a competent IsA has 8.3.8, 14.1 & Self-verification.
demonstrated the integrity of the isolation. 16.3
22 An IsA is in attendance before carrying out BC work. 8.3.8 & 16.3 Self-verification.

The PA decides the following:

23 Following a discussion with the AA, accepts the permit to work by 7.1 & Table 5 & eCoW records.
signing, electronically or on the form. 8.5.1
24 To escalate to a Level 2 TRA when a Level 1 TRA is not adequate for 8.2.1 Self-verification.
the task, along with the AA.
25 With the AA or IA, assigns FW for HWOF tasks, an AGT for gas 8.5.1 Self-verification.
testing.

Page 313 of 361 Revision: B06

Isolating Authority (IsA)

Table A.5 – R&R Isolating Authority

Isolating Authority (IsA)

There are five types of IsAs based on discipline:
1. IsA-Electrical LV1 (low voltage)
2. IsA-Electrical LV2 (low voltage)
3. IsA-Electrical (high voltage)
4. IsA-Instrument
5. IsA-Process.
How to
What we require: Section
demonstrate
The IsA does the following:
1 Designs energy isolations in line with this procedure and drafts an IDP 7.1 & 14.1 IDPs & ICCs.
2 Cross-checks isolations and de-isolations 14.6 ICC records.
3 Secures isolations in accordance with this procedure 14.10 Self-verification
4 Signs off each completed isolation on the IDP and reports any points 14.3 & 14.9 ICC records.
they are unable to implement to AA.
5 Demonstrates isolation integrity or proves dead at the initial stage and 8.3.8, 14.1 & eCoW records on
then continues to monitor (e.g. PBU verification and isolation security) 14.13 PBU
throughout the duration of the isolation.
6 Attends breaking containment associated with the energy isolation to 8.3.8, 14.1 & Control on permit.
demonstrate isolation integrity and zero energy state. 16.3
7 Signs each step of IDP after isolations have been removed. Informs 8.7.6 ICC records.
the AA that energy isolations have been removed and the equipment
is ready for testing.
8 Performs STT as instructed by the AA and updates the IDP. 14.7 ICC records.
The IsA verifies the following:
9 Energy isolation integrity is in place to safely conduct the task. This 8.3.8 & 14.1 & ICC records.
includes the cross-check for each isolation point with the IDP being 14.6
countersigned for each one as required.
10 When delegated by the AA, verifies Isolations are in place and meet
the requirements of this Upstream CoW Procedure
The IsA Approves or decides the following:
11 With the PA, requirements for any STT at the early stages of planning 14.7 ICC records.
any isolations.

Page 314 of 361 Revision: B06

Authorised Gas Tester (AGT)

Table A.6 – R&R Authorised Gas Testers

Authorised Gas Tester (AGT)

There are three levels of AGTs, as follows:
1. AGT 1 authorised for all gas testing and monitoring and is the only level that can perform initial test for CSE.
2. AGT 2 as AGT 1 except CSE initial testing.
3. AGT 3 authorised to provide monitoring using atmospheric gas detectors. These detectors can be in the form of
personal or portable monitors. When portable monitors are used, be it active or passive, these monitors shall first
be checked, calibrated and positioned by an AGT1 or AGT2.

How to
What we require: Section
demonstrate
1 The PA for the CSE task shall not be the AGT Level 1 for CSE. 24 eCoW records.
The AGT 1 does the following:
2 Conducts initial test for CSE and records results on CSE permit. 8.3.12, 15.3, 24 eCoW records.
& 24.14
3 Checks, calibrates and places the equipment to be used for 24.14 Calibration records
continuous monitoring by any level AGT.
4 All tasks within AGT 2 scope

The AGT 2 does the following:

5 Tests for the presence of flammable gases vapours, toxic gases, or 24 eCoW records.
vapours and oxygen content for all types and levels of testing.
6 Conducts the required initial testing for HWOF tasks. 24 eCoW records.
7 Operates and confirms the gas testing equipment is calibrated and 24.1 Calibration records.
suitable for use.
8 Conducts worksite gas tests before a permit to work is issued. 24 eCoW records.
9 Monitors, in line with prescribed controls, for the presence of 24 eCoW records.
flammable gases and vapours, particularly for HWOF and CSE tasks.
The AGT 3 does the following:
10 Uses or wears a device for continuous monitoring for any tasks 24 Self-verification.
assigned to them.
11 Performs the role of monitoring the continuous gas detectors and 24 Self-verification
stopping the job if the detector alarms.

Page 315 of 361 Revision: B06

Fire Watcher (FW)

Table A.7 – R&R Fire Watcher

Fire Watcher
Fire Watchers shall be present and have no other duties but monitoring a worksite during any hot work open flame
(HWOF) task and for 30 minutes after the work has stopped.
In complex multi-deck layouts, more than one Fire Watcher may be required.
A fire watcher shall have AGT3 competence
How to
The Fire Watcher does the following: Section
demonstrate
1 Raises the alarm if there is a fire, incident or hydrocarbon release. 12.5.1 Self-verification.
2 Monitors the worksite to Verify that safe conditions are maintained 12.5.1 Self-verification.
during hot work operations.
3 Reads, understands and adheres to the TRA and permit requirements. 12.5.1 Self-verification.
4 Understands and agrees with the AA and PA how to communicate and 12.5.1 Self-verification.
what site protocol to use at the start of an HWOF task, during breaks
and when the task is completed.
5 Demonstrates understanding of their emergency duties. 12.5.1 Self-verification.
6 Knows what levels activate the continuous monitor alarm, and the 12.5.1 Self-verification.
action to take should an alarm activate.
The Fire Watcher verifies the following:
7 Suitable firefighting equipment is available, certified and ready to use. 12.5.1 Self-verification.
8 Flammable materials have been cleared away from the worksite. 12.5.1 Self-verification.
9 Drains remain covered and sealed while the task is being carried out. 12.5.1 Self-verification.
10 Sparks and weld spatter are contained within the habitat. 12.5.1 Self-verification.
11 That they know where the following are: 12.5.1 Self-verification.
• The nearest manual alarm call point.
• The emergency shutdown button.
• The emergency shutdown for portable engine-driven equipment
such as generators and compressors.
12 That continuous gas monitoring is completed as defined in the permit. 12.5.1 Self-verification.
The Fire Watcher Approves or decides the following:
13 Stop hot work operations if unsafe conditions develop. 12.5.1 TBT records.

Page 316 of 361 Revision: B06

TRA Facilitator
Table A.8 – R&R TRA Facilitator

TRA facilitator
The facilitator is a role, not a position. It may be filled by anyone who has completed the facilitator training and met the
required CoW competencies for the role.
The facilitator leads a Level 2 task risk assessment process from its research phase through to the field visit, meeting
and documentation phases. This is a team process, but the facilitator is responsible for the quality of the team’s
product. They shall use the team members’ knowledge of the task being risk assessed to record the hazards and the
agreed controls.
How to
What we require: Section
demonstrate
For tasks identified with an initial risk in risk area IV or above, the TRA
1 facilitator shall be independent of the AA’s area and the discipline 9.5 eCoW records.
performing the task that requires the Level 2 TRA.
The TRA facilitator does the following:
2 Leads the team through the task risk assessment process. Table 19 Self-verification.
3 Researches and gathers relevant data and supporting documents such Table 19 Documents
as previous TRAs, incidents and safety data sheets before the meeting attached to TRA.
to help in the task risk assessment process.
4 Tells the team what they can expect on the worksite visit and who will Table 19 eCoW records.
be involved in the TRA meeting.
5 Gets the group consensus and records the TRA initial and residual risk Table 19 eCoW records.
and approval level required.
The TRA facilitator verifies the following:
6 The team to use the HITRA energy sources to identify the worksite 9.1 Hazards in TRA.
process, and task hazards.
7 The team considers and identifies SIMOPS. Table 19 Self-verification.
8 The team considers emergency response requirements beyond basic Table 19 Self-verification.
emergency procedures.
9 The correct people attend the TRA (e.g. the AA, PA, any additional Table 19 eCoW records.
specialists).
10 The team has agreed the consequences for each identified hazard. Table 19 eCoW records.
11 The team has agreed the controls for each identified hazard. Table 19 eCoW records.

The TRA facilitator Approves or decides the following:

12 Determines the approval level based on highest residual risk using the Table 19 eCoW records.
HITRA approval table (this is automated within eCoW).

Page 317 of 361 Revision: B06

Site Electrical Leader

Table A.9 – R&R Site Electrical Leader

Site Electrical Leader

Electrical competent person with accountability to Verify and Approve electrical CoW activities where defined by this
procedure. Typical roles used are Responsible Electrical Person (REP), Electrical Lead Engineer or Electrical Team
Leader.
Section How to
The Site Electrical Leader does the following:
demonstrate
1 Approves electrical energised work certificates. Table 37 Self-verification.
2 Approves 110 V / 120 V lighting for use in CSE. 18.2 Self-verification.

3 Is part of the TRA team for cable cutting scope. 22.5 eCoW records.
4 Is part the TRA team, or delegates to a competent electrical person, 9 eCoW records.
for electrical scope.
The Site Electrical Leader decides the following:
5 Tasks cannot be done by a safer alternative method when working on 18.4 Self-verification.
energised electrical equipment.

Page 318 of 361 Revision: B06

Confined Space Entry Attendant (CSEA)

Table A.10 – R&R Confined Space Entry Attendant

Confined Space Entry Attendant (CSEA)

The CSEA shall be present and have no other duties when managing confined space entry and exit. More than one
entry attendant may be required where there is more than one entry or exit point.
How to
The CSE Attendant does the following: Section
demonstrate
1 Not enter the confined space or leave their post whilst anyone is 15.7 Self-verification.
inside the confined space.
2 Not attempt a rescue and prevent unauthorised personnel from 15.7 Self-verification.
attempting a rescue.
3 Attends the TBT before work starts. 15.7 Self-verification.
4 Raises the alarm to call emergency response team if there is an 15.7 Self-verification.
incident.
5 Monitors the worksite to Verify that safe conditions are maintained 15.7 Self-verification.
during CSE activities.
6 Reads, understands, and adheres to the TRA and permit to work 15.7 Self-verification.
requirements.
7 Understands and agrees with the AA and PA how to communicate and 15.7 Self-verification.
what site protocol to use at the start of a CSE operation, during breaks
and when the task is completed.
8 Maintains a tagging system or log for each entry and exit point of CSE. 15.7 Self-verification.
It is good practice to use photo ID passes on a display board to do this.
9 Puts in place guardrails and signs to prevent unauthorised entry when 15.7 Self-verification.
the CSE is left unattended.
The CSE Attendant verifies the following:
10 The number of people in CSE at the same time is not more than the 15.7 Self-verification.
number specified in the risk assessment.
11 Gas testing is completed and recorded on the CSE permit at the 15.7 Self-verification.
required frequency.
12 Suitable rescue equipment is available and ready for immediate use. 15.7 Self-verification.
13 They know where the following are: 15.7 Self-verification.
• The nearest manual alarm call point.
• The ESD button.
• The ESD for portable engine-driven equipment such as generators
and compressors.
The CSE Attendant decides the following:
14 When to stop work if unsafe conditions develop. 15.7 Self-verification.

Page 319 of 361 Revision: B06

Functional Authorities
Table A.11 – R&R Functional Authorities

Functional Authorities
How to
All Functional Authorities Section
demonstrate
1 Reviews the status of the SORAs and ORAs every 9016 days. 11.9 eCoW records.

2 Approves TRAs, SORA and ORA for their functions in 11.8, eCoW records.
accordance with the HITRA approval table. Table B.5
3 Approves TRAs in accordance with Table 4 which defines Table 4,12.2 eCoW records.
minimum approval levels for specific tasks.

Isolator
Table A.12 – R&R Isolator

Isolator
An Isolator implements isolations and de-isolations in the appointed discipline (process, electrical low voltage, and
instrument).
How to
The Isolator does the following: Section
demonstrate
1 Install or remove isolations (limited to low voltage for electrical 14.1 IDP.
isolations) specific to their discipline
2 Design and implement personal isolations. 14.13 Self-verification.
3 Cross-check isolations and de-isolations. May only cross-check 14.6
isolations and de-isolations made by a discipline specific IsA.

Site Lifting Co-ordinator

Table A.13 – R&R Site Lifting Co-ordinator

Site lifting coordinator (SLC)

The SLC provides verification but does not create lifting plans, supervise or execute lifting operations.
The SLC shall be independent from the work group executing the lifting operation (i.e. not influenced or controlled in
any way by the company or organisation executing or responsible for the task).
How to
The SLC does the following: Section
demonstrate
1 Provides on-site verification that lifting operations are planned, GOO-GE-GLN- Self-verification.
assessed and executed in conformance with the Approved lifting 0007 BP SV in
Plan, Risk assessment and OMS requirements. GOO (100573)
2 Seeks endorsement of category 3 lift plans. Lifting procedure Self-verification.
3 Takes part in the regional lifting community of practice meetings and Lifting procedure Meeting minutes.
shares lessons learned.
The SLC verifies the following:
4 A sample of category 1 lift plans. Lifting procedure Self-verification.
The SLC decides the following
5 Authorisation of category 2 lifting plans. Lifting procedure Self-verification.

Page 320 of 361 Revision: B06

Leak Test SPA

Table A.14 – Leak Test SPA

Leak Test SPA

The leak test SPA is appointed by the SA to supervise and manage the test.
The SPA is responsible for designing a test, managing the test area, recording of the results and verification that all
requirements in this procedure are followed.
The SPA may handover to a delegate if the test goes beyond a shift, but the delegate requires SA approval and the SPA
retains accountability for the test.
How to
The Leak Test SPA does the following: Section
demonstrate
1 Designs a leak test. 19.11 Self – verification
2 Supervises and manages a leak test. 19.15 Self – verification
3 When using high pressure gas in a leak test, and before 19.20 Self – verification
pressurisation, walks through the system with the AA or delegate to
Verify all requirements have been completed.
4 Records the results of a leak test on the leak test certificate. 19.15 eCoW records
5 Hands over leak test responsibilities to a delegate if a test continues 19.2 eCoW records
past the shift.
The Leak Test SPA verifies the following:
6 Leak test preparations have been completed. 19.13 Self – verification
7 When witness joints have been used, verifies the leak test certificate 20.2 eCoW records
specifies the frequency and type of leak test monitoring and that post
leak test monitoring is completed and recorded.

Page 321 of 361 Revision: B06

LOLC Roles
Table A.15 – LOLC Roles

LOLC Roles
The LOLC roles manage the movement and recording of locked open and locked closed valves
How to
The LOLC Mover does the following: Section
demonstrate
1 Moves locked valves out of, or into position after authorization from 23.4 eCoW records
the AA
The LOLC Data Manager does the following:
1 Own the technical content of the static field of the LVR. 23.9 eCoW records
2 Make amendments to the master document held in eCoW following 23.9 eCoW records
MoC.
3 Verifies accuracy of LVR content. 23.9 eCoW records
The LOLC Operational Inspection role verifies the following:
1 Valves in the field have been physically checked. Annually for type 1 23.6 eCoW records
and every 2 years for type 2.
The position in the LVR and the field are aligned, and the following
field checks are confirmed:
2 Valves are in the position recorded in the locked valve register. 23.6 eCoW records
3 Securing devices are in good condition (i.e. they are in place and not 23.6 eCoW records &
corroded or broken) and secured to make locked valves inoperable. SV
4 Tags are fitted separately from the securing device. 23.6 eCoW records &
SV
5 Valves found in the wrong position are recorded in the inspection 23.6 eCoW records
comments and reported to the SA, who takes appropriate action.
6 The locked valve register is correct and up to date. 23.6 eCoW records
7 The most recent revision of the controlled P&ID is available showing 23.6 Self - Verification
the normal position of locked valves.
8 Any defective tags or securing devices are replaced or a maintenance 23.6 Self – Verification &
work order is raised where appropriate CMMS

CRT
Table A.16 - CRT

Control Room Technician

How to
The CRT does the following: Section
demonstrate
1 Provides input to SORA risk assessments when required 10.5 eCoW records
2 Record all overrides in the override register 10.3.2 eCoW records
3 Authorise and record implementation of an override with an active 10.3.2, 10.3.3 eCoW records
SORA
4 Verifies that any live overrides are recorded in the shift handover 10.3.4 Shift log

Page 322 of 361 Revision: B06

CoW Certificate Approver and non-eCoW roles

Table A.17 - CoW Certificate Approver and non-eCoW roles

CoW Certificate Approver and non-eCoW roles

The CoW Certificate Approvers Verify that CoW certificates are accurate and fit for purpose. The approval of these
certificates is required before a permit can be issued
The OSTL does the following: How to
Section
demonstrate
1 Approves or delegates approval of Heavy equipment movement Table 37 & Table eCoW records.
C.12
2 Approves or delegates approval of ground disturbance certificate Table 37 eCoW records.
3 Approves or delegates approval of Abrasive task on live equipment Table 37 & Table eCoW records.
C.6
The Site Engineer does the following:
1 Completes, with the AA, the engineering review of LTI after 180 days and 14.27 eCoW records.
then risk based with a minimum of annually.
The Project Manager or TAR Manager does the following:
1 Use a pre-startup certificate to Approve the introduction of fluids or 18.9 eCoW records
energy into a system if its containment envelope has been broken
HSE representative does the following:
1 Approves a ventilation plan for confined spaces to identify the 18.10 eCoW records
ventilation requirements and the layout of equipment and people.
Emergency Response Leader does the following:
1 Approves the ERRP to confirm: 18.5 eCoW records
• the content is suitable and accurate
• all personnel are competent and capable
• any equipment mentioned is available and tested and that all
ERRP members understand their duties.
The Habitat Inspector does the following:
1 Approves a pressurized habitat certificate for all type 3 habitats. 18.11 eCoW records
The Engineering Manager does the following:
1 Accountable for the content of the locked valve register. 23.9 LVR
The AOM does:
1 Approves delegation of SLC from SA 5.3 LIP
2 Verifies that regional requirements to notify regulators about SORA 10.3.2 & 11.1 Regional document
and ORA application is completed within the required time frame.
3 Approves temporary changes to hazardous area classification 22.10b MoC
4 Verifies conformance with Upstream CoW Procedure. 26.1 & 26.2 Self-verification
5 AOM approves delegation of SA role 28.2 eMoC
The VP does:
1 Approves delegation of SLC role to outside of GOO 5.3 LIP
2 Approves use of mechanical plugs as primary isolation 18.7 Certificate
The Radiation Protection Supervisor (RPS) does:
1 When isolating radioactive sources, countersigns the IDP to verify it 14.27 eCoW records
meets relevant radioactive source legislative requirements.

Page 323 of 361 Revision: B06

HITRA tables

HSE impacts levels

Table B.1 - HITRA HSE impacts levels

Level Health and Safety Environmental

A • Comparable to the most Future impact with

Levels A-C maintain the visibility of risks with the potential for catastrophic impact even if their likelihood
of occurrence is extremely low. The upper level of this framework is defined by the most severe level of

catastrophic health/safety • unintended release, with widespread damage to any environment and
incidents ever seen in which remains in an ‘unsatisfactory’ state for a period > 5 years.
industry.
• extensive damage to a sensitive environment and which remains in an
• The potential for 100 or more ‘unsatisfactory’ state for a period > 5 years.
fatalities (or onset of life
threatening health effects) is • widespread damage to a sensitive environment and which can only be
always classified at least at restored to a ‘satisfactory’/agreed state in a period of more than 1 and up to
this level. 5 years.

B • Catastrophic health/safety Future impact with

incident causing very • extensive damage to a non-sensitive environment and which remains in an
widespread fatalities within or ‘unsatisfactory’ state for a period > 5 years.
outside a facility.
• extensive damage to a sensitive environment and which can only be
• The potential for 50 or more restored to a ‘satisfactory’/agreed state in a period of more than 1 and up to
fatalities (or onset of life 5 years.
threatening health effects) is
always classified at least at • widespread damage to a non-sensitive environment and which can only be
this level. restored to a ‘satisfactory’/agreed state in a period of more than 1 and up to
5 years.
• widespread damage to a sensitive environment and which can be restored
to an equivalent capability in a period of around1 year.

C • Catastrophic health/safety Future impact

incident causing widespread • with extensive damage to a non-sensitive environment and which can only
fatalities within or outside a be restored to a ‘satisfactory’/agreed state in a period of more than 1 and
facility.
impact ever seen in industry.

up to 5 years.
• The potential for 10 or more • widespread damage to a non-sensitive environment and which can be
fatalities (or onset of life restored to an equivalent capability in a period of around 1 year.
threatening health effects) is
always classified at least at • extensive damage to a sensitive environment and which can be restored to
this level. an equivalent capability in a period of around 1 year.
• widespread damage to a sensitive environment and which can be restored
to an equivalent capability in a period of months.

BP's commitment to health, safety and the environment is paramount; this is reflected in BP’s HSE goal of ‘No Accidents, No Harm to
People, and No Damage to the Environment’. No accident, injury, or loss of containment causing damage to the environment is ever
‘acceptable’ to BP. BP is using this framework (equivalents of which are used throughout industry) to support the consistent
prioritisation of actions to eliminate or mitigate HSE risk and as part of BP's Performance Improvement Cycle to deliver continuous risk
reduction.

D Very major health/safety incident. Future impact with

• The potential for 3 or more fatalities (or • extensive damage to a non-sensitive environment and which can be
onset of life threatening health effects) is restored to an equivalent capability in a period of around 1 year.
always classified at least at this level. • localised damage to a sensitive environment and which can be restored to
• 30 or more injuries or health effects, either an equivalent capability in a period of around 1 year.
permanent or requiring hospital treatment • widespread damage to a non-sensitive environment and which can be
for more than 24 hours. restored to an equivalent capability in a period of months.
• extensive damage to a sensitive environment and which can be restored to
an equivalent capability in a period of months.

Page 324 of 361 Revision: B06

Level Health and Safety Environmental

E Major health/safety incident. Future impact with

• 1 or 2 fatalities, acute or chronic, actual or • localised damage to a non-sensitive environment and which can be restored
alleged. to an equivalent capability in a period of around 1 year.
• 10 or more injuries or health effects, either • extensive damage to a non-sensitive environment and which can be
permanent or requiring hospital treatment restored to an equivalent capability in a period of months.
for more than 24 hours. • localised damage to a sensitive environment and which can be restored to
an equivalent capability in a period of months.
• extensive damage to a sensitive environment and which can be restored to
an equivalent capability in a period of days or weeks.

F High impact health/safety incident. • Future impact with localised damage to a non-sensitive environment and
• Permanent partial disability(ies). which can be restored to an equivalent capability in a period of months.

• Several non-permanent injuries or health • Future impact with immediate area damage to a sensitive environment and
impacts. which can be restored to an equivalent capability in a period of months.

• Days Away from Work Case (DAFWC). • Future impact with extensive damage to a non-sensitive environment and
which can be restored to an equivalent capability in a period of days or
weeks.
• Future impact with localised damage to a sensitive environment and which
can be restored to an equivalent capability in a period of days or weeks.

G Medium impact health/safety incident. • Future impact with immediate area damage to a non-sensitive environment
• Single or multiple recordable injury or and which can be restored to an equivalent capability in a period of months.
health effects from common source/event. • Future impact with localised damage to a non-sensitive environment and
which can be restored to an equivalent capability in a period of days or
weeks.
• Future impact with immediate area damage to a sensitive environment and
which can be restored to an equivalent capability in a period of days or
weeks.

H Low impact health/safety incident. • Future impact with immediate area damage to a non-sensitive environment
• First aid. and which can be restored to an equivalent capability in a period of days or
weeks.
• Single or multiple over-exposures causing
noticeable irritation but no actual health
effects.

Page 325 of 361 Revision: B06

Business impact levels

Table B.2 - HITRA Business impacts levels

Non-Financial

Level Financial Government/key

Accounting Media/public License to Management
stakeholder
and control reaction operate time
reaction
A >$20 billion External auditors Public or investor Threat of global loss Major intervention Long-term diversion
issue an adverse outrage on a global of licence to from major of Board and
opinion on the scale. operate. government – US, Executive
accounts. UK, EU, Russia. management time
Irrevocable damage to manage
to relationships with issue/event.
key stakeholders of
benefit to the Group.

B $5 billion - External auditors Public or investor Loss of licence to Intervention from Long-term diversion
$20 billion qualify accounts. outrage in major operate a major major government – of Executive
western markets – asset in a major US, UK, EU, Russia. management time
US, EU. market – US, EU, Damage to to manage
Russia. relationships with issue/event.
key stakeholders of
benefit to the Group.
C $1 billion - Material error in Public or investor Loss of licence to Intervention from Mid-term diversion
$5 billion published financial outrage in other operate other other major of executive
statements and material market material asset, or government. management time
restatement where we have severe enforcement to manage
required. presence or action against a issue/event.
Material Weakness aspiration. major asset in a
(actual or potential major market.
error) externally
reported.
D $100m - Error in published Public or investor Severe enforcement Interventions from Short-term diversion
$1 billion accounts, and outrage in a non- action against a non-major of Executive
restatement not major market, or material asset in a governments. management time
required. localised or limited non-major market, Damage to to manage
Tier 1 Significant ‘interest-group’ or against other relationships with issue/event.
Deficiency (actual or outrage in a major assets in a major key stakeholders of
potential error) market. market. benefit to the
reported to the Prolonged adverse Segment.
MBAC. national or
international media
attention.
Widespread adverse
social impact.

E $5m - Tier 2 Deficiency Limited ‘interest- Other adverse Damage to Mid-term diversion
$100m (actual or potential group’ outrage in enforcement action relationships with of Senior
error) reported non-major market. by regulators. key stakeholders of management time
internally. Short-term adverse benefit to the SPU. to manage
national or issue/event.
international media
coverage.
F $500k- Tier 3 Deficiency Prolonged local Regulatory Damage to Short-term diversion
$5m (actual or potential media coverage. compliance issue relationships with of Senior
error) reported Local adverse social which does not lead key stakeholders of management time
internally. impact. to regulatory or benefit to the to manage
other higher impact Performance Unit issue/event.
level consequence. (PU).
G $50k - Tier 4 Deficiency Short-term local Non-compliance Some disruption to Mid-term diversion
$500k (actual or potential media coverage. with industry local operations (e.g. of Local
error). standards but no loss of single road management time
regulatory action access less than 24 to manage
taken. hours). issue/event.
H <$50k Minor error or Isolated and short- Non-compliance Minimal damage to Short-term diversion
control deficiency. term complaints with standards that relationships with of Local
from neighbours exceed industry local stakeholders or management time
(e.g. about a specific norms. neighbours. to manage
issue/event.
noise episode).

Page 326 of 361 Revision: B06

Energy sources
Table B.3 - HITRA Energy sources

Energy source Description and guidance

Biological Many sources of energy in life forms, including wildlife and viruses or bacteria (e.g.
as found in sewage systems, drain lines and cooling towers).

Body mechanics Human strength and agility applied to a task involving lifting, pushing, pulling,
climbing, or positioning.

Electrical Types and voltages of electricity including high-voltage power systems (i.e. AC,
battery systems, DC) and static. Electrical work involves considering whether the
task:
• requires equipment related to the task or in the area of the task to be isolated
• involves electrically-powered equipment
• is in an area where there is vulnerable electrical equipment (e.g. insulated
cabling, uninsulated overheads, and power lines)
• involves transferring fluids, power or friction between non-conducting materials
that could generate static electrical charges
• involves systems and equipment that are adequately grounded, or bonded, or
both.
Gravity Causes tools, equipment, or people to fall or move. This affects lifting tasks, work at
height, and objects that might fall.

Hazardous process material Reactive, combustible, flammable, or explosive gases, liquids or solids (e.g.
hydrocarbons or process chemicals that have the potential to cause fires or
explosions).

Human Factors People and their interactions with other people as well as:
• how people interact with the plant and processes
• characteristics of individuals (e.g. Height, fatigue, physical capability).

Mechanical This includes mobile equipment, moving parts on stationary equipment, and rotating
equipment. Even though items are non-powered, their momentum as they are
moved can crush or cut people or vulnerable equipment. Also includes sharp edges
of tools and equipment.

Noise A form of pressure energy that has the potential to result in noise induced hearing
loss. Work that can generate noise involves considering whether:
• the task is in a high-noise area
• the task involves using noisy tools or equipment
• noise could cause communication problems, including in an emergency.
Pressure Air, water, pneumatics, springs, and gases are possible sources of significant
pressure energy. Work that involves pressure involves considering the following:
• Non-return valves where material can be trapped between the valve and an
isolation point.
• Equipment in which trapped or undrained material can remain.
• General equipment or line conditions (e.g. and area of corrosion, where a
pressured leak is foreseeable).

Page 327 of 361 Revision: B06

Energy source Description and guidance

• Reaction forces from a pressure leak, which can move an unrestrained item
(e.g. hose, cylinder, pipe segment).
Radiation This can be in the form of
• Ionising radiation (i.e., radioactivity) for example from level transmitters, logging
devices and NORM. Hazards to health and activation of process control or
protection
• Sunlight - Hazards to health, temperature changes to equipment and its
contents
• Radio waves, - Interference with wells, communication or protection systems.
SIMOPS These are possible interactions between tasks occurring at the same time.
Tasks are reviewed to prevent the following from happening at the same time:
• Actions within the task itself.
• Unrelated work taking place nearby.
• Work in restricted access area that calls for close co-ordination.
Thermal Energy associated with hot or cold surfaces and fluids, undesired chemical reactions,
and ambient temperatures.

Toxic substances Substances that are hazardous to health which may be present in the form of gases,
vapours, dusts, aerosols, fumes, liquids, or solids (e.g. hydrocarbon, nitrogen,
welding fumes, paints, process chemicals, benzene, toluene, ethylbenzene, xylenes,
H2S, asbestos, lead, mercury).

Weather A source of potential harm related to environmental conditions (e.g. rain, wind, snow,
sleet, hail, heat, cold, fog). These create conditions that can potentially impact an
employee’s ability to perform a task safely.

Page 328 of 361 Revision: B06

Risk matrix (Group 8x8)

When positioning a risk event on the matrix, it is not usually possible to determine the
likelihood and impact of an event precisely in advance of the risk event happening. Reflecting
this uncertainty, the position on the matrix is, therefore, only approximate.

Normally for a TRA, use the risk matrix levels A to H and likelihood descriptors 1-8 to
determine the risk figure. Use the additional numerical information on probability when
additional data exists to support a further quantitative estimate of a probability value.

Table B.4 - Risk matrix (Group 8x8)

Likelihood of risk event

1 2 3 4 5 6 7 8
A similar A similar A similar A similar A similar Likely to Event Common
event has event has event has event has event has occur likely to occurrence
not yet not yet occurred occurred occurred, once or occur (at least
occurred in occurred somewhere somewhere or is likely twice several annually) at
our in our in our within BP to occur, within 30 times the facility
industry industry. industry within 30 years of within 30 business or
and would outside of years of the the facility years of function
only be a BP. facility, business the
remote businesses or facility,
possibility. or function. business
functions. or
function
Less than Less than Less than 1 Less than Less than Less than Greater
Probability 1 in a 1 in in 1 in 1 in 1 in than 1
million 100,000 10,000 1,000 100 10 1 in 10
A 8 9 10 11 12 13 14 15

B 7 8 9 10 11 12 13 14
Area
V
Impact (severity) level

C 6 7 8 9 10 11 12 13

D 5 6 7 8 9 10 11 12
Area
E 4 5 6 7 8 9 10 11
IV
Area
F 3 4 5 6 7 8 9 10
III
Area
G 2 3 4 5 6 7 8 9
II
Area
H 1 2 3 4 5 6 7 8
I

Page 329 of 361 Revision: B06

HITRA approval table

Table B.5 - Approval table

Approval authority
Risk area
GWO GOO GPO

V
Risks in these areas shall not be managed through the CoW procedure. Follow the requirements of
the entity risk management procedure to manage these risks.
IV (C+)

IV (D/E) Region VP Wells * Region VP operations * VP Projects *

III Wells Operations Manager Area Operations Manager Projects Manager

Construction and, or
II Wells Superintendent Site Authority
Commissioning Manager

I Area or Issuing Authority Area or Issuing Authority Area or Issuing Authority**

*Some Blue D/E risks may require additional notification and endorsement through the entity risk management
procedure before they are Approved via CoW. See entity risk management procedures for details.
** When delegated by Area Authority

Page 330 of 361 Revision: B06

Certificates

CoW certificates Verify that a worksite or job is prepared safely and in conformance with this
CoW Procedure. CoW certificates are created during the planning phase of the job. These
certificates record any actions or conditions and provide technical approval provided these
actions are delivered. See below:

Link to Isolation

Link to Ground disturbance

Link to Energised electrical work (Non-US)

Link to Energised electrical work (US)

Link to Emergency response and rescue plan (ERRP)

Link to Abrasive task on live equipment

Link to Mechanical seal plug

Link to Pre-startup

Link to Ventilation plan

Link to Pressurised habitat

Link to Heavy equipment movement

Link to Cross-site boundary isolation

Link to Leak test

Page 331 of 361 Revision: B06

Link to Isolation confirmation certificate

Table C.1 - Isolation confirmation certificate

Created by eCoW software.

Link to Ground disturbance certificate

Table C.2 - Ground disturbance certificate

Link to Energised electrical work (Non-US) certificate

Table C.3 - Energised electrical work certificate (Non-US)

Link to Energised electrical work (US) certificate

Table C.4 - Energised electrical work certificate (US)

Link to Emergency response and rescue plan (ERRP) certificate

Table C.5 - Emergency response and rescue plan certificate

Link to Abrasive task on live equipment certificate

Table C.6 - Abrasive task on live equipment certificate

Link to Mechanical seal plug certificate

Table C.7 - Mechanical seal plug certificate

Link to Well handover certificate

Table C.8 - Well handover certificate
Use the local well handover certificate to conform to sections 18.8.1 and 18.8.2.

Link to Pre-startup certificate

Table C.9 - Pre-startup certificate

Link to Ventilation plan certificate

Table C.10 - Ventilation plan certificate

Link to Pressurised habitat certificate

Table C.11 - Pressurised habitat certificate

Page 332 of 361 Revision: B06

Link to Heavy equipment movement certificate

Table C.12 - Heavy equipment movement certificate

Link to Cross-site boundary isolation certificate

Table C.13 - Cross-site boundary certificate

Link to Leak test certificate

Table C.14 - Leak test certificate

Page 333 of 361 Revision: B06

Checklists

CoW checklists provide guidance for the user to aid checking the key issues and hazards when
planning, during the risk assessment or as part of work execution. BP recommends these are
used but they do not need to be signed and attached to the CoW documents.

Link to Breaking containment

Link to Confined space entry

Link to Confined space entry for water jetting

Link to Ground disturbance

Link to Hot work open flame

Link to Leak testing

Link to TRA

Link to Line walking

Link to Working at height

Link to Over side working

Link to Isolation

Link to LTI – Engineering review checklist

Page 334 of 361 Revision: B06

Link to Breaking containment checklist

Table D.1 - Breaking containment checklist

Link to Confined space entry checklist

Table D.2 - Confined space entry checklist

Link to Confined space entry for water jetting checklist

Table D.3 - Confined space entry checklist for water jetting

Link to Ground disturbance checklist

Table D.4 - Ground disturbance checklist

Link to Hot work open flame checklist

Table D.5 - Hot work open flame checklist

Link to Leak testing checklist

Table D.6 - Leak testing checklist

Link to TRA checklist

Table D.7 - TRA checklist

Link to Line walking checklist

Table D.8 - Line walking checklist

Link to Working at height checklist

Table D.9 - Working at heights checklist

Link to Over side working checklist

Table D.10 - Over side working checklist

Link to Isolation checklist

Table D.11 - Isolation checklist

Link to LTI – Engineering review checklist

Table D.12 - LTI – Engineering review Isolation checklist

Page 335 of 361 Revision: B06

Paper Backup

Paper backup
If a server fails or if, for any reason the electronic CoW system is not available, a
limited paper backup system is provided. The paper backup system cannot deliver
the rigour inherent in the design of the electronic CoW system and as such the
paper system shall only be used for essential work when the electronic system is
not available.
Each site is required to have a backup paper system ready to use in the event of a
system outage at the normal place of permit issue.
There is an expectation that the paper backup system will only be used for a limited
period of a few shifts at most. If the paper backup system is used, certain
safeguards provided by the electronic system will be lost. Examples include permit
dependencies, permit and certificate linking, automatic updates to associated
registers, approval levels and visual SIMOP indicators. To reduce the risk associated
with using this system, as far as is reasonably practicable, minimise or defer all non-
essential work including:
movement of locked valves
use of ORA and SORA
isolation movement
HWOF and CSE work.
The workflow follows the same steps to generate, Verify, and authorise all permits,
ORAs and IDPs as with the electronic system. Level 1 and Level 2 risk assessment
forms and the risk assessment process in section 8 and section 9 of this Upstream
CoW Procedure are applied. The work party signs the declaration form in
accordance with the normal process.
When a permit is used in conjunction with a risk assessment, the paper copies are
cross-referenced against each other by adding the risk assessment number to the
permit and the copies of the paperwork collated together to take to the worksite. As
each pre-printed form has a second copy, these are retained for a minimum of one
month in the control room, permit office or a central place on the site where CoW is
managed.
If existing paper copies of an eCoW permit or isolation are available from the
previous shift, then it is acceptable to use these permits and re-issue using wet ink
signatures as long as conditions have not changed, and the risk assessment is still
valid.
When the eCoW system becomes available after an outage it is acceptable to
continue to work under the paper backup system certificates for the remainder of
the shift. Transfer all paper backup permits and isolations to eCoW at the earliest
opportunity to maintain a single point of control.

Page 336 of 361 Revision: B06

Safety override risk assessment (SORA)

When eCoW is not available an ORA shall be used in all situations that would
normally require a SORA.

Permit register
During permit issue, the AA needs visibility of the interactions between current
ongoing works. This and the permit register provide a log of all live permits and their
location. The AA refers to this log before issuing a permit to confirm that there are
no SIMOP clashes or conflicts with any isolation. The AA completes all the required
fields in the register during permit issue. When the permit is completed or
suspended, then the AA records this in the relevant field.

Isolation register
A register is provided to log all isolations that are put in place during the period
where eCoW might not be available. The AA completes all the data required in the
register when an isolation is moved to in place. When an isolation is removed, then
the AA enters the time and date in the relevant section to signify that the isolation is
now complete. The AA also cross-references any work permits linked to the
isolation so that the status of the permits can be checked prior to giving permission
to remove an isolation.

Locked valve register

During isolations and de-isolations, it is understood that locked valves will change
position when the isolation points are applied and removed. During a period when
the eCoW system is not available, a register is provided to log all locked valve
movements so that the LVR can be updated or checked, or both, when the eCoW
system becomes available. When valves are moved under isolation, de-isolation, or
both of these, then the AA updates this register with the relevant details.

Page 337 of 361 Revision: B06

Site CSE Register

Table F.1 below is a site CSE register. Some examples are provided, but the register is
completed by the site.

Table F.1 - Site confined space entry (CSE) register

Site A - CSE and Restricted Space Register

CSE/ Restricted Rescue Minimum No. of Min No. of

Equipment Location Space Level/Gas Plan Persons Entering Standby Man
Test Space
Turret Head and Turret CSE
Transverse L2RA/Gas Testing Yes 1 1
bulkheads 1/2/3 Required
TSS Void Spaces – TSS CSE
All levels, including L2RA/Gas Testing Yes 1 1
forepeak tank Required
All process Topsides CSE
separation vessels, Process Deck L2RA/Gas Testing
including and Marine Deck Required Yes 1 1
oil/water/gas plant.
(SRP cartridge
filters – see below)
SRP cartridge filters Module 15 Restricted workspace Yes 1 1
L2RA/Gas Testing
All Process Module 16 CSE Tank
Chemical Tanks L2RA/Gas Testing Dependent 1 1
Required
All Hull Tanks, Main Deck CSE
including but not L2RA/Gas Testing
limited to Cargo Required Yes 2 1
Tanks/Ballast Tanks
/Void Spaces
All Fresh Water Engine Room CSE
Tanks L2RA/Gas Testing Yes 1 1
Required
All Diesel Fuel Engine Room CSE
Tanks L2RA/Gas Testing Yes 2 1
Required
All vessel skirts Topsides CSE
process modules L2RA/Gas Testing Yes 1 1
and Engine Required
Room
Crane Pedestals Module 13 CSE
Starboard and L2RA/Gas Testing Yes 1 1
Module 14 Port Required
Gas Turbine Modules 5&6 Restricted workspace Offline: Not
enclosure – L2RA Offline: 1 Required
Enclosure area (hazards different for No Online : 1 Online: 2 (1 at
around Engine / PT online / offline entry) access door, 1 at
/ Exhaust water mist cabinet)
Gas Turbine Modules 5&6 CSE
exhaust volute L2RA/Gas Testing Yes 1 1
(exhaust collector) Required
VSAT “Raydomes” Bridge Restricted workspace Yes 1 1
L2RA
All accommodation Accommodation Restricted workspace
/engine room lift and Engine L2RA Yes 1 1
shafts Room

Page 338 of 361 Revision: B06

Applicability guidance for GPO activities

Table G.1 - Applicability guidance for GPO activities

Activity At BP Site

Greenfield Brownfield
Contractor construction vessel activities at BP
Contractor SMS
offshore site (not including interface activity).

Contractor camp activities at BP onshore site. Contractor SMS

Hook- up or Tie-in activities at BP site. Contractor SMS Upstream CoW

Commissioning by contractor at BP site. Contractor SMS Upstream CoW

Construction activities at BP site. Contractor SMS Upstream CoW

Commissioning by GPO at BP site. Contractor SMS Upstream CoW

Decommissioning facilities at BP site. Upstream CoW

Decommissioning or demolishing entire BP

Contractor SMS
plant.

Subsea activities from contractor vessel at BP

Contractor SMS
site.

Onshore pipeline construction. Contractor SMS Upstream CoW

Onshore pipeline commissioning by contractor. Contractor SMS Upstream CoW

Activity At Contractor Site

Fabrication at contractor site. Contractor SMS

Commissioning by GPO at contractor site. Contractor SMS

Utilities operation by GPO at contractor site. Contractor SMS Upstream CoW

Page 339 of 361 Revision: B06

Locked valve categories

Table H.1 - Locked valve categories

LO-1 IL 2 or greater rated process trip system: LO-2 Compressor anti-surge systems:
Instrument isolation valves when the instrument forms Isolation valves to instruments managing compressor
part of any process trip system. anti-surge systems.

CONTROL
VALVE
SD SD

RECYCLE
FLOW

INSTRUMENT INSTRUMENT UNIT

(TAPED) (TAPED) CONTROL
DUBLOK DUBLOK PANEL

FLOW IN LO LO

FICAL PIAHL TI TI
LO LO

LO LO COMPRESSED
PROCESS LINE GAS

VESSEL
FLOW OUT PICAHL
LO

COMPRESSOR

LO-3 Pressure or vacuum relief system: LO-4 Overpressure protection blowdown:

Valves in a pressure or vacuum relief system, including a Valves upstream or downstream of an ESDV (XXV),
valve in the inlet and outlet of the relief lines. This which opens to blow down the system.
includes dual PSV systems.

XXV
TO BLOWDOWN
TO RELEASE
SYSTEM

LO FO LO
LO LO

PROCESS FLUID PSE PSE

COOLING
MEDIUM
LO LO

PROCESS COOLING
FLUID MEDIUM

Page 340 of 361 Revision: B06

LO-5 Continuous flow path to drains: LO-6 Flow path to HP/LP flare:
Valves providing continuous access to drains from Isolation valves on vents to HP / LP flares, for example:
vessels or systems (for example vendor skids) where it • to prevent vessels overpressurising
is critical that the flow of excess fluids is controlled.
• to provide a controlled route of gas disposal from
cavity bleeds
• isolation valves on the flare header.

VESSEL
TO FLARE BLOWDOWN
LINES

LO
VESSEL
SKID INLET
FLARE HEADER

VESSEL
LO LO
VESSEL
OUTLET

TO CLOSED CAVITY PRESSURE

DRAINS BLEEDS RELIEF
VALVES
LO

LO-7 Continuous vents to atmosphere Isolation valves LO-8 HP/LP interface protection:
to vents systems that provide a controlled route for the Valves on a HP/LP interface that are LO to prevent a
continuous removal of gases. section of line overpressurising.

HP RATED LP RATED

RECOVERED OIL TO MISC VENTS

LO
LO

PIPELINE SPEC CHANGE

HH1 SB4

FLOW IN

CAISSON

Page 341 of 361 Revision: B06

LO-9 System functionality critical valves: LO-10 Isolation valves in drain headers:
Isolation valves in systems that shall be LO to maintain Manual valves in drain headers are LO to avoid
the function of the system, typically focused on systems backflowing from one vessel to another if they are being
essential to maintain operation of SCEs valves in for drained simultaneously.
example:
• Fuel gas - Diesel - Nitrogen - Chemical injection.
• Water injection - Seawater - Heating medium.
• Potable and service water - Instrument air.
• Breathing air - Firewater.

TO USER

MAIN MAIN
INLET INLET

VESSEL A VESSEL B
RINGMAIN
RETURN MAIN MAIN
TO
OUTLET OUTLET
INLET TO USER
SYSTEM
LO

TO
CLOSED
USE DRAINS HEADER
BUFFER
VESSEL
LO (LC) (LC)
CHANGE
IN HEIGHT
TO LO
USER

LO
TO CLOSED
LO DRAINS
ISOLATION
VALVE
ISOLATION
VALVE

LO-11 Minimum flow protection: LO -12 Fire protection system delivery valves
LO valves in a minimum flow recycle loop around a
pump to prevent causing damage to the pump.

FIREWATER RINGMAIN

RECYCLE
VESSEL LO
INLET

TO HYDRANT
LO

MAIN FLOW

PUMP

Page 342 of 361 Revision: B06

LC-1 Closed or hazardous drains: LC-2 HP or LP flare vent valve:

Valves to closed/hazardous drains, which are opened Valves to the flare, which are required to vent off gases
when it is required to drain a vessel or process line once contained within a vessel or a process flowline once it
it has been isolated. has been isolated.

INLET INLET
TO FLARE

LC
INSTRUMENT TO FLARE
BRIDLE
LC

VESSEL VESSEL
TO CLOSED
DRAINS
INSTRUMENT
LC BRIDLE
OUTLET OUTLET

TO CLOSED
DRAINS

LC-3 Fiscal metering: LC-4 Bypass valve:

Vents and drains on and downstream of the fiscal meter Bypass valves required for pressure equalisation before
that cannot be opened for fiscal reasons. opening at startup (e.g. valves around the pig launcher).
Control valve bypasses that have the potential to
overpressure downstream plant shall be LC. If included
in the plant HP/LP Interface list, they may also have a
restriction orifice fitted, limiting the potential to
overpressure downstream plant.

LC FROM
COMPRESSOR GAS SYSTEM
FLUID IN
FC

FISCAL
METER LC
FLUID OUT

TO DRAINS

LC-5 Fire protection systems: LC-6 Wellhead control panel:

Drain valves on the firewater ring main, deluge, and Valve in which the position is controlled by containing it
sprinkler skids. within either a locked lunch box valve cabinet or a
locked Brisco panel.

FIREWATER RINGMAIN
LUNCH BOX LOCKED CLOSED

FROM BRISCO TO XMAS

PANEL TREE XXV
LC
LO LO
FROM BRISCO TO DOWNHOLE
PANEL SAFETY VALVE
LO LO

TO DRAIN

TO SAFETY
ANNULUS VALVE
LO LO

Page 343 of 361 Revision: B06

LC-7 HP / LP Interface: LC-8 Environmentally critical valve:

Valves on a HP/LP interface that are LC to prevent a
section of line overpressurising.

HP RATED LP RATED

ATMOSPHERE
PIPELINE SPEC CHANGE

Page 344 of 361 Revision: B06

Hazardous and non-hazardous process fluids and utilities

Table I.1 - Hazardous and non-hazardous process fluids and utilities

Hazardous process fluids and hazardous utilities100

All hydrocarbon systems, including:

Wellheads, flowlines, and risers Closed drains

Separation Fuel gas

Crude metering Diesel

HP compression Hydraulic oil

Gas dehydration Methanol

LP compression Oil-based drilling mud

Relief, flare and vent Lube oil and Seal oil

Non-hydrocarbon systems, including:

Produced water Hazardous open drains

Water injection (HP, > 50 barg (725 psig) design pressure) Inert gas (asphyxiation hazard)

Cooling medium (containing toxics) Nitrogen (asphyxiation hazard)

Heating medium (containing toxics) Chemical injection

Chlorination (until diluted) Steam

Water (≥60°C (100°F) Water based mud and brine

Non-hazardous process fluids and non-hazardous utilities:

Seawater used for ballast or cooling Firewater

Water injection (LP, ≤ 50 barg (725 psig design pressure) Bilge water

Fresh service water and potable water Sewage and grey water

Compressed air ≤ 14 barg (200 psig)

Page 345 of 361 Revision: B06

Tasks that an AA can delegate

Table J.1 - Tasks that an AA can delegate

Tasks that an AA can delegate

AA can delegate to another AA AA can delegate to an IA

Verification of permits Issue permits

Pre de-isolation verification Worksite visit for permit close out

Pre-startup checks Verify permit suspension during emergencies

Isolation integrity checks Rescue plan review before permit authorisation

Verifications before work restart after suspension Approval of risk area I risk assessment
Worksite visit and TBT attendance , providing it is not the Verify working at height TRA, conditions, equipment (see
first visit for CSE or HWOF section 17)
Verify permit suspension during emergencies Retain permits and certificates for one month

Monitoring of witness joints when delegated by SA Verification of permits

Rescue plan review before permit authorisation Habitat inspections

Follow hierarchy of controls to confirm HWOF Agree with PA for FW competency

Habitat inspections
On closing a permit verify the personal isolation has been
Verify working at height TRA, conditions, equipment
removed and the plant line-up is correct
Retain permits and certificates for one month Verifications before work restarts after suspension

Agree with PA for FW competency

Worksite visit for permit close out

Verify BP Golden Rules of Safety (or Life Saving Rules
where applicable) breaches recorded in IRIS
Review TRAs include lessons learned from incidents, near
misses

Capture knowledge within eCoW

Change of permit to work conditions (e.g. monitoring

frequency)

Page 346 of 361 Revision: B06

Measuring airflow through a vessel

a. Field measurement requires a pocket calculator, measuring tape and air velocity
instrument. Calculations are made using the following formula:
1. Q = VA
In this:
2. Velocity (V) is in feet per minute (fpm).
3. Area (A) is in square feet (sq.ft.) For circular openings, the formula to
derive A is A = πr2.
4. Air flow (Q) in cubic feet per minute (cfm) is the quantity of air passing
through a manway.
b. Measure the average makeup air velocity (in fpm) entering the vessel through each
opening. Makeup air entering the vessel is measured because the air moving
devices, when used to pull air through the vessel, usually make the exhaust air too
turbulent for effective measurement.
When identifying and selecting intake air openings for airflow measurement, consider
the possible effects of short-circuiting which may be present. If short-circuiting is
suspected, it may be prudent to test the air flow pattern using smoke tubes to confirm
that the 2,000 cfm per welder criterion is appropriate for the situation under
investigation. If short-circuiting is suspected but cannot be excluded, use of local
exhaust ventilation is likely the better choice.
c. Measure the largest openings first. Since most of the air will pass through the larger
openings, they will account for the majority of the makeup air entering the vessel. If
the confined space is supplied with pressurised makeup air (from portable air
conditioners or heaters), pierce the flexible ducting to measure the air flow velocity
and repair the hole with duct tape.
d. Multiply the average airflow velocity for each opening by the cross-sectional area (in
sq.ft.) of the opening to obtain the quantity of makeup air (in cfm) entering the
confined space. Finally, add the makeup air quantities for each opening in the vessel.
The ACGIH Industrial Ventilation, A Manual of Recommended Practice recommends
up to 20 measurements along two 10-point transects at 90° to each other. This
document provides the details of accurate air velocity measurements which provide
spacing for circular openings which will provide equal areas. For rectangular
openings, 16 measurements are recommended. The average velocity can be calculated
by averaging the measurements for a given opening.
Example #1: A single fan is mounted on a manway near the top of a vessel, and makeup
air is entering through a manway (40’ diameter) near the bottom of the vessel at an
average velocity of 370 fpm. Determine the amount of make-up air.
1. Determine the cross-sectional area (A).
2. Use the formula: 𝐴𝐴 = 𝜋𝜋𝑟𝑟 2
3. Radius = ½ diameter = 20’ = 1.67'
4. A = (3.1416) (1.67)² = 8.76 ft²
5. Calculate the air flow (Q) in cfm:
a) Use the formula: Q = VA

Page 347 of 361 Revision: B06

b) Q = 370 fpm x 8.76 sq.ft. = 3,242 cfm

In this example, 3,242 cfm dilution ventilation is supplied to the vessel. Remembering
that one active welder is allowed for each 2,000 cfm dilution ventilation entering the
confined space, only one welder may work in this space.
Example #2: For the same space, if there is still one fan on the upper manway, but there
are now two 40’ manways available for makeup air. What is the amount of makeup air if
the average velocity is 280 fpm through one manway and 310 fpm through the other?
The cross-sectional area for the two 40’ manways is 8.76 sq.ft. (See Example #1)
6. The air flow in cfm:
a) 280 fpm x 8.76 sq.ft. = 2,453 cfm
b) Plus
c) 310 fpm x 8.76 sq.ft. = 2,716 cfm
d) Total: 5,169 cfm
In this example, 5,169 cfm dilution ventilation is supplied to the vessel and two welders
may work simultaneously in this space.

Page 348 of 361 Revision: B06

Temporary Ladders

Table L.1 - Temporary equipment examples101

Item Description Picture of item

no.
a Scissor lifts or mobile elevated work platforms

b Mobile platform stairs or ladders (with rear bar or chain).

c Scaffolding:
1. With a lift.
2. With stairs.

d Scaffolding with internal inclined scaffold ladder with protection

(i.e., ladder trap hatch or handrails)

e Scaffolding with external scaffold ladders accesses using a

safety gate or swing arm system or onto platform with
guardrails.

Page 349 of 361 Revision: B06

Item Description Picture of item

no.
f Ladders

Table L.2 - additional requirements for all temporary ladders101

Item Requirement Picture for reference

no.
a Personal fall protection is used on temporary ladders where the height of
climb exceeds 3 m (10 ft).
To allow for adjustment limitations on some proprietary equipment, there
is a tolerance of +5% allowed.

b While ascending and descending the ladder, the worker faces the ladder
with both hands available to climb.

c Ladders are secured or stabilized to prevent accidental displacement.

Page 350 of 361 Revision: B06

Table L.3 - additional requirements for accessing scaffold101

Item Requirement Picture for reference

no.
1 Ladders, rails or grab bars extend at least 1 m (3 ft) over
or into any landing or scaffold platform to maintain
balance for transition to platform.

2 Scaffold ladders at the point of access or egress have a

step-across distance of not more than 30 cm (12 in) as
measured from the centerline of the steps or rungs to
the nearest edge of the landing area.

3 Self-closing swing gates that open inward or an

equivalent barrier are used at all entry points for
scaffold ladders.

4 Internal scaffold ladder access protection around the Ladder trap door is designed
opening, such as a protected ladder trap with self- with guard rails on both sides
closing mechanism, guard rail or an equivalent barrier.

Page 351 of 361 Revision: B06

Item Requirement Picture for reference

no.
5 When installed externally, scaffold ladders are installed
at between 90 and 135 degrees to the platform deck
being accessed.

6 If the length of any section of a scaffold ladder exceeds

6 m (20 ft), a rest platform (deck) is required

The requirement (a) in Table L. 2 for fall protection

where Height of Climb exceeds 3 m (10 ft) still applies.

Page 352 of 361 Revision: B06

Table L 4 - additional recommendations for accessing scaffold 101

Item Additional recommendation Picture for reference

no
1 Access and egress are accomplished using stairs
or internal ladders.

2 Where stairs cannot be used, inclined ladders at a

maximum 75-degree (4:1) angle are used.

Table L.5 - Additional requirements for using extension or straight ladders101

Item Additional recommendation Picture for reference

no
1 Extension ladders have rung-locks fully engaged
while in use.

2 When the use of an extension ladder is the only

means of access to complete the work, the
extension ladders are limited to 9 m (30 ft).
The requirement (a) in Table L. 2 for fall
protection where Height of Climb exceeds 3 m
(10 ft) still applies.

Page 353 of 361 Revision: B06

Table L.6 - Additional recommendations for using extension or straight ladders101

Item Additional recommendations Picture for reference

no.
1 If an extension or straight ladder is being used as part of
normal operations, an engineering solution is implemented.

2 Extension or straight ladders are used at a maximum 75-

degree angles (4:1), so that the distance from ladder base
to the base of the support is one quarter of the working
length of the ladder.

Table L.7 - Additional recommendations for performing work from a platform ladder101

Item Additional recommendations Picture for reference

no.
1 Platform ladders are used in place of extension or straight ladders to
perform work.

Platform ladders are preferred over folding ladders and extension

ladders.

2 Platform ladders are:

a) Used on level ground with support for all four sides of its base.
b) Not moved while someone is on it.
c) Not used on ice, snow or slippery surfaces unless suitable
means to prevent slipping is employed.

Page 354 of 361 Revision: B06

Table L.8 - Additional requirements for performing work from a ladder101

Item Additional requirements Picture for reference

no.
1 If the ladder does not have an inbuilt platform or safety rail, Fall
Protection is required when working from a ladder above 2 m (6 ft).

Note: Working from a ladder is working at height. However, the use

of a ladder for access and egress is not working at height.

2 Do not stand on the top two rungs of the ladder.

3 Step ladders are:

a) Equipped with a metal spreader or locking braces that
securely holds the front and back sections in an open
position while the ladder is in use,
b) Not used for accessing an elevated work area unless
designed by the manufacturer for this use.

Page 355 of 361 Revision: B06

References

Table M.1 - References

No. Value Section Source

1 500m 5.5 & 8.4.3 Upstream CoW Practice,

US GOV 33 CFR 147.10 Establishment of safety zones,
IMO IA910M
GOO-LI-PRO-00001 BP Procedure GOO Asset 500 Meter
Zone
2 11m or 35ft Table 20 & US government: Safety & Environmental Enforcement,
12.2, 24 & Interior § 250.113
Table 4 OSHA 1910.252(a)(2)(iii)
3 24 hr. 8.3.2 & Table Upstream CoW defined
5
4 14 days 8.3.4, 8.4.5 & Upstream CoW defined
8.7.3
5 4 hours 8.3.4, 8.5.1 & Upstream CoW defined based on working time directive
14.13
6 3 years 8.3.5 & 10.6 Upstream CoW defined
7 10 barg (US 150 9.4 & Table 8 Upstream CoW defined based on limit for single valve
psig). isolation limit
8 392°C (738°F) Table 12 API RP 2216. In this case we have used the auto ignition
temperature for diesel, (210°C) which is a credible fluid that
could come into contact with hot surfaces in upstream
operations with a low auto ignition temperature. We then
applied the 182°C as defined in API RP 2216 to give a
minimum hot surface ignition temperature of 392°C.
Where a site has materials with a lower auto ignition
temperature then this figure is revised.
9 1.2m (4 ft) Table 13 UK HSE. Consider if this space meets the criteria for CSE
10 10% 8.6.2 Upstream CoW defined
11 5 Years 8.7.9 BP document retention policy
12 MTTR (7 days, Table 21 Upstream CoW defined based on advice and support of
whichever is instrument and control TA S&OR + I&C engineering discipline
the lower leader GOO.
figure)
specified.
13 7 days Table 21 Decision made after consultation with ICE SMEs
14 Review every Table 21 Decision made after consultation with ICE SMEs
90 days
15 12 hours Table 21 US CFR Title 30 CFR 250 Subpart H
16 90 days 11.4 & 11.9, Upstream CoW Practice
A11
17 72 hours 11.7 Upstream CoW defined
18 <1% LEL 12.5, 12.6 & Upstream CoW defined based on industry practice.
15.4
19 30 minutes 12.5 NFPA® 51B Standard for Fire Prevention During Welding,
Cutting, and Other Hot Work
20 20 air changes 13.2 Industry guidance - SafeHouse
21 1.5m (5ft) Table 23 Upstream CoW defined based on industry custom and
practice

Page 356 of 361 Revision: B06

No. Value Section Source

22 25-50 Pa or 0.1- Table 23 Industry guidance - SafeHouse

0.2in
23 25Pa Table 24 Industry guidance - SafeHouse
24 240Vac or Table 25 Upstream CoW defined with GOO central senior electrical
120Vdc. engineer approval
25 19mm (3/4in) Table 25 Upstream CoW defined. Decision taken with UEC based on a
max valve <50 practical approach
barg for BC and
Non-BC>50barg
26 <10 barg (US 14.6, Upstream CoW defined. 150 psi reflects the fact that many
150 psig). 14.14.10, regions use 150psi spec pipework. Limitations or standards
14.22 that require 10bar, this can include a 150psi rating.
27 25kg (50lb) 14.10 OSHA 1910.147
28 10 minutes Figures BP Custom and practice based on Code B31.3
13,14, 15,
29 <50V ac or dc 14.19 GOO central senior electrical engineer defined
30 ≤ 20mm, ¾in 14.19 Upstream CoW defined
31 <50 barg 14.22 Upstream CoW defined
32 180 days 14.28 Upstream CoW practice
33 90 and 365 14.28 Upstream CoW defined
days
34 Multiple Table 29 GOO central senior electrical engineer defined based on: IEC
voltages 60038 and NEMA C84.1
35 Multiple Table 30 GOO central senior electrical engineer defined based on: IEC
voltages 60038 and NEMA C84.1
36 0.5m/sec (100 15.5.2, OSHA 1910.252(c)(2)(ii)
ft/min) 15.5.4
37 8 and 20 ACH 15.5.3 2001 American Industrial Hygienist association Confined
Space Entry Protocol Guide
38 57m3/min 15.5.4 OSHA 1910.252(c)(2)(ii)
(2,000 ft3 /min)
39 60°C (140°F) 15.8 Upstream CoW defined based on HSE guidance on scalding
or burning hazards.
40 50 ppm 16.7.1 & API 660
6.4.3
41 50%LEL 16.7.2 GP 60-20

42 1barg (14.5 16.7.3 Upstream CoW defined based on industry practice

psig).
43 95°C (203°F) 16.7.3 Upstream CoW defined based on industry practice

44 20% safety 16.8 In consultation with process engineering with consideration of

factor American gas associated purging manual. Fourth edition
45 4 feet (1.2 m) 17 OSHA 1910.28(b)(2)(i)

46 0.1m (4in) high. 17.3 OSHA 29 CFR 1910.23(e)(4)

47 0.95m (37in) 17.3 & 22.1.2 US OC 200/31 - The work at height regulations
high
48 0.47m (18in). 17.3 OSHA 1926.451(g)(1)(vii)
BS EN 12811
49 90 kg (200lb) 17.3 OSHA 1926.502(b)(3)
50 12kN (2700 lbf) 17.5 EN 795:2012 European standard relating to the testing of
and 18kN (4047 personal fall protection equipment – Anchor Devices
lbf)

Page 357 of 361 Revision: B06

No. Value Section Source

51 Multiple values 17.5 Upstream CoW defined based on calculations from Alaska
engineering team
52 12 months 17.8.2 BS EN 365:2004 Personal protective equipment against falls
from a height. General requirements for instructions for use,
maintenance, periodic examination, repair, marking and
packaging
53 10% 17.11.2 Sourced from HSE & IEC guidance
54 0.3m (12in) 18.2 & OSHA Walking-Working Surfaces Regulation 29 CFR 1910.21-
22.1.3, 30
22.1.4 table
41
55 6 months 18.3.1 Upstream lifting practice based on generic lift plan only
56 <250 ppm 19.3 & 19.7 UEC mechanical seta interpretation of GP 06-29
57 50ppb 19.3 & 19.7 GP 06-29
58 8 barg (116psig) 19.4 & Table GP 32-40
38
59 90%, 30%, 19.6 & Table GP 32-40
90% 38
60 65°C (149°F) 19.7 Upstream CoW defined
61 2°C (35°F) 19.7 & 19.8 Custom and practice based on ASME design codes
62 95% 19.8 CoW defined based on normal industry practice. UEC
Approved
63 99-99.5% 19.8 UEC supplied catalyst manufacturer recommendations to
avoid exotherms
64 90% 19.9 UEC supplied industry design practice
65 110% to 150% Table 38 UEC supplied industry design practice
66 15scf a year Table 38 GP 32-40
from a 6mm
(¼in) tube.)
67 Multiple values Table 38 GP 32-40
based on
helium tracer
68 4-5 barg (60-75 19.15 Upstream CoW defined based on GP 32-40
psig) or 25%
69 30 minutes 19.15 30 Mins from GP32-20 and GP 32-40. 10 minutes for low
volumes (volume defined by upstream CoW based on UEC
input) based on process piping codes B31.1
70 90% 19.22 Upstream CoW defined based on UEC guidance
71 12 hours 20.2 Upstream CoW defined based on BP custom and practice
72 0.3m (12in) 21 Upstream CoW defined based on industry practice
73 >1.2m (4ft) 21 OSHA 1926.651(g)(1)(i)
74 6.7m (25ft) 21 OSHA 29 CFR 1926.651 and 1926.652 21
75 0.5m (18in) 21.4 UK. HSE: HSG47 (Third edition), Avoiding danger from
underground services
76 2m (6ft 6in) 21.4 Upstream Cow Defined based on APWA guidance
77 300mm 21.4 UK. HSE: HSG47 (Third edition), Avoiding danger from
underground services
78 Multiple values Table 40 OSHA Technical manual:
Excavations: Hazard Recognition in Trenching and Shoring
79 1.07m (42in) 22.1.2 OSHA 1926.502 & HSE WAH regs 2005
80 0.47m (18.5in 22.1.2 BS EN 12811
81 366kg/m 2
22.1.7 Upstream Cow Defined based on equivalent load limit to
(75lb/ft2) scaffolding board

Page 358 of 361 Revision: B06

No. Value Section Source

82 ≥50 V ac or dc 22.2 GOO central senior electrical engineer guidance based on the
principle that live equipment is hazardous above 50 V as
referenced in NFPA70E and UK HSE HSG85
83 Multiple values Table 42 NFPA70E
84 Multiple values Table 43 NFPA70E
85 1 year & 2 Table 44 Upstream CoW defined based on Oil industry practice
years
86 365 days for 23.6 Upstream CoW defined based on Oil industry practice
Type 1 locked
valves.
730 days for
Type 2 locked
valves
87 Multiple gas 24.1, 24.4 Based on international regulations and guidance and Approved
alarm limits by S&OR IH Director
88 5ppm & 10ppm 24.4 BP S&OR Senior Industrial Hygiene Director guidance
89 10% LEL or 24.5 IH community guidance
19% oxygen
90 200 ppm 24.6 ACGIH, NIOSH, OSHA and EH40
91 4.4% 24.8 GP 60-20
92 16.5% 24.8 GP 60-20
93 120°F (50°C) Figure 28 Upstream CoW defined based on industry practice
94 10 minutes 24.15 IACS & ICS industry practice
95 Multiple values Table 47 Upstream CoW defined based on international legislation and
guidance. Approved by S&OR IH Director
96 Multiple values Table 48 Upstream Cow defined based on BP custom and practice
97 2 weeks 25.6 Upstream CoW defined
98 Multiple values Table 52 Upstream CoW defined
99 Multiple values Table 53 Upstream CoW defined
100 All Table I1 Upstream CoW defined, guided by GP 44-40 Design for
Isolation of Equipment for Maintenance and Emergency
101 Multiple values Table L1-L8 BP Practice Working From Temporary Ladders
102 .5m below HH 22.17.1 Upstream CoW defined based on discussions with regions
trip
103 zone 0 or class 15.4 Provided by Upstream S&OR and based on U.K. HSE
1 zone 0 or Confined Space regulations
class 1 division
1
104 <10% OEL 15.5.1 UK HSE Guidance Document EH40 or US National Institute
for Occupational Safety and Health (NIOSH) guide to chemical
hazards)
105 2°C (35°F) 19.8 Custom and practice based on ASME design codes
All sources marked as ‘Upstream CoW defined’ have been Approved by the CoW Governance Board which consists of
GOO, GPO, GWO and S&OR.

Page 359 of 361 Revision: B06

Previous Reviewers

Table N. 1 - Previous Reviewers of version B05, October 2017

Name Role

Dave Wall VP Engineering Services, GOO

Dave King VP, Upstream HSE
Ken Daigle VP Safety Management, S&OR
Darren Hughes Senior Electrical Engineer, GOO
Danny McHugh Discipline Leader - Instrumentation, Control & Electrical (ICE), GOO
Geoff Evans SETA Static Mechanical, UEC
Kyle Erdbruegger Commissioning Engineer, GPO
Ralph Eguren Process Engineering SETA, UEC
William Kelly Subsea Operations Director, Subsea
Susan Connochie AP Specialist (Process), GOO
Marcin Nazaruk Human Performance Lead Advisor, HSE
Barnaby Annon Human Performance Lead Advisor, HSE
Simon Robinson Senior Human Performance Advisor
Alex Bird GOO HSE Manager
John Sanders Risk Authority, S&OR
Lesley Burgess Senior Industrial Hygiene Director, S&OR
Tracy Whipple Process Safety SETA, UEC
Randy Jones Competence Manager, UT&L
Sandra McMinn Learning Manager – Petro-technical Academy, UT&L
Jonathan Harker BP Requirements Lead Practitioner, Upstream
Rodney Hosein Maint and Engineering Manager Trinidad
Christa Lawson AOM Nakika
Ryan Mefiardhi OSTL
Ian Alleyne I&C discipline Lead
Bruce Price VP maint and Engineering
Martin Dove VP Subsea Operations

Regional S&OR

Mike Parker Operations Authority – Oman, S&OR

David Yearwood Operations Authority – GoM, S&OR
David Collins Operations Authority – Angola, S&OR
Kelly Eager Operations Authority – Alaska, S&OR
Javid Mehtiyev Operations Authority – AGT, S&OR
Samir S Aliyev Operations Authority – AGT, S&OR
Stephen Bashford Operations Authority – AsPac, S&OR
Mark Cowie Operations Authority – North Sea, S&OR

Page 360 of 361 Revision: B06

Paul Winkle I&C TA

Brian Mcleod VP S&OR AGT

Regional Operations Leads and their extended teams

Tim Hendricks COW Director, Alaska

Robert Zamarripa CoW Director, Alaska
Rafaela Vale CoW Regional Deployment lead, GoM
Jason Adams CoW Technical Authority, Trinidad
Danny Cooper CoW Regional Deployment lead, Angola
Budi Haryanto CoW Regional Deployment lead, AsPac
Rashad Sadyhov CoW Regional Deployment lead, AGT Offshore
David Lezhava CoW Regional Deployment lead, CoW Lead, Georgia
Bakhtiyar Nuriyev CoW Regional Deployment lead, AGT Midstream
Paul Anderson CoW Regional Deployment lead, North Sea Offshore
John Wallace OIM AGT region
Zaza Ramishvili OSM Georgia
David Lezhava PTL AGT
Javid Mehtiyev OTL AGT
Ian Alexander Khazzan Ops Planner
Salim Al Kalbani OTL Khazzan
Ahmed Said Ahmed Al rawahi OSM

Page 361 of 361 Revision: B06

Electrical Transformers and Rotating Machines 4th Edition Herman Solutions Manual
0% (2)
Electrical Transformers and Rotating Machines 4th Edition Herman Solutions Manual
2 pages
Boeing 777 BA27-01 Component Maintenance Manual PDF
100% (1)
Boeing 777 BA27-01 Component Maintenance Manual PDF
52 pages
#VIP 100221 Zonal Isolation
100% (1)
#VIP 100221 Zonal Isolation
34 pages
Attachment PDF
100% (2)
Attachment PDF
362 pages
Override Bypass Control
100% (5)
Override Bypass Control
26 pages
Agriculture Fruit Farm Business Plan
73% (11)
Agriculture Fruit Farm Business Plan
18 pages
95-0210 Drilling
100% (1)
95-0210 Drilling
152 pages
DECS SERVICE MANUAL - 09 VII - Human Resource Management and Development Policies
100% (5)
DECS SERVICE MANUAL - 09 VII - Human Resource Management and Development Policies
51 pages
EP2005-0310 HSE Case Guideline
100% (2)
EP2005-0310 HSE Case Guideline
11 pages
Technical Authority Framework
0% (1)
Technical Authority Framework
22 pages
AZSPU-HSSE-DOC-00060-2 (Permit To Work)
No ratings yet
AZSPU-HSSE-DOC-00060-2 (Permit To Work)
47 pages
PR-1001c - Temporary Override of Safeguarding System Procedure
100% (2)
PR-1001c - Temporary Override of Safeguarding System Procedure
33 pages
Jotun Master Spec by SLT
No ratings yet
Jotun Master Spec by SLT
18 pages
BP Process Safety Series, Control of Work-2007
100% (3)
BP Process Safety Series, Control of Work-2007
91 pages
Isolation of Process Equipment Procedure Rev 0
No ratings yet
Isolation of Process Equipment Procedure Rev 0
39 pages
GP 00 02 Engineering Technical Practice (ETP) Governance and Management Principles
No ratings yet
GP 00 02 Engineering Technical Practice (ETP) Governance and Management Principles
10 pages
#VIP 100220 Well Equipment
No ratings yet
#VIP 100220 Well Equipment
43 pages
GP 35-20-Isolation of Equipment For Maintenance
No ratings yet
GP 35-20-Isolation of Equipment For Maintenance
23 pages
AzSPU SSOW Procedure For Energy Isolation (Process)
No ratings yet
AzSPU SSOW Procedure For Energy Isolation (Process)
36 pages
CPL Handbook 2006
No ratings yet
CPL Handbook 2006
187 pages
Nsspu-Gp 44-40-1 - Sirps
100% (1)
Nsspu-Gp 44-40-1 - Sirps
101 pages
Ep 950100
No ratings yet
Ep 950100
62 pages
PR-1081 2014 Buddy System
No ratings yet
PR-1081 2014 Buddy System
19 pages
TSE Framework
No ratings yet
TSE Framework
3 pages
Process Safety - Barrier Management: Nageswara Rao HSSE Manager Shell Technology Center Bangalore
100% (4)
Process Safety - Barrier Management: Nageswara Rao HSSE Manager Shell Technology Center Bangalore
16 pages
AMS One pdf Standard and Manuals
100% (1)
AMS One pdf Standard and Manuals
181 pages
Pro 4-5-0001!1!06 Lifting Operations
No ratings yet
Pro 4-5-0001!1!06 Lifting Operations
11 pages
HEMP-Leader Engagement SOPAF GM-1
100% (3)
HEMP-Leader Engagement SOPAF GM-1
64 pages
Critical Equipment Identification and Maintenance
No ratings yet
Critical Equipment Identification and Maintenance
10 pages
PR-1171 - I
100% (1)
PR-1171 - I
38 pages
PTTP ProcessSafetyFundamentals
100% (1)
PTTP ProcessSafetyFundamentals
12 pages
BP Intro Relative Resource Manager
No ratings yet
BP Intro Relative Resource Manager
24 pages
AzSPU SSOW Procedure For Deviations
No ratings yet
AzSPU SSOW Procedure For Deviations
11 pages
GU-874 Competence Development and Assurance PDO
100% (1)
GU-874 Competence Development and Assurance PDO
37 pages
3.1.1 Overpressure Protection Basic Rules
100% (1)
3.1.1 Overpressure Protection Basic Rules
21 pages
Pro 4 5 0001 1 02a Energy Isolation Air BP Anz v2
No ratings yet
Pro 4 5 0001 1 02a Energy Isolation Air BP Anz v2
25 pages
Azspu Practice For Assessment, Prioritization, and Management of Hsse&O Risks
100% (1)
Azspu Practice For Assessment, Prioritization, and Management of Hsse&O Risks
29 pages
GU-513 - PDO - Guidelines For Alarm Management and Rationalization, Dec 2009
100% (2)
GU-513 - PDO - Guidelines For Alarm Management and Rationalization, Dec 2009
45 pages
BP Golden Rules - Download From Step Change Web Site PDF
No ratings yet
BP Golden Rules - Download From Step Change Web Site PDF
16 pages
GP 10-20 26 August 2008
100% (1)
GP 10-20 26 August 2008
41 pages
Hazard Management in Contracts Guidelines: Petroleum Development Oman L.L.C
No ratings yet
Hazard Management in Contracts Guidelines: Petroleum Development Oman L.L.C
13 pages
Safety Case Technical Guidance V3 280416
No ratings yet
Safety Case Technical Guidance V3 280416
88 pages
SCE
100% (4)
SCE
36 pages
ED Offshore Inspection Guide: Well Integrity (Operate Phase)
No ratings yet
ED Offshore Inspection Guide: Well Integrity (Operate Phase)
46 pages
GDP 3.1-0001 Assessment, Prioritization and Management of Risk
100% (1)
GDP 3.1-0001 Assessment, Prioritization and Management of Risk
31 pages
Cp-122 Hse Manual
No ratings yet
Cp-122 Hse Manual
1 page
SP-1074 Pom PDF
100% (2)
SP-1074 Pom PDF
24 pages
PR-1171 - I
100% (1)
PR-1171 - I
33 pages
2016-09-04 Operational HSSE Competence Brochure 2015 - Shell PDF
100% (2)
2016-09-04 Operational HSSE Competence Brochure 2015 - Shell PDF
62 pages
HSE Manual: Overview Hazards and Effects Management Process
100% (1)
HSE Manual: Overview Hazards and Effects Management Process
84 pages
Standard HSSE Managements.
100% (1)
Standard HSSE Managements.
4 pages
1383
100% (1)
1383
80 pages
Global Upstream Tier 1 and 2 Process Safety Event Classification Guidance 2015
No ratings yet
Global Upstream Tier 1 and 2 Process Safety Event Classification Guidance 2015
19 pages
AzSPU Control of Work Training Policy
No ratings yet
AzSPU Control of Work Training Policy
18 pages
PR-1005 - Maintenance and Inspection Activity Variance Control Procedure
100% (4)
PR-1005 - Maintenance and Inspection Activity Variance Control Procedure
18 pages
HSE Manual: Health, Safety and Environmental Management Systems
100% (1)
HSE Manual: Health, Safety and Environmental Management Systems
62 pages
GU-140 (C9) 2012 Contract HSE Management
No ratings yet
GU-140 (C9) 2012 Contract HSE Management
19 pages
ALARP - Demonstration STD - AUS
No ratings yet
ALARP - Demonstration STD - AUS
24 pages
Lessons From Texas City (By BP)
50% (2)
Lessons From Texas City (By BP)
26 pages
Petroleum Development Oman L.L.C.: H S & So Management Drilling and Well Intervention
0% (1)
Petroleum Development Oman L.L.C.: H S & So Management Drilling and Well Intervention
67 pages
Control of Work OE Process - Final
100% (1)
Control of Work OE Process - Final
14 pages
COW Standard
No ratings yet
COW Standard
2 pages
Well Control Policy Manual - STAP-P-1-M-6150-rev-C
No ratings yet
Well Control Policy Manual - STAP-P-1-M-6150-rev-C
112 pages
Operational Control
No ratings yet
Operational Control
3 pages
Management of Critical Equipment (Safety) On Drilling Rigs
No ratings yet
Management of Critical Equipment (Safety) On Drilling Rigs
23 pages
Zaye Family Therapy
No ratings yet
Zaye Family Therapy
2 pages
Exercise MRI
No ratings yet
Exercise MRI
4 pages
Common Moods
No ratings yet
Common Moods
2 pages
National Spatial Development Framework and Urban Planning System of Myanmar
No ratings yet
National Spatial Development Framework and Urban Planning System of Myanmar
11 pages
No. NCRTC/HR/Rectt./O&M-01/2021 Dated: 30.11.2021
No ratings yet
No. NCRTC/HR/Rectt./O&M-01/2021 Dated: 30.11.2021
9 pages
RWS 2.4 Sentence Outline
50% (4)
RWS 2.4 Sentence Outline
13 pages
Proposed Active Constituents of Dipladenia
No ratings yet
Proposed Active Constituents of Dipladenia
3 pages
Awo D 45135 1
No ratings yet
Awo D 45135 1
28 pages
Basic Concept of Chemistry (2021-22)
No ratings yet
Basic Concept of Chemistry (2021-22)
15 pages
Eastern Shipping Lines Inc. V. Bpi/Ms Insurance Corp. and Mitsui SUMITOMO INSURANCE CO. LTD. G.R. No. 193986, January 15. 2014 Villarama JR., J. Doctrine
100% (1)
Eastern Shipping Lines Inc. V. Bpi/Ms Insurance Corp. and Mitsui SUMITOMO INSURANCE CO. LTD. G.R. No. 193986, January 15. 2014 Villarama JR., J. Doctrine
3 pages
Piping Material Specification - Tsmto 99fu M 99 Pt0 001 Rev0!3!65
100% (1)
Piping Material Specification - Tsmto 99fu M 99 Pt0 001 Rev0!3!65
64 pages
Civil Engineering Model Exam: (Level-04 and Level-05)
No ratings yet
Civil Engineering Model Exam: (Level-04 and Level-05)
3 pages
Course Outline EMERGING - PROFESSIONAL - Courseoutline - SJTC - 2020 - Corrected
No ratings yet
Course Outline EMERGING - PROFESSIONAL - Courseoutline - SJTC - 2020 - Corrected
7 pages
GCSE Practice 5,6 Grammar Revision
No ratings yet
GCSE Practice 5,6 Grammar Revision
14 pages
Yoga and MPA
No ratings yet
Yoga and MPA
13 pages
AEROPONICS
No ratings yet
AEROPONICS
2 pages
(Ebook) Dragons' Captive: Her Royal Dragon Pack by Alex Lidell ISBN B0C19J8H7P - Instantly access the full ebook content in just a few seconds
100% (2)
(Ebook) Dragons' Captive: Her Royal Dragon Pack by Alex Lidell ISBN B0C19J8H7P - Instantly access the full ebook content in just a few seconds
72 pages
Effect of High-Pressure Processing On Colour, Texture and Flavour of Fruit - and Vegetable-Based Food Products: A Review
No ratings yet
Effect of High-Pressure Processing On Colour, Texture and Flavour of Fruit - and Vegetable-Based Food Products: A Review
9 pages
BNAP AR 2025
No ratings yet
BNAP AR 2025
2 pages
Blast Furnace
100% (2)
Blast Furnace
91 pages
Midface Fractures PART II
100% (1)
Midface Fractures PART II
64 pages
Santosh BK
No ratings yet
Santosh BK
1 page
An SC 1 - Intro To Animal Science
No ratings yet
An SC 1 - Intro To Animal Science
12 pages
Instant download Practical Ethics for Psychologists A Positive Approach 1st Edition Samuel J. Knapp pdf all chapter
100% (5)
Instant download Practical Ethics for Psychologists A Positive Approach 1st Edition Samuel J. Knapp pdf all chapter
81 pages
Magnetic Effects of Electric Current
No ratings yet
Magnetic Effects of Electric Current
17 pages