David Galbraith and Edmund Terry
The Offshore Industry – Learning From Accidents
David Galbraith, Ocean Structures Limited, Aberdeen, UK
Edmund Terry; Sauf Consulting Limited, London, UK
Introduction
The offshore oil and gas industry has to contend with a number of major hazards which arise
from hydrocarbons being processed on relatively small and congested platforms, with a
consequent risk of fires and explosions, together with a location which can be a hundred miles
or more from the nearest land; the platforms are expected to remain manned and operating
throughout the year and in any weather conditions.
There have, over the years, been a few very serious accidents involving multiple fatalities, the
worst ones being the “Alexander L Kjelland”, the “Ocean Ranger” and “Piper Alpha”.
Despite these major accidents and a significant number of lesser ones the industry’s accident
record compares well with other high hazard industries. This paper describes some of the
learnings from these accidents and some tools used to reduce the likelihood of future
accidents.
Overview of the offshore industry
Worldwide there are some 7000 offshore oil and gas production platforms together with
several hundred mobile rigs used for exploration and development drilling and a considerable
flotilla of marine equipment used to install and support offshore equipment. The first offshore
platforms were located in the US Gulf of Mexico (GoM) and the first “true” platform was
installed in 1947. Although the number of North Sea platforms is only around 600, these
include the biggest, most complex and most exposed to severe weather conditions in the
world.
A typical Northern North Sea production platform is in essence a relatively simple process
plant which is required to separate the fluids from the subsurface reservoir into its main
components of oil, gas and water. The oil and, generally, most of the gas are exported and the
water is disposed of. Everything else on the platform is in support of the central process but
the additional facilities can include:







hotel facilities to accommodate the workforce;
power generation, generally using some of the produced gas as fuel;
Gas compression to allow either export of the gas by pipelines or reinjection of the gas
into the reservoir;
treatment facilities to condition oil and gas such as removal of H2S;
pumps and in some cases storage for oil for export by either pipeline or by shuttle
tanker;
drilling facilities for creating the wells in the first instance and for redrilling;
“work-over” facilities to allow subsurface maintenance and enhancement of the wells;
David Galbraith and Edmund Terry



water treatment and pumping to allow water to be injected into the reservoir to
maintain pressure and hence production;
deck and transportation facilities including cranes and helideck;
all the instrumentation, control and safety systems to allow it all to work.
North Sea platforms can have total topsides weights of up to some 60,000 tonnes and
substructures up to 40,000 tonnes if built from steel or up to 1.5 million tonnes if built from
concrete. 400 or more people can live on the larger platforms.
As a result of the weight and cost of the substructures, in water depths of up to 300 m, real
estate is at a premium and hence offshore platforms are very congested, relative to onshore
facilities with a similar function.
A major difference between the Gulf of Mexico and the North Sea is the weather and sea
conditions. The North Sea is characterised by “vigorous frontal depressions”, these result in
long duration (several days) intense storms. Usual practice in the North Sea is to keep
platforms in production at all times, although certain operations (such as transporting people
and freight) can be disrupted and sometimes production has to be cut back or suspended due
to knock-on effects.
The Gulf of Mexico in contrast is generally benign with some winter storms, except when
tropical cyclones (hurricanes) are present, the hurricane season generally runs between May
and November and on average about 3 hurricanes will occur each season. The hurricanes can
cause huge damage both onshore and offshore, but since usual Gulf of Mexico practice is to
evacuate offshore platforms before a hurricane arrives there has generally been no loss of life
on the platforms.
Major Hazards
The major hazards to an offshore oil or gas production facility include:








loss of well control (blowout);
fires from the process plant;
explosion from the process plant;
H2S and naturally occurring radioactive materials from the reservoir;
extreme weather;
ship collision;
seismic event;.
helicopter or other aircraft impact
Development of design standards for offshore structures
As noted earlier, the first offshore platform in the Gulf of Mexico dates from 1947. Also, as
noted earlier the Gulf of Mexico is characterised by hurricane conditions, and consequently a
platform can be installed for many years before suffering any major storms.
The first hurricane to cause major losses to installations in the GoM was Camille in 1969, and
this resulted in the American Petroleum Institute (API) producing its first edition of its
recommended practice for steel platforms the same year in an allowable stress format
(Working Stress Design or WSD). In 1977 the 9th edition of this standard was a milestone in
that it was the first to provide wave force equations. 2007 saw the 3rd supplement to the 22nd
edition 1 of this standard, this and other API work is a result of GoM platform losses in 2004
and 2005. The first “Load and Resistance Factor Design” (LRFD, similar to limit state design)
David Galbraith and Edmund Terry
edition 2 was produced in 1993 and the 2nd edition of the LRFD is expected in 2010 when it
will incorporate the recently published ISO 19902 3 for fixed steel offshore structures.
Alexander L Kjelland
The Alexander L. Kjelland was a floating semi-submersible installation with 5 vertical
columns providing the main buoyancy, see Figure 1; these columns were braced between to a
framework which supported the accommodation and facilities. In 1980 it was in use in the
Norwegian sector of the North Sea being used as a flotel (floating-hotel) adjacent to the Edda
installation. During a storm at around 1830 hours on 27 March, one of the main horizontal
braces supporting one of the five legs failed 4. The failure of the brace was attributed to a
fracture which had developed around a hole in which a hydrophone, used to aid the
positioning of the rig, had been installed. After the failure of the first brace, the remaining five
braces attached to the leg failed in quick succession causing the leg to break off. The rig listed
to an angle of about 35 degrees, partially submerging the main deck and accommodation
block.
During the following quarter of an hour, a number of attempts were made to launch lifeboats,
with only two of the seven lifeboats launched successfully. Three of the lifeboats were
smashed against the rig's legs as result of the storm winds and waves whilst being lowered,
leading to a number of casualties. During this time water flowed into another two of the legs,
leading to the failure of the last anchor line and the capsizing of the rig.
The crew had little protection for the weather conditions, and in particular for the very cold
water, and 123 of the 212 men on the rig died in the first major offshore disaster in the North
Sea.
This disaster led to improvements in evacuation and survival equipment and an enhanced
awareness of the significance of fatigue in some parts of the world.
Figure 1 – Pentagon Semi-submersible similar to Alexander L Kjelland and one of the
columns following the disaster
A sister vessel to the Alexander L Kjelland is the Buchan production platform, now operated
by Talisman and in an extended life phase. This platform receives close attention from both
the operator and from the regulator to ensure that any defects that could affect its integrity are
found early.
David Galbraith and Edmund Terry
Ocean Ranger
The Ocean Ranger was another semi-submersible mobile unit, but with 8 vertical columns, 4
sitting on each of two parallel pontoons. It was drilling an exploration well in the Grand
Banks area, East of St. John's, Newfoundland in February 1982.
The Ocean Ranger was one of the largest semi-subs working offshore in the early 1980s,
approved for 'unrestricted ocean operations' and designed to withstand extremely harsh
conditions at sea.
A forecast storm arrived at the site in the evening of 14th February, radio messages between
the Ocean Ranger and 2 other semis near by reported a broken portlight and water in the
ballast control room, and later that ballast control valves were opening and closing by
themselves, but otherwise no immediate concern was reported by the Ocean Ranger.
At 00:52 the following morning the Ocean Ranger issued a Mayday call, reporting a severe
list and requesting immediate assistance. The Ocean Ranger’s standby vessel was joined by
the standby vessels from the other two semis and at 01:30 the Ocean Ranger issued its last
message that the crew were going to lifeboat stations. The crew abandoned the semi in
atrocious weather and it sank some 90 minutes or so later. Although 36 crew members got
into a lifeboat and another 20 or more were seen in the water the entire crew of 84 died due to
hypothermia and drowning.
Figure 2 – Ocean Ranger prior to the accident
The United States Coast Guard Marine Board of Investigation report 5 into the Ocean Ranger
sinking summarised the chain of events leading to the loss of the Ocean Ranger as follows:







a large wave appeared to cause a broken portlight which allowed the ingress of sea
water into the ballast control room;
the ballast control panel malfunctioned or appeared to malfunction to the crew;
as a result of this malfunction or perceived malfunction, several valves in the rig's
ballast control system opened due to a short-circuit, or were manually opened by the
crew;
the Ocean Ranger assumed a forward list;
as a result of the forward list, boarding seas began flooding the forward chain lockers
located in the forward corner support columns;
the forward list worsened;
the pumping of the forward tanks was not possible using the usual ballast control
method as the magnitude of the forward list created a vertical distance between the
David Galbraith and Edmund Terry




forward tanks and the ballast pumps located astern that exceeded the suction available
on the ballast system's pumps;
detailed instructions and personnel trained in the use of the ballast control panel were
not available;
at some point, the crew blindly attempted to manually operate the ballast control panel
using brass control rods;
at some point, the manually operated sea valves in both pontoons were closed;
progressive flooding of the chain lockers and subsequent flooding of the upper deck
resulted in a loss of buoyancy great enough to cause the rig to capsize.
A Canadian Royal Commission 6 concluded that the Ocean Ranger had design and
construction flaws, particularly in the ballast control room, and that the crew lacked proper
safety training, survival suits and equipment.
Piper Alpha
The most significant disaster in the history of offshore production is undoubtedly Piper Alpha,
which has had far reaching implications on how oil and gas operations are conducted all
round the world. It was a large fixed steel platform producing in the Northern North Sea.
Figure 4 – Piper Alpha before and after the accident
On 6 July 1988 there was a massive leakage of gas condensate which was ignited causing an
explosion which led to large oil fires 7. The heat ruptured the riser of a gas pipeline from
another installation. This produced a further massive explosion and fireball that engulfed
Piper Alpha. All this took just 22 minutes. 167 people died, including the 2 man crew of a fast
rescue boat despatched from a standby vessel, 62 people survived.
It is believed that the leak came from pipework connected to a condensate pump. A safety
valve had been removed from this pipework for overhaul and maintenance. The pump itself
was undergoing maintenance work. When the pipework from which the safety valve had been
removed was pressurised at start-up following a shift change, the first leak occurred.
The disaster occurred in the middle of summer with long hours of daylight and with a very
rare almost flat sea. All of the survivors jumped or climbed down into the sea, including some
who jumped from the helideck. If the accident had occurred during more usual conditions the
number of fatalities would have been even higher.
As details of the causes of the disaster emerged every offshore Operator undertook wideranging assessments of their installations and management systems 8. These included:
David Galbraith and Edmund Terry






Improvements to "Permit to work" management systems
Relocation of some pipeline emergency shutdown valves
Installation of subsea pipeline isolation systems
Mitigation of smoke hazards
Improvements to evacuation and escape systems
Initiation of Formal Safety Assessments
The Industry invested in the order of £1 Billion on this and other safety work before Lord
Cullen's Public Inquiry into the disaster reported.
Lord Cullen 7 made 106 recommendations. Responsibilities for implementing them were
spread out. The Health and Safety Executive (HSE) was to oversee 57 of these (Prior to the
disaster the Department of Energy was responsible for both production and safety). The
Operators were responsible for 40. Eight were for the whole industry to progress and the last
was for the Standby Ship Owners Association. Industry acted urgently to carry out the 48
recommendations that Operators were directly responsible for. By 1993 all had been acted
upon and substantially implemented.
At the same time the HSE developed and implemented Lord Cullen's key recommendation,
the making of regulations to require that the Operator/Owner of every installation should be
required to submit to the HSE, for their acceptance, a Safety Case which demonstrated that
the Company had:





adequate Safety Management Systems;
identified risks and reduced them to as low as reasonably practicable;
put management controls in place;
provided for temporary safe refuge to be available; and
made provisions for safe evacuation and rescue.
The Temporary Refuge is designed to provide a period of protection, allowing personnel to
muster in safety while an accident is being assessed, and a decision is taken on whether or not
to abandon the installation. The Temporary Refuge is equipped with, amongst other things,
command, communication, monitoring, mustering and medical facilities.
Chinook crash near Sumburgh and Super Puma crash at Cormorant
There have been a number of helicopter accidents related to offshore operations around the
world, however two of these will be noted here, the Chinook crash because of the number of
fatalities resulting from it and the other because it took place a few years after the Piper Alpha
disaster and in bad weather.
On 6th November 1986 a Chinook helicopter was returning to Sumburgh in the Shetland
Islands having been delivering and collecting passengers and freight from the Brent field
platforms 9. Having been cleared to land it was only 4 km from Sumburgh and at a height of
about 100 m, when it suffered a catastrophic failure of the from gearbox which lead to the
front and rear rotors colliding and a nose dive of the aircraft into the sea
Of the 43 passengers and 2 crew members on the aircraft only 2 passengers survived the crash
after being rescued by a coastguard helicopter which arrived on the scene within minutes of
the crash.
Although there was never widespread use of Chinooks in the North Sea (mainly because most
helidecks are not big enough to allow them to land) there had been at least one previous
incident with one putting down in the sea. Following the Sumburgh crash they were restricted
David Galbraith and Edmund Terry
to freight operations before being fully withdrawn from North Sea service. The gearbox in the
civilian version of the aircraft was different from that in the military versions.
Figure 5 – The Chinook lost at Sumburgh and a Super Puma of the type lost at
Cormorant A (Note the Chinook was operated by BIH at the time of the accident)
The Super Puma crash 10 in March 1992 was carrying 15 passengers and two crew members
from the Cormorant Alpha platform to the “Safe Supporter” accommodation vessel lying
alongside – a distance of 200 m with a flight time of less than 1 minute. 5 passengers and 1
crew member survived. Transfers between the Platform and the flotel were normally along a
bridge, but this had been disconnected and the flotel moved away from the platform because
of the stormy weather.
A contributory cause seems to have been the decision of the aircraft commander to take the
shortest route between the two installations meaning that the captain would have to take off
and the co-pilot would have to land so that each had the necessary visibility for his part of the
flight. A rapid descent from the platforms helideck to the flotel combined with the turn seems
to have resulted in a “vortex ring condition” similar in effect to a stall of a fixed wing aircraft.
"The handling pilot who was also the commander performed a rushed and hazardous flight
manoeuvre which resulted in the crash into the sea. A number of factors including possibly
some frustration and fatigue, may have led him to rush this manoeuvre."
As a result of this accident Shell and some other operators instituted an adverse weather
policy to prohibit helicopter flying is such that rescues would be hampered.
Other major platform losses
In terms of numbers of installations lost, the vast majority are either without loss of life or
with few fatalities associated. For example in 2004 and 2005 Hurricanes Ivan, Katrina and
Rita passed through the Gulf of Mexico, and as a result of the waves associated with these
hurricanes some 160 installations of different types were lost. One of the perennial problems
in offshore engineering is determining “metocean” conditions with different probabilities. We
believe that in the past we have overestimated wave heights for the North Sea, but have
historically underestimated them in the Gulf of Mexico.
In other parts of the world platforms have been lost as a result of fires and explosions, such as
the Petrobras P-36 offshore Brazil following a gas explosion in a column of a floating
platform in March 2001 and the BHN platform in India’s Bombay High field following a
collision between a support vessel and a gas export pipe on the platform in July 2005. Shortly
before the P-36 incident Petrobas management were proclaiming the savings they had made
by having a “more streamlined” review and approval process than is usual.
These events had immense financial consequences for oil and gas production from their
respective areas.
David Galbraith and Edmund Terry
Texas City
Although not an offshore accident it is worth noting the accident at BP’s Texas City refinery
in March 2005 as the facility was operated by a major oil company that believed it used the
same standards for all its operations. There were a complex series of events that lead to the
accident in which raffinate vapours were ignited following loss of level control in a splitter
column. 15 people died and over 170 were injured in the explosions and their aftermath.
In many ways this accident mirrored some of the causes of Piper Alpha. In the case of Texas
City there was a lack of understanding of the effects of budget cuts at senior management
level and a belief that their safety standards and procedures were much higher then they
actually were. Lack of experience in the operations staff was a major cause of the incident and
the inappropriate location of some temporary offices in a high hazard area. An excellent video
is available online from the US Chemical Safety Board 11 of the events leading to the
explosion with universal lessons to be learned.
The UK Safety Case regime
The safety case is the demonstration of a risk based regime where operators (Duty Holders)
define the hazards they consider their installation is vulnerable to and then demonstrate how
they manage those hazards.
The first step in this management process is to identify hazards; embedded into the duty to
manage the hazards is a requirement to manage not only the hazards themselves but also any
escalation arising from them. When the regulatory regime is prescriptive and dependent either
on explicit requirements in regulations or referenced standards, there is actually a reduced
demand for gathering knowledge and learning. The operators follow accepted standards and
dislike departing from those requirements in case they become liable for a subsequent
incident. Therefore the prescriptive regime provides few incentives to learn and change, that
is not say that changes do not happen because they are often seen! In areas of prescriptive
regulation, the associated legislation can and does change as do the referenced standards; the
point is about incentive and timescale. Achieving an industry consensus based upon an
international or industry standard takes time, changing specific regulations takes time. Thus
lessons may be learned but are not necessarily acted upon.
The risk based regime positively exhorts the operator to illustrate that their hazards and
hazard management systems are current; otherwise they are failing to manage hazards. Part of
this demonstration of achievement is identifying where one’s knowledge falls short, thus the
operators in a risk based regime have an incentive to monitor latest knowledge and more
importantly to demonstrate how they implement it. This approach also puts a burden on the
regulator, it is not solely due to the operator to collate the data and assimilate the
ramifications, one operator is unable to collate all the data, whereas the regulator is perfectly
positioned to act as a repository for all accident data. In the UK offshore sector safety notices
produced by the regulator capture the latest information arising from an incident. However,
the operators also collaborate to gather information on recent incidents (and near misses) and
many of the major operators freely share these safety alerts with other operators.
Thus the safety case or risk based regulatory regime has actively encouraged the gathering
and sharing of knowledge.
Assessment techniques
Interrogating the causes and contributors is the first step towards identifying the lessons to be
learned.
There are traditional approaches adopting analysis techniques such as Fault-Trees, Event
Trees or even Hazard and Operability Studies and retrospectively applying them. Just as they
David Galbraith and Edmund Terry
may be applied in combination during the design phase, they can also be applied in
combination retrospectively, this is usually referred to as the Bow-Tie diagram (see figure 6).
One can then learn from the incident about the manner in which the protective barriers failed
and whether this should have been anticipated or not.
Figure 6 – Example bow-tie diagram
The failures arising from organisational failure are more elusive, but their results are
nonetheless extremely tangible, as can be seen from Piper Alpha 7 and Texas City 11.
With respect to failures arising from organisational failure, the authors have been working
with others 12 to 16 to develop a tool-kit for assessing organisational behaviour, and this tool kit
can be applied retrospectively just as for the techniques described above.
The Capability Maturity Modelling 12, 13 tool measures the business processes that an
organisation undertakes to carry out its business. It places those businesses (or rather the
processes) on a scale that rises from 1 (Initial or Ad Hoc) to 5 (Optimised), see Table 1.
Table 1 – Capability maturity levels
Maturity
Description
5
Optimised
“Best practice”, capable of learning and adapting
4
Managed
Controls management processes, sets and monitors requirements
3
Defined
States goals, practices and procedures
2 Repeatable Repeats but cannot necessarily define what it does
1
Initial
Limited experience, still learning and developing
David Galbraith and Edmund Terry
The lessons learned arise from a reversal of the maturity modelling process, whereby we
normally look at potential improvement steps; we can now look at failures of processes and
see how these failures contributed to the incident.
There is a further technique within this “suite of tools” that lends itself particularly well to
lessons learned, the analysis of distributed problem solving or distributed cognition. The tool
was developed from analyses of accidents 14, 15, 16.
The essential principle of distributed problem solving is that, when people solve problems, it
is not just their own thinking that determines the solution. They import partial solutions from
their surroundings, by replicating other people's behaviour, by conforming to custom and
practice, by following organisational procedures, by using particular tools and so on.
Sometimes they follow a routine they have watched other people perform. Sometimes they
follow a code of practice developed in the past. Sometimes they read an instrument on the
basis that it works in the same way as instruments they have formerly encountered.
The model accumulated about 30 distinct ‘assumptions’ which were identified as having
contributed to incidents or accidents. There were 3 main ‘assumption’ categories:



appropriate organisation assumption;
knowledgeable individual assumption;
reasonable system assumption.
The latter is the most relevant to designers as it contains assumptions about the designed
system. However, all are valuable for providing an interrogative basis.
To implement this process of interrogation, the team generated a database or HTML
application that the HSE is in the process of issuing to interested parties, see Figure 7.
Figure 7 – Part of the Distributed Cognition tool for the HSE
David Galbraith and Edmund Terry
In summary, there are a number of tools for analysing what went wrong and how to extract
information from the knowledge gained. However, the interpretation of information is a fine
art and currently there exists no substitute for scientific and engineering experience. The
offshore industry in the UK in particular is seen as a “sunset” industry, and just a few years
ago was not attracting young engineers and scientists. At the time of writing, the UK Prime
Minister is meeting with senior industry figures to see what can be done to extract more oil
and gas from the UK sector to ease the growing cost of energy (not to mention oil as a raw
material). Recruiting and training the right young engineers may help the industry continue
but bitter experience is needed for extracting the most information from an incident and
translating that information into a coherent lesson for others.
Over recent years the UK HSE has been assessing the condition of the UK platforms with
their “KP3” initiative 17, which has lead to increased inspections.
Conclusions and recommendations
The offshore oil and gas industry has suffered a significant number of losses of platforms,
several of which have been major disasters in terms of loss of human life, however it can been
seen that learnings have followed these accidents and disasters.
The biggest disaster, Piper Alpha, led directly to a change in how safety is addressed in the
North Sea, shifting the onus of responsibility for safety the operator or duty holder rather than
relying on a series of prescriptive requirements, not all of which were originally targeted at
offshore operations. The duty is required to demonstrate a “case for safety” for his
installations. The success of the safety case regime is shown by the adoption of variations of
the concept in many other jurisdictions.
Organisations can, however, become complacent and senior management can believe that
they are running a much safer organisation than is really the case. Each of the major accidents
has been the result of a particular set of circumstances that is unlikely to be repeated so
organisations’ safety cultures and methods for identifying hazards and the corresponding risks
become particularly important.
Whereas much of the expertise for assessing risks can be provided by consultants it is
important that the operator retains sufficient competence to both call on expertise when
necessary, and interpret and act on advice when given.
Equally, even in a safety case regime, it is important that the regulator’s personnel are
competent, fully conversant with industry issues and will take the lead in pushing for
enhanced understanding. A complacent regulator adds nothing to the safety of the operations
being regulated and any accident represents a failure not only of the operator but also of the
regulator.
There have been failings in recent years in the North Sea, particularly related to asset integrity
management, but these have been recognised and the situation is improving
References
1
API RP2A WSD, Recommended practice for Planning, Designing and Constructing
Fixed Offshore Platforms—Working Stress Design, 1st edition, American Petroleum
Institute, 2007
2
API RP2A LRFD Recommended practice for Planning, Designing and Constructing
Fixed Offshore Platforms—Load and Resistance Factor Design, 1st edition, American
Petroleum Institute, 1993
3
ISO 19902:2007; Petroleum and natural gas industries, Fixed steel offshore structures.
David Galbraith and Edmund Terry
4
The Alexander L. Kjelland accident, report of a Norwegian public commission,
March, 1981
5
United States Coast Guard: Marine Casualty Report, Mobile Offshore Drilling Unit
“Ocean Ranger”, Report USCG 16732/0001 HQS 82
6
Royal Commission on the Ocean Ranger Marine Disaster (Canada). Hearings Toronto,
1984
7
The Public Inquiry into the Piper Alpha Disaster, The Honourable Lord Cullen, HM
Stationery Office, 1990
8
Oil & gas UK web site, http://oilandgas.org.uk
9
Report No: 2/1988. Report on the accident to Boeing Vertol (BV) 234 LR, G-BWFC
2.5 miles east of Sumburgh, Shetland Isles, 6 November 1986, Air Accidents
Investigation Branch, 1988
10
Report No: 2/1993. Report on the accident to AS 332L Super Puma, G-TIGH near the
Cormorant 'A' platform, East Shetland Basin, on 14 March 1992, Air Accidents
Investigation Branch, 1993
11
http://events.powerstream.net/002/00174/player/iPlay.asp?contID=BPTexasCity
12
Sharp, J.V., Strutt, J.E., Busby, J.S. and Terry, E.: Measurement of Organisational
Maturity in Designing Safe Offshore Installations, Offshore Marine and Arctic
Engineering Conference, Paper 28421,Oslo 2002.
13
Sharp, J.V., Strutt, J.E., Terry, E., Galbraith, D.N. and Miles, R.: Further
developments of the Capability Maturity Model to monitor activities supporting the
offshore industry, Hazards XIX 2006
14
Busby, J.S., Sharp, J.V., Strutt, J.E., Terry, E., Hughes, E.J. and Miles, R.: Distributed
Problem Solving and Offshore Accidents, ERA Major Hazards Onshore and Offshore
2002
15
Busby, J.S., Terry, E., Sharp, J.V., Strutt, J.E., Lemon, C. and Miles, R.: Distributed
Problem Solving and Offshore Accidents, ERA Major Hazards Onshore and Offshore
2003
16
Busby, J.S., Hughes, E.J., Sharp, J.V., Strutt, J.E. and Terry, E.: Distributed Cognition
and Human Factors Failures In Operating And Design Processes, Hazards XVI 2001.
17
Health and Safety Executive Hazardous Installations Directorate, Offshore Division,
Key Programme 3, Asset Integrity, KP3 Handbook, 2007