An Organization’s Documented Evidence to Provide a Convincing and Valid Argument that a System is Adequately Safe

Organizations are obliged to produce documented evidence that their systems of operation, at any of their installations or facilities, are adequately safe. This document is known as a safety case or safety report. In some countries this is a legal requirement, but whether it is a legal requirement or not, it is still regarded as best practice and essential.

Where documented evidence is used

Safety case and safety reports: an introduction

For offshore installations, there are regulations in the UK which are specific to the offshore oil and gas processing industry. These are the Offshore Installations (Safety Case) Regulations (OSCR) 2005. These regulations set out specific requirements to provide evidence and information that present a clear, comprehensive and defensible argument that a system is adequately safe to operate in a particular context. The document produced to provide this evidence is called a “safety case”.

For onshore installations, there are regulations in the UK which are specific to the onshore oil and gas processing industry. These are the Control of Major Accident Hazards Regulations 1999 (COMAH) and their amendments 2005. Again, the regulations set out specific requirements to provide evidence and information that present a clear, comprehensive and defensible argument that a system is adequately safe to operate in a particular context. The document produced to provide this evidence is called a “safety report”.

Similar legislation exists in some other countries around the world. However, for those countries that don’t have specific legislation, similar standards exist because of the globalized nature of the oil and gas industry.

Regardless of which part of the world production activity is being undertaken, or what regulations apply, the requirements are very similar. Those requirements are that an organization should have in place a documented body of evidence to provide a convincing argument that a system is adequately safe to operate.

This is achieved by the provision and submission to the regulatory authority, where required, of a safety case or safety report.

The purpose of documented evidence such as safety cases and safety reports

Organizations are required to submit a safety case or safety report for each installation or facility they own or operate. This takes the form of a report which demonstrates the level of safety applied to that installation or facility. It has to be updated as required to reflect any changes in operational conditions.

Read also: Common Hazards and Risk Assessment in Oil and Gas Industry

The safety case or safety report covers all aspects of health and safety on an installation/facility. It is submitted at the planning stage and remains in place throughout the lifespan of the installation/facility until it is decommissioned. It is reviewed at five-yearly intervals by the enforcing authority, or sooner if requested. It should also be reviewed if there are significant modifications to the operation of the installation/facility.

The typical content of documents such as safety cases and safety reports

Let’s look at offshore requirements first, and what is involved in writing a “safety case”.

Offshore safety case

The safety case will be assessed by the enforcing authorities and evaluated in line with certain principles. These principles also reflect the structure and content of the safety case.

The three overriding principles to be demonstrated in a safety case are:

1. The management system is adequate to ensure compliance with statutory health and safety requirements; and for management of arrangements with contractors and sub-contractors;
2. Adequate arrangements have been made for audit and for audit reporting;
3. All hazards with the potential to cause a major accident have been identified, their risks evaluated, and measures have been, or will be, taken to control those risks to ensure that the relevant statutory provisions will be complied with.

The underlying principles are as follows

Factual information

The safety case will include factual information about the installation itself, the plant and systems used, its location and external environment. It should also cover the activities to be carried out on, or in connection with, the installation. Each piece of information will be linked to all identified hazards associated with the information and which have the potential to cause a major accident.

Management of health and safety

The safety case should show how the management system will apply appropriate levels of control during each phase of the installation’s life cycle. This will include the design, construction, commissioning, operation, decommissioning and dismantlement stages.

Control of major accident hazards

The safety case should demonstrate that all hazards with the potential to cause a major accident have been, or will be, identified, their risks evaluated and that measures have been, or will be, taken to control those risks.

Major accident hazard identification

The safety case will show how a systematic process has been, or will be, used to identify all reasonably foreseeable major accident hazards that are applicable to the installation. This will include identifying the initiating events or sequences of events related to those identified hazards.

Major accident risk evaluation

The safety case will clearly show what criteria have been, or will be, adopted for major accident risk assessment, including the methods used and the evaluation process applied. These will include:

• That particular attention has been, or will be, paid to instances or areas that have been identified where people may be exposed to significantly higher risks in comparison to the installation as a whole;
• How the evaluation has, or will, consider people as both a key element in safe operation as well as a potential cause of major accidents and their escalation;
• That adequate consideration of uncertainty has been, or will be, taken into account when presenting quantitative and qualitative risk assessment arguments;
• That the relative merits of engineering judgement and good practice have been, or will be, adequately considered;
• That the process of identifying risk reduction measures is systematic and takes into account new knowledge. Furthermore, what the reasoning was behind the choice of risk reduction measures;
• That proposed measures to reduce risk have timescales applied;
• Major accident risk management;
• The safety case should describe what measures will be taken to manage major accident hazards. These will include;
• An explanation as to how inherently safer design concepts have been, or will be, applied in the decision-making process relating to design;
• What measures are in place to prevent major accident hazards during the installation’s current phase of operation and the activities associated with it;
• What measures are provided for detecting events that require an emergency response;
• What control and mitigation measures will be provided to protect personnel from the consequences of a major accident. Also, how they will take account of likely conditions during an emergency. Finally, what measures and arrangements have been made for managing an emergency;
• What arrangements have been made to ensure that the Temporary Refuge (TR) will provide sufficient protection to enable people to muster safely;
• What arrangements and provisions have been made to ensure that the integrity of the Temporary Refuge (TR) is not compromised by any of the hazards identified in the risk assessment. Also, how long this integrity has been designed to be maintained for;
• Demonstrate that the evacuation and escape arrangements have been integrated in a logical and systematic manner. Also, that they take into account the potential worst environmental conditions in which they may need to be undertaken.

Rescue and recovery

The safety case should demonstrate that effective rescue and recovery arrangements have been planned for to cope with major accidents.

Life cycle requirements

The safety case should include a design notification, which describes how the principles of risk evaluation and risk management are being applied to the design to ensure that major accident risks will be controlled. This should include well engineering aspects, especially those that refer to well operations before the start of facility operations.

Combined operations

The safety case should demonstrate how the management system addresses the additional risks associated with combined operations.

These will include:

• Demonstration of a systematic approach to assessing the impact of combined operations on the conclusions of the operational safety case for each installation;
• Demonstration of a systematic approach to identify and assess any additional major accident hazards arising from combined operations.

Decommissioning and dismantlement

When the installation is reaching the end of its working life, the safety case will have to be revised to deal with decommissioning or dismantlement operations. At that point the safety case revision will include a description of the sequence of events from cessation of production to dismantling of the structure. The safety case will also include a description of the extent and availability of safety systems during decommissioning or dismantlement operations.

Any major accident hazards identified from the decommissioning or dismantlement operations will be identified in the safety case, as well as how the management system will maintain effective control during these periods.

Availability

The document should be made available to anyone on the installation.

Safe design concept

As we’ve mentioned, the report is required to include an explanation of how inherently safe design concepts were considered and applied. This requirement not only applies to when the installation was at the design stage but also at other stages in the life of the installation.

In order to ensure an inherently safer design, the design process should incorporate at a very early stage a hazard management strategy. This should include consideration of:

• The concept selection, e.g.:
  • a platform or subsea development;
  • attended or unattended wells;
  • floating or fixed wells;
  • multiple or single structures;
  • the pre-drilling of wells;
• Where the installation should be located and its orientation;
• The substitution of hazardous substances and processes by less hazardous ones;
• The segregation of hazards;
• Reducing the complexity of the design;
• The reduction of subsea uncertainty (e.g. the use of seismic surveys);
• The location and routing of the riser;
• Making allowances for human factors (e.g. by designing in fail-safe features);
• The selection of materials;
• The Crew Evaluation Test online about Corrosion Protection I and IIcorrosion, erosion and stress concentration in the design;
• How the design can allow for inspection and maintenance.

Safety Management System (SMS)

The Safety Management System (SMS) is at the heart of the safety case. Once the aspects previously mentioned are implemented, it can be demonstrated that the management of safety incorporates a risk based approach, and that this is the basis of a safety management system.

The safety case should show that the safety management system is compliant with relevant statutory provisions.

The safety case should include the following elements in the descriptions of the management system in order to demonstrate that the system is adequate:

• Policy setting:
  • outlining the policy and its objectives;
  • demonstrating corporate acceptance of responsibility;
• Organization:
  • the structure of the organization;
  • demonstration of its accountability;
  • demonstration of its safety culture;
  • demonstration of how professional health and safety advice will be shared;
  • demonstration of how the workforce will be encouraged to be involved;
  • outlining of the risk assessment systems;
• Planning and standards:
  • outlining the standards and procedures for controlling risks, including workload and working hours;
  • outlining the permit-to-work system and where it will be applied;
  • outlining how competency and training will be implemented;
  • outlining how key personnel will be selected;
  • outlining how control of change will be implemented;
  • outlining how contractors will be selected and controlled;
  • outline the planning and control for emergencies;
  • outlining how occupational health will be managed;
• Performance measurement:
  • outlining how the recording and Investigating Incidents, effective identification of the root causes and making recommendations for improvementinvestigation of incidents will be implemented;
  • outlining how active monitoring will be implemented;
• Audit and review:
  • outlining the auditing process;
  • outlining when and how any review will be applied and the process for learning lessons.

The safety management system should demonstrate an appropriate level of control during each phase of the installation’s life cycle. This will include the design, construction, commissioning and operation as well as the decommissioning and dismantlement phases.

The safety management system should clarify who is in charge of activities during normal operating conditions and in emergency situations. This would include the arrangements for communications between the “responsible persons” both on and offshore.

The safety management system should take account of:

• The levels of authority;
• Performance standards;
• How to deal with exceptional conditions;
• Any lessons learned from previous incidents.

In the situation where an installation is working in combination with another installation or vessel, the safety case should summarize any arrangements which have been put in place to co-ordinate both parties with the safety management system of the installation.

Let’s now look at onshore requirements and what is involved in writing a“safety report”.

Onshore safety report

The safety report will be assessed by the enforcing authorities and evaluated to ensure it meets the requirements of the legislation.

The safety report is split into five main sections:

1. Descriptive information;
2. Information on management measures to prevent major incidents;
3. Information on potential major incidents;
4. Information on measures to prevent or mitigate the consequences of a major incident;
5. Information on the emergency response measures of a major incident.

Its content will be similar to that set out below:

Section 1 – descriptive information

An overview of the facility and its activities. The overview will give a general outline of the installation itself, what activities are carried out, and what products it uses and produces. It will also include the identified major incident scenarios and the measures in place for protection and intervention. Information about dangerous substances in use at the facility.

This will show:

• The maximum quantities of dangerous substances likely to be present on the site at any time;
• The chemical name of each and every type of dangerous substances involved in the process system;
• The physical and chemical behaviour and/or characteristics of each type of dangerous substance including, where relevant, flashpoint, flammable limits, vapour pressure, density, etc.;
• The potential harm, either immediate or delayed, which could be caused by these dangerous substances, e.g. an asphyxiant, flammable, harmful to the environment, etc.

Information about the surrounding environment. A description of the surrounding environment including use of the land or activities conducted in the surrounding land, the extent and location of population, the location of significant buildings and infrastructure (e.g. hospitals, schools, road networks, etc.) and water extraction points.

A map of the area usually forms part of this section. This will also show the extent of the area to be affected by the worst case scenario.

Section 2 – information on management measures to prevent major incidents

Major Accident Prevention Policy (MAPP). The Major Accident Prevention Policy (MAPP) sets out the policy on the prevention of major accidents and it should outline the following:

• Description of the Safety Management System (SMS);
• Roles and responsibilities of all key personnel;
• Training requirements to maintain competency levels as well as making good any identified shortfalls in competency levels;
• Hazard identification and risk assessment process;
• Procedures and instructions for the safe operation of plant;
• Design and any subsequent modification of the site;
• Identification of all foreseeable emergency scenarios and preparation for them;
• Accident investigation procedures;
• How compliance will be measured;
• Review and audit frequency and procedures;
• When, and under what circumstances, the Major Accident Prevention Policy (MAPP) is required to be updated.

Section 3 – information on potential major incidents

This section describes the processes and scenarios that could lead to a major incident occurring. This will include details about the processes, the areas of the facility likely to be affected and the scenarios identified as plausible.

Section 4 – information on measures to prevent or mitigate the consequences of a major incident

This section describes the facility, the plant and the equipment in context of how major incidents can be prevented or mitigated. This will include details on operating parameters and what measures are in place to ensure they are not exceeded, emergency shutdown elements, detection equipment, fire-fighting arrangements, emergency evacuation and temporary refuge arrangements, etc.

All these elements will be categorized into either:

• Inherent safety measures;
• Prevention measures;
• Control measures;
• Limitation measures.

This section then expands to describe how safety and reliability have been built into the facility.

Section 5 – information on the emergency response measures of a major incident

Onsite emergency plan. This section describes the protection and intervention measures which are included in the onsite emergency plan. This will include

• What equipment there is to limit the consequences of a major incident;
• What arrangements there are for alerting and intervening in an emergency;
• What onsite and offsite resources are available;
• What arrangements have been made to ensure all the resources and other equipment are maintained to an acceptable standard;
• What arrangements there are for the training of personnel in emergency response;
• What arrangements there are for testing the emergency plans.

Offsite emergency plan. This section describes the arrangements for involving external emergency services and agencies.

This will include:

• Details of the site including its location, roads and access points;
• A site plan showing key facilities such as control centres, medical centres, main process plants and storage areas;
• Details of site personnel;
• Details of offsite areas likely to be affected by a major incident as well as levels of harm/damage possible. This will include types of buildings, population density, sensitive buildings, drainage detail, etc.;
• Details of dangerous substances on site including types of substances, quantities, hazardous properties, location, etc.;
• Details of any relevant technical advice;
• Details of equipment and resources that are available for fire-fighting purposes;
• The function of key posts with duties in an emergency response, their location and how they can be identified;
• An outline of the initial actions to be taken in case of an emergency situation, such as warning the public, setting up emergency facilities such as a control room, etc.

Revision questions for element 1 continued