SafetyCaseGuidelines PDF
SAFETY AUTHORITY
SEPTEMBER 2004
the Preparation and Submission of Facility Safety Cases, 2nd edition, August 2000, ISBN 0 642
72091 6; and Guidelines for the Preparation and Submission of Mobile Offshore Drilling Unit
Part one explains the legislative framework, provides detailed guidance on the Safety Case
Regulations, and explains the administrative processes associated with submission,
assessment and acceptance of Safety Cases;
Part two provides detailed guidance for assessment of Safety Cases, addressing the Safety
Case as a whole, and also its constituent parts: the descriptions of the Facility, the Safety
Management System and the Formal Safety Assessment; and
TABLE OF CONTENTS
Part 1: Guide to the Legislation
2.1 Introduction
2.2 Preliminary
2.6 Validation
2.8 Miscellaneous
3.1 Introduction
3.4 Construction Facilities
4.1 Pre-Submission
Introduction
2.1 Introduction
Preparation and Assessment Principles for the Overall Safety Case Process
Facility Description
3.1 Introduction
4.1 Introduction
Preparation and Assessment Principles for the Formal Safety Assessment
References
Introduction
The principal legislative instruments governing petroleum activities offshore Australia are the
Petroleum (Submerged Lands) Act 1967 of the Commonwealth, and the Petroleum (Submerged
Lands) Act 1982 of each State and of the Northern Territory. However, to simplify the regime,
the Offshore Constitutional Settlement of 1975 requires that the PSLA 1982 of each State and of
NT be made consistent with the PSLA 1967 of the Commonwealth, so far as possible within the
legal constraints of each jurisdiction.
More generally, Australian law applies offshore in accordance with the Constitution. Thus laws
that address matters assigned to the Commonwealth by the Constitution - taxation, immigration,
customs, etc. - apply throughout the offshore area, both within and outside the 3 Nm limit. At
the same time, laws that address matters assigned to the States and Territories by the
Constitution - which normally include OHS laws - apply for the first 3 Nm only.
However, to create a complete set of laws for offshore petroleum activities, sections 9, 11 and
140H of the Commonwealth PSLA apply all laws of a State or Territory to petroleum activities in
the adjacent waters, beyond the 3 Nm limit. Thus there is a complete set of laws in all offshore
petroleum activities, and these laws are consistent throughout the waters off a particular State or
off the Northern Territory.
1.2.2
The following sets out a brief history of the OHS laws applying to Australia's offshore petroleum
activities. In reading this section, it should be noted that (as discussed later) some of the laws no
longer apply.
Health and Safety (Commonwealth Employment) Act 1991. The Petroleum (Submerged Lands)
(Occupational Health and Safety) Regulations 1993 were also introduced, again based on
Commonwealth Employment legislation, which supported Schedule 7 by setting out detailed
procedures for compliance.
A State or NT could apply their OHS law to petroleum activities, both within and outside the 3
Nm limit, using the option under Section 140H for Commonwealth waters. Victoria and
Northern Territory adopted this option.
A State or NT could apply Schedule 7 outside of the 3 Nm limit, and make a Direction to
apply equivalent law within 3 Nm. Western Australia adopted this option, using a Schedule of
Performance-Based Regulations
Since 1993, the Commonwealth has worked to reduce the level of prescription under the PSLA
1967. In relation to OHS, a number of the Directions in the Specific Schedule have been revoked
with the progressive introduction of these performance-based regulations:
By 1 January 2005 the States and NT will mirror all these regulations, and Directions related to
OHS will have been revoked, thereby forming a single performance-based OHS regime.
1.2.3
The PSLA 1967 initially established two administrative decision-making bodies for the offshore
petroleum industry - a Joint Authority and a Designated Authority.
A State or the Northern Territory Minister is the Designated Authority (DA) for the Commonwealth
waters adjacent to the individual State or the Northern Territory, whilst the Commonwealth
Minister responsible for resources and the relevant State or Northern Territory Minister together
comprise the Joint Authority (JA) for that area [1].
The JAs were established as the principal decision making bodies to administer the offshore
petroleum legislation in the waters off each State and the Northern Territory, whilst the DAs took
any necessary day-to-day action to apply and enforce the legislation:
The JA grants titles to explorers and developers, determining conditions and monitoring
these, thus providing a legal basis for companies' offshore petroleum activities.
Each DA handles the day-to-day operational and administrative matters relating to petroleum
activities in each adjacent area.
For the Territory of Ashmore and Cartier Islands - the only external territory of Australia where
there is petroleum activity - there is no JA. In this case the Commonwealth performs the
equivalent functions of both JA and DA, but for reasons of practicality the NT DA performs day-to-day functions on behalf of the Commonwealth.
Except in relation to OHS, the arrangements described above remain in place from 1 January
2005. However, from that date the DAs will cease to administer and enforce the OHS aspects of
the law in their respective adjacent areas, and the National Offshore Petroleum Safety Authority
(NOPSA) will have that responsibility.
The Joint Petroleum Development Area of East Timor and Australia is regulated and administered
separately. This document does not apply to petroleum activities in this area.
[1] Whilst the Ministers are responsible for the functions, in practice the necessary activities are delegated to
A safety case regime for Australia's offshore petroleum industry was first established in 1993,
through amendment of the Schedule of Specific Requirements as to Offshore Petroleum
Exploration and Production, which were applied throughout each adjacent area by Direction from
each DA. Subsequently, the requirement for Safety Cases was removed from the Schedule and
incorporated instead into the Commonwealth Petroleum (Submerged Lands) (Management of
Recent Changes
In 2000 a team of international experts independently reviewed the Australian offshore petroleum
safety case regime. Their report made two key recommendations for change:
These recommendations were subsequently endorsed by the Ministerial Council for Minerals and
Petroleum Resources (MCMPR) and are being implemented by 1 January 2005.
NOPSA itself was created in late 2003, when the Petroleum (Submerged Lands) Amendment Act
2003 made the necessary amendments to the PSLA 1967. The PSLA 1967 was also amended to
give NOPSA functions and powers with respect to OHS for petroleum activities in Commonwealth
waters from 1 January 2005. The OHS laws that NOPSA will administer in Commonwealth waters
were defined, being an improved Schedule 7, as well as the performance-based regulations or
parts of those regulations that related to OHS. The option under Section 140H to apply State or
Northern Territory OHS law was removed.
By 1 January 2005 the States and Northern Territory will have mirrored the amendments to the
Commonwealth PSLA 1967, creating consistent OHS law within Commonwealth, State and NT
PSLA 1982 waters, and giving NOPSA responsibility and powers to administer and enforce these
laws in these areas.
These revised Guidelines reflect these changes to the law and its administration.
NOPSA has been created, and its institutional form and governance arrangements defined,
through the Commonwealth PSLA 1967. NOPSA is funded by levies on operators, the
provisions to achieve this being in the Commonwealth PSLA 1967 and in the Offshore
NOPSA administers the OHS aspects of the Commonwealth PSLA 1967 and its regulations.
Equivalent provisions in each State and Northern Territory PSLA 1982 will give NOPSA the
powers to administer the OHS aspects of that body of law also.
Apart from OHS laws, State or NT law applies to all activities within the 3 Nm limit in its own
right, and the Commonwealth PSLA 1967 then applies the same law to any petroleum
activities in the Commonwealth part of the respective adjacent Commonwealth waters.
These provisions are essentially unchanged from 1 January 2005.
The laws of each State and NT that are wholly or significantly related to OHS do not apply to
offshore petroleum activities. This is a significant change, made by the amended sections 9
and 11 of the Commonwealth PSLA, and by corresponding provisions in the PSLA 1982 of
each State and Northern Territory. These provisions remove the duplication in the applicable
OHS laws that had caused much confusion.
The OHS laws that apply to offshore petroleum activities in Commonwealth waters are:
The same provisions apply in the State and NT 3 Nm zones, either by adopting or mirroring
the listed Commonwealth laws.
NOPSA and its inspectors have the power to enforce compliance with the listed laws in
Commonwealth, State and NT PSLA waters.
Where State and NT law contains OHS provisions amongst other matters, and the relevant
parts have not been disapplied, this law would be enforced by the relevant State or NT
agency under an agreement with NOPSA.
The listed OHS laws that apply contain the following broad provisions:
Sets out consultative arrangements in relation to designated work groups, health and safety
representatives, OHS committees, etc;
Defines the powers of OHS inspectors, enabling them to make inspections, take samples,
seize evidence, issue notices, etc;
Defines prescriptive limits to certain OHS risks, for example by prohibiting certain materials,
defining certain exposure standards, etc;
Prescribes that certain vessels or structures are, or are not, facilities for the purpose of
Schedule 7 and the regulations;
Lists the laws of the States and Northern Territory that do not apply at offshore petroleum
facilities because they are OHS laws;
Defines the processes to be applied when granting persons exemptions from Schedule 7
requirements; and
Defines the forms of improvement notices, and of OHS Inspector identity cards.
Establishes a requirement to have an accepted safety case for each offshore petroleum
facility, and for the facility operator to act in accordance with this case;
Defines the procedures for submission, revision, assessment, withdrawal etc of safety cases;
Sets out the required provisions for safety and emergency management at facilities; and
Establishes a requirement to have an accepted pipeline safety management plan (as part of
an overall pipeline management plan) and to operate in accordance with this;
Defines the procedures for NOPSA involvement in assessment of pipeline plans; and
Establishes a requirement to have an accepted dive safety management system and dive
project plan, and to operate in accordance with these;
Defines procedures for submission, revision, assessment, withdrawal etc of the safety
management system and project plan.
Defines the required contents of the safety management system and project plan; and
Defines detailed requirements for reporting of accidents and occurrences during diving.
All persons must comply with each set of Regulations, as the requirements of one set of
Regulations do not override those of any other, unless this is explicitly stated.
Acceptance by a regulatory authority of a matter under one set of Regulations does not
necessarily mean that the corresponding matter has been accepted for the purpose of other
Regulations.
Action by a regulatory authority under one part of the body of law (e.g. acceptance of a
Safety Case) can be conditional on a person's compliance with other parts of the body of law
(e.g. Schedule 7), but only if stated explicitly.
If a person has provided a regulatory authority with information under one set of Regulations,
then that person is not required to resubmit the information to meet a requirement under
another set of Regulations.
Northern Territory
Queensland
South Australia
Victoria
Western Australia
Some of the remaining State and NT law contains provisions related to OHS; these provisions
have been retained, as they could not be disapplied without also disapplying provisions not
related to OHS. Operators and others must also comply with this law, which may include the
following in each State and NT (note that only generic titles are given):
Health Acts
Except that in some areas the application of the Act does not
extend offshore because it is limited to Municipal areas.
Except that in some areas the application of the Act does not
extend offshore because it is limited to Municipal areas.
NOPSA will administer these laws in conjunction with the relevant State or NT agency, under a
Memorandum of Understanding. Operators and other duty holders may seek exemption from
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
2.1 Introduction
This summary guide expands upon the Readers Guide that appeared in the Commonwealth
2.2 Preliminary
Part 1 of the Regulations establishes their commencement date and their objectives, and defines
a number of terms and phrases that have specific meaning within the Regulations.
Part 2 [2] sets out the processes for registration of operators of facilities. A facility owner or the
titleholder of the area where the facility is to operate may nominate an operator for the facility,
and NOPSA will register that person as the operator if satisfied that the person has or will have
appropriate management and control of the facility. There are provisions for changing the
nominated operator.
Part 3 of the Regulations establishes the requirements in relation to Safety Cases, safety
management and emergency management at offshore facilities, which are the main substantive
requirements of these Regulations. The provisions of this Part establish the required content of
Safety Cases, and also the processes for submission of Safety Cases, their acceptance or rejection,
revisions to Safety Cases, and withdrawal of acceptance. The provisions are discussed in more
detail in sections 2.3 and 2.4 of this document.
Part 4 of the Regulations relates to validation. The provisions of this Part are discussed in section
2.4 of this document.
Part 5 of the Regulations defines the types of accidents and dangerous occurrences that have to
be reported under Schedule 7 of the Act.
[2] Part 2 of the Regulations formerly related to the grant of consents to construct/install/use a facility. From
1 January 2005 those provisions are to be contained within the Petroleum (Submerged Lands) (Resource
Part 6 of the Regulations establishes offences and associated penalties. For example, it is an
offence to construct, install, operate, modify or decommission a facility unless there is a
registered operator for the facility, and a Safety Case in force for the facility.
Part 7 covers some administrative arrangements.
Part 8 establishes transitional provisions for the 1 January 2005 amendments to the Regulations,
to ensure that decisions made under the previous version of the Regulations remain valid and in
force, and to provide a period for operators and others to comply with any new or expanded
provisions.
An operator must not construct, install, operate, modify or decommission a facility unless
there is a safety case in force for the facility that relates to the corresponding activity
(regulation 48).
The operator must not construct, install, operate, modify or decommission a facility in a way
that is contrary to the safety case in force for the facility, or in a way that is contrary to any
limitation or condition applied by or under the Regulations (regulation 49), except if NOPSA
has given consent for this in writing.
The operator must not continue to construct, install, use, modify or decommission a facility in
the presence of a significant new risk to health and safety or in the presence of a significant
increase in an existing risk, unless that new or increased risk is accounted for by the safety
case in force for the facility, or by a proposed revision to the safety case (regulation 50).
Division 2 of Part 3 establishes the processes for submission and acceptance of a safety case:
In order for a safety case to be accepted by NOPSA, it must first be submitted to NOPSA by
the operator (regulation 28). The safety case may relate to 1 or more of the stages of the
life of the facility, which means one or more of construction, installation, operation,
modification and decommissioning. The safety case may also relate to 1 or more facilities.
After having received a Safety Case, NOPSA may request that more information be provided,
giving at least 30 days' notice. Any such information, once received, is then treated as being
part of the Safety Case (regulation 29).
NOPSA must accept the Safety Case if there are reasonable grounds for believing that it is
appropriate to the facility, it complies with the requirements of Division 1 of Part 3, and that
any validation meets the legislative requirements (regulation 30). NOPSA must give the
operator a reasonable opportunity to change and resubmit a Safety Case that does not
NOPSA has 90 days from receipt of a Safety Case in which to notify the operator of its
decision either to accept the Safety Case (fully, for selected stages, or with conditions),
refuse to accept it, or give notice that more time is required (regulation 31).
Division 2 of Part 3 also establishes a mechanism whereby NOPSA may authorise departure from
an accepted Safety Case. Specifically, regulation 32 allows NOPSA to give consent for an
operator to work other than in accordance with an accepted Safety Case if satisfied that there will
not be an occurrence of a significant new risk or increased risk to health and safety,
notwithstanding the offences established in Part 6.
Division 3 of Part 3 establishes provisions relating to the revision of a Safety Case:
The operator of a facility must submit a proposed revision of the Safety Case as soon as
practicable after any of the specified circumstances arise (regulation 34). The relevant
circumstances include new technical knowledge, or new methods for identifying and
assessing risks of major accident events, that make the Safety Case outdated. They also
include proposals to make a change or changes to the facility, or to the activities that are
carried out, or to the safety management system, if the Safety Case does not already address
those changes. A revision to a Safety Case may take the form of a revision to a part only of
the Safety Case, with the agreement of NOPSA (subregulation 34(3)).
In addition, NOPSA may request in writing that the operator submit a proposed revision to
the Safety Case (regulation 35). In such cases, the operator is allowed to make a submission
that a revision is not needed, or that a different revision should be made, and NOPSA must
take account of that submission before deciding whether a revision is required and what the
revision must consider.
Further, the operator must submit a proposed revision of the Safety Case every 5 years,
regardless of whether revisions have been made for other reasons in the intervening period
(regulation 36). Such revisions must specifically address the long term integrity of control
measures.
After having received a revised Safety Case, NOPSA may request that more information be
provided, giving at least 30 days' notice. Any such information, once received, is then treated
as being part of the revised Safety Case (regulation 37).
NOPSA must accept the revised Safety Case if there are reasonable grounds for believing that
it is appropriate to the facility, it complies with the requirements of Division 1 of Part 3, and
that any validation meets the legislative requirements (regulation 38). NOPSA must give the
operator a reasonable opportunity to change and resubmit a revised Safety Case that does
not initially meet the requirements. NOPSA also has the option to accept a revised Safety
Case for particular stages of the life of the facility, or to impose limitations or conditions.
NOPSA has 30 days from receipt of a revised Safety Case in which to notify the operator of its
decision either to accept it (fully, or for selected stages, or with limitations or conditions),
refuse to accept it, or give notice that more time is required to make a decision (regulation
39).
A key point to note is that, if a revised Safety Case is not accepted, then the existing Safety Case
remains in force (regulation 40).
Division 4 of Part 3 establishes provisions for withdrawal of acceptance of Safety Cases:
NOPSA is able by written notice to inform the operator of a facility that it withdraws
acceptance of a Safety Case (regulation 41). Valid grounds for this are that there has been a
failure to comply with:
Before withdrawing acceptance of a Safety Case NOPSA must give at least 30 days' notice to
the operator and to any other persons it thinks fit (regulation 42). The notice must indicate
the date by which the operator or other persons may submit further information to NOPSA
about the matter. NOPSA must take account of any such information before making its
decision.
Note that NOPSA is not compelled to withdraw acceptance in the circumstances specified in
regulation 41 - it is merely allowed to do so. Withdrawal of acceptance of a Safety Case is only
likely to occur in extreme circumstances, all other compliance and enforcement measures having
failed to have effect.
Subregulation (2) states that the description of the facility must give details of the layout of
the facility, the control measures for major accident events (i.e. those identified by the formal
safety assessment), the activities to be carried out at the facility, and any other relevant
matters.
Subregulation (2) states that the formal safety assessment that is described in the Safety
Case must be an assessment (or series of assessments) that:
is a detailed and systematic assessment of risk associated with those hazards; and
identifies the control measures that will reduce risk as low as reasonably practicable.
Subregulation (2) states that the safety management system that is described in the Safety
Case must be comprehensive and integrated, and must provide for (e.g. have systems and
procedures for)
the inspection, maintenance and testing of control measures for those risks;
The safety management system must also specify the performance standards that apply.
In general, a Safety Case or revision that is submitted to NOPSA must address the next stage of
the life of the facility, so that the relevant activities may commence as soon as the Safety Case is
accepted. However, when submitting a Safety Case for construction or installation of a
facility, the Safety Case must address the operations stage (so far as is practicable at the time) as
well as the construction and installation stage (subregulation (5)). This provides for early
consideration of the hazards and risks of the operations stage.
Note that the safety management system that is described in the Safety Case must be a system
for the management of all hazards and risks to health and safety - it is not limited to potential
major accidents. However, the Formal Safety Assessment that is described in the Safety Case
need only relate to major accident events. The facility description should be general, but with an
emphasis on the design features (e.g. layout and other control measures) that relate to major
accident events.
As well as the matters set out in regulation 9, the Safety Case must also demonstrate that there
are effective means of ensuring the implementation, monitoring and improvement of the safety
management system (regulation 10).
life saving equipment, including life-rafts with launching and/or float free capability.
From this, the analysis must identify those control measures that reduce the risks associated with
emergencies to a level that is as low as reasonably practicable.
Similarly, the fire and explosion risk analysis must first identify the possible types of fires and
explosion that could occur at the facility. The analysis must then assess the outcome of the
possible fires and explosions, taking into account a range of possible:
automatic and manual systems for detection, control and extinguishment; and
It must also consider the results of the evacuation, escape and rescue analysis, relevant to fires
and explosions. From this, the analysis must identify those control measures that reduce the
risks associated with fires and explosions to a level that is as low as reasonably practicable.
Record Keeping
Regulation 27 requires the Safety Case to include arrangements for making records of documents
and securely storing them for 5 years at a nominated address in a manner that facilitates their
retrieval.
The types of records that must be addressed by these provisions of the Safety Case are the
Safety Case itself, any revisions to the Safety Case, written audit reports related to the Safety
Case, and reports of accidents and incidents under subregulation 46(2).
Other Comments
It is useful to note at this point that regulations 11 to 27 all impose requirements for the Safety
Case to describe or specify or make provision for certain matters, but only 14 and 26 explicitly
state that the relevant matters must be part of the safety management system. However, in
practice, all the relevant matters should be addressed in the safety management system, in order
to meet the requirement that the safety management system is comprehensive and integrated.
Thus the safety management system should contain or refer to the methods of conducting a fire
risk analysis and an evacuation, escape and rescue analysis. Similarly, the safety management
system should contain or refer to the design standards for the facility.
2.6 Validation
Part 4 of the Regulations (regulation 44) establishes the requirements for validation.
Validation is a means of providing NOPSA with assurance that agreed elements of the operator's
systems and equipment described in the Safety Case meet the management of safety objectives
required by the Regulations. The starting point is agreement on the scope of validation between
the operator and NOPSA (subregulation 44(1)); the remaining provisions of regulation 44 then
come into play.
In effect, validation is a form of certification of certain matters concerning a facility (subregulation
44(2)). The person or persons providing the certification must have the necessary competence
and ability, proper access to the appropriate data, and a sufficient degree of independence
(subregulation 44(3)), and the validation must establish the soundness and efficacy of the
matters specified, to the level of assurance reasonably required by NOPSA (subregulation 44(4)).
In the case of a proposed facility there are two broad matters to be validated:
that the design, construction and installation (including instrumentation, process layout and
process control systems) of the facility are fit for purpose; and
that the design, construction and installation (including instrumentation, process layout and
process control systems) of the facility are consistent with the Formal Safety Assessment.
In the case of an existing facility (i.e. where there is a proposal to make a modification), there is
only one broad matter to be validated - that the facility will remain fit for purpose.
The regulations do not set out what an acceptable scope of validation might be, and what level of
competence and independence the person(s) conducting the validation should have. This is
discussed in Part 2 of this document.
2.8 Miscellaneous
Parts 7 and 8 of the Regulations deal with a range of administrative matters. Part 7 (regulation
54) sets out specific details that must be provided in any submission to NOPSA. Part 8
establishes transitional provisions for the period immediately after 1 January 2005.
Division 2 of Part 8 sets out transitional arrangements for the hand-over of OHS regulatory
responsibility from the Designated Authorities to NOPSA. In essence, the regulation requires
NOPSA and the Designated Authority to consult over the hand-over of documents, and lists the
types of documents that must be handed over. The Division (regulation 57) also establishes that
a notice or request issued by a Designated Authority before 1 January 2005 and not complied
with by that date continues in effect as if it had been issued by NOPSA.
Division 3 of Part 8 sets out the transitional arrangements regarding Safety Cases:
Existing Safety Cases and revisions, already accepted by a Designated Authority, remain in
force, subject to any limitations and conditions imposed by the Designated Authority
(regulation 58).
Applications for acceptance of Safety Cases and revisions made to a Designated Authority
before 1 January 2005, on which the Designated Authority has not made a decision, are treated
as if they were applications made to NOPSA on 1 January 2005.
Divisions 4 and 5 of Part 8 set out the transitional arrangements regarding operators and
facilities:
If a structure or vessel becomes a facility for the first time on 1 January 2005, or first
enters Australia's waters within the first 3 months of 2005, then there are automatic
exemptions as follows:
No Safety Case need be in force, provided one is submitted to NOPSA by 1 July 2005
(and provided NOPSA does not reject the Safety Case).
Lack of fault is not a defence. That is, a person may be taken to have committed an
offence even though they had no intention or knowledge about the offence, and did not
display recklessness or negligence.
Clause 2A(4) of Schedule 7 of the PSLA 1967 allows particular vessels and structures, or
vessels and structures that carry out certain types of activities to be declared under the
regulations not to be facilities. Schedule 7 would not apply to these vessels and structures,
and neither would the Management of Safety Regulations, and hence there would be no
requirement for a Safety Case. However, currently, there are no such declarations.
Clause 27A of Schedule 7 to the PSLA allows NOPSA to exempt persons from the
requirements of Part 3 of that Schedule, the part that sets out the required consultative
arrangements. This provision recognises that it may not always be practicable to comply with
the consultative requirements, for example at a not-normally staffed facility. The processes
whereby such exemptions may be granted are set out in the P(SL)(OHS) Regulations. There
are no exemption provisions from the remainder of Schedule 7.
Regulation 43 allows for partial or total exemption from the Safety Case requirements of the
Management of Safety Regulations, on a case by case basis for which an operator would
need to apply. Thus NOPSA may decide, in some circumstances, that a particular aspect of a
Safety Case is not relevant or necessary, or that the requirement for a Safety Case can be
dispensed with. There are no provisions to exempt operators or others from the remaining
requirements of these regulations, such as those related to accidents and dangerous
occurrences.
2.11.2
2.11.3 How Does the Safety Case Relate to the other PSL Regulations?
2.11.4
2.11.5
3.1 Introduction
Safety Cases may be prepared for one or more of the following stages in the life of a facility:
Construction/installation;
Operation;
Modification; and
Decommissioning.
and must be in force for a particular stage before that stage can commence.
In practice, these four stages apply only in the case of fixed facilities; the stages of a Safety Case
for such facilities are discussed in section 3.2. Later sections address Safety Cases for mobile
facilities (including mobile drilling units (section 3.3), construction barges and accommodation
barges (section 3.4)) which generally only require a Safety Case for the operational (or use)
stage, and possibly also for modifications.
Construction/Installation;
Operation (use);
Modification; and
Decommissioning.
As noted, a Safety Case may address one or more of these stages. Individual sub-sections below
discuss each of these stages, and also the earlier design stage.
3.2.1 Design
Many operators adopt the practice of preparing a Safety Case at an early stage in project
development, which is known either as a Design Safety Case or as a Stage 1 Safety Case. This is
often prepared for the purpose of gaining internal corporate or joint venture partner funding for
the project, prior to proceeding to detailed design, procurement and construction.
There is no requirement in the Regulations for such a Safety Case, but such a document may be
used to support the Field Development Plan that must be submitted to the Joint Authorities when
seeking a Production Licence or Infrastructure Licence under the PSLA.
Whether or not a Design Safety Case forms part of the Field Development Plan, NOPSA will work
with the Joint Authorities at this stage, by reviewing the safety implications of the proposed
development concept, and preparing the part of the Joint Technical Report that relates to safety.
Any safety-related recommendations made in the Joint Technical Report would need to be
addressed by the time the Safety Case for Construction and Installation is submitted to NOPSA.
3.2.2
A Safety Case is required under the Regulations prior to commencing construction or installation
of a facility. In this context it should be noted that construction and installation is limited to the
construction and installation activities that take place at the petroleum site. It does not extend to
fabrication and construction in a shipyard etc, even if located in Australia.
The Safety Case for construction and installation of a fixed production or infrastructure facility is
not intended to address the risks of construction and installation. Those risks are to be covered
by a Safety Case for each of the construction facilities (transport barge, accommodation unit,
etc), or by a combined Safety Case for all facilities involved in the design and construction (see
section 6.4). Rather, the Safety Case for construction and installation should address the risks of
the operational stage of the life of the facility, so far as practicable at the time.
NOPSA would expect this stage of the Safety Case to contain a complete Facility Description and
a complete Formal Safety Assessment, but would recognise that the Safety Management System
for the operational stage may not yet be fully developed and might only be able to be described
in summary. Accordingly, assessment of such a Safety Case would focus on the design and FSA
aspects, and the assessment of the SMS would be at a systems level only, checking that the
required procedures are developed or are being developed, without assessing their detailed
content or whether they are being implemented.
3.2.3 Operation
A Safety Case is required under the regulations prior to commencing operation or use of a facility.
Operation or use in this context would generally be taken to start either when drilling
activities commence at the facility, or (if there are no wells at the facility, or the wells were pre-drilled) when the first attempts are made to bring petroleum fluids onto the facility.
The Safety Case for operation or use of the facility needs to address the range of normal and
other foreseeable activities that might take place on the facility, and the risks associated with
these activities. There is benefit to all parties if this Safety Case can properly address the widest
possible range of activities, as this will limit the need for Safety Case revisions.
All aspects of this Safety Case would need to be complete and detailed, although NOPSA
recognises that, at this stage, there may be limited hard evidence to show that the operational
aspects of the SMS are being implemented in practice.
Under the regulations a revision to the Safety Case has to be prepared and submitted to NOPSA
whenever the following conditions are met:
every 5 years;
if NOPSA requests.
Until accepted, any revision remains a proposed revision, but on acceptance becomes the
Safety Case that is in force.
In many cases such a Safety Case will, in effect, be no different from a Safety Case for
operations/use, in that it will need to address the on-going design, activities and management of
the facility, from the moment of revision onwards for a period of up to 5 years.
Some modifications may be only temporary, for example the use of a demountable wire-line or
snubbing unit to perform down-hole activities, or a period of campaign maintenance. In such
cases the revision to the Safety Case might more sensibly take the form of an addendum, which
is removed once the period of abnormal activities is complete.
3.2.5 Decommissioning
The Safety Case for decommissioning of the facility would need to address the same broad types
of hazards as the earlier Safety Cases, although the relative severity of the risks may change
during the course of the decommissioning and this would need to be accounted for. For
example, in the early stages of decommissioning, there may be significant hydrocarbon risks
associated with plugging and abandoning wells, emptying and cleaning process systems, etc, but
in the later stages the significant risks will be associated with the physical dismantling or removal
of the facility.
Various barges might be involved in the decommissioning, which would need to have their own
Safety Cases. Alternatively, a combined Safety Case could be prepared for the barges and for the
facility that is being decommissioned.
3.2.6 General Discussion
The figure below shows the staged development of a Safety Case for a fixed production or
infrastructure facility, corresponding to the above discussion.
Figure 1 Stages of the Safety Case for a Fixed Platform
[Flowchart not reproduced. Project stages shown: development concept selection, Field Development Plan, preliminary design, detailed design, construction in shipyard, construction / installation in field, start-up and operations, modifications, abandonment. Corresponding documents shown: Construction / Installation Safety Case, Operation / Use Safety Case, Safety Case Revisions, Abandonment / Decommissioning Safety Case.]
The same stages might also apply to a Floating Production Storage and Offloading (FPSO) vessel
or similar facility, notwithstanding that construction may in such cases be limited to installation
of the mooring and connection of the vessel to it.
In practice, the stages of the life of the facility, and hence the stages of the Safety Case, may not
be as well defined as discussed above. Accordingly, the information presented above is brief,
does not address all possible circumstances, and is for guidance only. Operators
contemplating complex development projects are advised to discuss these with
NOPSA, in order to reach agreements as to what may be the suitable stages for the
Safety Case.
It should be stressed that, although the Management of Safety Regulations list four stages of the
life of a facility, the Regulations simply state that a Safety Case may address 1 or more such
This section addresses the case where a mobile offshore drilling unit is operating stand-alone,
on a program of exploration or development drilling.
A Safety Case for such a facility needs to account for the design, routine activities, safety features
and safety management arrangements of the facility itself, and also for the particular drilling
program that is to be conducted. There are two possible approaches to this:
a single Safety Case is prepared, that addresses the drilling unit, the specific drilling program
to be conducted, and any issues related to the location of the work; or
the facility has a Safety Case that is generic to the normal range of activities that it may
undertake, and a separate document is prepared that addresses the issues specific to the
drilling program and the site. This separate document is often referred to as a Bridging
Document.
If the drilling unit is intending to conduct further drilling campaigns in Australian waters, the latter
option may be preferred, as this approach to the Safety Case is more flexible.
As well as the Safety Case under the Management of Safety Regulations, there is also a
requirement to prepare well operations management plans, under the Management of Well
Operations Regulations. The well operations management plans primarily address well and
reservoir integrity, and are a regulatory responsibility of the Designated Authorities.
Nevertheless, NOPSA and the DAs will liaise to ensure that proposed well operations are
compatible with the Safety Case that is in force.
3.3.2
This section addresses the case where a jack-up drilling unit is to be used to drill or service a well
at an existing production or wellhead platform. It is assumed that the production or wellhead
platform would already have its own Safety Case, accepted by NOPSA (or previously by one of
the Designated Authorities). The drilling facility may or may not have a Safety Case that has
been accepted in Australia.
The issue here is two-fold:
The production/wellhead facility has to be safe in its own right, as does the drilling unit, and
this has to be demonstrated to NOPSA for both facilities, through the Safety Cases; and
The hazards and risks associated with the interface between the two facilities need to be
identified, assessed, controlled and managed, and the combined safety of the two facilities
operating simultaneously demonstrated to NOPSA.
The safety issues associated with such combined operations are numerous, and include:
The possible impact of drilling incidents on production personnel, and of production incidents
on drilling personnel;
Compatibility of the alarm and shutdown systems, fire protection systems, and escape,
evacuation and rescue systems for the two facilities; and
If the drilling facility has its own Safety Case, and this has already been accepted in Australia,
then a Bridging Document could be submitted to NOPSA. The Bridging Document in effect
forms a proposed revision, both to the production/wellhead platform Safety Case, and to the
drilling unit Safety Case, and would apply for the duration of the drilling program only. On
completion of the drilling program, the previous, separate Safety Cases would revert to being
in force; or
If the drilling facility has its own Safety Case, but this has not yet been accepted in Australia,
then the same could apply, except that, in addition, the drilling unit Safety Case would also
have to be submitted to NOPSA. Alternatively, the drilling facility Safety Case could be revised
to account for the particular drilling program, as well as the issues surrounding the unit's
interfaces with the production/wellhead facility.
The operator of the facility must submit the Safety Case. In this case there may be two
operators, one for the production/wellhead facility and one for the drilling unit. They would
each be responsible for submitting their respective Safety Cases, and jointly responsible for any
Bridging Document or combined Safety Case.
4.1 Pre-Submission
Any person who wishes to construct, install or operate a facility (or facilities) should consult with
NOPSA at an early stage, with a view to agreeing on:
the extent to which Safety Cases for facilities and for stages can be combined;
These consultations will assist the operator in developing Safety Cases that are satisfactory to
NOPSA. It will also assist NOPSA in planning its oversight and assessment activities, and
obtaining the necessary resources for these activities, including specialists as required.
Similar consultations would also be useful prior to Safety Case revision.
Timing
Safety Cases may be submitted at any time, although operators are obviously advised to allow
sufficient time for a Safety Case to be assessed, prior to the scheduled commencement of the
activity to which the Safety Case relates.
It would generally be expected that an exploration permit would have been granted before a
Safety Case was submitted for use of a facility for exploration drilling. It would likewise generally
be expected that a production or infrastructure licence would have been granted before a Safety
Case was submitted for construction / installation of a facility, or for development drilling.
There is no prescribed link between the timing of submission of Safety Cases under the
Management of Safety Regulations, and the timing of submissions under the other PSLA
regulations of environmental management plans, pipeline management plans, diving safety
management systems, diving project plans and well operations management plans.
However, the Safety Case and all relevant management plans have to be accepted (by the
relevant DA or NOPSA, as appropriate) before the respective activities are allowed. This
therefore implies that the submissions under other performance-based Regulations are likely to
coincide with either the initial or proposed revised Safety Case:
The Safety Case, environmental management plan and well operations management plan for
a drilling program would all have to be accepted before the program could commence. An
initial Safety Case has a longer allowable period for assessment, but otherwise these
submissions would closely coincide; and
A diving project plan for a particular diving activity and the corresponding Safety Case
revision would both have to be accepted before the diving could occur at the facility. The
respective submissions would therefore coincide.
Operator
It is the operator of the facility that is responsible for submitting the Safety Case to NOPSA, for
ensuring that the Safety Case meets the regulatory requirements, and (once the Safety Case is
accepted) for ensuring that operations are in accordance with the Safety Case. The operator may
engage others to assist in preparation of the Safety Case, but this would not alter the legal
responsibilities under the PSLA and Management of Safety Regulations.
Legally, the operator of a particular facility is the person who is registered by NOPSA as the
operator of the facility, in accordance with the procedures set out in the regulations. To be
registered, the person first has to be nominated by the title-holder, but the registration only
occurs if NOPSA believes that person to have overall management and control of the facility.
"Person" includes bodies corporate.
The title-holder may also be the operator, but this is not necessarily always the case. For
example, NOPSA may decide that the owner of a construction barge, accommodation barge,
mobile drilling unit or a pipe-lay barge has overall management and control of that facility,
notwithstanding that the owner is working under a contract with the title-holder. The same could
apply to a production facility, which could be managed by another person, on behalf of the title-holder, whether that other person or the title-holder owns the facility.
Assessment Principles
actions taken in response to findings will be graduated, and proportionate to the risk.
4.3.2
in association with the relevant team leader, planning the assessment, including defining the
tasks to be conducted, assigning personnel to those tasks and establishing timescales for
completion;
all communications between the operator and NOPSA for the purpose of the assessment,
except for any formal communication that must, under the regulations, be made by the CEO
or delegate on behalf of NOPSA;
liaison with other agencies regarding matters pertinent to the assessment, including for
example maritime and aviation safety agencies, as well as the Designated Authority for their
PSLA waters; and
ensuring that records are kept of the assessment, and preparing a detailed and
comprehensive report of the assessment.
The lead assessor may be the OHS inspector ordinarily assigned to that operator, or may be
another OHS inspector.
Team leaders are responsible for coordinating the work of their teams, including Safety Case
assessment. Where disputes and issues arise, they are the first point of reference for resolution.
Other OHS Inspectors, including Team Leaders, may be assigned specific tasks for the purpose of
a Safety Case assessment, according to their particular areas of expertise. For that purpose they
report to the Lead Assessor.
Ultimate decision-making regarding whether to accept the Safety Case, for what stages, and with
what conditions and limitations, resides with the CEO of NOPSA or a delegate. The CEO or the
delegate makes this decision taking account of the advice given by the lead assessor for the
Safety Case.
The project plans are based on standard templates prepared by NOPSA, but modified so as to be
appropriate to the particular facility and the Safety Case that is submitted. The plans indicate the
area or areas of particular focus of the assessment.
planning of safety case assessments, both individually and holistically, including the
establishment of resource, training and competency requirements, and the setting of
performance standards;
internal third-party audits of NOPSA's compliance with its current safety case assessment
processes and procedures;
internal and third-party reviews of NOPSA's safety case assessment processes and procedures
against current good practice; and
maintenance of an actions data-base, setting out actions arising from audits and reviews,
assigning responsibility to these actions, and establishing time-frames for close-out.
More details of NOPSA's management systems, including its Safety Case assessment processes
and procedures, may be found at this link: (HOLD To be inserted)
4.3.3
The Regulations set out timeframes within which NOPSA must make decisions regarding the
acceptability of Safety Cases as follows:
when a Safety Case is submitted for a new facility, NOPSA has 90 days in which to decide to
accept it, decide not to accept it, or inform the operator in writing that more time is needed
setting out a timeframe for making the decision; and
Within those schedules, the following internal targets have been adopted by NOPSA:
acknowledge receipt of the Safety Case or proposed revision: 3 working days; and
all requests for further information within 30 days for initial Safety Cases and within 14
days for proposed revisions to Safety Cases. Operators would be given a further 30 days and
7 days respectively to comply with such requests.
NOPSA will give the operator at least 30 days in which to resubmit a Safety Case; and
NOPSA will make a decision on the resubmitted Safety Case within a further 30 days.
the circumstances in which conditions and limitations may be applied when accepting a
Safety Case, as an alternative to refusing acceptance (section 4.4.2);
what happens if NOPSA decides to refuse to accept a Safety Case, and the extent to which
such a decision may be subject to review and appeal (section 4.4.3); and
Acceptance Criteria
NOPSA must accept a Safety Case if there are "reasonable grounds for believing" that the
operator has complied with all clauses of the relevant regulation (see regulation 30 for initial
acceptance of a Safety Case, and regulation 38 for acceptance of revisions). Accordingly, NOPSA
must be satisfied that:
The Safety Case is appropriate for the nature of the facilities, the activities to be conducted,
and the management arrangements.
The word "appropriate" means that, for it to be accepted, the Safety Case must provide
specific information about the design, proposed activities and management system of the
particular facility or facilities to which the Safety Case relates, as opposed to generic
information about the company's assets, operations and management systems. Similarly, the
risk assessments (formal safety assessment, fire risk analysis and escape, evacuation and
rescue analysis) must address the particular hazards and risks of the facility or facilities to
which the Safety Case relates, under the range of operational conditions that is likely to be
experienced.
The Safety Case complies with subdivisions A, B and C of Division 1 of Part 3 for the stages
connected with the life of the facility for which the Safety Case is submitted.
The Safety Case must comply with regulations 9 to 26. As was discussed in section 2.4 of
these Guidelines, these particular regulations require certain matters to be contained,
described or specified within the Safety Case. However, as also discussed in section 2.4,
many of these regulations require the things described to be "adequate" or "appropriate" or
"suitable" etc. Therefore NOPSA may accept the Safety Case only if it describes the various
matters to the satisfaction of NOPSA, and if NOPSA is satisfied that the matters described are
in themselves adequate or appropriate or suitable.
The Safety Case, or a part of it, complies with subdivision D of Division 1 of Part 3.
This means that the Safety Case must describe the record-keeping arrangements.
Where a validation has been required, the persons undertaking the validation meet the
criterion in subregulation 44(5) and the validation complies with subregulation 44.
This means that NOPSA must be satisfied that the validation and the person or persons who
conduct it are in accordance with regulation 44.
"Reasonable grounds for believing" means that NOPSA has to be satisfied on balance. It is not
necessary for NOPSA to be satisfied beyond reasonable doubt.
NOPSA may accept a Safety Case in part, meaning (for example) only for specified stages in the
life of the facility or specified activities. Also, when accepting a Safety Case, NOPSA may apply
limitations or conditions to the facility, its operation and management. Where it is possible to do
so, a decision to accept a Safety Case in part, or to accept it with limitations or conditions, would
be made in preference to refusing to accept the Safety Case. This applies both in relation to
initial Safety Cases, and to proposed revised Safety Cases.
The assessment principles set out in Part 2 of these Guidelines elaborate on the above. However,
they go beyond assessing whether the particular clauses of the regulations have been met, as the
assessment may also be used to decide whether there is potential to improve the Safety Case and
the operator's safety management, and to inform NOPSA's on-going program of inspection and
audit.
4.4.2
A Safety Case may be accepted for fewer stages in the life of the facility than those for which it
was submitted. A Safety Case may also be accepted subject to limitations or conditions. This
might mean that a Safety Case is accepted, but only for some activities.
This might occur, for example, if a Safety Case is submitted for drilling and production at a
facility, but the information regarding production operations is inadequate. In that case, the
Safety Case may be accepted for drilling only, and a further submission would be required in
relation to the production operations.
Acceptance of a Safety Case can also be subject to conditions and limitations. A condition or
limitation could be used to address an issue such as discussed above (i.e. the Safety Case is
accepted, but a condition is attached that production does not commence until some additional
submission is prepared by the operator, and accepted by NOPSA). However, conditions and
limitations are more general compliance and enforcement tools, and may be used in a number of
ways. For example, they may be used to impose limits to the specific activities that are to be
carried out, over and above the operator's own limits.
At a more detailed level, NOPSA might be generally satisfied with the content of the Safety Case,
If NOPSA is not satisfied to the necessary degree that the Safety Case meets the requirements of
the Regulations, and if it is not possible to accept the Safety Case in part, or with conditions or
limitations, then the only other option is to refuse to accept the Safety Case.
In the event that NOPSA decides to refuse to accept a Safety Case, the following would apply:
Where the refused Safety Case related to construction / installation, the proposed facility
could not be constructed / installed, because to do so would be in breach of the requirements
of regulation 47. It would also be in breach of the consent provisions in the Resource
Management Regulations, as consent could not be granted if no safety case is in force.
Where the refused Safety Case related to operation or use of a facility, it would not be
possible to use or operate the facility, meaning for example that drilling could not commence
at a MODU or at a fixed facility, no petroleum could be introduced onto a production or
infrastructure facility, and no construction work could be carried out using a construction
barge. To do so would again be in breach of the requirements of regulation 47, and of the
consent provisions in the Resource Management Regulations.
Where the refused Safety Case is a proposed revision, the existing Safety Case remains in
force. This means that activities must remain in compliance with the existing Safety Case,
and that any proposed modifications addressed in the proposed Safety Case revision would
not be allowed. In some cases, for example if the Safety Case that has been refused is a
5-yearly revision, and there have been significant changes at the facility or developments in
technology in that time, then this may trigger the provisions for withdrawal of acceptance
(see section 4.4.4).
4.4.4
NOPSA can withdraw acceptance of Safety Cases. On withdrawal of acceptance of a Safety Case,
the operator would immediately have to cease activities as there is no longer a Safety Case in
force. This is a sanction that would be used only in extreme circumstances where all other
compliance and enforcement provisions have proved ineffective.
NOPSA may withdraw acceptance of a Safety Case on any of the following grounds (regulation
28I):
The operator has not complied with the Act, or a notice issued by an OHS inspector under
Schedule 7 of the Act.
This does not mean a failure to comply with any element of the Act; it is limited by the
scope and objectives of the Regulations to matters concerning management of safety. In
the main body of the Act, the only such provision is the requirement under section 97 to act
in accordance with good oilfield practice and good storage and transport practice. The
provisions of Schedule 7 are relevant, although the nature of the duties and obligations on
facility operators under the Schedule are varied, and in practice withdrawal of acceptance of
a Safety Case would only ever be considered following a serious breach of a duty of care, or
if (as stated) there is a non-compliance with a notice issued under Schedule 7.
This allows for withdrawal of acceptance if the operator has failed to submit a proposed
revision to the Safety Case, either when there are relevant changes in circumstances, or when
NOPSA has requested this, or when a period of 5 years has elapsed.
This allows for withdrawal of acceptance if the Safety Case has not been properly revised to
take account of any of the circumstances listed in the preceding paragraph, such that
NOPSA has refused to accept the proposed revision.
The word "may" is used in relation to withdrawal of acceptance, to indicate that it is an option
that is open to NOPSA, but that it is not a legal requirement in any of the circumstances that are
listed. For example, if an operator was considering a major modification to a facility, and had
submitted a proposed revision to the Safety Case in advance, then it is unlikely that a refusal to
accept the proposed revision would be a reason to withdraw acceptance of the existing Safety
Case. Conversely, if a series of minor modifications had already been made, and NOPSA had
requested a revision to the Safety Case to account for these modifications, then a refusal to
accept the proposed revision might cause NOPSA to consider withdrawing acceptance of the
existing Safety Case.
A decision to withdraw acceptance of a Safety Case may be based on an assessment using the
criteria in Part 2 of these Guidelines. However, given that the need to make such a decision is likely to
arise only in highly specific circumstances, it is likely that only a selection of the criteria would
apply, and also that other factors (outside of the criteria) would need to be taken into account.
Notice of Acceptance
Once NOPSA has decided to accept a Safety Case (or a proposed revision to a Safety Case) it
must give notice of that decision to the operator. If the Safety Case is only accepted for some of
the stages for which it was submitted, or is accepted with limitations or conditions, then the
notice must also state what stages the Safety Case is accepted for, what limitations or conditions
apply, and the reasons for this.
4.5.2 Regulatory Oversight
Once a Safety Case is accepted it becomes the Safety Case that is in force. As such, the
operator must act in accordance with what is stated in the Safety Case, and in accordance with
the safety management system that is described in the Safety Case.
NOPSA will at this stage prepare a plan for on-going oversight of the operator's activities, based
on what is stated in the Safety Case, and on the report of its assessment. This plan will address
such matters as:
- the frequency of audits etc at the operator's offices, and at other relevant premises;
- the matters to be the subject of these audits etc (e.g. the design of facility modifications, or
  changes to the corporate management system as it affects OHS); and
- the arrangements for involvement of other relevant government agencies (e.g. those
  responsible for maritime and aviation safety, and the Designated Authorities).
These plans will be updated at least yearly, dependent on the findings from the oversight
activities. Both the original plan and any update would be developed in consultation with the
operator and the workforce.
As well as activities under the oversight plan, NOPSA may make unannounced inspections/audits
at the operator's offices or the facility, or may inspect/investigate in response to any
incident/occurrence that has been reported, or any complaint that has been received.
4.5.3
The operator of a facility must submit a proposed revision of the Safety Case to NOPSA as soon
as practicable after any of the following circumstances arise:
- if there are developments in relevant technical knowledge, such as the standards for design
  and operation of the facility;
- if there are developments in the systems for identifying or evaluating risks of major
  accident events, such as those used in the Formal Safety Assessment, Fire Risk Analysis and
  Escape, Evacuation and Rescue Analysis;
- if any modification is proposed which by itself may significantly alter the risk of any individual
  MAE;
- if the operator proposes to make a significant change to the safety management system for
  the facility. This would include changes to the facility safety management system, or any
  change to the corporate safety management system that may affect safety at the facility;
- if the operator proposes to carry out activities at the facility that are different from those
  addressed by the Safety Case that is in force. Note that the difference does not have to be
  significant; or
- if the operator proposes to decommission or otherwise modify the facility in a way that is not
  already addressed by the Safety Case that is in force. In practice this clause duplicates the
  requirements of earlier clauses.
The first two clauses relate to changes in technology generally, which may occur either within or
outside of the operator's organization. These clauses effectively impose a requirement on the
operator to keep up to date with technology developments, and to adopt them when practicable.
The remaining clauses relate to changes instigated by the operator, and impose a requirement to
revise the Safety Case in line with these changes.
NOPSA can request a revision of a Safety Case if the circumstances set out in the points above
have occurred, yet the operator has not proposed a revision to the Safety Case. Such action by
NOPSA is a form of enforcement, which may be taken in isolation, or may be taken in
conjunction with other types of enforcement action under Schedule 7 of the PSLA.
A request by NOPSA for the operator to prepare and submit a proposed revision to a Safety Case
must be in writing and must state the matters to be addressed by the revision, the grounds for
the request, and the date by which the proposed revision must be submitted. Within 21 days (or
a longer period if allowed by NOPSA) the operator may make a submission stating reasons why
the operator believes the revision is not necessary, or that a different form of revision should be
prepared, or that a later date should apply. NOPSA is obliged to consider any such submission by
the operator.
As part of their overall management systems, operators are advised to develop processes and
procedures for preparation, upkeep and maintenance of their Safety Case(s). These processes
and procedures should address at least the following:
- required contents and format: what information must the Safety Case contain (not
  necessarily limited to that required by the Regulations), and in what format;
- custodianship: who is responsible for preparing and maintaining the Safety Case;
- approvals: who is responsible for approving the Safety Case and its submission;
- document control procedures: how are revisions tracked, copies kept up-to-date; and
- reasons for revision: what are the company's triggers for initiating a revision to the Safety
  Case, and for submitting this to NOPSA.
These processes and procedures should interface with the processes and procedures for making
modifications to the facility, its activities and management (i.e. the company's overall
management of change process).
Draft processes and procedures could be discussed with NOPSA with a view to reaching an
agreement. If desired, the processes and procedures could be set out in the Safety Case itself,
although this is not a regulatory requirement.
Introduction
This section of the Safety Case Guidelines contains guidelines on the content of a Safety Case. It
has been written so that operating companies who are preparing or revising a Safety Case
understand the key principles that lie behind the requirements of the regulations. NOPSA
assessors will also conduct assessment of submitted Safety Cases according to these principles.
The content guidelines are divided into 4 sections:
- Safety Case assessment might commence with the facility description, to gain an
  understanding of the facility, as well as to check compliance;
- The Formal Safety Assessment might be assessed next, to gain an understanding of the
  hazards and risks, as well as to check compliance;
- The SMS might then be assessed, to confirm that the hazards and risks are being
  appropriately managed; and
- The overall content might be assessed last, once the individual aspects have been checked
  for compliance and been properly understood.
There is also a section on Validation, but where validation is required, it is not necessary to
describe this process in the Safety Case.
In each section, there is some descriptive text giving an overview of the key technical issues and
some feedback on common weaknesses seen historically in some Australian offshore Safety
Cases. Following the descriptive text, there is a set of principles given for each area.
For each Principle, the guidance notes include:
- A statement of the Principle itself. These have been generated based on industry best
  practice. As a set, the Principles give an overall picture of Safety Case requirements for any
  facility. As a general guide, a Safety Case must meet the requirements of each Principle to be
  accepted by NOPSA.
- The Reason for the Principle. The principles are linked back to the regulatory requirement.
  In some cases these are very specific, but in others are quite general.
- Examples of evidence have been included for each Principle to give some ideas of how the
  Principle may be put into practice. These lists are not exhaustive and any or all of the items
  on the lists may be applicable in any given case. Some examples of evidence may be more
  or less relevant at particular stages of the life of a facility. Nevertheless many of the examples
  of evidence are generally applicable, for example it is difficult to foresee a situation where
  distribution of Safety Alerts around an operating organisation (SC-02, first example) would
  not be necessary.
In preparation of these guidance notes consideration has been given to the range of facility types
and operating arrangements currently in place in Australian waters. It is not possible, however,
to anticipate every possible arrangement that may be in place in the future and hence the
Principles should not be seen as mandatory or comprehensive for every possible project, facility
or operation.
2.1 Introduction
The Safety Case is a record of the case for safe operation for the facility in question. It generally
consists of 3 related parts:
Historically, the Safety Case has taken an engineering systems approach to safety. This
perspective emphasises the inter-linkages between various items of engineering hardware and
the management systems in place to design, construct, install, operate, maintain, modify and
decommission offshore facilities. The role of people in this perspective tends to be related to
consideration of a specific error that an individual might make, and the hardware or system
improvements that can be made in order to minimise the potential for such an error.
A broader system view includes consideration of the people collectively - in terms of an
organisation. This perspective acknowledges that decisions made remote in both time and place
from the facility can be key causal factors in an incident at the facility, and that effective system
safety strategies must take this into account.
The organisational systems view also emphasises the importance of comprehensive change
management. Changes such as outsourcing, business process reengineering, centralisation,
decentralisation and multi-skilling must be assessed to determine possible effects on the risk to
people on the facility.
This wider systems view is consistent with the general Safety Case requirements and this
document therefore includes criteria that address organisational error.
2.1.2
The relationship of the Safety Case to the Safety Management System is often misunderstood.
NOPSA considers the relationship to be as follows:
- Although the Safety Case contains a description of the Safety Management System, the
  Safety Case is in fact subordinate to the SMS. The SMS is the fundamental basis for
  ensuring all aspects of safety at the facility. The Safety Case simply specifies and describes
  the SMS that applies.
- In this context, the SMS is taken to include not only the procedures and work instructions
  that govern the day-to-day activities at the facility (which are sometimes collectively referred
  to as the works management manual or the facility management system) but also those
  management processes that address organisational structure, recruitment, training, facility
  design, construction quality, etc (which are sometimes collectively referred to as the
  corporate management system).
- Whilst the Safety Case must specify or contain the Formal Safety Assessment, the Fire Risk
  Analysis and the Escape, Evacuation and Rescue Analysis for the facility, it is the SMS that
  contains and defines the procedures for initiating and conducting these studies.
- Although not an explicit requirement of the Regulations, the SMS should also contain the
  procedures for preparing and maintaining the Safety Case.
The conclusion of the Safety Case must be that, with certain systems in place and perhaps certain
improvements made, the risk to people on the facility is as low as reasonably practicable
(ALARP).
The components required to reach this conclusion will vary depending on the number and
complexity of hazards present on the facility. For a very simple facility with few hazards that are
well understood, a significant part of the demonstration that risk is ALARP may be reliance on
good practice, engineering judgement and adherence to codes and standards. In this case, very
detailed numerical risk assessment may add little to the understanding of issues related to the
safety of the people on the facility.
For more complex facilities with significant inventories of high pressure hydrocarbons, a
quantitative (numerical) assessment of consequences, escalation potential, frequency and risk is
likely to be necessary in order to have confidence that risk to people has been reduced to a level
where further risk reduction cannot be justified. In this case, some form of cost benefit review of
potential additional control measures is often useful.
2.1.4
Many MODUs that are moving into Australian waters have a Safety Case in place that has been
prepared to meet requirements for operation in the North Sea. Such Safety Cases may have
been prepared in accordance with the North West European HSE Case Guidelines for MODUs
issued by the International Association of Drilling Contractors (North Sea Chapter) i.e. IADC.
Safety Cases that meet the requirements of the IADC guidelines are generally likely to meet the
requirements of these guidelines, provided that they properly address the specific hazards and
risks of the activities that they will be performing in Australian waters, the local geotechnical and
metocean conditions, and the local emergency response issues.
The IADC Guidelines provide a quite specific template for a MODU Safety Case, which may be
useful in preparation of a Safety Case to meet Australian requirements. However, it should be
noted that the North West European (NWE) requirements for Safety Cases are broader than the
Australian requirements in two areas. Firstly, some NWE coastal states require the Safety Case to
address environmental management in addition to safety and health. Secondly, the equivalent of
the Formal Safety Assessment (called the Risk and Environmental Impact Assessments) covers:
- Major Hazards, called Major Accident Events in the Australian regime; and
- Other Workplace Hazards, i.e. those with a safety impact less than a Major Hazard. As noted
  earlier, these do not have to be addressed in the FSA in the Australian context, but have to
  be covered by the operator's management system; and
- Environmental hazards. These are covered by other regulations in the Australian context.
Bridging Documents
- Since the Facility Description defines the envelope of activities covered by the Safety Case,
  and the safe operational envelope of the facility, any activity, operation or location that falls
  outside that envelope will require preparation of a bridging document.
- Likewise, since the FSA identifies the hazards, assesses the risks and determines the
  necessary control measures for the activities that the facility will conduct, it is likely that the
  FSA will require amendment via a bridging document.
- The SMS may not always require amendment to account for particular operational activities.
  In many cases, in particular if the facility is operating stand-alone, the general SMS may
  remain appropriate. However, if working in conjunction with other facilities (e.g. working
  over a well on an operational platform) it would be necessary to amend the SMS to account
  for the interface with the management systems that apply at the other facility. In addition,
  emergency response plans are likely to change, according to the nature, location etc of the
  activities.
Note that the term "bridging document" does not appear in the legislation, but is a term that has
been adopted by many operators and regulators in Australia to describe the revision to the safety
case that is necessary to accommodate site-specific activities by a mobile drilling unit. In
practice, the bridging document requirement can be met in a number of different ways, as
discussed in Part 1 of the document.
2.1.6 Common weaknesses
Poor integration between the SMS and other relevant business systems such as
human resources, particularly when it comes to change management.
Some organisations prepare a Safety Case outside of their business systems to meet a
specific business need for Safety Case acceptance. This is likely to be unacceptable in the
longer term, if the requirements for hazard management identified in the Safety Case are not
integrated with day-to-day operations. This is because gaps are likely to develop between
what is actually done and what the Safety Case says is or should be done.
2.2 Preparation and Assessment Principles for the Overall Safety Case Process
Principle SC - 01: The Safety Case must contain
a Facility Description,
Reason
a) Specific requirements of regulation 9 (1).
Examples of Evidence
a) Paper or electronic documents exist.
b) A summary of the SMS exists with reference to the details.
c) A summary of the FSA exists that includes the following:
d) A description of the overall safety case philosophy and the linkages between the various
documents.
Reason
a) Regulation 9 (4)(c) requires continual and systematic identification of hazards. This requires
appropriate procedures in the management system, but also an appropriate organisational
culture.
Examples of Evidence
a) A visible commitment to safety could be demonstrated by policies and procedures covering
such issues as:
b) There is a system for sharing Safety Alerts, incident learnings or similar information between
various parts of the organisation.
c) A range of safety communication platforms are used such as safety meetings, toolbox
meetings etc. that keep an emphasis on the company policies and procedures with respect to
safety.
d) Policies and procedures encourage personnel to report safety issues and potential problems
eg Feedback is given to the workforce about the status of safety issues identified.
e) Policies and procedures encourage managers to actively look for areas of safety
improvement, rather than attempting to demonstrate that their areas are perfect.
f) There is a system for identification of plant, process and people related hazards by everyone
on-site.
g) Safety performance indicators do not just measure reactive / negative outcomes (eg. number
of injuries), they also track and monitor positive proactive indicators (eg. the number of risk
assessment items actioned, number of safety issues identified and resolved, training and
competencies, etc). This information is communicated.
Reason
a) Regulation 15 requires employees to be involved to a level such that they can arrive at an
informed opinion about the risks and hazards to which they are exposed.
b) Regulation 10 requires that systems are in place to ensure that the SMS is effective. Whilst
workforce involvement is not specifically mentioned, it would be difficult to argue that a
system was effective without involvement of employees.
c) Note that the Petroleum (Submerged Lands) Act includes specific requirements for processes
for workforce consultation and representation (including the role of Health and Safety
Representatives). The specific consultation requirements for this criterion should be met
within this wider framework. See specifically P(SL)A Schedule 7, clauses 12, 13, 15, 19(1),
20, 24 and 25.
Examples of Evidence
a) Documentary evidence of employee participation in Safety Case workshops.
b) Procedural requirements for employees to be involved in risk assessment sessions eg HAZID,
HAZOP.
c) Formal training for employees includes references to Safety Case processes and results to
foster an understanding of:
   - The hazards that affect them and the control measures in place.
   - The overall risk to which they are exposed and the main contributors to that risk.
d) Procedures exist that require field staff to be involved in preparation of procedures for
tasks that they perform.
Principle SC - 04: The Safety Case processes must be integrated with the
Operator's overall business management systems and practices (including
effective change management) in order to ensure that the case for safety
remains valid.
Reason
a) Regulation 9(4)(d) requires that the Safety Management System includes processes for
continual and systematic identification of hazards and assessment of risks.
b) Changes to the facility equipment or management practices and systems require
reassessment of risks to ensure that the risk remains as low as reasonably practicable.
Examples of Evidence
a) The safety assessment methods used in the safety case are built into the organisation's
corporate SMS and the facility-specific SMS.
b) Design and project procedures include safety assessment processes that are consistent with
the safety case approach.
c) Guidelines exist within the SMS and/or project procedures that detail when the safety case
risk assessment needs to be updated (eg. for significant changes).
d) The hazard register used as a basis for the safety case is a live document that is updated as a
result of projects, maintenance changes and other changes where required.
e) Management of change processes and procedures refer to the need to update the Safety
Case including items such as the hazard register (or bow ties if used, etc).
f) The training system (needs analysis, retraining program etc) incorporates the training
requirements for the operator to ensure:
   - New employees receive the training on the hazards, risks and controls as required by
     the safety case regime.
   - Existing employees receive re-training in line with the re-training philosophy for the
     facility.
Reason
a) Regulation 18 (2) requires that equipment is fit for purpose. This criterion requires
demonstration of this in the Safety Case.
Examples of Evidence
a) Verification processes and records.
b) Management system records for inspection and testing.
c) Appropriate codes and standards have been used.
d) Where significant changes have been made to the standards and codes, the implications of
these changes have been assessed.
e) Survivability assessment for those items that need to respond in an emergency.
f)
Management commitment
Benchmarking
Peer review
Reason
a) Regulation 9 (4) (e) requires that risks to people on the facility are reduced so far as
reasonably practicable. This applies to all risks, not just MAE risk.
Examples of Evidence
a) The Safety Case documentation has been approved and signed by senior management.
b) The commitment of management is demonstrated through:
c) The Safety Case includes a demonstration that the previous safety record of the
facility/organisation has been critically reviewed and that root causes have been
systematically addressed.
d) The Safety Case includes an implementation plan for improvements including specific
responsibilities and timing (or reference to such a plan).
e) There is a review process that manages the implementation plan for improvements.
f) The Operator clearly shows ownership and overall responsibility for the content of the Safety
Case and does not attempt to devolve that to others (eg design contractors or specialist
consultants).
g) The FSA provides a thorough and systematic assessment of the overall risk for the facility,
identifies the key risk contributors and the exposure to the various working groups.
h) The risk is compared against risk criteria that are benchmarked against industry and other
regulatory criteria.
i) Risk control measures are selected or rejected based upon the risk reduction achieved, the
cost effectiveness and the hierarchy of controls.
Reason
a) Reg 9 (4) (i) requires that performance standards exist for the SMS itself.
b) Reg 24 (2) (b) requires performance standards for the emergency response plan (which is
typically a critical control).
Examples of Evidence
a) The FSA includes a process to determine which of the risk control measures are most critical.
b) The Safety Case references performance standards for the SMS itself eg audit schedules,
requirements for system training etc.
c) The Safety Case references performance standards for the emergency response plan such as
number of different types of drills, frequency of updates to contacts listing etc.
d) The Safety Case references required performance standards (such as the nominated testing
and maintenance frequencies) for critical control measures identified in the FSA such as:
fire and gas detection systems, heating, ventilation air conditioning (HVAC) and
maintenance system(s)
corrosion monitoring
Meetings held at defined intervals to review the performance of the control measures
versus the performance standards and to drive improvements.
Facility Description
3.1 Introduction
3.1.1 Purpose
The purpose of the Facility Description is to document the factual information about the facility
that provides the basis of the Formal Safety Assessment and the Safety Management System. In
the sense that development of the FSA and SMS may result in a decision to modify the physical
facility, the FD also documents some of the outputs of the FSA and SMS development processes.
In order to provide an effective basis for, and documentation of the output of, the other parts of
the Safety Case, it is generally required that the design basis and philosophy are described, rather
than just the output of the design process. The implications of these decisions may result in
residual risks and controls that will be discussed in the other sections of the Safety Case.
Example
Overpressure protection philosophy is a typical example. The process facilities on an FPSO
may be designed to the maximum Shut In Tubing Head Pressure (SITHP) of the reservoir up
to a point on the separator outlet to crude storage. A description of this philosophy provides
better background to the FSA (and a lead in to discussion of the potential for overpressure of
the tanks and associated controls), than a simple listing of the design pressure of various
parts of the process.
Many Operators discover that the FD becomes a useful document for providing internal and
external stakeholders with an introduction to the facility.
3.1.2
The FD can be considered to be a description of the design and operating envelope of the facility
and all related activities. The design envelope for a facility, equipment item or activity is the set
of combinations of conditions that describe the boundary between safe and unsafe operation.
The operating envelope is the set of combinations of conditions that describe normal operations.
The difference between the two envelopes is the safety margin (in addition, there is often also a
safety margin between the design envelope and actual failure of the system).
This concept applies equally to the design pressure and temperature range of the process
equipment, the weather window for marine or helicopter operations or the range of lifts that can
be made by a facility crane. The metocean conditions chosen for the overall facility structural
design are also included.
Preparation of the FD involves a balance between providing a readable document that contains
useful information for the reader, and putting in so much detail that the document becomes
quickly out of date and/or requires many revisions.
In managing the content of the document, it is again important to remember that the focus of
the FD is on the design and operating philosophy and envelope and these are unlikely to be
subject to frequent changes.
Some of these issues are eliminated if the FD is prepared as an electronic document with live
links to the master copies of other information such as drawings.
3.1.4 Common Weaknesses
- Provision of too much operational detail so that the document is difficult to keep up to
  date
- Inclusion of vague statements, rather than specific facts about the facilities
- Including assertions about the overall acceptability of the facility design features
  independent of the risk assessment.
activities (current and planned) that are covered by the Safety Case;
Reason
a) Regulation 9 (2) requires the Facility Description to include this information.
b) Regulation 9 (3) (a) requires that the FSA covers all hazards having the potential to cause a
major accident event. This includes the facility itself, but also hazards that arise through
interactions with the surrounding environment and facilities. Since the FD provides the factual
input and output of the FSA process, it must cover all relevant environmental factors.
c) Regulation 9 (4) (g) requires that the Safety Case address communications facilities.
d) Regulation 18 (1) requires that the Safety Case specifies equipment that relates to, or may
affect, the safety of the facility.
e) Regulation 20 (1) requires that the Safety Case contains details of the lifesaving equipment
eg number of life rafts and launch/access arrangements.
Examples of Evidence
a) The Facility Description includes a list and brief description of the range of activities covered
such as operation, construction, maintenance, well interventions, marine operations,
helicopter operations etc.
b) The Facility Description includes specific information about each activity such as the
maximum number of people on the facility at that time and the frequency or duration of the
activity.
c) Drawings included in the FD show signs that they are checked as built.
d) The FD has been through a process of checking and approval, which is recorded.
f) The Facility Description contains details of the blast rating and heat resistance over time of
passive fire and explosion barriers.
g) The Facility Description contains details of the main active fire protection system such as
location and type of fire water pumps, level of redundancy, overall system reliability, deluge
capacity and design philosophy.
h) The Facility Description contains details of active and passive fire protection systems for
enclosures, rooms and spaces such as location and type of fire suppression systems, level of
redundancy, overall system reliability, capacity and design philosophy.
i) The Facility Description includes information under the appropriate headings such as:
   - general description
   - subsurface conditions
   - staffing
   - primary functions
   - drawing set
Examples of Evidence
a) The Formal Safety Assessment and Safety Management System sections of the Safety Case
contain cross-references to the relevant parts of the FD. For example, the FD may state the
maximum number of people on board. This could be cross-referenced in the FSA (as one of
the inputs to the risk assessment) and in the SMS (with regards to any procedure required to
manage numbers on board).
b) The description of the safety features contains the design philosophy including:
   - when and how safety features and systems are activated in an emergency, and
   - where from: manual, auto-electric, air etc
These safety measures are listed in the FSA as control measures and the design philosophy
considered as an integral part of demonstrating fitness for purpose.
c) Performance standards for critical controls may be contained in the Facility Description, but
referenced from and justified in the Formal Safety Assessment eg conclusions regarding the
required test frequency for a critical instrumented system.
d) The Facility Description details the design envelope for various parts of the system and the
Formal Safety Assessment specifically addresses possible hazards leading to a departure from
the design envelope, eg design pressure/temperature envelope for sections of the process
specified in the FD and operating conditions such as introduction of nitrogen into liquid LPG
systems that could lead to very low temperatures.
Criterion FD-03: The Safety Case must list or refer to all Australian or
international Standards to be applied in the design, construction,
installation, modification, operation and decommissioning of the facility or
plant used on or in connection with the facility.
Reason
a) Specific requirement of Regulation 11.
b) Use of engineering judgment in the form of codes and standards is a valid part of the
demonstration that risk to people on the facility has been reduced to a level that is as low as
reasonably practicable.
Examples of Evidence
a) The Safety Case contains a list of the relevant codes and standards (including revision
number / date) or a reference to some other system or systems that record the relevant
codes and standards.
b) The basis for selection of a specific standard is given.
c) Where deviations from the standards do occur, this decision is justified by risk assessment.
d) An understanding exists as to the level of compliance with these standards.
e) A system exists to ensure that compliance with the relevant codes and standards is
considered as part of any modification to the facility.
f) A system exists to ensure the safety implications of major changes to relevant codes and
standards are identified and considered.
Criterion FD-04: The Safety Case must specify an office or position on the
facility, the occupant of which, when on duty:
Reason
a) Specific requirement of Regulation 12 (1) (a).
b) Part of a modern safety management system approach is to clearly define responsibilities.
This must be seen to start from the top of installation management.
Examples of Evidence
a) The Facility Description includes information about the organisation structure on the facility
including the name of the position of the person in charge or a reference to the location of
this information.
b) The Safety Case includes information about the specific safety responsibilities of the
management team on the facility or a reference to the location of this information.
c) Contingency arrangements are in place to cover the incapacitation of key personnel during an
emergency to ensure the continuance of a chain of command.
Criterion FD-05: The Safety Case must specify the medical and
pharmaceutical supplies and services, sufficient for an emergency
situation, that must be maintained on, or in respect of, the facility.
Reason
a) Specific requirement of Regulation 17.
Examples of Evidence
a) The Facility Description includes a list of the specific supplies including location, quantity,
storage arrangements and authorised users or a reference to a document that includes this
information.
b) The Facility Description includes a list of the specific medical services that are available
including location, type and availability or a reference to a document that includes this
information.
facility overview
structure
geographical location
water depth
wind
geotechnical
foundation strength
geotechnical data
anchoring
seabed conditions
Structure Layout:
platform orientation
elevation/plan views
equipment
accommodation
well bays
riser(s)
helipad
cranes
Vessel layout (include the following where applicable for Floating Production Storage and
Offloading Vessels):
mooring patterns
Completion arrangements
4. Staffing
This should include a description of the organisational structure for the facility, and for relevant
parts of the company management. It should indicate the incumbents of key positions, and state
their competency and selection criteria.
Checklist of typical items included or referenced:
numbers and location of people taking into account fluctuations with shifts, maintenance
activities, visitors
Shift arrangements.
5. Primary Functions
For each function, the description should include systems, equipment, controls, arrangements,
policies, procedures and supporting design criteria as appropriate with an emphasis on their role
in prevention, reduction and mitigation of major accident events.
Special attention should be paid to the stated limits of operation of each function (maximum,
minimum, level of redundancy etc).
process systems:
safety control systems for use during emergencies for example controls at the
temporary refuge or emergency assembly area
downhole equipment
utility systems:
power generation and distribution (including supply and safety critical equipment)
emergency lighting
potable water
navigation lighting
chemical injection
drilling systems:
marine functions/systems:
supply/service vessels
standby vessels
diving operations
aircraft operations:
onshore base
capability of aircraft
helicopter refuelling
helideck
reservoir fluids
pipelines fluids
process fluids
process fluids
other substances
The range of sizes of isolated inventories in the event of a platform shutdown shall be given.
Material safety data sheets should be referenced in the safety management system section of
the safety case.
detection systems
toxic detection
heat detection
smoke detection
drilling
subsurface shutdown
surface shutdown
fire pumps
deluge system
sprinkler system
inert systems
instrumentation systems
pharmaceutical supplies
Ballasting systems
8. Drawing Set
A drawing set is essential to understanding. The drawings provided in/with the Safety Case
should be sufficiently comprehensive and detailed to enable NOPSA's assessment, but need not
contain all engineering details.
Checklist of typical items included or referenced:
A typical drawing set could include:
quarters layout
mooring layout
heating ventilation and air conditioning system (HVAC) (intakes and vents).
process schematic
4.1 Introduction
4.1.1
The safety management system (SMS) is the method by which safety is managed on the facility.
Having said that, an SMS is much more than simply a set of procedures. The thing that makes
the system is the way that all the documentation links together and links to the risks that it is
designed to address.
From a risk assessment perspective, the SMS is the method of reducing risk and ensuring that it
remains As Low As Reasonably Practicable over the life of the facility.
One of the key features of an SMS is the continuous improvement cycle. This means that the
starting point for development of an SMS is the definition of the policy and objectives of the
system. Once these are set, the next step is planning, which involves determination of the
resources required to achieve the objectives that have been set. In an SMS, risk assessment is
usually one of the planning elements as the risk exposure, and hence risk control strategies,
determines much of the rest of the system.
[Figure: the SMS continuous improvement cycle, with the stages Policy & Objectives, Planning,
Implementation and Continuous Improvement. Annotations on the figure: "An effective management
structure and systems are in place for delivering the policy." and "There is a shared common
understanding of the organisation's vision, values & beliefs."]
UK Health and Safety Executive publication HSG65. Successful health and safety
management.
North West European HSE Case Guidelines for MODUs, issued by the International
Association of Drilling Contractors.
Another key aspect of an SMS is that the continuous improvement loop applies not only to the
system as a whole, but also to each individual element. An example of this would be Emergency
Response where part of the policy for emergency response might be that all major types of
scenarios (as identified in the FSA) are tested annually. The planning for this would be covered
by the schedule for emergency exercises. Processes should check that the exercises have been
done and results recorded. Continuous improvement would be demonstrated by ensuring that
recommendations made as a result of the exercises are actioned and systems are re-tested as
appropriate in the next scheduled period.
To cover these principles, management system documentation is typically organised into (at
least) 3 tiers or levels:
The second level is typically a set of guidelines (one for each element) that describe
policy, planning etc for that element.
The bottom level (or levels) of the system is the detailed procedures.
Whilst the above discussion has focussed on how the documentation is organised, in a broader
system sense a key issue is leadership and management commitment. The management system
must ensure that appropriate people are hired; that they are trained to acquire the appropriate
skills, and that they are motivated on safety issues by appropriate leadership.
The Formal Safety Assessment is a study or set of studies conducted in order to gain an
understanding of the Major Accident Events, to determine whether there are sufficient risk
controls in place, and to determine which are the most important risk controls.
As the SMS must cover management of all safety related issues, there are 2 important links to the
FSA:
The processes used to prepare and update the FSA, and the rest of the Safety Case,
must be included in the SMS
The risk controls identified will include management system elements, either because the
controls are themselves procedures or administrative systems, or because a hardware
control needs to have a system in place to describe the related training, operation and
maintenance.
It should be noted that the SMS must cover ALL safety-related issues, not just those related to
Major Accident Events.
4.1.3
The documentation submitted on the subject of the SMS as part of the Safety Case itself should
be a demonstration that the system in place generally addresses the SMS Principles from Section
4.2. In other words this can be a description of the system, rather than large sections of the
system documentation itself.
Another issue with submitting sections of the SMS itself is the need to control revisions.
4.1.5
Common weaknesses
Too much focus on documentation, too little focus on active leadership in the field
Gaps identified but no system in place for prioritisation and close out
Reason
a) Regulation 9 (4) (a) requires that the SMS is comprehensive and integrated.
b) Coverage of the management system loop is a requirement of Regulation 10 for the system
as a whole.
Examples of Evidence
a) The Safety Management System includes a documented policy authorised by the accountable
chief executive that clearly states strategic safety objectives and a commitment to continual
safety performance improvement.
b) The Safety Management System includes (or references) plans made by the organisation to
ensure that the policies etc are implemented. Issues that should be addressed include
leadership, commitment, workforce involvement, resourcing and roles and responsibilities.
c) The Safety Management System includes (or references) systems and procedures covering
both people and technology to ensure that the desired safety outcomes can be achieved in
the workplace.
d) The Safety Management System includes (or references) performance standards against
which the actual performance can be compared. Note that this applies at both a total
system, element and individual procedure level
e) The Safety Management System includes (or references) a step that ensures overall system
improvements are identified by methods such as external benchmarking, systemic review of
incident and/or performance data, internal and external audit.
f) The Safety Management System follows the structure of an established model or standard
such as:
UK Health and Safety Executive publication HSG65. Successful health and safety
management.
North West European HSE Case Guidelines for MODUs, issued by the International
Association of Drilling Contractors.
Principle SMS-02: The Safety Management System should also address the
management system loop (policy, objectives, planning, implementation,
monitoring and review) for each element, and for the system as a whole.
Reason
a) Regulation 9 (4) (a) requires that the SMS is comprehensive and integrated. Use of the
management system loop is part of best practice for SMS development.
Examples of Evidence
a) Documentation of specific SMS elements includes not only the specific requirements and
activities to be carried out, but also some statement of policy, purpose or the overall aim of
the element in question.
b) The SMS reflects top management commitment and culture and how this is driven down into
the management of safety.
c) The SMS details how the SMS fits into the overall management of the organisation.
d) The documentation clearly describes roles and responsibilities of personnel involved in
implementing each element of the SMS, and in overall management of the SMS, allocated at
an appropriate level to demonstrate commitment and drive a positive safety culture.
e) Roles and responsibilities are incorporated into the job descriptions for key personnel.
f) SMS elements and procedures detail when, how and the resources required to manage the
activities associated with them.
j) Documents describe how improvement plans, audits etc are scheduled, resourced and
allocated and implementation monitored.
k) Documentation of specific elements includes references to how the performance of the SMS
element is monitored.
l)
4.2.2
4.2.3
Planning
Examples of Evidence
a) The SMS describes how safety is managed for all the activities described in the facility
description (eg. Marine, cranes, general operations etc).
b) The SMS applies to all stages of life-cycle of the facility as described.
c) Systems and operating procedures are available for normal and abnormal operations
described in the FD.
d) Safe operating limits (such as Critical Operating Parameters) are defined for all activities.
e) The incident investigation and reporting procedures call for investigations to be conducted
where the plant operating envelope, as described in the FD, is exceeded.
f) Management of change covers all aspects of the operations and facilities described in the FD.
g) The design philosophies described within the facility description are consistent with the SMS
(and related documents) elements associated with facilities design. For example:
performance criteria for emergency systems listed in the FD should be linked back to
the safety management system.
Design QA requirements listed in the FD are described in the SMS and related
documents.
h) SMS elements are consistent with the organisational structure and staffing arrangements.
For example, the roles and responsibilities described in the SMS elements match the
organisation as described in the FD.
Principle SMS - 05: The Safety Management System must address risk to
people on or near the facility due to all hazards (not just MAEs).
Reason
a) Regulation 9 (4) (c), (d) and (e) generally require that the SMS covers hazard and risk
management for all risks to people on the facility
Examples of Evidence
a) Processes used in preparation of the FSA are documented as part of the SMS.
b) Management system documents exist detailing the procedure to be followed in updating the
FSA, including triggers for a revision.
c) The Safety Management System includes risk assessment processes other than the FSA such
as:
Hazop
and the results of these processes are linked to the risk controls in the SMS.
Reason
a) Regulation 10 requires that systems are in place to ensure that the SMS is effective.
b) Regulation 15 requires persons involved with the facility to be involved to a level such that
they can arrive at an informed opinion about the risks and hazards to which they are
exposed.
c) Note that the Petroleum (Submerged Lands) Act includes specific requirements for processes
for workforce consultation and representation (including the role of Health and Safety
Representatives). The specific consultation requirements for this Principle should be done
within this wider framework. See specifically P(SL)A clauses 12, 13, 15, 19(1), 20, 24 and 25.
Examples of Evidence
a) Field based employees (or their representatives) have been involved in development of
procedures for tasks that they perform.
b) Contractor representatives have been involved in development of links between the systems
of the operator and those of the contractor organisation where interfaces exist.
c) General staff such as field based employees and design engineers have been trained in the
principles of the safety management system and their responsibilities and accountabilities
within that system.
d) Where specialist expertise external to the Operator has been used to develop all or part of
the SMS, operating company personnel can demonstrate a clear understanding of the
purpose and requirements of the system.
e) Systems are in place to ensure that personnel have the appropriate level of competency and
knowledge to carry out the tasks required of them.
f) For critical activities competency is assessed prior to the individual being permitted to carry
out a task.
Reason
a) Storage of copies of the Safety Case itself is a specific requirement of regulation 27.
b) Regulation 9 (4) (a) requires the SMS to be comprehensive and integrated. A comprehensive
system must be controlled sufficiently to ensure that personnel are using accurate and up to
date systems, procedures and forms.
Examples of Evidence
a) Documentation includes a revision record showing who wrote the document, who reviewed it
and who has authorised its use.
b) All documentation including forms and other things used in the field are clearly labelled with
revision identification.
c) The revision record shows that the documentation has been updated and reissued as
necessary.
d) An up to date audit plan exists.
e) The audit schedule covers all aspects of the SMS and Safety Case.
f) An action management system is in place to document actions taken and close out.
Principle SMS - 08: The Safety Management System should detail roles,
responsibilities and reporting structures affecting safety. In particular, the
Safety Case must describe (or reference) the arrangements for command
of the facility in normal operation and in an emergency including:
Reason
a) Requirement of regulation 12 (2).
Examples of Evidence
a) The facility description provides an organisational chart for the facility and who is in
command.
b) Backup personnel are defined in the event of absence of the person in command or their
incapacitation during an emergency.
c) Training needs of the person in command are defined in the Job Description and/or training
needs analysis.
d) A current emergency response contact list exists and is available at emergency control centres.
Principle SMS - 09: The Safety Case must include a description of the
provisions made to ensure that each employee has the appropriate skills,
training and ability for the range of tasks that he or she may reasonably be
asked to perform, including specifically:
Reason
a) Skills, training and ability of personnel to perform tasks is a requirement of regulation 13.
Note that the most general interpretation of the requirements of this regulation covers
onshore engineering and management decision making in addition to employees offshore.
b) Actions required in an emergency are specifically addressed in regulation 24 (4).
c) Competency in permit to work requirements is specifically addressed in 14 (2)(c).
Examples of Evidence
a) Procedures exist regarding selection of personnel for safety critical positions.
b) Training requirements have been defined based on safety critical tasks including
Induction
Initial training
Emergency scenarios / desk top audits are conducted to assure readiness and confirm
competency for emergency response actions.
Principle SMS - 10: The Safety Case should include a demonstration that
the number of personnel on the facility is adequate for the range of tasks
that may be required to be performed simultaneously on the facility, both
in normal operation and in an emergency.
Reason
a) Skills, training and ability of personnel to perform tasks is a requirement of regulation 13.
The number and type of simultaneous activities required to be undertaken by any individual
has a direct impact on their ability to perform the tasks adequately.
Examples of Evidence
a) Systematic studies of tasks required to be done simultaneously have been conducted and
assessed relative to the staffing and competency levels likely to be present on the facility.
b) The studies have included the range of potential emergency scenarios that exist.
c) Task analysis studies to identify the range of cognitive skills required by individuals who are
required to perform simultaneous tasks.
d) In considering emergency response consideration is given to fatigue, workload, stress on the
ability of the person to identify and diagnose problems.
4.2.4
Implementation
Reason
a) Regulation 25 requires this for pipelines.
b) Regulation 26 requires this for vessels and aircraft operations.
c) Regulation 9 (4) requires the SMS to be comprehensive and integrated.
Examples of Evidence
a) Procedures exist for all key activities and modes of operation.
b) Procedures are present to control risks during all phases of the facility's life including design,
construction, commissioning, operation and abandonment.
c) The safe operating procedures cover both abnormal and normal operation.
d) The safe operating procedures acknowledge the hazards identified during the FSA and
emphasise the control measures used to protect against the hazard.
e) Procedures contain:
Details of the consequences of exceeding the limits and actions to be taken should
they be exceeded.
Examples of Evidence
a) Policy available that details the objectives for control of integrity, measurable performance
targets and management commitment.
b) Documentation exists detailing the maintenance and inspection philosophy. (eg. Risk based
versus fixed interval)
c) Documentation is available that details what equipment is included and excluded from the
integrity program
d) Adequate resources are supplied as demonstrated by the completion of the PM and
inspection programs.
e) Responsibilities for management of these systems are included in procedures and job
descriptions.
f)
g) A management system exists to plan, implement and report on inspection and maintenance
activities.
h) Reports are available that detail the performance of inspection program.
Examples of Evidence
a) An approved list of equipment & materials suppliers and contractors is available that is
endorsed by appropriately qualified and competent personnel.
b) All contractors are pre-qualified before being offered the opportunity to tender. This pre-tendering process could include:
c) Procedures require that contractor employees and subcontractors have completed the site
induction and relevant safety training.
d) Audits are conducted on contractors in the same way as the organisation's employees.
Audits include:
Work Permits
e) Contractors and subcontractors use the same system for reporting and investigation of
incidents.
f) The management of change system includes changes in materials, contractors and suppliers.
Principle SMS-14: The Safety Case must describe the operational and
emergency communications systems between the facility and:
Onshore installations
Other facilities.
Reason
a) Regulation 9 (4) (g) requires that the SMS makes provision for the communications between
the facility and appropriate onshore installations, appropriate vessels and aircraft and other
appropriate facilities.
b) Regulation 22 provides for the specification of emergency communication systems.
Examples of Evidence
a) The Safety Case contains or references details of communications system such as capacity,
operating constraints/limits (if any), reliability, redundancy, hierarchy of operation.
b) The Safety Case contains an assessment of the survivability of each communications system
in an emergency.
Examples of Evidence
a) Management of Change (MOC) processes are documented which provide for appropriate
levels of review, authorization and training prior to implementing a change.
b) Change is defined in the procedure to cover changes in personnel, organization structure,
plant, processes and process variables, materials, equipment, operating and maintenance
procedures, software, other aspects of design or external influences.
c) The MOC procedure includes temporary, emergency, and permanent changes and associated
time period for the change where a temporary change is required.
d) The MOC requires documentation of the technical basis for the proposed change, EHS,
engineering, and operational reviews, as well as authorisations.
e) The MOC has a post implementation review to assure that documentation is updated and that
the change has achieved objectives and actions closed out.
f) A system is in place such that, when a new facility or a significant modification to the existing
facility occurs, assurance is provided that:
A risk assessment has been conducted and actions completed prior to startup.
Cold work
Electrical work
Diving operations.
Reason
a) Regulation 14 (1) and (2) requirements.
Examples of Evidence
a) A documented permit to work system is provided that addresses the areas listed above as a
minimum.
b) Procedures address roles and responsibilities for issuing, receiving and performing work
under the permit, including hand-back and recommissioning.
c) The permit procedures and permit should address:
d) The PTW system includes monitoring and audit requirements to assure the effectiveness of the
system.
e) The permit should address:
Equipment involved
PPE requirements
The PTW system details the training requirements for personnel involved in the issue or
receiving of the permits as well as those undertaking the work.
Access to equipment
Structural integrity
Reason
a) Requirement of regulations 16 (1) and (2) (a), (b) and (c)
Examples of Evidence
a) Systems are in place that require the use of relevant engineering and design standards.
b) Systems are in place that require HSE studies and reviews, including Hazard Identification
and Risk Assessment.
c) The system provides for hazard studies to consider the lifecycle of a facility or project
including design, procurement, construction, commissioning phases and post commissioning.
d) The system provides for the identification of EHS Critical plant, equipment, structures,
instrumented systems and control systems, including software so that they may be
appropriately controlled on an ongoing basis.
e) Design principles, practices and engineering standards are documented.
f) A design review and approval process is in place that ensures that all affected personnel are
involved.
g) Changes required in the design are required to be documented, reviewed and approved via a
change management process (eg. Engineering change request or similar).
h) Procedures are in place to ensure that the facilities are designed and constructed to approved
specifications, standards and procedures.
i) QA procedures are in place to assure that vendor supplied equipment and site construction
work are fit for purpose. This includes appropriate use of NDT, external certification and
inspections.
Examples of Evidence
a) A drugs and alcohol policy exists that:
Describes the unacceptability of coming to work under the influence of drugs and
alcohol that inhibit performance of duties in a safe and efficient manner.
A framework for constructive intervention, where drug and alcohol issues exist,
enabling employees to seek early treatment and return to their appropriate place
within the work force.
Examples of Evidence
a) An emergency response plan is available.
b) The emergency response plan has been developed based on an assessment of emergency
situations that might arise from facility activities and strategies have been developed for
those situations. These may include
medical emergency
utility failure
security threats
c) Systems are in place to rapidly warn people present on the facility. This includes:
F&G systems
Communication systems
Emergency alarm
d) The emergency plan describes the organisational structure, authorities and responsibilities.
e) The organisational structure is described in the Safety Case and is also clearly displayed on
the facility.
f)
Communications failure
A system is in place to ensure that new personnel are inducted as to the location of alarms,
alarm tones and required response.
j) A system is in place to ensure that facility personnel are provided sufficient training for their
role in the emergency.
4.2.5
Monitoring
Examples of Evidence
a) System in place for pre-employment medicals and regular checks.
b) System in place for identification of health hazards and addressing them via a hierarchy of
controls approach.
c) Specific monitoring and analysis for residual health hazards eg noise and hearing loss,
hazardous substances and exposure effects.
d) Policy in place on fitness for duty including fatigue.
4.2.6
Examples of Evidence
a) The Safety Management System includes (or references) performance standards against
which the actual performance can be compared. Note that this applies at both a total
system, element and individual procedure level
b) The Safety Management System documentation includes audit schedules, protocols and
results.
c) There is a system in place for tracking audit actions to close out.
d) A system exists for employees to raise problems with the system and for such issues to be
evaluated and actioned as appropriate.
e) A performance review process exists that includes a review of the SMS performance
measures and indicators. Deficiencies are identified from this process.
f) There is a system in place for tracking the status of incident investigations and the action
items arising from them.
g) The incident investigation process involves a root cause analysis to detect system faults.
Examples of Evidence
a) The Safety Management System includes (or references) performance standards against
which the actual performance can be compared. Note that this applies at both a total
system, element and individual procedure level
b) The Safety Management System includes (or references) a step that ensures overall system
improvements are identified by methods such as external benchmarking, systemic review of
incident and/or performance data, internal and external audit.
c) A system exists for employees to suggest changes to improve the system and for such
suggestions to be evaluated and actioned as appropriate.
5.1 Introduction
5.1.1
Purpose
The purpose of the Formal Safety Assessment is to demonstrate that, in relation to major
accident events, all reasonably practicable controls have been identified in order to ensure that risk
is as low as reasonably practicable (ALARP). Note that implementation and ongoing
management of controls is covered by the SMS.
As part of this it is necessary for the operator to ensure, through appropriate analysis and
assessment, and through implementation of the findings of those assessments, that:
the exposure of employees on the facility to hazards has been minimised, firstly through
elimination of hazards and secondly through control of remaining hazards
the integrity of the temporary refuge, fire protection and detection systems, escape
routes, evacuation / embarkation points and lifeboats/liferafts under accident conditions
is maintained so far as is reasonably practicable
all reasonably practicable steps have been taken to ensure the safety of persons in the
temporary refuge, using the escape routes and at the embarkation points, until such time
as all employees have reached a place of safety or have left the facility
there are adequate facilities within the temporary refuge to expedite safe escape and
evacuation of employees during a major accident event.
In this context, Formal Safety Assessment is taken to include the Fire Risk Analysis that is
required by regulation 23, and the Escape, Evacuation and Rescue Analysis that is required by
regulation 26.
5.1.2
Concepts of Risk
Risk may be defined as the likelihood of a specified undesired event occurring within a specific
period or in specified circumstances. It may be expressed as a frequency, being the number of
occurrences of the specified event that can be expected in a given period. Alternately, it may be
expressed as a probability, being the probability of the specified event arising in particular
circumstances. Thus we can talk about the risk of boat collision during unloading operations,
meaning the probability that there will be a boat collision whilst unloading is occurring, or the risk
of a gas leak due to corrosion, meaning the average annual frequency of such leaks.
In the context of the Formal Safety Assessment, the overall risk of interest is the risk of fatality
due to all possible Major Accident events (of which there may be many, two of which may be boat
collision and gas leak due to corrosion).
In numerical terms, the risk from a particular MAE is the product of frequency and consequence.
The likelihood, consequence and risk may each be expressed either qualitatively or quantitatively.
Qualitatively, terms such as below are typically used:
Likelihood: Not credible, unlikely, likely, very likely
Consequence: Minor, Significant, Major, Catastrophic
Risk: Low, medium, high, very high
These may be combined in matrix format, for example as follows:
Likelihood     Minor     Significant   Major       Catastrophic
Very likely    High      High          Very High   Very High
Likely         Medium    High          High        Very High
Unlikely       Medium    Medium        High        High
Not credible   Low       Medium        Medium      High
Acceptability of risk would be based on the low, medium, high, very high categorisation. The
categories of likelihood and consequence might also be assigned numeric values, which would be
estimated based on judgement, historic data or quantitative assessment.
Typical quantitative measures of risk used for offshore petroleum facilities are as follows:
IRPA: Individual Risk Per Annum, being the probability (typically averaged over the entire
crew or over a particular team) that an individual person will be killed over a one-year
period. Risk expressed in this way can readily be compared to the risks of, say, driving,
flying, house fires, diseases, etc. Typical risk levels for the offshore industry lie in the region
0.0001 per year to 0.001 per year, i.e. between 1 in 10000 and 1 in 1000 per year. It is
common to set a limit of 0.001 per year above which the risk is considered intolerable; this
roughly corresponds to the risk level that is observed in Australia in recognised high-risk
industries such as forestry and fishing, but greater than the risk in mining and construction.
PLL: Potential Loss of Life, being the number of fatalities that are expected to occur on
average in a one-year period. This measure of risk depends on the number of persons
exposed; for a facility that has a workforce of 100 (summed over all shifts), a typical PLL is
In the context of MAE risk as addressed in the FSA, the demonstration that risk is as low as
reasonably practicable is based on the concept:
Between these two risk levels there is a grey area where the risk may be accepted by a
company or individual provided that the risk can be shown to be as low as reasonably
practicable. This is commonly called the ALARP region.
In the ALARP region, principles of continual improvement apply. This means that risk reduction
measures should be adopted until the difficulty and cost of adoption exceeds their benefit.
Further, where the risk level is close to the tolerability / acceptance criteria, control measures
should be adopted unless their difficulty and cost grossly outweigh their benefit. Except in
exceptional circumstances it would be expected that all control measures set out in industry
standards are adopted.
Note that the demonstration that MAE risk is ALARP is a two-step process, firstly to determine
where the risk falls (intolerable, in the ALARP region, broadly acceptable) and secondly to
determine what further risk reduction can be justified. Simply determining that the risk falls into
the ALARP region does not mean that the second stage of the process can be skipped.
Some organisations have a system of management reporting, monitoring or sign off for hazards
determined to pose significant risk eg anything in the high or very high area of the risk matrix.
Whilst management focus (particularly on controls for these hazards) is good, it is not in itself a
demonstration that the risk has been reduced as far as reasonably practicable.
The process described can be used qualitatively eg in the form of a risk matrix or to judge the
results of a numerical assessment ie QRA. One disadvantage of the risk matrix approach is that
MAEs are judged individually and it is difficult to address the overall level of risk to people on the
facility in this form of analysis. Some form of approximate cumulative analysis is likely to be
required, firstly to justify the boundaries in the risk criteria and secondly to show that the overall
assessed risk is reasonable (in addition to the risk from each MAE).
If risks are quantified, then generation of ALARP criteria is easier and the key issue becomes the
accuracy of the risk calculations and the assumptions made.
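The limitation of the risk matrix described above can be shown with a small calculation. The following is an added example, not part of the Guidelines: it encodes the risk matrix given earlier, rates each MAE on its own, then sums frequency times consequence into a PLL and a crew-averaged IRPA. The hazard register, the workforce of 100, the averaging of IRPA as PLL divided by persons exposed, and the lower "broadly acceptable" bound are assumptions constructed for illustration; only the matrix and the 0.001 per year limit come from the text.

```python
from dataclasses import dataclass

CONSEQUENCES = ["Minor", "Significant", "Major", "Catastrophic"]

# Risk matrix from the guideline text: row = likelihood, column = consequence.
MATRIX = {
    "Very likely":  ["High", "High", "Very High", "Very High"],
    "Likely":       ["Medium", "High", "High", "Very High"],
    "Unlikely":     ["Medium", "Medium", "High", "High"],
    "Not credible": ["Low", "Medium", "Medium", "High"],
}

IRPA_INTOLERABLE = 1e-3         # per year; the limit quoted in the text
IRPA_BROADLY_ACCEPTABLE = 1e-6  # per year; ASSUMED placeholder, not from the text


@dataclass(frozen=True)
class MAE:
    """One hazard register entry (all entries below are constructed)."""
    name: str
    likelihood: str    # qualitative category, assigned by judgement
    consequence: str   # qualitative category, assigned by judgement
    frequency: float   # expected events per year
    fatalities: float  # expected fatalities per event


def matrix_rating(mae):
    """Qualitative rating of a single MAE, judged on its own."""
    if mae.likelihood not in MATRIX or mae.consequence not in CONSEQUENCES:
        raise ValueError(f"unknown category for {mae.name!r}")
    return MATRIX[mae.likelihood][CONSEQUENCES.index(mae.consequence)]


def pll(register):
    """Potential Loss of Life: expected fatalities per year over all MAEs."""
    return sum(m.frequency * m.fatalities for m in register)


def average_irpa(register, persons_exposed):
    """Crew-averaged IRPA, taken here as PLL / persons exposed (assumption)."""
    if persons_exposed <= 0:
        raise ValueError("persons_exposed must be positive")
    return pll(register) / persons_exposed


def alarp_region(irpa):
    """Step one of the two-step ALARP demonstration: where the risk falls."""
    if irpa > IRPA_INTOLERABLE:
        return "intolerable"
    if irpa < IRPA_BROADLY_ACCEPTABLE:
        return "broadly acceptable"
    return "ALARP region"


def rank_contributors(register):
    """MAEs ordered by their share of the total PLL, largest first."""
    total = pll(register)
    if total == 0:
        return []
    shares = [(m.name, m.frequency * m.fatalities / total) for m in register]
    return sorted(shares, key=lambda item: item[1], reverse=True)


def summarise(register, persons_exposed):
    """Matrix view and cumulative view of the same register, side by side."""
    irpa = average_irpa(register, persons_exposed)
    return {
        "ratings": {matrix_rating(m) for m in register},
        "pll": pll(register),
        "irpa": irpa,
        "region": alarp_region(irpa),
        "ranked": rank_contributors(register),
    }


# Constructed hazard register: every entry rates "Medium" in the matrix.
REGISTER = [
    MAE("Process gas leak, ignited", "Unlikely", "Significant", 2.0e-2, 1.5),
    MAE("Dropped object onto process deck", "Unlikely", "Significant", 1.0e-2, 2),
    MAE("Boat collision with riser", "Not credible", "Major", 2.0e-3, 10),
    MAE("Blow-out during well operations", "Not credible", "Major", 1.0e-3, 20),
    MAE("Helicopter accident at facility", "Unlikely", "Significant", 5.0e-3, 4),
    MAE("Structural failure", "Not credible", "Major", 5.0e-4, 30),
]

if __name__ == "__main__":
    result = summarise(REGISTER, persons_exposed=100)
    print("Matrix ratings seen:", sorted(result["ratings"]))
    print(f"PLL  = {result['pll']:.3f} fatalities per year")
    print(f"IRPA = {result['irpa']:.2e} per year -> {result['region']}")
    for name, share in result["ranked"]:
        print(f"  {share:5.1%}  {name}")
```

Every entry rates Medium in the matrix, yet the summed risk sits above the 0.001 per year limit, which is the case the approximate cumulative analysis is meant to catch.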
A third aspect that should be considered in the risk criteria adopted is the relative aversion of
society to high consequence low frequency events, compared to low consequence high frequency
events. This means that extra consideration should be given to scenarios that can lead to large
numbers of fatalities, even if the overall risk is judged to be low (based on the very low
frequency).
It should be noted that the demonstration that all risks to people on the facility are as low as
reasonably practicable lies with the Safety Case as a whole, not just the FSA. Assessment of MAE
risk is a key aspect of a demonstration of ALARP, but other aspects may be at least as important
(refer to criterion SC-06).
5.1.4 Process
The FSA process typically includes the following steps (see figure):
Hazard Identification
This step involves the identification of the hazardous events that may occur at the facility. For the
purpose of later analysis, the hazardous events are often categorised as hydrocarbon hazards
and non-hydrocarbon hazards, within which there may be sub-groups. For example, blow-out,
process loss of containment, fire, explosion, etc might be sub-groups of the hydrocarbon hazards,
whilst dropped objects, structural failure, ship collision, loss of stability, etc would be sub-groups
of the non-hydrocarbon hazards. A database or similar is then developed to record the details of
all of the identified hazardous events; this is frequently referred to as a hazard register.
At this stage in the process the measures in place to control risk and assumptions made about
their performance should also be recorded.
[Figure: Overall FSA process. Box labels: Objectives / Process (overall FSA process; safety goals/criteria); Hazard identification (hazard listing; hazard ranking); Hazard documentation; MAEs (consequence studies; risk assessment studies; sensitivity studies); Others; Assessment of results (major risk contributors; potential risk reduction measures); Risk reduction process/measure (risk reduction methods adopted); Assess acceptability against criteria; Apply ALARP principles.]
[HOLD: THIS HAS BEEN TAKEN FROM THE EXISTING GUIDELINES, AND NEEDS UPDATING.]
Identifying the various circumstances in which the hazardous events may occur, i.e. the
potential causes of the events and the controls in place. Note that some practitioners use
the word hazard to refer to the cause, whilst others use the term threat.
Estimating the likelihood or probability of those events occurring, and the likelihood of
each cause leading to the event. These estimates may again be based on judgement, or
on quantitative analysis, or a combination of the two.
Estimating the consequences of the hazardous events and their potential impact. These
estimates may again be based on judgement, or on quantitative analysis, or a
combination. The consequences of hydrocarbon events are usually estimated first in
terms of the size of the fire or explosion, and the extent of harmful levels of heat, smoke,
overpressure, etc. From these estimates, further estimates are made of the impact on
persons: how many may be harmed and how badly, due to immediate effects or through
escalation or the need to evacuate.
It is important that the hazard identification, and the hazard/risk analysis, both address all the
MAEs at the facility. For this purpose these studies should encompass:
well operations
construction
Any activity not considered in the FSA will require a revision to the FSA before going ahead if the
MAE risk may change as a result of the activity.
The Operator should record the assumptions made during the hazard ranking process and during
the more detailed assessment of major accident events. Assumptions may be made about the
facility and the way it is operated and about how particular events should be modelled.
Assumptions about the facility may draw on the Operator's procedures described in the safety
management system or facility description parts of the Safety Case, for example:
It might be assumed that well test facilities are on line and pressured for 20% of the time
and otherwise are hydrocarbon filled, but depressured.
Assumptions about modelling may include such things as the leak hole sizes modelled to cover
the full range of possible leak scenarios or the flame length modelling parameters used.
At this stage the analysis for an existing facility would normally be based on the assumption that
risk control measures that are already in place operate with a certain degree of reliability. This is
a key assumption and should be backed up by some level of demonstration of the current level of
adequacy of the control eg reference to test records.
The results of hazard and risk assessment studies are used to identify and rank the major risk
contributors, in terms of their individual impact (e.g. number of fatalities), their risk level
(frequency of fatalities), or a combination of both. Also at this stage sensitivity studies may be
carried out, relative to the assumptions that have been made. This identifies the assumptions
that most significantly influence the results, which can then be checked.
what other control measures could be adopted to reduce the likelihood of MAEs
what other control measures could be adopted to reduce the consequences of MAEs
what other control measures could be adopted to better protect persons from the effects
of MAEs
Note that the other control measures identified may be new things or changes/upgrades to
existing risk controls to increase reliability or functionality in a way that reduces risk.
Further sensitivity studies may then be carried out to assess the benefits of the various risk
reduction options that have been identified. It is possible that engineering modifications are not
reasonably practicable (for example, elimination, intensification, alleviation, substitution and
simplification). In such cases, more reliance may have to be placed upon procedural or system
controls. These controls should provide equivalent levels of risk reduction compared to
engineering modifications. The level of residual risk needs to be linked to the operator's risk
acceptance criteria, and the safety management system for its management.
The final step is to determine which of the additional identified control measures should be
adopted. The principle of ALARP means that risk reduction measures should be adopted until the
difficulty and cost of adoption exceeds their benefit. Further, where the risk level is close to the
tolerability / acceptance criteria, control measures should be adopted unless their difficulty and
cost grossly outweigh their benefit. Except in exceptional circumstances it would be expected
that all control measures set out in industry standards are adopted.
The effectiveness of risk reduction measures may be determined individually and in groups. It is
possible that risk reduction measures may not be independent, for example introduction of
emergency shut down valves to reduce inventory available for release and passive fire protection
to surrounding members may each be practicable measures, but carrying out both may not be
reasonably practicable.
5.1.5 Hierarchy of Controls
The overall demonstration that risk has been reduced to a level that is as low as reasonably
practicable should consider the suite of controls used for the most significant risks. The preferred
approach is to have a range of controls giving defence in depth. This means that it is desirable to
have controls in place some of which are procedures, some administrative systems (like Permit to
Work) and some hardware items like PSVs.
It is also desirable to have a range of controls that address causality as well as the potential
outcomes of an MAE. This can be considered in terms of a hierarchy such as:
Elimination
Prevention
Reduction
Mitigation
That is, the potential for MAEs should be eliminated if possible. If this is not possible, then the
MAEs should be prevented from occurring, or their likelihood of occurrence reduced, for example
by eliminating some causes. Next, there should be a reduction in the consequences of MAEs, for
example by limiting quantities and pressures of flammable materials, or by improving fire and
explosion detection and protection systems. Finally, further measures should be taken to
mitigate the consequences and the impact on personnel, for example by improving the protection
of personnel, and by better enabling their escape, evacuation and rescue.
Measures for the elimination, prevention, reduction and mitigation of hazard are discussed
further below.
Fire and gas detection (to promptly detect leaks, and enable effective shutdown)
Mitigation
It may not always be possible to intervene in the sequence of events to avoid the major accident
event starting. In such cases measures should be taken to mitigate and minimise the
consequences and impact of the major accident event. Such measures will have effect only after
the major accident event has started.
Such measures could include:
Alarm and public address/communications system (to warn and instruct personnel)
5.1.6 Human Error
In considering the potential causes of an MAE, the potential for both human and organisational
error should be taken into account. In considering the potential for human error to cause an MAE,
it is useful to firstly consider the various generic types of human error that are possible. The
following table describes slips, lapses, mistakes and violations (HOLD insert reference to James
Reason).
[Table: types of human error, with columns Description and Example and rows Slips; Lapses; Mistake (rule based, knowledge based); Violations (routine, exceptional).]
[Table: MISTAKE (unintentional) compared with VIOLATION (intentional), with rows Description, Occurrence, Common causes and Most suitable controls. Surviving entries:
Common causes: ENVIRONMENTAL FACTORS: noise, weather conditions, degree of comfort, time of day; OPERATIONAL PRESSURES: rushing, taking short-cuts to get job done faster; POOR VISUAL CUES: misleading or poor signage.
Most suitable controls: Training; Experience level.]
5.1.7 Organisational error
This view of accident causation takes into account the organisation as a whole and the effect of
the organisation on the technology and people that operate within it.
Organisations are made up of people, processes, and technology. These three components
interact to produce the outputs of what is called the socio-technical system. The organisational
perspective considers this interaction of people with people, people with processes, and people
with the technology. It sees these factors as integrated components of the one entity. As such
human error by management and operational staff is a product of the interaction of the different
parts of the system and needs to be addressed within that context. An understanding of this
approach is essential to developing an understanding of how serious incidents and accidents
develop in organisations and therefore, how they might be prevented.
Accidents in complex socio-technical systems (like offshore operations) have multiple and varied
causes. Even though these organisations tend to be well defended - using the best on offer in the
form of engineering and other organisational defences - they can experience accidents with often
catastrophic outcomes. The figure below illustrates how these accidents are generated (HOLD
insert reference to James Reason).
[Figure: accident causation in an organisation. Column headings: Organisation; Workplace; Person/team; Defences; Outcome. Box labels: Management decisions & organisational processes; Error- and violation-producing conditions; Errors (slips, lapses, mistakes) & Violations; Incident / Accident. Pathways shown: latent failure pathway; active failure pathway.]
These accidents have their origins, not at the workplace level and the unsafe acts of operational
staff, but at the organisational level: eg strategic decision making, processes to do with
forecasting, budgeting, allocation of resources, planning, scheduling, communicating, managing,
auditing, and organisational culture etc. These factors are often called General Failure Types
(GFTs) and latent failures as they sit dormant within the organisation for long periods of time
before combining with other chance events to lead to an accident. The outcomes of decisions at
the organisational level are then communicated to individual workplaces - eg control rooms,
maintenance facilities and so on. Here they reveal themselves as factors that promote unsafe
acts - eg time pressure, inadequate tools, poor human-computer/machine interfaces, insufficient
training, inadequate supervision and so on. Organisations working with safety critical technology
must take this complexity into account and work to mitigate the potential for this kind of error.
Any quantified risk assessment should be conducted with the knowledge that QRA is not an exact
analytical tool. Despite advances in the quality of analytical techniques and input data in recent
years it remains, principally, a tool for making comparisons between options.
The results from QRA are highly dependent on the quality of the input data, and the integrity of
the modelling of the event sequences. Hence, reliance on the use of QRA in absolute terms
should generally be avoided, but QRA can be used with more confidence when comparing the risk
reduction benefits of two or more alternatives.
Whilst QRA does aid the assessment of risk and the evaluation of control measures, it should not
be used in isolation. Rather, it should be used in conjunction with engineering analysis of specific
failure mechanisms, qualitative assessments of risk, and consideration of potential for human and
organisational error in the system.
5.1.9 Common Weaknesses
Failing to consider the hazardous events that may arise during maintenance
Analysis Stage
Underestimating the risk by assuming that all risk control measures function perfectly
Assessment Stage
Assuming that ALARP is achieved merely by demonstrating that risk is below the
intolerable level
Overall
The FSA comprises separate studies with weak linkages between them
The FSA does not address all of the expected activities at the facility
Examples of Evidence
a) The hazard identification process clearly and explicitly encompasses the range of activities
and physical extent of the Safety Case described in the Facility Description.
b) The process used for hazard identification has considered the various operating phases or
activities explicitly.
c) Identified hazards include items other than normal operation (such as maintenance, marine
operations, construction etc).
d) Assumptions regarding the number of people on the facility include people other than the
normal operating crew (such as construction, painting, diving etc).
e) Personnel relevant to the various operations, activities and operating phases have been used
during the hazard identification process.
Principle FSA - 02: The Formal Safety Assessment must address risk to
people on or near the facility due to MAEs.
Reason
a) Regulation 9 (3) (a) requires identification of all hazards having the potential to cause a
major accident event. The risk assessment activities all flow from this hazard identification
step.
b) The focus in the Formal Safety Assessment (unlike the Safety Case as a whole) is on
identification, assessment and management of large events. (MAEs are defined as events
with the potential to cause multiple fatalities.)
Examples of Evidence
a) The process used for hazard identification describes the criteria used to screen identified
hazards in and out of MAE listing.
b) The record of the hazard identification processes includes a listing of items screened out.
c) The safety assessment process maps the impact of MAEs to affected personnel.
Reason
a) Many of the processes required by the regulations (eg 9 (3)) such as hazard identification and
risk assessment involve professional judgement of various kinds. These judgements are
made sometimes individually and sometimes by a group. If people with appropriate
experience are not involved, the validity of the outcome of the FSA process can be called into
question.
b) Regulation 15 requires persons involved with the facility to be involved to a level such that
they can arrive at an informed opinion about the risks and hazards to which they are
exposed.
c) Note that the Petroleum (Submerged Lands) Act includes specific requirements for processes
for workforce consultation and representation (including the role of Health and Safety
Representatives). The specific consultation requirements for this Principle should be done
within this wider framework. See specifically P(SL)A clauses 12, 13, 15, 19(1), 20, 24 and 25.
Examples of Evidence
a) Field based workforce have been involved in FSA processes for identification of hazards,
assessing the effectiveness of existing control measures and identification and selection of
potential new control measures.
b) FSA workshops and other processes have included contractor representatives where
contractors play a role in preventing or mitigating risks.
c) General staff such as field based employees and design engineers have been trained in the
principles of the safety case philosophy and risk based design and on their responsibilities
and accountabilities in the process ie attendance at HAZIDS, ALARP workshops, HAZOPS etc.
d) Where specialist expertise external to the Operator has been used, operating company
internal documentation demonstrates a clear understanding of the methods used and results
obtained. This applies to both risk assessment consultants who may have assisted in the
overall process, and technical specialists who may have assessed particular hazards.
Be documented
Be reasonable
Be justified
Reason
a) Regulation 9 (3) (b) requires that the Formal Safety Assessment is detailed and systematic.
Whilst it is necessary to make many assumptions (with regards to both conditions on the
facility and modelling of specific MAEs) in conducting a Formal Safety Assessment, the
process must include a system to ensure that the assumptions are and remain valid.
b) Regulation 9 (4) requires that the Safety Management System makes provision for continual
and systematic identification and assessment of hazards. Again, such a process is not
effective unless assumptions are reasonable and changes controlled effectively.
Examples of Evidence
a) The Safety Case documentation includes a paper or electronic list of assumptions.
Alternatively assumptions are detailed where they appear in management system
documentation.
b) Assumptions are recorded for modelling data (eg hole sizes chosen in a QRA) and input data
(eg proportion of time that the test system is on line).
c) Input assumptions are referenced back to the Facility Description.
d) The logic behind the assumptions is provided along with the sources, suitability and reliability
of the information used to support the assumption and the limits of validity of the
assumptions.
e) The assumptions list or discussion has been signed off by relevant and competent people eg
Operations personnel for operating assumptions.
f) The sensitivity of the risk assessment results to the assumptions made has been tested.
g) Modelling assumptions have been justified by review against the range of industry methods
available.
A system exists to ensure that changes to industry practices and experience are reviewed and
any necessary changes in assumptions identified (eg new research on effects of water on
smoke suppression, assumed frequency of blowouts during wireline).
j) The Safety Case includes discussion about variations in available data such as the range of
leak frequency information from various sources and a justification for the chosen data.
k) QRA calculations take into account the reliability and availability of physical control measures
such as blowdown, emergency shutdown systems, fire water systems etc.
Reason
a) Many of the processes required by the regulations such as hazard identification and risk
assessment involve assimilation of large amounts of information from various parts of an
operating organisation. This information is then processed to produce a potentially large
number of actions and findings. If quality assurance principles of control of information,
repeatability, and tracking of outputs are not followed, the validity of the outcome of the FSA
process can be called into question. This would be inconsistent with regulation 9 (3).
Examples of Evidence
a) A system is in place to assure the accuracy of input data such as facility details, operating
conditions and process drawings.
b) Paper and electronic documents are managed under a document control system that
includes:
Revision numbering
c) The quality assurance process covers all aspects of the safety case including assumptions,
calculations, reports etc.
d) A quality control plan has been prepared and an individual assigned to ensure its
implementation. This would detail the required activities to support the safety assessment,
the personnel and competence required to undertake the work and describe the approval
process.
e) Systems are in place for checking risk calculations done using either proprietary software
products or spreadsheet-based software. Checking may include detailed checking of the
accuracy of the calculations, checking input data and/or a check of the results using some
other method.
f)
There is clear linkage between the hazard identification, the evaluation of the risks, the
assumptions, the control measures in place or proposed and the ALARP demonstration.
j) The validation process includes verification that control measures are in place and working as
outlined in the Safety Assessment.
Reason
a) Regulation 9 (4) (e) requires risks to be reduced to a level that is as low as reasonably
practicable. Since part of this process is typically a cost/benefit analysis and the cost of
changes at the concept stage of a project is much less than in the operational stage,
consideration of the risk profile should commence at the beginning of the project.
b) Regulation 16 (2) (d) requires the design to take into account the results of the Formal Safety
Assessment.
c) Regulation 21 (g) requires the design to take into account the results of the Fire Risk
Assessment.
Examples of Evidence
a) The FSA shows how the risk profile has changed as the design has proceeded from concept
selection through concept design and detailed design.
b) The FSA shows how safety considerations were taken into account as part of the concept
selection.
c) The FSA shows how the design has been changed due to the output of the FSA process.
d) The Field Development Plan shows risk-based criteria used in selection of the preferred field
development concept.
e) The Safety Case describes what safety improvements/options were considered at each phase
and the basis for selection or rejection.
f) Evidence of the consideration of the principles of inherently safer design at the conceptual
design phase (eg reduction of inventories, process steps etc).
Reason
a) Regulation 9 (3) (a) requires identification of all hazards having the potential to cause a
major accident event. The only way to demonstrate that an attempt has been made to
identify ALL hazards is for the process used to be thorough and the results clearly recorded in
detail.
Examples of Evidence
a) The hazard identification process used is appropriate to the complexity of the
installation, the stage in the lifecycle and the nature of the hazards. It will be some
combination of:
checklist
dropped objects
Principle FSA - 08: The processes used for identification of hazards must
take into account the operating history of the facility, or similar facilities,
owned by the facility Operator or others.
Reason
a) Regulation 9 (3) requires identification of all hazards having the potential to cause a major
accident event.
Sources of information that should be considered about what can go wrong include the past
operating history of the facility in question or similar facilities in industry. Care should be
exercised in dismissing past incidents as not relevant due to changes made in the interim or
differences between facilities. Most MAE scenarios have a complex causal chain and it is
unlikely that the same specific chain of events will occur on another facility. On the other
hand it is possible that some of the same factors, and hence hazards, may be present on
another facility.
Examples of Evidence
a) Any QRA work includes benchmarking of overall predicted leak or fire frequencies (or similar)
with actual facility operating data or that of equivalent facilities within the organisation.
b) Records of hazard identification workshops include specific consideration of company
historical data including near misses on company facilities.
c) Records of hazard identification workshops include specific consideration of industry historical
data.
Principle FSA - 09: The processes used for identification of hazards must
foster creative thinking about possible hazards that have not previously
been experienced.
Reason
a) Regulation 9 (3) requires identification of all hazards having the potential to cause a major
accident event.
Since major accident events are by their nature rare, not all possible hazards leading to an
MAE have been experienced. A key part of any FSA process is to foster thinking about what
might go wrong, not just about what has occurred in the past.
Examples of Evidence
a) Hazard identification processes include brainstorming techniques such as "What if" studies.
b) Hazard identification techniques have included workshops involving multi-disciplinary teams.
c) The hazards considered in the FSA include:
hydrocarbon releases
toxic release
dropped objects
well control
marine incidents
Principle FSA - 10: The processes used for identification of hazards must
include the potential for human and organisational error in addition to
equipment and system faults and failures.
Reason
a) Regulation 9 (3) requires identification of all hazards having the potential to cause a major
accident event.
These relate to all causes including the human factor, both individually and in an
organisational setting.
Examples of Evidence
a) Hazard identification processes such as checklists or Hazop studies include consideration of
slips, lapses and violations as sources of hazard.
b) Past incidents and/or near misses have been analysed to determine organisational causal
factors and these have been included in the Safety Case as potential causes of hazard.
c) A safety culture review has been conducted to assess any strengths, weaknesses or other
issues.
d) Human factors assessments are conducted to identify any potential hazards. Areas of
potential concern include:
Alarm overload
Principle FSA - 11: The FSA must include a detailed, systematic, reasonable
and transparent assessment of the frequency, consequence and risk of
each identified MAE.
Reason
a) Regulation 9 (3) (b) requires this.
b) Any demonstration that the overall risk is as low as reasonably practicable requires
consideration of the risk from each contributing hazard.
Examples of Evidence
a) The FSA details the relationship between any separate studies by detailing linkages between
the studies to ensure the assessment is integrated and consistent.
b) The FSA includes a detailed example calculation showing all the stages of the assessment for
one or more specific cases.
c) Uncertainties in the input data and modelling are recognised and the sensitivity of the risk
assessment to this data is assessed and discussed.
d) For hydrocarbon/flammable events, where applicable, the following aspects of the event and
its consequences could be analysed:
flame effects - emissivity, surface extent, width and length, and the radiation
levels at various distances from the flame surface
smoke generation
blast effects
toxicity
congestion on the facility (for example process area - blast pressure generation)
nature of boundaries separating areas of the facility (for example fire/blast walls,
and deck type grating or plate)
The analysis shows the probable location of employees at the start of any
incident and justifies those locations.
e) Base event data (including hydrocarbon leak frequencies) are justified in the context of the
installation-specific circumstances. Variation from generic data occurs where facility-specific
mechanisms and controls justify it, e.g. vulnerability of pipeline risers to boat impact, depending
on fender design and boat management practices.
f) Consequence models, data and assumptions are described and justified for the range of
scenarios considered. Any limits to applicability are noted.
g) Appropriate consideration has been given to the range of fire and explosion types that could
exist.
h) Criteria used for the assessment of harm to people and damage to equipment and structures
due to fire and explosion are appropriate and correctly used.
Principle FSA - 12: The FSA process should include identification of the
existing risk control measures relevant to each hazard.
Reason
a) Regulation 9 (3) (c) requires that the Formal Safety Assessment describes measures taken to
ensure that risk is as low as reasonably practicable.
b) Regulation 21 (2) (b)-(f) require that measures for detection, elimination and reduction of fire
and explosion hazards are specified.
Examples of Evidence
a) The hazard register lists the control measures that are present to protect against each
hazard.
b) The hazard register may include reference to specific management system procedures,
including procedure numbers.
c) The hazard register may include electronic links to specific management system procedures.
d) Bow ties or similar are used to show the links between specific hazards and specific controls.
e) Control measures on the hazard register cover the full spectrum of the hierarchy of control.
Principle FSA - 13: The assessment of risk from each scenario must take
into account the effectiveness and viability of each control measure during
such a scenario.
Reason
a) Required by regulation 18(2)(b) for equipment, machinery and instrumentation.
b) Required by regulation 22(2) for emergency communications.
c) Required by regulation 23 for a range of specific control systems
d) To accurately reflect the risk of a scenario requires consideration of how systems on the
facility may interact as a scenario develops. This includes consideration of both machinery
and human aspects.
Examples of Evidence
a) Failure modes of critical controls are explicitly covered in the risk assessment. This includes:
Blowdown system
Process trips
b) The risk assessment takes into account movement of smoke in the event of a fire and the
possible effect on the ability to use the evacuation facilities
c) Assumptions regarding the emergency shutdown system take into account the failure mode
of the system.
d) Assumptions regarding actions required by people in the event of an emergency include
consideration of human factors such as access, number of people with required skill, other
emergency actions required at the same or similar time and stress.
e) The hazard and risk assessment studies have considered the vulnerability and endurance
under major accident event conditions of the following:
f) Where a HIPPS system is installed, will it operate within the timeframe required?
i)
j) Where human performance is part of a control, consideration is given to the performance
influencing factors (e.g. environment) that may impact their ability to conduct that activity.
Principle FSA - 14: The assessment of risk from each scenario must take
into account the potential for escalation of the scenario to key structures
and major inventory holders.
Reason
a) The general requirement to demonstrate that risks to personnel are as low as reasonably
practicable requires that all effects of an MAE should be considered.
Examples of Evidence
a) The risk results for each MAE include the potential for fatalities due to immediate effects,
delayed effects, and evacuation.
b) The risk assessment process includes a systematic structured approach to escalation analysis.
c) The risk assessment contains discussion on how the event could impact on key systems or
facilities (e.g. structures, temporary refuge, escape, fire protection).
d) Risk assessment work includes a review of:
Escape routes
Temporary refuge
e) The risk assessment takes into account the type and duration of the event, the design of key
facilities and the probability of escalation.
f)
g) The risk assessment could include details of emergency response scenario training and
exercises as evidence that personnel are prepared.
Principle FSA - 15: The assessment of risk from each scenario must take
into account the risk due to evacuation, escape and rescue including:
Reason
a) Regulation 20 (2) specifically requires consideration of risks due to evacuation, escape and
rescue.
b) Regulation 21 (2) requires that the analysis of fire and explosion risks includes consideration
of the performance of the evacuation, escape and rescue facilities.
c) The general requirement to demonstrate that risks to personnel are as low as reasonably
practicable requires that all effects of an MAE should be considered.
Examples of Evidence
a) The risk results for each MAE include the potential for fatalities due to immediate effects,
delayed effects, and evacuation.
b) Risk assessment work includes a review of:
escalation potential.
c) An analysis of the functionality of the escape, evacuation and rescue routes, and facilities has
been completed. Various techniques may be used including simulation or a scenario-based
desk top review.
Back-up communications.
Principle FSA - 16: The FSA must include a systematic and transparent
assessment of the overall level of risk to personnel on the facility due to
the identified MAEs.
Reason
a) Demonstration that overall level of risk (as well as the risk from each MAE) is within
acceptable limits is part of the demonstration that risk to personnel has been reduced to a
level that is as low as reasonably practicable as required by Regulation 9 (4) (e).
Examples of Evidence
a) Overall risk results are reported numerically using measures such as Potential Loss of Life
(PLL) and Individual Risk Per Annum (IRPA).
b) The FSA demonstrates a clear understanding of the major risk contributors including
whether the risk is dominated by a single (or few) scenarios or is more evenly
distributed across the various scenarios.
c) The FSA demonstrates how the risk is distributed across the various working groups
including:
What are the factors that most influence the high risk groups.
d) The analysis has included consideration of any common pathways between the major risk
contributors, e.g. a weak point in the structure that may be vulnerable to a number of fire
cases.
e) The facility has the same hazards and comparable risks with other facilities of a similar type.
f)
Principle FSA - 17: The FSA must detail the risk acceptance criteria
chosen, the rationale for selection and how the criteria are to be used.
Reason
a) Regulation 9 (4) (e) requires risk to be reduced to a level that is as low as reasonably
practicable. As organisations will have various interpretations of this requirement based on
corporate preferences and facility types, the specific risk criteria chosen and how they are to
be applied must be set out in the Safety Case.
Examples of Evidence
a) Risk acceptance criteria are defined in the FSA and the selection is justified in terms of:
b) Tools, such as a risk matrix, that are used to determine risk acceptance and whether action is
required are clearly anchored to relevant risk criteria. Such assessments are based on a
quantitative judgment of frequency and consequence.
c) Risk criteria may support the concept that new facilities may achieve lower residual risk levels
than existing facilities. Existing facilities can be constrained by the higher costs of retrofitting
equipment, or upgrading, compared to making a design change to a new facility.
d) The basis for accepting, selecting and rejecting control measures on the basis of risk is
described.
e) Examples exist where the criteria have been used to determine the need for additional, or
more robust, measures in order to demonstrate ALARP.
f) The criteria are set that lead to a positive trend in reducing levels of residual risk in both
existing and new facilities. New facilities can take advantage of technological advances in
equipment and facilities and enhanced knowledge and understanding of key risk drivers.
g) The risk criteria take into account societal risk aversion for credible events with very high
consequences. The risk criteria are used sensibly with a clear level of understanding of the
uncertainty of the risk results. Consequently, risk criteria can only assist judgements, and the
decision-makers should bear in mind the uncertainties involved. Risk criteria should therefore
be used as guidelines for decision-making, and not as inflexible rules.
h) Layers of protection/SIL type studies have their risk criteria justified in relation to the
overall risk criteria.
Principle FSA - 18: The FSA should detail the range of additional risk
control measures considered and the reasons for implementation or
rejection of each.
Reason
a) This is a general requirement for demonstration that risk is as low as reasonably practicable
as required by regulation 9 (4) (e).
Examples of Evidence
a) The operator should show that the risk to employees is as low as reasonably practicable by
describing risk reduction measures and showing that the cost associated with adopting
further control measures is disproportionate to the accrued benefits. The assessment of the
benefit of each risk reduction may take into account:
the risk in installing and maintaining the measure (particularly relevant for sub-sea
measures)
b) Consideration of risk reduction measures takes into consideration and is consistent with the
FSA risk criteria.
c) Consideration of control measures takes into account the hierarchy of controls:
Similarly, for systems that reduce risk, the typical hierarchy in decreasing order of
preference is:
i. Passive systems
ii. Active systems
Validation
6.1 Introduction
6.1.1 Purpose
Validation is a form of independent certification of agreed parts of the facility, and of agreed
items of equipment on the facility. It is a means of providing NOPSA with an increased level of
assurance that the agreed parts of the operator's facility and its equipment fulfil their safety
functions.
This increased assurance is provided by the person(s) conducting the validation having suitable
qualifications and experience in the relevant matters, and sufficient independence from the
project. Evidence is provided in the form of a written statement or certificate. The validation
certificate establishes, in the opinion of the validator(s), the soundness and efficacy of the
matters specified.
In the case of a proposed facility the regulations require two broad matters to be validated:
That the design, construction and installation of the facility (including instrumentation,
process layout and process control systems) incorporates measures that will protect the
health and safety of persons at the facility; and
That the design, construction and installation of the facility (including instrumentation,
process layout and process control systems) is consistent with the Formal Safety
Assessment.
In the case of an existing facility (i.e. where there is a proposal to make a modification), there is
only one broad matter to be validated: that the facility will continue to include measures that
protect the health and safety of persons at the facility.
6.1.2
Validation has been part of the Australian offshore petroleum safety regime since commencement
of development activities in Australian waters.
At that time, the petroleum and safety regulatory authorities established the system of third-party
validation specifically to address those aspects of facility design and construction in which they
considered themselves to have insufficient experience to make the necessary judgements.
On that basis, a typical scope of validation was established to be as follows:
The above scope of validation was developed at a time when State and Northern
Territory OHS agencies provided validation of plant such as pressure vessels, boilers
and cranes. This is no longer the case. Therefore, high hazard plant of this type may
now need to be included in the scope of validation.
The standard scope of validation may be inadequate for mobile facilities such as mobile
offshore drilling units, and for floating production storage and offloading facilities.
NOPSA may require the scope of validation to include the hull, buoyancy and ballasting
systems of mobile and floating facilities, being the equivalent of the primary structure
for a fixed facility.
The standard scope of validation does not address drilling and well intervention systems,
only the safety systems that are listed above, so far as they relate to drilling or well
intervention. Where novel drilling / well intervention systems are proposed, or where the
proposed well activities appear to be of particularly high potential risk to health and
safety, NOPSA may require validation of parts of these systems.
NOPSA's currently preferred scope of validation is set out in the following document:
HOLD: Link to be inserted here.
It may be seen that the NOPSA preferred scope of validation remains largely based on the
established practice, taking account of the factors noted in relation to plant, mobile facilities and
drilling / well intervention.
6.1.3
The regulations require that the person(s) conducting the validation should have a sufficient
level of competence in the relevant matters, and also a sufficient level of independence from the
project (or aspects of the project) that they are validating.
The necessary level of competence and independence is a matter to be agreed between NOPSA
and the facility operator. The agreement would need to be reached for each new facility,
although for change projects NOPSA and the operator may reach a more general agreement. For
clarity, any such agreement should be documented in the Safety Case.
It is often the case that the person(s) conducting the validation are contracted from a separate
company, typically one that specialises in design verification, vessel classification and/or quality
nopsa Safety Case Guidelines
The regulations require the validator to have suitable free access to the necessary information.
Otherwise, they specify no particular requirements regarding how validation should be conducted,
but the following factors will be of interest to NOPSA when confirming first that the scope of
validation is suitable, and later whether the necessary level of assurance has been provided:
The location of the person(s) conducting the validation, relative to the design, safety
assessment, procurement and construction activities
The manner in which the person(s) conducting the validation are integrated into, or
otherwise interface with, the project team
6.1.5
A mobile facility may be certified against class rules. It is NOPSA's expectation that this will
provide a suitable scope of validation for the vessel, and a suitable level of competence and
independence. However, it would still be necessary to agree the scope in advance with NOPSA,
and to provide suitable examples of evidence for the purpose of Safety Case assessment.
Reason
a) There is a legal requirement to validate to a previously agreed scope (reg ???)
b) The validation should provide confirmation of adequate design and construction for those
aspects of the facility that most influence risk, or where there is greatest uncertainty.
Examples of Evidence
a) In all cases there is a written prior agreement of the scope with the Safety Authority
b) The normal scope of validation has been specified
primary structure,
fire/gas detection,
emergency shutdown,
c) The scope addresses high-risk aspects of the facility, as determined by risk assessment, and
as set out in the Safety Case
d) The scope has been defined so as to address novel aspects of the facility, where there is
uncertainty about the risk
e) There is an agreement with NOPSA as to the general matters to be validated during change
projects
f)
g) In all cases, the certificate of validation should confirm that the scope of validation complies
with the prior agreement with NOPSA.
Reason
a) Requirement of regulation 28L(3)
b) Technical competence is necessary to conduct appropriate validation.
Examples of Evidence
a) Evidence of suitable formal qualifications, including membership of appropriate professional
organisations, relative to the scope of validation
b) Evidence of training and accreditation as an independent auditor
c) Documented experience in relevant industries, for an appropriate time
d) Employed at a suitably senior level in a quality-assured organisation
Principle VAL-03: The persons who conducted the validation must be given
access to the necessary information
Reason
a) Requirement of regulation 28L(3)
b) Access to data is necessary to conduct appropriate validation.
Examples of Evidence
a) The validators worked within the offices of the design/construction contractor
b) The validators were provided with controlled copies of documents
c) The validators were on the circulation list for squad checks etc
d) The validators were involved as part of the change management process for the project
Reason
a) Requirement of regulation 28L(3)
b) Independence is necessary to conduct appropriate validation.
Examples of Evidence
a) The validators are employed in a separate organisation to the title-holder, operating company
and design/construction contractor
b) Although employed within the title-holder, operating company or design/construction
contractor, the validators are employed within a separate group and appropriate
management systems exist to ensure independence (e.g. quality accredited)
c) Written statement from validator confirming independence
Principle VAL-05: The validation must indicate that the facility (or
modification) is fit for the purpose of protecting health and safety
Reason
a) Requirement of regulation 28L(4)
b) The purpose of validation is to provide increased confidence that the facility is safe.
Examples of Evidence
a) The certificate of validation confirms that suitable standards were adopted
b) The certificate of validation confirms that the standards were adhered to
c) The certificate of validation confirms that appropriate risk assessments have been conducted,
and the findings acted upon
Principle VAL-05: The validation must be consistent with the formal safety
assessment
Reason
a) HOLD
b)
Examples of Evidence
a) HOLD
b)
c)
d)
Definitions
The following glossary of definitions covers specialist terms related to safety cases and safety
management system, and terms that are unique to the Australian petroleum industry. It does not
attempt to define standard industry terms.
Some terms and definitions used in this document may vary from those adopted by individual
operators or in other standards. When an operator uses different terms in a safety case, the
safety case should clearly define those terms.
Definitions marked * are taken from the Petroleum (Submerged Lands) (Management of Safety
Adjacent Area
Audit
Control measures
Designated Authority
Emergency
Escape
Evacuation
Hazard
Hazard identification
Hazard register
control measures.
Individual risk
safety;
Monitoring
review process.
Performance Standard
Place of safety
Risk.
Rescue
place of safety.
Review
Risk
Validation
Abbreviations
ALARP
AS
Australian Standard
FD
facility description
FPSO
FSA
FSO
HAZIDS
HAZOP
IRPA
ISM Code
MAE
MODU
NORM
OHS
PLL
PPE
PSLA 1967
PSLA 1982
PSV
QRA
SMS
SSIV
References
The following sources of reference are provided, which persons developing or assessing offshore
Safety Cases may find useful. However, it should be noted that reference material is constantly
changing, that the sources of references listed here are not exhaustive, and that all the
information is subject to change.
If any of these links is broken, please inform NOPSA by e-mailing HOLD. Suggestions for
additional links may be sent to the same address.
Commonwealth Government Authorities
National Offshore Petroleum Safety Authority
www.nopsa.gov.au
www.ditr.gov.au
www.amsa.gov.au
www.nohsc.gov.au
www.nicnas.gov.au
www.minerals.nsw.gov.au
Northern Territory
www.dme.nt.gov.au
Queensland
www.nrm.qld.gov.au
South Australia
www.pir.sa.gov.au
Tasmania
www.mrt.tas.gov.au
Victoria
www.dpi.vic.gov.au
Western Australia
www.doir.wa.gov.au
Industry Associations
American Petroleum Institute
www.api.org
www.appea.com.au
www.aip.com.au
www.fpaa.com.au
www.iadc.org
www.imca-int.com
www.imo.org
www.ogp.org.uk
www.ukooa.co.uk
www.petroleum.co.uk
www.nfpa.org
www.sfpe.org
Standards Associations
American Petroleum Institute
www.api.org
www.asme.org
Australian Standards
www.standards.com.au
www.bsi-global.com
www.iec.ch
www.iso.org
www.standard.no/imaker.exe?id=244
http://info.ogp.org.uk/standards/
International Regulators
Petroleum Safety Authority Norway
www.ptil.no/English/Frontpage.htm
www.hse.gov.uk
www.mms.gov
http://ohs.anu.edu.au
www.fabig.com
www.pet.hw.ac.uk
www.hse.gov.uk/offshore/index.htm
www.abdn.ac.uk/oilgas
www.oil-gas.uwa.edu.au
Legislation
Commonwealth Law
http://scaleplus.law.gov.au
www.legislation.nsw.gov.au
NT Law
www.nt.gov.au/...legislation.shtml
Queensland Law
www.legislation.qld.gov.au/...htm
www.parliament.sa.gov.au/leg...shtm
Tasmania Law
www.thelaw.tas.gov.au
Victoria Law
www.dms.dpc.vic.gov.au
www.slp.wa.gov.au/statutes/swans.nsf
Other
UK Step Change in Safety
http://step.steel-sci.org
The Commonwealth Navigation Act 1912 and the Commonwealth Occupational Health
and Safety (Maritime Industry) Act 1993 are both disapplied in respect of offshore
petroleum facilities by Section 11A of the PSLA, whilst the facilities are engaged in
petroleum activities, whether or not the facilities are capable of independent navigation.
The equivalent maritime law of each State and the Northern Territory is also disapplied
by the PSLA of each State and of the Northern Territory, in the same way, and with the
same exclusion.
Notwithstanding the above, the relevant maritime law applies to the transfer of goods
between a facility and a vessel (assuming that the vessel is ordinarily governed by that
maritime law).
Certain types of vessels that service petroleum facilities, such as supply vessels and off-take
tankers, are specifically excluded from the definitions of "facility" and "associated offshore place"
in Schedule 7 of the PSLA; see section 3.10.1 of Part 1 of these Guidelines. All vessels that are
excluded from the definition of facility in this way are governed by relevant maritime law,
including its OHS aspects, and not by Schedule 7 of the PSLA, or by the requirements of any of
the safety related regulations under the PSLA.
Mobile facilities, when under way, would fall under the relevant maritime law, but would transfer
to the PSLA law (subject to the above exclusions) when they reach the petroleum area and start
to prepare for petroleum activities.
It is important to recognise that the relevant maritime law may be the Commonwealth
Navigation Act or the equivalent law of a State or NT. However, if a vessel is foreign flagged, has
below a certain proportion of Australian crew, and meets certain other criteria it does not fall
under Australian maritime law.
It should be noted that seismic survey vessels, although they fall under Petroleum (Submerged
Lands) legislation generally when engaged in petroleum-related activities, are excluded from the
definition of facility and hence continue to fall under the OHS provisions of the relevant
maritime law.
Acts of violence;
Causing death;
More details of the application of Petroleum Submerged Lands law and Maritime law, and the
interfaces between them, may be found in (HOLD provide link to more detailed explanation).
(Occupational Health and Safety) Regulations and the list of materials prohibited under the
customs regulations have the same origin, the application of the customs law makes little
practical difference.
The Industrial Chemicals (Notification and Assessment) Act 1989 also applies. This Act
establishes the National Industrial Chemicals Notification and Assessment Scheme (NICNAS),
which is the Australian Government regulatory authority for industrial chemicals, and provides a
national notification and assessment scheme to protect the health of the public, workers and the
environment from the harmful effect of industrial chemicals. NICNAS assesses all chemicals new
to Australia and assesses those chemicals already used on a priority basis, in response to
concerns about their safety. No new chemicals are allowed into Australia unless tested and
approved under this scheme; this would cover any movement of chemicals into Australia on an
offshore petroleum facility, and any transport of chemicals direct from overseas to an offshore
facility. These provisions are additional to those of the customs laws.
The Commonwealth Australian Radiation Protection and Nuclear Safety Act 1998 has relevance to
occupational health and safety only insofar as it establishes the Australian Radiation Protection
and Nuclear Safety Agency, which has a role in establishing radiation safety standards in
Australia. The Act establishes duties of care and other such requirements only in respect of
prescribed Commonwealth premises, Commonwealth employees, etc, and does not impose any
direct requirements on operators or other persons involved in offshore petroleum activities. It is
the radiation safety law of the adjacent State or NT that applies offshore.
A similar situation applies in areas such as food safety: the relevant Commonwealth laws establish national
bodies, which in turn develop national standards or codes of practice. These standards or codes
of practice are not law in themselves, but are generally adopted into the law of each State and
Territory and will apply to offshore facilities unless specifically disapplied by listing in the
The Commonwealth Occupational Health and Safety (Commonwealth Employment) Act 1991,
applies to NOPSA and its employees (who are Commonwealth employees). For example, NOPSA
has duties of care towards its employees under that Act. However, that Act does not impose any
duties or requirements on any other persons involved in offshore petroleum activities, such as
operators, and can therefore be disregarded for the purpose of these Guidelines.
FAQ 1.5.1 discusses the application of the Commonwealth Occupational Health and Safety
Persons employed by the Commonwealth who work at offshore petroleum facilities (i.e.
NOPSA inspectors) are covered by the Commonwealth Safety, Rehabilitation and
Persons who are employed through contracts of employment entered into outside of Australia
are not covered by any of the Australian Workers Compensation laws. However, the
corresponding laws of their home countries may apply.
Currently, there are some inconsistencies in the coverage of Workers Compensation legislation of
Australian States and Territories where persons are working outside of the State or Territory
where they have been insured. There is a national policy that these inconsistencies should be
rectified, but this has not yet been achieved by all jurisdictions - Victorian law was modified on 1
July 2004, for example.
NOPSA has no role in the Workers Compensation schemes, and advice on this matter should be
sought from the relevant State or Territory WorkCover authorities.
1996 require the operator to conduct an assessment of escape, evacuation and rescue,
provide adequate emergency equipment and systems as a result of this, prepare an
emergency response plan, and have an emergency command structure. All these things
must be described or specified in the Safety Case.
These laws establish a framework for the control of and response to disasters, and establish
certain government emergency management agencies or committees, assigning particular areas
of responsibility to each. However, they do not generally impose any particular requirements on
operators or other persons involved in offshore petroleum activities.
In WA there is no relevant emergency management law, but the response to offshore
emergencies is managed according to the Offshore Petroleum Operations (Exploration and
Production) Emergency Management Plan, also known as WESTPLAN Offshore Petroleum. In
practice the arrangements in WA are similar to those in Victoria and Northern Territory.
Generally, it is the operator's responsibility to control the emergency at the site of the offshore
petroleum operations, whilst the marine, emergency and (if necessary) military services of the
State, Territory and Commonwealth will be involved in the provision of necessary personnel,
equipment and resources, under the law and plans of the relevant jurisdiction. NOPSA's role will
generally be limited to the provision of advice during the emergency, and the conduct of any
resulting investigation.
FAQ 1.5.5 What are the Laws that Provide for Funding of NOPSA?
NOPSA is funded by levies and fees paid by industry. Primary funding is by an annual levy on the
operators of facilities that have an accepted safety case, and this is supplemented by levies for
the investigation of incidents and for the assessment of pipeline safety management plans. The
relevant legal provisions are as follows:
Section 7 of the Offshore Petroleum (Safety Levies) Act 2003 provides for there to be a levy for
facilities in Commonwealth waters that have a safety case in force, the amount of which is
specified in or worked out in accordance with the regulations. Section 8 states likewise, but
applies to facilities in State and NT waters. Section 150YS of the PSLA states that these
levies become due and payable at the time specified or worked out in accordance with the
regulations.
Section 5 of the Offshore Petroleum (Safety Levies) Act provides for an investigation levy if
there is an inspection into a notifiable accident or occurrence in Commonwealth waters and
the condition or conditions specified in the regulations are satisfied, the amount of which is
worked out in accordance with the regulations. Section 6 states likewise, but applies to
investigations of incidents that occur in State and NT waters. Section 150YR of the PSLA
states that these levies become due and payable at a time specified or worked out in
accordance with the regulations.
Sections 9 and 10 of the Offshore Petroleum (Safety Levies) Act provide for a levy on the
licensee of any pipeline for which there is a pipeline safety management plan in force, again
worked out in accordance with the regulations, whilst Section 150YT of the PSLA provides for
regulations that specify the time of payment.
The safety case levy is an annual levy, paid quarterly, which comprises two parts. The main
part is a levy on the operator of each facility for which there is a safety case in force, the amount
of which is determined by the type of facility and the portion of the year for which there is a
safety case in force. The other part is a levy on each operator regardless of the number of
facility safety cases that are in force, the amount of which does not depend on the number or
type of facilities (in effect, this part of the levy can be related to the company's management
system, which applies at all of its facilities).
The pipeline safety management plan levy applies only when NOPSA assesses and accepts a
pipeline safety management plan (including any major revision to such a plan), and the amount
depends on the type of pipeline.
2004. The Regulations allow NOPSA to reduce the levies when appropriate.
In addition, Section 150YQ of the PSLA allows for regulations to provide for payment to NOPSA,
by any person, of fees for service. Again, the corresponding regulations are made in the Offshore
Petroleum (Safety Levies) Regulations 2004. The amounts and payment schedule are a matter
for agreement between NOPSA and the person requesting the service.
(ii)
(iii) drilling or servicing a well or doing work associated with the drilling or servicing;
(iv) manufacturing, laying or maintaining petroleum pipes;
(v)
(vi) for any other purpose related to offshore petroleum operations that is prescribed.
Facilities therefore include fixed production platforms, floating production facilities, floating
storage facilities, mobile drilling units and drilling ships, pipe-lay barges, construction barges,
accommodation barges, units for tender-assisted drilling, and so forth. However, it should be
noted that a Safety Case may relate to 1 or more facilities, so that a single Safety Case might
relate to a production platform and associated floating storage unit, or to a production platform
and an associated wellhead platform. Note that no vessels or structures are currently prescribed
to be facilities as per item (vi).
A facility is taken to include any associated offshore place, which in turn is defined as:
Any offshore place near the facility where activities (including diving activities) relating to the
construction, operation, maintenance or decommissioning of the facility take place, but does not include:
(a)
another facility;
(b)
(c)
This means that a Safety Case for a facility must include any place where ancillary or supporting
activities are taking place, unless these are on another facility, or are on one of the types of
vessels or structures specifically listed as not being associated offshore places.
any wells and associated plant and equipment by means of which petroleum processed or stored at
the vessel or structure is recovered; and
(b)
any pipe or system of pipes through which petroleum is conveyed from a well to the vessel or
structure; and
(c)
This means that, for example, the Safety Case for a production facility must also encompass any
secondary lines running to and from the facility, and any wells and associated plant and
equipment on those lines.
However, the following are not facilities for this purpose:
(a)
off-take tankers;
(b)
(c)
vessels or structures used for supplying a facility or otherwise traveling between a facility and the
shore; or
(d)
Vessels of the type referred to in (a), (b) and (c) are primarily governed by the Navigation Act,
and hence not required to comply with Schedule 7 of the PSLA or with the Regulations; see
section 2.1 of the main document. Note that no vessels or structures are currently declared not
to be facilities as allowed by item (d).
As noted, an operator may be exempted from the requirement to have a Safety Case for a
particular facility. Such exemptions must be applied for individually, and would be considered by
NOPSA case by case.
FAQ 2.10.2 How Does the Safety Case Relate to the SMS?
The relationship of the Safety Case to the Safety Management System is often misunderstood.
NOPSA considers the relationship to be as follows:
Although the Safety Case contains a description of the Safety Management System, the
Safety Case is in fact subordinate to the SMS. The SMS is the fundamental basis for ensuring
all aspects of safety at the facility. The Safety Case simply specifies and describes the SMS
that applies, for the purpose of NOPSA's assessment.
In this context, the SMS is taken to include not only the procedures and work instructions
that govern the day-to-day activities at the facility (which are sometimes collectively referred
to as the works management manual or the facility management system) but also those
management processes that address organisational structure, recruitment, training, facility
design, construction quality, etc (which are sometimes collectively referred to as the
corporate management system).
Whilst the Safety Case must specify or contain the Formal Safety Assessment, the Fire Risk
Analysis and the Escape, Evacuation and Rescue Analysis for the facility, it is the SMS that
contains and defines the procedures for initiating and conducting these studies.
Although not an explicit requirement of the Regulations, the SMS should also contain the
procedures for preparing and maintaining the Safety Case.
FAQ 2.10.3 How does the Safety Case relate to other Regulations?
As noted in FAQ 2.10.1, the Petroleum (Submerged Lands) (Occupational Health and Safety)
Regulations support the definition of facility that is used throughout Schedule 7 to the PSLA and
its regulations, by listing specific vessels and structures, or types of vessels or structures, which
are or are not facilities. These Regulations therefore in part define the application of the Safety
Case requirements.
The P(SL)(OHS) Regulations also prescribe certain matters, such as the national ban on asbestos,
and a prohibition on drugs and alcohol. The safety management system that must be established
under the Petroleum (Submerged Lands) (Management of Safety on Offshore Facilities)
Regulations, and which must be described in the Safety Case, will need to include procedures
whereby the operator ensures compliance with those requirements.
Otherwise, there are no direct interfaces between the two P(SL)(OHS) Regulations and the
Management of Safety Regulations.
There is an overlap between the Petroleum (Submerged Lands) (Diving Safety) Regulations and
the Management of Safety Regulations, in that the Diving Regulations require the identification,
assessment, control and management of the risks associated with diving, and if the diving is
taking place from a facility these matters would also have to be addressed within the Safety Case
for the facility. However, this overlap should not impose unnecessary burden on operators, as
operators must approve the dive project plan for the facility-based diving, before that diving takes
place, and therefore will have sufficient knowledge of the diving risks to address these in a
revision to the Safety Case. In practice the Safety Case revision might simply be a reference to
the dive project plan and the corresponding diving safety management system.
There is also an overlap between the Petroleum (Submerged Lands) (Pipelines) Regulations and
the Management of Safety Regulations. The Pipelines Regulations require risks associated with
the whole of the pipeline to be identified, assessed, controlled and managed as part of the
Pipeline Management Plan. This includes risks to health and safety, as well as to production and
the environment. In addition, the risks from a pipeline to persons working at a facility must be
considered in the Safety Case for that facility. This includes describing the pipeline interface with
the facility, assessing the risk of major accident events at the platform involving the pipeline, and
including necessary procedures within the safety management system. More specifically the
Management of Safety Regulations require the Safety Case to provide for adequate means of
shutting down and isolating each pipeline in an emergency, and the test and inspection regime
for the shutdown valves.
There is a similar overlap between the Petroleum (Submerged Lands) (Well Operations)
Regulations and the Management of Safety Regulations. The Well Operations Regulations require
risks associated with well operations to be identified, assessed, controlled and managed as part of
the Well Operations Management Plan. This includes risks to health and safety, as well as to the
reservoir and environment. In addition, the health and safety risks from wells and well activities
must be considered in the Safety Case for any facility. In practice, the Safety Case should
consider the health and safety risks from well activities generally, and then the Well Operations
Management Plan should give more detailed consideration to the risks associated with particular
well operations. If these specific risks fall outside of the general risks considered in the Safety
Case, the WOMP can then be treated as an addendum (i.e. revision) to the Safety Case, without
any need for a new document. [HOLD for final form of Well Ops Regulations]
The only interface between the Safety Case requirements under the Management of Safety
Regulations and the requirements within the P(SL) (Resource Management) Regulations [HOLD
for final form of Resource Management Regulations] is that there must be an accepted Safety
Case in force for a facility before a consent to construct/install or to use that facility is issued
under the Resource Management Regulations.
FAQ 2.10.4 How Does the Safety Case Relate to OHS Standards?
Since the prescriptive requirements of the Schedule of Specific Requirements have been revoked
in favour of performance-based Regulations, there is relatively little in the petroleum submerged
lands law that prescribes standards to be followed in relation to occupational health and safety.
In this context "standards" is taken to mean design standards such as those issued by Australian
Standards or industry bodies such as the American Petroleum Institute. However, in a more
general sense, it may also include management system standards such as AS4801, and risk
management standards such as AS4360. Finally, it may also include standards for management
of specific risks, such as the National Standards and National Model Regulations for OHS that are
issued by the National Occupational Health and Safety Commission.
The decision not to enforce any particular design standards is deliberate, and reflects the
international nature of the offshore petroleum industry, as well as the trend to performance-based
regulation. However, it is a requirement that the Safety Case specify the standards that
are to be applied in design, construction, use, modification and maintenance of the facility, and
the processes whereby compliance with these standards is to be ensured. Further, the
Regulations require validation of the facility, which may include a validation that the operator's
selected standards have been adhered to.
The risk management processes that are required under the Management of Safety
Regulations are general, and must address all hazards, including those specific types of hazard
covered by individual NOHSC National Standards and Model Regulations. By comparison to the
Management of Safety Regulations, the NOHSC National Standards and Model Regulations are
quite prescriptive regarding the factors that must be considered when assessing different types of
risk, and also regarding the types of control measures that should be adopted to control those
risks. If an operator's general risk management processes and outcomes under the Safety Case
do not appear to be suitable, NOPSA may request that these aspects of the National Standards be
adopted.
Likewise, the safety management system that is required under the Management of Safety
Regulations, together with the Duties of Care under Schedule 7, provide for a general
management system that is broadly compatible with standards such as AS4801. However, in this
case the requirements under the PSL are more specific, for example in relation to what
procedures should be included in the management system. An operator may choose to use the
structure suggested by AS4801 or a similar standard, but the management system must be
The exposure standard for noise as set out in the National Standard for Occupational
Noise [NOHSC:1007(2000)], and the exposure standards for hazardous substances as set
out in the Exposure Standards for Atmospheric Contaminants in the Occupational
Environment Data Base [NOHSC:3008(1995)]
The Safety Management System that is described in the Safety Case properly reflects the
actual safety management practices and procedures that are applied at the facility, and that
those safety management practices and procedures have been developed taking the views of
the workforce into account, in particular the workforce's views regarding the practicality and
effectiveness of the practices and procedures.
The workforce is able to arrive at informed opinions about the risks and hazards to which
they may be exposed on the facility. In general, this will require participation of relevant
members of the workforce in the risk management processes: hazard identification, safety
assessment, and adoption of risk control measures. It will also require that each member of
the workforce is informed about the risks, and is trained in the risk control measures relevant
to their activities.
In reading the above it should be recognised that the workforce consultation requirements under
the regulations are simply one aspect of wider requirements established under Schedule 7 of the
PSLA, which require consultation regarding:
Once elected, HSRs are generally the focal point for workforce consultation regarding OHS.
However, the absence of elected HSRs does not absolve the operator from the requirement to
consult the workforce regarding any other matters.
Appeals Tribunal Act 1967 are those made by the Minister in respect to Commonwealth external
territories (e.g. Ashmore and Cartier Islands). However, as it is NOPSA rather than the Minister
who makes decisions related to OHS, even these limited administrative review provisions do not
apply in relation to the Safety Case.
However, any decisions by NOPSA, including decisions in relation to a Safety Case, may be
subject to judicial review by the Federal Court under the Administrative Decisions (Judicial
Review) Act 1997 of the Commonwealth. This is not limited to decisions made under the
Commonwealth PSLA; in accordance with Schedule 3 of the AD(JR) Act it includes decisions made
by NOPSA under State or NT PSLAs, where the relevant State or NT has agreed to this.
NOPSA is preparing separate guidelines related to reviews and appeals, addressing the whole
range of decisions that NOPSA and its OHS inspectors may make, including decisions relating to
Safety Cases, Diving Safety Management Systems, etc, and also Notices issued by OHS
Inspectors under Schedule 7 of the PSLA.