SafetyCaseGuidelines PDF

NATIONAL OFFSHORE PETROLEUM
SAFETY AUTHORITY
SAFETY CASE GUIDELINES
SEPTEMBER 2004
nopsa Safety Case Guidelines
September 2004
National Offshore Petroleum Safety Authority
Purpose of this Document

This document has been prepared to provide guidance on the preparation, submission and
assessment of Safety Cases for petroleum facilities in Australian offshore waters. It has been
prepared by the National Offshore Petroleum Safety Authority, in consultation with a Technical
Working Group comprising representatives of Australias offshore petroleum industry, the
State/NT designated authorities, and the offshore workforce. Following these guidelines should
assist in achieving compliance with the relevant law.
These Guidelines are currently in draft form only, and will remain draft until 1 January 2005,
when NOPSA assumes control of offshore petroleum safety regulation, and corresponding
amendments to the law come into force. This draft has been issued prior to the transition date to
ensure that operators currently developing or revising a Safety Case understand the changes that
will be occurring. Areas where guidance material is currently incomplete are indicated by the
word HOLD.
When formally issued on 1 January 2005, these new Guidelines will replace the current guidelines
published by the Commonwealth Department of Industry, Science and Resources: Guidelines for
the Preparation and Submission of Facility Safety Cases, 2nd edition, August 2000, ISBN 0 642
72091 6; and Guidelines for the Preparation and Submission of Mobile Offshore Drilling Unit
Safety Cases, August 2000, ISBN 0 642 72085 1

These new Guidelines are not exhaustive. Operators of offshore facilities and other stakeholders
may address queries to NOPSA, who will answer them, seeking legal advice where necessary.
Subject to any confidentiality requirements, answers will be published on the NOPSA web-site
(www.nopsa.gov.au), and incorporated into a revision of these Guidelines if appropriate.
Format of this Document

This document comprises three main Parts:
Part one explains the legislative framework, provides detailed guidance on the Safety Case
Regulations, and explains the administrative processes associated with submission,
assessment and acceptance of Safety Cases;
Part two provides detailed guidance for assessment of Safety Cases, addressing the Safety
Case as a whole, and also its constituent parts: the descriptions of the Facility, the Safety
Management System and the Formal Safety Assessment; and
Part three provides definitions, abbreviations and useful references.
September 2004
TABLE OF CONTENTS
Part 1 : Guide to the Legislation ..........................................................5
1
The Regulatory Framework .............................................................................................6
1.1
Jurisdictions and the Application of these Guidelines ...................................................6
1.2
The Petroleum OHS Legal Framework........................................................................7
1.3
The Petroleum OHS Legal Framework from 1 January 2005....................................... 11
1.4
Application of State and NT OHS Law ...................................................................... 13
1.5
Frequently Asked Questions.................................................................................... 15
Guide to the Management of Safety Regulations ............................................................. 16
2.1
Introduction .......................................................................................................... 16
2.2
Preliminary ............................................................................................................ 16
2.3
Safety Case Administration ..................................................................................... 17
2.4
Safety Case Contents ............................................................................................. 20
2.5
Further Requirements of the Safety Case ................................................................. 21
2.6
Validation.............................................................................................................. 25
2.7
Incident Reporting ................................................................................................. 25
2.8
Miscellaneous ........................................................................................................ 26
2.9
Penalty Provisions .................................................................................................. 27
2.10
Exclusions and Exemptions ..................................................................................... 27
2.11
Stages and Types of Safety Cases.................................................................................. 29
3.1
Introduction .......................................................................................................... 29
3.2
Fixed Production Facilities....................................................................................... 29
3.3
Mobile Drilling Units ............................................................................................... 33
3.4
Construction Facilities............................................................................................. 34
Safety Case Administrative Processes ............................................................................. 36
4.1
Pre-Submission...................................................................................................... 36
4.2
Submission of a Safety Case ................................................................................... 36
4.3
Assessment of Safety Cases.................................................................................... 38
4.4
Safety Case Acceptance and Non-Acceptance ........................................................... 40
4.5
Processes Following Acceptance of a Safety Case ..................................................... 45
4.6
Part 2 : Guide to Safety Case Contents ..................................... 49

1
Introduction................................................................................................................. 50
Overall Safety Case Process........................................................................................... 52
2.1
Introduction .......................................................................................................... 52
September 2004

2.2
3
Preparation and Assessment Principles for the Overall Safety Case Process ................. 56
Facility Description ....................................................................................................... 68
3.1
Introduction .......................................................................................................... 68
3.2
Preparation and Assessment Principles for the Facility Description.............................. 70
Safety Management System .......................................................................................... 83
4.1
Introduction .......................................................................................................... 83
4.2
Preparation and Assessment Principles for the Safety Management System................. 88
Formal Safety Assessment........................................................................................... 113
5.1
Introduction ........................................................................................................ 113
5.2
Preparation and Assessment Principles for the Formal Safety Assessment ................. 128
Validation .................................................................................................................. 154
6.1
Introduction ........................................................................................................ 154
6.2
Assessment Principles for Validation ...................................................................... 157
Part 3 : Definitions, Abbreviations and References ...... 163

1
Definitions ................................................................................................................. 164
Abbreviations ............................................................................................................. 169
References................................................................................................................. 170
Part 4 : Frequently Asked Questions.......................................... 172

FAQ 1.5.1 Does Maritime OHS Law Also Apply? .................................................................. 173
FAQ 1.5.2 What Other Commonwealth OHS Laws are Relevant? .......................................... 175
FAQ 1.5.3 What Workers Compensation Law Applies? ........................................................ 177
FAQ 1.5.4 What Emergency Management Law Applies?....................................................... 178
FAQ 1.5.5 What are the Laws that Provide for Funding of NOPSA? ....................................... 179
FAQ 1.5.6 What is a Safety Case, and why is it Required? ................................................... 181
FAQ 2.10.1 Which Facilities Require Safety Cases?............................................................... 182
FAQ 2.10.2 How Does the Safety Case Relate to the SMS? ................................................... 184
FAQ 2.10.3 How does the Safety Case relate to other Regulations? ....................................... 185
FAQ 2.10.4 How Does the Safety Case Relate to OHS Standards? ......................................... 187
FAQ 2.10.5 What is the Workforce Involvement in the Safety Case? ...................................... 189
FAQ 4.6.1 What Review and Appeal Processes Exist? .......................................................... 190
September 2004

SAFETY AUTHORITY

Part 1 : Guide to the Legislation
SEPTEMBER 2004
September 2004
National Offshore Petroleum Safety Authoritys
The Regulatory Framework
1.1 Jurisdictions and the Application of these Guidelines

This document applies to petroleum facilities located in Australian offshore waters, which extend
from the base line to the outer limit of the exclusive economic zone.
Commonwealth has rights to the petroleum resource under the sea in all of this area, but
Commonwealth law does not apply throughout - in the first 3 Nm seaward from the base line the
law of the adjacent State or Northern Territory applies, whilst Commonwealth law applies beyond
3 Nm. However, recognising the difficulties that this may otherwise cause, the Offshore
Constitutional Settlement requires that the Petroleum (Submerged Lands) Act 1982 of each State
and Northern Territory be aligned so far as possible with the Petroleum (Submerged Lands) Act
1967 of the Commonwealth, so as to minimise legal inconsistencies.

As discussed later, each State or Northern Territory administers and enforces the law in respect
to petroleum activities within the waters that are adjacent to it, both in the 3 Nm zone and
beyond. Therefore it administers and enforces its own law within the 3 Nm zone, and it
administers and enforces Commonwealth offshore petroleum law (including any State or Territory
law that the Commonwealth law adopts) in the area beyond 3 Nm. This is with the exception of
law related specifically to occupational health and safety, which is administered and enforced by
the Commonwealths National Offshore Petroleum Safety Authority (NOPSA).
The base line generally corresponds to the low water line, but in accordance with international
convention encloses river mouths, bays and some archipelagos and offshore islands. Inside the
base line, the States and Territories have rights to the petroleum, and have legal jurisdiction.
Because the base line encompasses some islands etc, there are some offshore installations
within it. Such facilities are not governed by Petroleum Submerged Lands legislation, but are
instead governed by the petroleum mining and other laws of the State or Northern Territory,
which may not contain the same provisions.
However, the Petroleum (Submerged Lands) Act 1967 of the Commonwealth, which establishes
NOPSA, enables NOPSA to regulate safety in inshore areas not under the submerged lands law, if
the relevant State/NT and NOPSA agree. It is proposed to do this in the case of the extensive
non-PSLA waters of the North West Shelf. Whilst this document may not specifically address the
relevant legal provisions applying in those areas, Part 2 should provide useful information related
to the preparation or assessment of safety cases for petroleum facilities located in these waters,
as well as for the PSLA facilities.
September 2004
1.2 The Petroleum OHS Legal Framework

1.2.1
Introduction
The principal legislative instruments governing petroleum activities offshore Australia are the
Petroleum (Submerged Lands) Act 1967 of the Commonwealth, and the Petroleum (Submerged
Lands) Act 1982 of each State and of the Northern Territory. However, to simplify the regime,
the Offshore Constitutional Settlement of 1975 requires that the PSLA 1982 of each State and of
NT be made consistent with the PSLA 1967 of the Commonwealth, so far as possible within the
legal constraints of each jurisdiction.
More generally, Australian law applies offshore in accordance with the Constitution. Thus laws
that address matters assigned to the Commonwealth by the Constitution taxation, immigration,
customs, etc apply throughout the offshore area, both within and outside the 3 Nm limit. At
the same time, laws that address matters assigned to the States and Territories by the
Constitution which normally include OHS laws apply for the first 3 Nm only.
However, to create a complete set of laws for offshore petroleum activities, sections 9, 11 and
140H of the Commonwealth PSLA apply all laws of a State or Territory to petroleum activities in
the adjacent waters, beyond the 3 NM limit. Thus there is a complete set of laws in all offshore
petroleum activities, and these laws are consistent throughout the waters off a particular State or
off the Northern Territory.
1.2.2
Development of the PSLA OHS Laws
The following sets out a brief history of the OHS laws applying to Australias offshore petroleum
activities. In reading this section, it should be noted that (as discussed later) some of the laws no
longer apply.
Good Oil-Field Practice and DA Directions

Since their introduction, the PSLAs have required persons conducting petroleum activities offshore
Australia to do so in accordance with good oil-field practice, which is defined as meaning all
those things that are generally accepted as good and safe - see Section 97 of the
Commonwealth PSLA 1967. These persons have also had to comply with a range of Directions
that have been issued from time to time, in particular those in the Schedule of Specific
Requirements as to Offshore Petroleum Exploration and Production. These Directions have

mandated certain matters, including some related to OHS.
September 2004

State and NT OHS Laws
Until 1 January 2005, the OHS law of each State and NT automatically applied in its own right to
all activities (petroleum and other activities) within the first 3 Nm of the relevant adjacent area,
and was applied to petroleum activities beyond 3 Nm in that adjacent area by virtue of Sections 9
and 11 of the Commonwealth PSLA. However, detail of this law varied between jurisdictions, as
did its suitability to offshore petroleum activities.
PSLA OHS Laws

To address the variable detail and suitability of the different existing OHS laws, Schedule 7 was
added to the PSLA 1967 in 1993. This Schedule introduced duties of care, consultative
arrangements and enforcement provisions for OHS that were based on those in the Occupational
Health and Safety (Commonwealth Employment) Act 1991. The Petroleum (Submerged Lands)
(Occupational Health and Safety) Regulations 1993 were also introduced, again based on
Commonwealth Employment legislation, which supported Schedule 7 by setting out detailed
procedures for compliance.
Precedence between PSLA and State/NT OHS Laws

At the same time that Schedule 7 was introduced, an option was created under Section 140H of
the Commonwealth PSLA 1967, whereby Schedule 7 would ordinarily apply, but the OHS laws of
the adjacent State or Northern Territory could apply if they contained equivalent provisions.
Consistent law was then possible in any an adjacent area in either of two ways:
A State or NT could apply their OHS law to petroleum activities, both within and outside the 3
Nm limit, using the option under Section 140H for Commonwealth waters. Victoria and
Northern Territory adopted this option.
A State or NT could apply Schedule 7 outside of the 3 Nm limit, and make a Direction to
apply equivalent law within 3 Nm. Western Australia adopted this option, using a Schedule of
General Requirements as to Offshore Petroleum Exploration and Production.

All other laws of the States and NT remained in force, in their own right in coastal waters, and
through Sections 9 and 11 of the PSLA 1967 in Commonwealth waters. As noted previously, this
included some laws that, whilst not specifically related to occupational health and safety, in effect
include some OHS provisions. Radiation safety law is an example.
Performance-Based Regulations
Since 1993, the Commonwealth has worked to reduce the level of prescription under the PSLA
1967. In relation to OHS, a number of the Directions in the Specific Schedule have been revoked
with the progressive introduction of these performance-based regulations:
The Petroleum (Submerged Lands) (Management of Safety on Offshore Facilities) Regulations

1996;
The Petroleum (Submerged Lands) (Pipelines) Regulations 2001;
September 2004
The Petroleum (Submerged Lands) (Diving Safety) Regulations 2003; and
The Petroleum (Submerged Lands) (Well Operations) Regulations 2004
By 1 January 2005 the States and NT will mirror all these regulations, and Directions related to
OHS will have been revoked, thereby forming a single performance-based OHS regime.
1.2.3
Administration of the Law
The PSLA 1967 initially established two administrative decision-making bodies for the offshore
petroleum industry a Joint Authority and a Designated Authority.
A State or the Northern Territory Minister is the Designated Authority (DA) for the Commonwealth
waters adjacent to the individual State or the Northern Territory, whilst the Commonwealth
Minister responsible for resources and the relevant State or Northern Territory Minister together
comprise the Joint Authority (JA) for that area1.
The JAs were established as the principal decision making bodies to administer the offshore
petroleum legislation in the waters off each State and the Northern Territory, whilst the DAs took
any necessary day-to-day action to apply and enforce the legislation:
The JA grants titles to explorers and developers, determining conditions and monitoring
these, thus providing a legal basis for companies offshore petroleum activities.
Each DA handles the day-to-day operational and administrative matters relating to petroleum
activities in each adjacent area.
For the Territory of Ashmore and Cartier islands the only external territory of Australia where
there is petroleum activity - there is no JA. In this case the Commonwealth performs the
equivalent functions of both JA and DA, but for reasons of practicality the NT DA performs dayto-day functions on behalf of the Commonwealth.
Except in relation to OHS, the arrangements described above remain in place from 1 January
2005. However, from that date the DAs will cease to administer and enforce the OHS aspects of
the law in their respective adjacent areas, and the National Offshore Petroleum Safety Authority
(NOPSA) will have that responsibility.
The Joint Petroleum Development Area of East Timor and Australia is regulated and administered
separately. This document does not apply to petroleum activities in this area.
Whilst the Ministers are responsible for the functions, in practice the necessary activities are delegated to
senior officers within the relevant Departments.
September 2004

1.2.4
The Requirement for Safety Cases
A safety case regime for Australias offshore petroleum industry was first established in 1993,
through amendment of the Schedule of Specific Requirements as to Offshore Petroleum
Exploration and Production, which were applied throughout each adjacent area by Direction from
each DA. Subsequently, the requirement for Safety Cases was removed from the Schedule and
incorporated instead into the Commonwealth Petroleum (Submerged Lands) (Management of
Safety) Regulations 1996.

Under these new provisions it became an offence to construct/install, use, modify or
decommission a petroleum facility in Australian waters unless there was a Safety Case in force
(i.e. accepted by the relevant authority) for the corresponding activity at the facility. At the time
of writing the Safety Case has been a key feature of the Australian offshore petroleum OHS
regulatory regime for 10 years.
1.2.5
Recent Changes
In 2000 a team of international experts independently reviewed the Australian offshore petroleum
safety case regime. Their report made two key recommendations for change:
formation of a national offshore petroleum OHS regulator; and
development of consistent OHS law to apply in the different offshore areas.
These recommendations were subsequently endorsed by the Ministerial Council for Minerals and
Petroleum Resources (MCMPR) and are being implemented by 1 January 2005.
NOPSA itself was created in late 2003, when the Petroleum (Submerged Lands) Amendment Act
2003 made the necessary amendments to the PSLA 1967. The PSLA 1967 was also amended to
give NOPSA functions and powers with respect to OHS for petroleum activities in Commonwealth
waters from 1 January 2005. The OHS laws that NOPSA will administer in Commonwealth waters
were defined, being an improved Schedule 7, as well as the performance-based regulations or
parts of those regulations that related to OHS. The option under Section 140H to apply State or
Northern Territory OHS law was removed.
By 1 January 2005 the States and Northern Territory will have mirrored the amendments to the
Commonwealth PSLA 1967, creating consistent OHS law within Commonwealth, State and NT
PSLA 1982 waters, and giving NOPSA responsibility and powers to administer and enforce these
laws these areas.
These revised Guidelines reflect these changes to the law and its administration.
10
September 2004
1.3 The Petroleum OHS Legal Framework from 1 January 2005

In summary the OHS legal framework for offshore petroleum from 1 Jan 2005 is as follows:
NOPSA has been created, and its institutional form and governance arrangements defined,
through the Commonwealth PSLA 1967. NOPSA is funded by levies on operators, the
provisions to achieve this being in the Commonwealth PSLA 1967 and in the Offshore
Petroleum (Safety Levies) Act 2003.
NOPSA administers the OHS aspects of the Commonwealth PSLA 1967 and its regulations.
Equivalent provisions in each State and Northern Territory PSLA 1982 will give NOPSA the
powers to administer the OHS aspects of that body of law also.
Apart from OHS laws, State or NT law applies to all activities within the 3 NM limit in its own
right, and the Commonwealth PSLA 1967 then applies the same law to any petroleum
activities in the Commonwealth part of the respective adjacent Commonwealth waters.
These provisions are essentially unchanged from 1 January 2005.
The laws of each State and NT that are wholly or significantly related to OHS do not apply to
offshore petroleum activities. This is a significant change, made by the amended sections 9
and 11 of the Commonwealth PSLA, and by corresponding provisions in the PSLA 1982 of
each State and Northern Territory. These provisions remove the duplication in the applicable
OHS laws that had caused much confusion.
The OHS laws that apply to offshore petroleum activities in Commonwealth waters are:
o
Schedule 7 of the Commonwealth PSLA;
The P(SL) (Occupational Health and Safety) Regulations 1993;
The P(SL) (Management of Safety on Offshore Facilities) Regulations 1996;
The P(SL) (Diving Safety Regulations) 2003; and
The P(SL) (Pipelines) Regulations 2001, so far as they relate to OHS.
The same provisions apply in the State and NT 3 Nm zones, either by adopting or mirroring
the listed Commonwealth laws.
NOPSA and its inspectors have the power to enforce compliance with the listed laws in
Commonwealth, State and NT PSLA waters.
Where State and NT law contains OHS provisions amongst other matters, and the relevant
parts have not been disapplied, this law would be enforced by the relevant State or NT
agency under an agreement with NOPSA.
The listed OHS laws that apply contain the following broad provisions:
Schedule 7 of the Act
Establishes duties of care for operators, employers and others;
Sets out consultative arrangements in relation to designated work groups, health and safety
representatives, OHS committees, etc;
11
September 2004
Defines the powers of OHS inspectors, enabling them to make inspections, take samples,
seize evidence, issue notices, etc;
Establishes the prosecutions powers of NOPSA; and
Establishes duties to report accidents and dangerous occurrences.
PSL (Occupational Health and Safety) Regulations 1993
Defines prescriptive limits to certain OHS risks, for example by prohibiting certain materials,
defining certain exposure standards, etc;
Defines processes for the election of health and safety representatives;
Prescribes that certain vessels or structures are, or are not, facilities for the purpose of
Schedule 7 and the regulations;
Lists the laws of the States and Northern Territory that do not apply at offshore petroleum
facilities because they are OHS laws;
Defines the processes to be applied when granting persons exemptions from Schedule 7
requirements; and
Defines the forms of improvement notices, and of OHS Inspector identity cards.
PSL (Management of Safety on Offshore Facilities) Regulations 1996
Establishes a requirement to have an accepted safety case for each offshore petroleum
facility, and for the facility operator to act in accordance with this case;
Defines the procedures for submission, revision, assessment, withdrawal etc of safety cases;
Sets out the required contents of safety cases;
Sets out the required provisions for safety and emergency management at facilities; and
Defines further requirements for reporting of accidents and occurrences at facilities.
PSL (Pipelines) Regulations 2001
Establishes a requirement to have an accepted pipeline safety management plan (as part of
an overall pipeline management plan) and to operate in accordance with this;
Defines the procedures for NOPSA involvement in assessment of pipeline plans; and
Defines further requirements for reporting of accidents and occurrences on pipelines.
PSL (Diving Safety) Regulations 2002
Establishes a requirement to have an accepted dive safety management system and dive
project plan, and to operate in accordance with these;
Defines procedures for submission, revision, assessment, withdrawal etc of the safety
management system and project plan.
Defines the required contents of the safety management system and project plan; and
Defines detailed requirements for reporting of accidents and occurrences during diving.
12
September 2004

The various laws interface with each other, and the following should be noted:
All persons must comply with each set of Regulations, as the requirements of one set of
Regulations do not override those of any other, unless this is explicitly stated.
Acceptance by a regulatory authority of a matter under one set of Regulations does not
necessarily mean that the corresponding matter has been accepted for the purpose of other
Regulations.
Action by a regulatory authority under one part of the body of law (e.g. acceptance of a
Safety Case) can be conditional on a persons compliance with other parts of the body of law
(e.g. Schedule 7), but only if stated explicitly.
If a person has provided a regulatory authority with information under one set of Regulations,
then that person is not required to resubmit the information to meet a requirement under
another set of Regulations.
1.4 Application of State and NT OHS Law

The laws of the States and NT that have been disapplied because they are wholly or substantially
OHS laws are as follows:
New South Wales
Dangerous Goods Act 1975

Electricity Safety Act 1945
Explosives Act 2003
Occupational Health and Safety Act 2000
Northern Territory
Dangerous Goods Act

Part 5 of the Electricity Reform Act
Part IIIA of the Petroleum Act
Part IV of the Work Health Act
Queensland
Dangerous Goods Safety Management Act 2001

Electrical Safety Act 2002
Explosives Act 1999
Petroleum Act 1923 (to the extent that it relates to OHS)
Workplace Health and Safety Act 1995
South Australia
Dangerous Substances Act 1979

Electricity Act 1996 (to the extent that it relates to OHS)
Explosives Act 1936
Occupational Health, Safety and Welfare Act 1986
Petroleum Act 2000
13
September 2004

Tasmania

Electricity Industry Safety and Administration Act 1997
Gas Act 2000 to the extent that it relates to OHS)
Gas Pipelines Act 2000 (to the extent that it relates to OHS)
Workplace Health and Safety Act 1995
Victoria

Electricity Safety Act 1998
Gas Safety Act 1997
Occupational Health and Safety Act 1985
Western Australia
Dangerous Goods Safety Act 2004

Electricity Act 1945 (to the extent that it relates to OHS)
Explosives and Dangerous Goods Act 1961
Occupational Safety and Health Act 1984
Petroleum Act 1967 (to the extent that it relates to OHS)
Petroleum Pipelines Act 1969 (to the extent that it relates to OHS)
Petroleum Safety Act 1999
Some of the remaining State and NT law contains provisions related to OHS; these provisions
have been retained, as they could not be disapplied without also disapplying provisions not
related to OHS. Operators and others must also comply with this law, which may include the
following in each State and NT (note that only generic titles are given):
Health Acts
Except that in some areas the application of the Act does not
extend offshore because is limited to Municipal areas.
Food Safety Acts
Except that in some areas the application of the Act does not
extend offshore because is limited to Municipal areas
Gas Safety Acts
Except that in some areas the application of the Act, or parts of

the Act, will exclude offshore activities because the definition of
gas is limited to gas for commercial use
Electricity Safety Acts
Except that in some areas the application of the Act, or parts of

the Act, will exclude offshore activities because the electricity
that is generated is used on-site
Radiation Safety Acts
The Act of each area appears to apply offshore.
NOPSA will administer these laws in conjunction with the relevant State or NT agency, under a
Memorandum of Understanding. Operators and other duty holders may seek exemption from
14
September 2004

these requirements from the relevant State or NT agency, and NOPSA would be involved in
assessing any such application for exemption.
1.5 Frequently Asked Questions

1.5.1
Does Maritime OHS Law Also Apply?
1.5.2
What Other Commonwealth OHS Laws are Relevant?
1.5.3
What Workers Compensation Law Applies?
1.5.4
What Emergency Management Law Applies?
1.5.5
What are the Laws that Fund NOPSA?
1.5.6
What is a Safety Case, and why is it Required?
15
September 2004
Guide to the Management of Safety Regulations
2.1 Introduction
This summary guide expands upon the Readers Guide that appeared in the Commonwealth
Petroleum (Submerged Lands) (Management of Safety on Offshore Facilities) Regulations from

1996 to 2004. On 1 January 2005 the Readers Guide was removed from the Regulations,
transferred to this document so that it may be more readily updated, and expanded as
appropriate.
The main purpose of the guidance material in this section is to assist readers, particularly those
who may not be familiar with the practice relating to Safety Cases, in understanding the basic
structure and requirements of the Regulations.
2.2 Preliminary
Part 1 of the Regulations establishes their commencement date and their objectives, and defines
a number of terms and phrases that have specific meaning within the Regulations.
Part 22 sets out the processes for registration of operators of facilities. A facility owner or the
titleholder of the area where the facility is to operate may nominate an operator for the facility,
and NOPSA will register that person as the operator is satisfied that the person has or will have
appropriate management and control of the facility. There are provisions for changing the
nominated operator.
Part 3 of the Regulations establishes the requirements in relation to Safety Cases, safety
management and emergency management at offshore facilities, which are the main substantive
requirements of these Regulations. The provisions of this Part establish the required content of
Safety Cases, and also the processes for submission of Safety Case, their acceptance or rejection,
revisions to Safety Cases, and withdrawal of acceptance. The provisions are discussed in more
detail in sections 2.3 and section 2.4 of this document.
Part 4 of the regulations relates to validation. The provisions of this Part are discussed in section
2.4 of this document.
Part 5 of the Regulations defines the types of accidents and dangerous occurrences that have to
be reported under the Schedule 7 of the Act.
2
Part 2 of the Regulations formerly related to the grant of consents to construct/install/use a facility. From
1 January 2005 those provisions are to be contained within the Petroleum (Submerged Lands) (Resource
Management) Regulations 2004, administered by the Designated Authorities.
16
September 2004
Part 6 of the Regulations establishes offences and associated penalties. For example, that it is an
offence to construct, install, operate, modify or decommission a facility unless there is a
registered operator for the facility, and a Safety Case in force for the facility.
Part 7 covers some administrative arrangements
Part 8 establishes transitional provisions for the 1 January 2005 amendments to the Regulations,
to ensure that decisions made under the previous version of the Regulations remain valid and in
force, and to provide a period for operators and others to comply with any new or expanded
provisions.
2.3 Safety Case Administration

Part 6 requires activities at (or in relation to) a facility to be in accordance with an accepted
Safety Case, or as otherwise approved by NOPSA:
An operator must not construct, install, operate, modify or decommission a facility unless
there is a safety case in force for the facility that relates to the corresponding activity
(regulation 48).
The operator must not construct, install, operate, modify or decommission a facility in a way
that is contrary to the safety case in force for the facility, or in a way that is contrary to any
limitation or condition applied by or under the Regulations (regulation 49), except if NOPSA
has given consent for this in writing.
The operator must not continue to construct, install, use, modify or decommission a facility in
the presence of a significant new risk to health and safety or in the presence of a significant
increase in an existing risk, unless that new or increased risk is accounted for by the safety
case in force for the facility, or by a proposed revision to the safety case (regulation 50).
Division 2 of Part 3 establishes the processes for submission and acceptance of a safety case:
In order for a safety case to be accepted by NOPSA, it must first be submitted to NOPSA by
the operator (regulation 28). The safety case may relate to 1 or more of the stages of the
life of the facility, which means one or more of construction, installation, operation,
modification and decommissioning. The safety case may also relate to 1 or more facilities.
After having received a Safety Case, NOPSA may request that more information be provided,
giving at least 30 days notice. Any such information, once received, is then treated as being
part of the Safety Case (regulation 29)
NOPSA must accept the Safety Case if there are reasonable grounds for believing that it is
appropriate to the facility, it complies with the requirements of Division 1 of Part 3, and that
any validation meets the legislative requirements (regulation 30). NOPSA must give the
operator a reasonable opportunity to change and resubmit a Safety Case that does not
17
September 2004

initially meet the requirements. NOPSA also has the option to accept a Safety Case for
particular stages of the life of the facility, or to impose limitations or conditions.
NOPSA has 90 days from receipt of a Safety Case in which to notify the operator of its
decision either to accept the Safety Case (fully, for selected stages, or with conditions),
refuse to accept it, or give notice that more time is required (regulation 31).
Division 2 of Part 3 also establishes a mechanism whereby NOPSA may authorise departure from
an accepted Safety Case. Specifically, regulation 32 allows NOPSA to give consent for an
operator to work other than in accordance with an accepted Safety Case if satisfied that there will
not be an occurrence of a significant new risk or increased risk to health and safety,
notwithstanding the offences established in Part 6.
Division 3 of Part 3 establishes provisions relating to the revision of a Safety Case:
The operator of a facility must submit a proposed revision of the Safety Case as soon as
practicable after any of the specified circumstances arise (regulation 34). The relevant
circumstances include new technical knowledge, or new methods for identifying and
assessing risks of major accident events, that make the Safety Case outdated. They also
include proposals to make a change or changes to the facility, or to the activities that are
carried out, or to the safety management system, if the Safety Case does not already address
those changes. A revision to a Safety Case may take the form of a revision to a part only of
the Safety Case, with the agreement of NOPSA (subregulation 34(3)).
In addition, NOPSA may request in writing that the operator submit a proposed revision to
the Safety Case (regulation 35). In such cases, the operator is allowed to make a submission
that a revision is not needed, or that a different revision should be made, and NOPSA must
take account of that submission before deciding whether a revision is required and what the
revision must consider.
Further, the operator must submit a proposed revision of the Safety Case every 5 years,
regardless of whether revisions have been made for other reasons in the intervening period
(regulation 36). Such revisions must specifically address the long term integrity of control
measures.
18
September 2004

The processes for dealing with revised Safety Cases are similar to those for deailing with initial
Safety Cases
After having received a revised Safety Case, NOPSA may request that more information be
provided, giving at least 30 days notice. Any such information, once received, is then treated
as being part of the revised Safety Case (regulation 37).
NOPSA must accept the revised Safety Case if there are reasonable grounds for believing that
it is appropriate to the facility, it complies with the requirements of Division 1 of Part 3, and
that any validation meets the legislative requirements (regulation 38). NOPSA must give the
operator a reasonable opportunity to change and resubmit a revised Safety Case that does
not initially meet the requirements. NOPSA also has the option to accept a revised Safety
Case for particular stages of the life of the facility, or to impose limitations or conditions.
NOPSA has 30 days from receipt of a revised Safety Case in which to notify the operator of its
decision either to accept it (fully, or for selected stages, or with limitations or conditions),
refuse to accept it, or give notice that more time is required to make a decision (regulation
39).
A key point to note is that, if a revised Safety Case is not accepted, then the existing Safety Case
remains in force (regulation 40).
Division 4 of Part 3 establishes provisions for withdrawal of acceptance of Safety Cases:
NOPSA is able by written notice to inform the operator of a facility that it withdraws
acceptance of a Safety Case (regulation 41). Valid grounds for this are that there has been a
failure to comply with:
o
relevant provisions of the Act,
a notice issued by an OHS inspector under Schedule 7, or
regulations 34, 35 or 36 (operator compliance with the Safety Case)
or that NOPSA has rejected a revised Safety Case.
Before withdrawing acceptance of a Safety Case NOPSA must give at least 30 days notice to
the operator and to any other persons it thinks fit (regulation 42). The notice must indicate
the date by which the operator or other persons may submit further information to NOPSA
about the matter. NOPSA must take account of any such information before making its
decision.
Note that NOPSA is not compelled to withdraw acceptance in the circumstances specified in
regulation 41 it is merely allowed to do so. Withdrawal of acceptance of a Safety Case is only
likely to occur in extreme circumstances, all other compliance and enforcement measures having
failed to have effect.
19
September 2004
2.4 Safety Case Contents

Division 1 of Part 3 establishes the required contents of Safety Cases, and prescribes that certain
safety management arrangements must be in place.
The overarching requirement is that a Safety Case for a facility must contain a description of the
facility, a detailed description of a formal safety assessment for the facility, and a detailed
description of the safety management system that is used at the facility (regulation 9).
The facility description must comply with subregulation (2), the description of the formal safety
assessment must demonstrate (provide evidence) that the assessment complies with
subregulation (3), and the description of the safety management system must demonstrate that
the system complies with subregulation (4).
The requirements for these three basic elements of the Safety Case are then set out in
succeeding sub-regulations.
Facility Description
Subregulation (2) states that the description of the facility must give details of the layout of
the facility, the control measures for major accident events (i.e. those identified by the formal
safety assessment), the activities to be carried out at the facility, and any other relevant
matters.
Formal Safety Assessment
Subregulation (2) states that the formal safety assessment that is described in the Safety
Case must be an assessment (or series of assessments) that:
o
identifies all hazards relevant to major accident events;
is a detailed and systematic assessment of risk associated with those hazards; and
identifies the control measures that will reduce risk as low as reasonably practicable.
Safety Management System
Subregulation (2) states that the safety management system that is described in the Safety
Case must be comprehensive and integrated, and must provide for (e.g. have systems and
procedures for)
o
all activities at the facility;
continual and systematic identification of hazards to safety and health;
continual and systematic assessment of risk of injury or illness;
the reduction of risks to persons to as low as reasonably practicable;
the inspection, maintenance and testing of control measures for those risks;
adequate communications with relevant facilities, installations, vessels and aircraft;
20
September 2004

o
any other matters that are reasonably necessary.
The safety management system must also specify the performance standards that apply.
In general, a Safety Case or revision that is submitted to NOPSA must address the next stage of
the life of the facility, so that the relevant activities may commence as soon as the Safety Case is
accepted. However, there when submitting a Safety Case for construction or installation or of a
facility, the Safety Case must address the operations stage (so far as is practicable at the time) as
well as the construction and installation stage (subregulation (5)). This provides for early
consideration of the hazards and risks of the operations stage.
Note that the safety management system that is described in the Safety Case must be a system
for the management of all hazards and risks to health and safety - it is not limited to potential
major accidents. However, the Formal Safety Assessment that is described in the Safety Case
need only relate to major accident events. The facility description should be general, but with an
emphasis on the design features (e.g. layout and other control measures) that relate to major
accident events.
As well as the matters set out in regulation 9, the Safety Case must also demonstrate that there
are effective means of ensuring the implementation, monitoring and improvement of the safety
management system (regulation 10).
2.5 Further Requirements of the Safety Case

Regulations 11 to 26, which form subdivisions B to D of Division 1 of Part 3, set out further and
more specific requirements for the Safety Case. Subdivision B relates to safety measures,
subdivision C relates to emergencies and subdivision D relates record-keeping.
Safety Measures
The Safety Case must specify the standards applied to the design, construction, installation,
modification and operation of the facility, and of plant used on or in connection with it (regulation
11).
The Safety Case must specify an office or position of the person in command of the facility and
responsible for its safe operation, an office or position of the person responsible for implementing
and supervising emergency procedures, and the command structure that applies in an emergency
(subregulation 12(1)). The same person may occupy the two offices or positions. The Safety
Case must also describe how the operator ensures the person(s) occupying the offices or
positions have the necessary skills etc, and how the persons, names are made known to the
workforce (subregulation 12(2)). In addition, it must describe how the operator ensures that
other members of the workforce are competent to undertake routine and non-routine tasks that
21
September 2004

may reasonably be expected of them in normal, abnormal and emergency conditions (regulation
13).
The Safety Case must provide for the establishment and maintenance of a permit to work
system that controls and coordinates safe performance of work activities, including welding, other
hot work, physical isolation, electrical work, etc. This system must form part of the safety
management system, identify the persons having responsibility under it, and ensure that the
involved persons are competent (regulation 14).
The operator must demonstrate to NOPSA that there was effective consultation with (and
participation of) members of the workforce in the development or revision of the Safety Case,
and that the Safety Case provides for adequate consultation and participation so that these
persons are able to arrive at informed opinions about the hazards and risks to which they may be
exposed at the facility (regulation 15). It is not an explicit requirement for the demonstration to
be part of the Safety Case, but this would be preferred.
The Safety Case must describe how the operator ensures the adequacy of design, construction,
installation, maintenance and modification of the facility for the relevant stages of the facility life
(regulation 16). Specifically, this must address inventory isolation, pressure relief, access for
servicing and maintenance, structural integrity and the implementation of control measures.
The Safety Case must specify the medical and pharmaceutical supplies and services maintained
on the facility, sufficient for an emergency situation (regulation 17).
The Safety Case must specify the equipment required on the facility that relates to or may affect
the safety of the facility (regulation 18). The equipment is required to be fit for its function or
use in normal conditions, and also for any emergency conditions under which it is intended to
function.
The Safety Case must describe how the operator ensures the securing, supplying and monitoring
of therapeutic drugs, and the preventing the use of other controlled substances and intoxicants
(regulation 19).
22
September 2004

Emergencies
The Safety Case must contain a detailed description of an analysis of evacuation, escape and
rescue for the facility (regulation 20), and a detailed description of a fire and explosion risk
analysis (regulation 21). Specific requirements of these regulations are discussed further below.
The Safety Case must provide for adequate systems for emergency communication within the
facility, and between the facility and relevant other offshore facilities, onshore installations,
vessels and aircraft (regulation 22). The communications system is required to be adequate to
handle any likely emergency, as well as the operational requirements, and to be protected so as
to be capable of operating to the extent specified by the Formal Safety Assessment.
The Safety Case must make adequate provision for back-up power supply, lighting, alarm
systems, ballast control and shut-down in the event of an emergency (regulation 23).
The Safety Case must describe a plan for response to the emergencies involving major accident
events (regulation 24), capable of ensuring the safety of persons on board. This regulation
further requires the Safety Case to make adequate provision for escape and fire drill exercises, in
which persons are adequately trained. A further requirement for Safety Cases for mobile facilities
is that they must specify adequate systems for shutdown or disconnect, together with appropriate
warning systems.
The Safety Case must specify adequate procedures and systems for emergency shutdown or
isolation of any pipelines that are connected to the facility (regulation 25), together with
adequate means of mitigating the risks associated with each such pipeline, and the inspection
and test schedule that applies to the relevant shut-down valves.
The Safety Case must describe a system that ensures, so far as reasonably practicable, the safe
performance of vessel and aircraft operations in relation to the facility (regulation 26). The
system is further required to meet the requirements identified by the formal safety assessment,
and to be described in the safety management system.
As noted, regulations 20 and 21 require there to be an evacuation, escape and rescue analysis,
and a fire and explosion risk analysis, both of which must be described in detail in the Safety
Case. The following paragraphs discussed these requirements in more detail.
The evacuation, escape and rescue analysis must first identify the possible types of emergencies
that could occur at the facility. The analysis must then assess the outcome of the possible
emergencies, taking into account a range of possible:
evacuation and escape routes for emergencies;
23
September 2004
alternate routes, in case the primary routes are not available;
procedures for responding to emergencies;
means and equipment for evacuation, escape and rescue;
amenities and communications facilities to be provided in a temporary refuge; and
live saving equipment, including life-rafts with launching and/or float free capability.
From this, the analysis must identify those control measures that reduce the risks associated with
emergencies to a level that is low as reasonably practicable.
Similarly, the fire and explosion risk analysis must first identify the possible types of fires and
explosion that could occur at the facility. The analysis must then assess the outcome of the
possible fires and explosions, taking into account a range of possible:
measures for detecting fires and explosions;
measures for eliminating or reducing fires and explosions;
automatic and manual systems for detection, control and extinguishment; and
means of isolating and safely storing hazardous substances.
It must also consider the results of the evacuation, escape and rescue analysis, relevant to fires
and explosions. From this, the analysis must identify those control measures that reduce the
risks associated with fires and explosions to a level that is low as reasonably practicable.
Record Keeping
Regulation 27 requires the Safety Case to include arrangements for making records of documents
and securely storing them for 5 years at a nominated address in a manner that facilitates their
retrieval.
The types of records that must be addressed by these provisions of the Safety Case are the
Safety Case itself, any revisions to the Safety Case, written audit reports related to the Safety
Case, and reports of accidents and incidents under subregulation 46(2).
Other Comments
It is useful to note at this point that regulations 11 to 27 all impose requirements for the Safety
Case to describe or specify or make provision for certain matters, but only 14 and 26 explicitly
state that the relevant matters must be part of the safety management system. However, in
practise, all the relevant matters should be addressed in the safety management system, in order
to meet the requirement that the safety management system is comprehensive and integrated.
Thus the safety management system should contain or refer to the methods of conducting a fire
risk analysis and an evacuation, escape and rescue analysis. Similarly, the safety management
system should contain or refer to the design standards for the facility.
24
September 2004

It should also be noted that, throughout this Division of the regulations, the operator is required
to describe, specify or make provision for adequate or appropriate or suitable procedures,
equipment etc. Thus it is not sufficient for the Safety Case merely to describe what procedures
or equipment exist or will exist it is necessary for the procedures or equipment to be adequate
or appropriate or suitable, otherwise the Safety Case will not meet the requirements and will not
be accepted.
2.6 Validation
Part 4 of the Regulations (regulation 44) establish the requirements for validation.
Validation is a means of providing NOPSA with assurance that agreed elements of the operators
systems and equipment described in the Safety Case meet the management of safety objectives
required by the Regulations. The starting point is agreement on the scope of validation between
the operator and NOPSA (subregulation 44(1)); the remaining provisions of regulation 44 then
come into play.
In effect, validation is a form of certification of certain matters concerning a facility (subregulation
44(2)). The persons or persons providing the certification must have the necessary competence
and ability, proper access to the appropriate data, and a sufficient degree of independence
(subregulation 44(3)), and the validation must establish the soundness and efficacy of the
matters specified, to the level of assurance reasonably required by NOPSA (sub-regulation 44(4)).
In the case of a proposed facility there are two broad matters to be validated:
that the design, construction and installation (including instrumentation, process layout and
process control systems) of the facility are fit for purpose; and
that the design, construction and installation (including instrumentation, process layout and
process control systems) of the facility are consistent with the Formal Safety Assessment
In the case of an existing facility (i.e. where there is a proposal to make a modification), there is
only one broad matter to be validated that the facility will remain fit for purpose.
The regulations do not set out what an acceptable scope of validation might be, and what level of
competence and independence the person(s) conducting the validation should have. This is
discussed in Part 2 of this document.
2.7 Incident Reporting

Part 5 deals with the notification and reporting of health and safety incidents.
25
September 2004

In summary, the operator of a facility must report to NOPSA any accident or dangerous
occurrence at the earliest practicable opportunity, and must follow-up with a written report of the
accident or incident. The written report must contain details of the matters to be set out in a
gazetted notice. Each month the operator must report a summary of the accidents and incidents
that occurred during the previous month.
Schedule 7 and subregulation 45(1) to the Act defines an accident for this purpose as being any
incident involving death, serious injury, or incapacitation for 3 days.
Subregulation 45(2) defines dangerous occurrence for this purpose as being anything that could
reasonably have resulted in an accident, plus any of the events listed in 45(2)(b), plus anything
that a reasonable operator would consider requires investigation.
2.8 Miscellaneous
Parts 7 and 8 of the Regulations deals with a range of administrative matters. Part 7 (regulation
54) sets out specific details that must be provided in any submission to NOPSA. Part 8
establishes transitional provisions for the period immediately after 1 January 2005.
Division 2 of Part 8 sets out transitional arrangements for the hand-over of OHS regulatory
responsibility from the Designated Authorities to NOPSA. In essence, the regulation requires
NOPSA and the Designated Authority to consult over the hand-over of documents, and lists the
types of documents that must be handed over. The Division (regulation 57) also establishes that
a notice or request issued by a Designated Authority before 1 January 2005 and not complied
with by that date continues in effect as if it had been issued by NOPSA.
Division 3 of Part 8 sets out the transitional arrangements regarding Safety Cases:
Existing Safety Cases and revisions, already accepted by a Designated Authority, remain in
force, subject to any limitations and conditions imposed by the Designated Authority
(regulation 58).
Applications for acceptance of Safety Cases and revisions made to a Designated Authority
before 1 January 2005, which the Designated Authority has not made a decision, are treated
as if they were applications made to NOPSA on 1 January 2005.
Divisions 4 and 5 of Part 8 sets out the transitional arrangements regarding operators and
facilities:
A person registered as an operator at 31 December 2004 continues to be registered until 1

April 2005 (regulation 60). By that date, either the same person must be reregistered, or a
new registration made. If no person was registered, the title-holder is registered as the
operator for the interim period.
26
September 2004
If a structure or vessel becomes a facility for the first time on 1 January 2005, or first
enters Australias waters within the first 3 months of 2005, then there are automatic
exemptions as follows:
o
There is no requirement for an operator to be registered for the first 3 months;
No Safety Case needs be in force, provided one is submitted to NOPSA by 1 July 2005
(and provided NOPSA does not reject the Safety Case).
2.9 Penalty Provisions

The penalty provisions of the Regulations are set out in Part 6, under the individual regulations
that create each offence. Penalties are expressed in terms of a penalty unit which, at the date of
commencement of these Regulations, was $100, but which at the date of writing these Guidelines
is $110 (Crimes Act 1914, s. 4AA).
If the court thinks fit, a penalty of up to 5 times the specified penalty may be imposed on a
defendant that is a body corporate (Crimes Act 1914, s. 4B). Further, a court may consider that
some of the penalties, for example those in regulations 47 and 48, are daily penalties.
Some offences under the regulations are stated to be offences of strict liability (for example,
those for regulations 49, 51 and 52), meaning that:
Lack of fault is not a defence. That is, a person may be taken to have committed an
offence even though they had no intention or knowledge about the offence, and did not
display recklessness or negligence.
Mistake of fact is a defence. That is, it is a defence to have reasonably relied on

information that proved to be false. Other standard defences are also available (sections 5.1,
6.1 and 9.2 of the Criminal Code)
2.10 Exclusions and Exemptions

The following provisions exist for granting of exemptions, or similar:
Clause 2A(4) of Schedule 7 of the PSLA 1967 allows particular vessels and structure, or
vessels and structures that carry out certain types of activities to be declared under the
regulations not to be facilities. Schedule 7 would not apply to these vessels and structures,
and neither would the Management of Safety Regulations, and hence there would be no
requirement for a Safety Case. However, currently, there are no such declarations.
Clause 27A of Schedule 7 to the PSLA allows NOPSA to exempt persons from the
requirements of Part 3 of that Schedule the part that sets out the required consultative
arrangements. This provision recognises that it may not always be practicable to comply with
the consultative requirements, for example at a not-normally staffed facility. The processes
whereby such exemptions may be granted are set out in the P(SL)(OHS) Regulations. There
are no exemption provisions from the remainder of Schedule 7.
27
September 2004
Regulation 43 allows for partial or total exemption from the Safety Case requirements of the
Management of Safety Regulations, on a case by case basis for which an operator would
need to apply. Thus NOPSA may decide, in some circumstances, that a particular aspect of a
Safety Case is not relevant or necessary, or that the requirement for a Safety Case can be
dispensed with. There are no provisions to exempt operators or others from the remaining
requirements of these regulations, such as those related to accidents and dangerous
occurrences.

2.11.1
Which Facilities Require Safety Cases?
2.11.2
How Does the Safety Case Relate to the SMS?
2.11.3
How Does the Safety Case Relate to the other PSL Regulations?
2.11.4
How Does the Safety Case Relate to OHS Standards?
2.11.5
What is the Workforce Involvement in the Safety Case?
28
September 2004
Stages and Types of Safety Cases
3.1 Introduction
Safety Cases may be prepared for one or more of the following stages in the life of a facility:
Construction/installation;
Operation;
Modification; and
Decommissioning.
and must be in force for a particular stage before that stage can commence.
In practice, these four stages apply only in the case of fixed facilities; the stages of a Safety Case
for such facilities are discussed in section 3.2. Later sections address Safety Cases for mobile
facilities (including mobile drilling units (section 3.3), construction barges and accommodation
barges (section 3.4)) which generally only require a Safety Case for the operational (or use)
stage, and possibly also for modifications.
3.2 Fixed Production Facilities

The life of a fixed production or infrastructure facility may be considered to comprise the
following four stages:
Construction/Installation;
Operation (use);
Modification; and
Decommissioning.
As noted, a Safety Case may address one or more of these stages. Individual sub-sections below
discuss each these stages, and also the earlier design stage.
3.2.1
Design
Many operators adopt the practice of preparing a Safety Case at an early stage in project
development, which is known either as a Design Safety Case or as a Stage 1 Safety Case. This is
often prepared for the purpose of gaining internal corporate or joint venture partner funding for
the project, prior to proceeding to detailed design, procurement and construction.
There is no requirement in the Regulations for such a Safety Case, but such a document may be
used to support the Field Development Plan that must be submitted to the Joint Authorities when
seeking a Production Licence or Infrastructure Licence under the PSLA.
Whether or not a Design Safety Case forms part of the Field Development Plan, NOPSA will work
with the Joint Authorities at this stage, by reviewing the safety implications of the proposed
development concept, and preparing the part of the Joint Technical Report that relates to safety.
29
September 2004
Any safety related recommendations made in the Joint Technical report would need to be
addressed by the time the Safety Case for Construction and Installation is submitted to NOPSA.
3.2.2
Construction and Installation
A Safety Case is required under the Regulations prior to commencing construction or installation
of a facility. In this context it should be noted that construction and installation is limited to the
construction and installation activities that take place at the petroleum site. It does not extend to
fabrication and construction in a shipyard etc, even if located in Australia.
The Safety Case for construction and installation of a fixed production or infrastructure facility is
not intended to address the risks of construction and installation. Those risks are to be covered
by a Safety Case for each of the construction facilities (transport barge, accommodation unit,
etc), or by a combined Safety Case for all facilities involved in the design and construction see
section 6.4. Rather, the Safety Case for construction and installation should address the risks of
the operational stage of the life of the facility, so far as practicable at the time.
NOPSA would expect this stage of the Safety Case to contain a complete Facility Description and
a complete Formal Safety Assessment, but would recognise that the Safety Management System
for the operational stage may not yet be fully developed and might only be able to be described
in summary. Accordingly, assessment of such a Safety Case would focus on the design and FSA
aspects, and the assessment of the SMS would be at a systems level only, checking that the
required procedures are developed or are being developed, without assessing their detailed
content or whether they are being implemented.
3.2.3
Operation
A Safety Case is required under the regulations prior to commencing operation or use of a facility.
Operation or use in this context would generally be taken to start either when drilling
activities commence at the facility, or (if there are no wells at the facility, or the wells were predrilled) when the first attempts are made to bring petroleum fluids onto the facility.
The Safety Case for operation or use of the facility needs to address the range of normal and
other foreseeable activities that might take place on the facility, and the risks associated with
these activities. There is benefit to all parties if this Safety Case can properly address the widest
possible range of activities, as this will limit the need for Safety Case revisions.
All aspects of this Safety Case would need to be complete and detailed, although NOPSA
recognises that, at this stage, there may be limited hard evidence to show that the operational
aspects of SMS are being implemented in practice.
30
September 2004

3.2.4
Revision and Modification of Safety Cases
Under the regulations a revision to the Safety Case has to be prepared and submitted to NOPSA
whenever the following conditions are met:
every 5 years;
if technical developments require it;
if there is a major modification to the facility (including to its activities or management);
if there is series of more minor modifications; or
if NOPSA requests.
Until accepted, any revision remains a proposed revision, but on acceptance becomes the
Safety Case that is in force.
In many cases such a Safety Case will, in effect, be no different from a Safety Case for
operations/use, in that it will need to address the on-going design, activities and management of
the facility, from the moment of revision onwards for a period of up to 5 years.
Some modifications may be only temporary, for example the use of a demountable wire-line or
snubbing unit to perform down-hole activities, or a period of campaign maintenance. In such
cases the revision to the Safety Case might more sensibly take the form of an addendum, which
is removed once the period of abnormal activities is complete.
3.2.5
Decommissioning
The Safety Case for decommissioning of the facility would need to address the same broad types
of hazards as the earlier Safety Cases, although the relative severity of the risks may change
during the course of the decommissioning and this would need to be accounted for. For
example, in the early stages of decommissioning, there may be significant hydrocarbon risks
associated with plugging and abandoning wells, emptying and cleaning process systems, etc, but
in the later stages the significant risks will be associated with the physical dismantling or removal
of the facility.
Various barges might be involved in the decommissioning, which would need to have their own
Safety Cases. Alternately, a combined Safety Case could be prepared for the barges and for the
facility that is being decommissioned.
3.2.6
General Discussion
The figure below shows the staged development of a Safety Case for a fixed production or
infrastructure facility, corresponding to the above discussion
Figure 1 Stages of the Safety Case for a Fixed Platform
31
September 2004
Development
concept
selection
Field Development
Plan
Includes concept
selection decisions
related to safety
Preliminary
Design
Detailed
Design
Construction
in shipyard
DA issues Production
Licence, with NOPSA
advice on safety
matters.
Construction /
Installation
Safety Case
Full Safety
Case for
construction
works
Complete FD, initial
Operation / Use
Safety Case
Complete FD,
complete FSA and
complete SMS for
the fixed facility
NOPSA accepts Safety

Cases. DA issues
consents.
Construction /
installation in
Field

Case. DA issues
consent to use.
Start-up and
Operations
Proposed revisions to
all relevant parts of
the Safety Case
Safety Case
Revisions
NOPSA accepts
proposed revisions to
Safety Case.
Modifications
Abandonment /
Decommissioning
Safety Case
Complete
Safety Case for
barges
Revised Safety Case
for fixed facility

Cases. DA issues
consents.
Abandonment
The same stages might also apply to a Floating Production Storage and Offloading (FPSO) vessel
or similar facility, notwithstanding that construction may in such cases be limited to installation
of the mooring and connection of the vessel to it.
In practice, the stages of the life of the facility, and hence the stages of the Safety Case, may not
be as well defined as discussed above. Accordingly, the information presented above is brief,
does not address all possible circumstances, and is for guidance only. Operators
contemplating complex development projects are advised to discuss these with
NOPSA, in order to reach agreements as to what may be the suitable stages for the
Safety Case.
It should be stressed that, although the Management of Safety Regulations list four stages of the
life of a facility, the Regulations simply state that a Safety Case may address 1 or more such
32
September 2004

stages. The overriding regulatory requirement is that, at any time, there is a Safety Case in force
(i.e. that has been accepted) that adequately addresses the facility as it then exists, the activities
that are taking place, and all of the associated hazards and risks. It is ultimately the
responsibility of the operator to determine how best to achieve this.
3.3 Mobile Drilling Units

3.3.1
MODU with no Production Facility
This section addresses the case where a mobile offshore drilling unit is operating stand-alone,
on a program of exploration or development drilling.
A Safety Case for such a facility needs to account for the design, routine activities, safety features
and safety management arrangements of the facility itself, and also for the particular drilling
program that is to be conducted. There are two possible approaches to this:
a single Safety Case is prepared, that addresses the drilling unit, the specific drilling program
to be conducted, and any issues related to the location of the work; or
the facility has a Safety Case that is generic to the normal range of activities that it may
undertake, and a separate document is prepared that addresses the issues specific to the
drilling program and the site. This separate document is often referred to as a Bridging
Document.
If the drilling unit is intending to conduct further drilling campaigns in Australian waters, the latter
option may be preferred, as this approach to the Safety Case is more flexible.
As well as the Safety Case under the Management of Safety Regulations, there is also a
requirement to prepare well operations management plans, under the Management of Well
Operations Regulations. The well operations management plans primarily address well and
reservoir integrity, and are a regulatory responsibility of the Designated Authorities.
Nevertheless, NOPSA and the DAs will liaise to ensure that proposed well operations are
compatible with the Safety Case that is in force.
3.3.2
MODU with Production Facility
This section addresses the case where a jack-up drilling unit is to be used to drill or service a well
at an existing production or wellhead platform. It is assumed that the production or wellhead
platform would already have its own Safety Case, accepted by NOPSA (or previously by one of
the Designated Authorities). The drilling facility may or may not have a Safety Case that has
been accepted in Australia.
The issue here is two-fold:
33
September 2004
The production/wellhead facility has to be safe in its own right, as does the drilling unit, and
this has to be demonstrated to NOPSA for both facilities, through the Safety Cases; and
The hazards and risks associated with the interface between the two facilities need to be
identified, assessed, controlled and managed, and the combined safety of the two facilities
operating simultaneously demonstrated to NOPSA.
The safety issues associated with such combined operations are numerous, and include:
The possible impact of drilling incidents on production personnel, and of production incident
on drilling personnel;
Possible escalation of incidents from one facility to the other;
Compatibility of the alarm and shutdown systems, fire protection systems, and escape
evacuation and rescue systems for the two facilities; and
Compatibility of the organisational structure, emergency command, management systems

and emergency procedures for the two facilities
Possible approaches are as follows:
If the drilling facility has its own Safety Case, and this has already been accepted in Australia,
then a Bridging Document could be submitted to NOPSA. The Bridging Document in effect
forms a proposed revision, both to the production/wellhead platform Safety Case, and to the
drilling unit Safety Case, and would apply for the duration of the drilling program only. On
completion of the drilling program, the previous, separate Safety Cases would revert to being
in force; or
If the drilling facility has its own Safety Case, but this has not yet been accepted in Australia,
then the same could apply, except that, in addition, the drilling unit Safety Case would also
have to be submitted to NOPSA. Alternately, the drilling facility Safety Case could be revised
to account for the particular drilling program, as well as the issues surrounding the units
interfaces with the production/wellhead facility.
The operator of the facility must submit the Safety Case. In this case there may be two
operators one for the production/wellhead facility and one for the drilling unit. They would
each be responsible for submitting their respective Safety Cases, and jointly responsible for any
Bridging Document or combined Safety Case.
3.4 Construction Facilities

Transport, accommodation and heavy lift barges that are used in construction of fixed production
or infrastructure facilities are facilities and hence require accepted Safety Cases.
Such Safety Cases are only needed for the operations stage of the life of these facilities, given
that these facilities are not constructed/installed (and also not decommissioned) at the petroleum
34
September 2004

site. In this context operations would include any modifications made during the course of the
work.
The Safety Cases for such facilities must address the hazards and risks associated with the
construction and installation activities. The nature of the activities, and the associated hazards
and risks, mean that a sensible approach is to prepare a single Safety Case for all of the facilities
involved in the construction and installation; this is allowable under the Management of Safety
Regulations. A separate Safety Case would be prepared in relation to the operational risks of the
facility that is being constructed, as discussed in section 3.2.
It is the operator of the facility who must submit the Safety Case. The various construction and
accommodation barges may have different owners, but NOPSA would normally register one
person or organization as the operator for the construction - the one in overall control of the
site. That person or organization would also be responsible for the Safety Case(s).
35
September 2004
Safety Case Administrative Processes
4.1 Pre-Submission
Any person who wishes to construct, install or operate a facility (or facilities) should consult with
NOPSA at an early stage, with a view to agreeing on:
the stages for each facilitys Safety Case;
the scope for each stage of each facilitys Safety Case;
the extent to which Safety Cases for facilities and for stages can be combined;
the required scope of validation for each facility; and
the necessary level of independence of the validator(s).
These consultations will assist the operator in developing Safety Cases that are satisfactory to
NOPSA. It will also assist NOPSA in planning its oversight and assessment activities, and
obtaining the necessary resources for these activities, including specialists as required.
Similar consultations would also be useful prior to Safety Case revision.
4.2 Submission of a Safety Case

4.2.1
Timing
Safety Cases may be submitted at any time, although operators are obviously advised to allow
sufficient time for a Safety Case to be assessed, prior to the scheduled commencement of the
activity to which the Safety Case relates.
It would generally be expected that an exploration permit would have been granted before a
Safety Case was submitted for use of a facility for exploration drilling. It would likewise generally
be expected that a production or infrastructure licence would have been granted before a Safety
Case was submitted for construction / installation of a facility, or for development drilling.
There is no prescribed link between the timing of submission of Safety Cases under the
Management of Safety Regulations, and the timing of submissions under the other PSLA
regulations of environmental management plans, pipeline management plans, diving safety
management systems, diving project plans and well operations management plans.
However, the Safety Case and all relevant management plans have to be accepted (by the
relevant DA or NOPSA, as appropriate) before the respective activities are allowed. This
therefore implies that the submissions under other performance based Regulations are likely to
coincide with either the initial or proposed revised Safety Case:
36
September 2004
The Safety Case, environmental management plan and well operations management plan for
a drilling program would all have to be accepted before the program could commence. An
initial Safety Case has a longer allowable period for assessment, but otherwise these
submissions would closely coincide; and
A diving project plan for a particular diving activity and the corresponding Safety Case
revision would both have to be accepted before the diving could occur at the facility. The
respective submissions would therefore coincide.
The figure in section 3.2.6 is relevant.

4.2.2
Roles and Responsibilities
Operator
It is the operator of the facility that is responsible for submitting the Safety Case to NOPSA, for
ensuring that the Safety Case meets the regulatory requirements, and (once the Safety Case is
accepted) for ensuring that operations are in accordance with the Safety Case. The operator may
engage others to assist in preparation of the Safety Case, but this would not alter the legal
responsibilities under the PSLA and Management of Safety Regulations.
Legally, the operator of a particular facility is the person who is registered by NOPSA as the
operator of the facility, in accordance with the procedures set out in the regulations. To be
registered, the person first has to be nominated by the title-holder, but the registration only
occurs if NOPSA believes that person to have overall management and control of the facility.
Person includes bodies corporate.
The title-holder may also be the operator, but this is not necessarily always the case. For
example, NOPSA may decided that the owner of a construction barge, accommodation barge,
mobile drilling unit or a pipe-lay barge has overall management and control of that facility,
notwithstanding that the owner is working under a contract with the title-holder. The same could
apply to a production facility, which could be managed by another person, on behalf of the titleholder, whether that other person or the title-holder owns the facility.
NOPSA and other Authorities

It is NOPSA that has the responsibility for deciding whether or not to accept a Safety Case, and
for informing the operator of the decision.
However, in making its decision, NOPSA may consult with other relevant authorities about certain
matters. For example, NOPSA may consult the Designated Authority, to confirm that the Safety
Case is consistent with submissions made to the DA (e.g. the Field Development Plan,
37
September 2004

Environmental Management Plan, etc). In addition, NOPSA may consult with a range of
Commonwealth, State and NT authorities, if it believes those authorities have relevant expertise
that can be used in assessment of the Safety Case. Specialist areas in which NOPSA may seek
advice from outside its own organization include radiation safety, aviation safety and marine
safety, for example.
4.3 Assessment of Safety Cases

4.3.1
Assessment Principles
Assessment of Safety Cases will be guided by the following principles:
all information will be treated as confidential, within the limits of FOI;
each assessment will be fair and technically competent;
there will be consistency between different assessments;
assessment processes will be transparent;
good project management practices will be applied;
good quality management practices will be applied;
the detail of assessments will be proportional to the level of risk;
the results of assessment will be presented to relevant stakeholders; and
actions taken in response to findings will be graduated, and proportionate to the risk.
4.3.2
Safety Case Assessment Management
Roles and Responsibilities

An OHS Inspector is identified as the lead assessor for each Safety Case, or revision to a Safety
Case, that is submitted to NOPSA. That person is responsible for the following:
in association with the relevant team leader, planning the assessment, including defining the
tasks to be conducted, assigning personnel to those tasks and establishing timescales for
completion;
all communications between the operator and NOPSA for the purpose of the assessment,
except for any formal communication that must, under the regulations, be made by the CEO
or delegate on behalf of NOPSA;
liaison with other agencies regarding matters pertinent to the assessment, including for
example maritime and aviation safety agencies, as well as the Designated Authority for their
PSLA waters; and
ensuring that records are kept of the assessment, and preparing a detailed and
comprehensive report of the assessment.
The lead assessor may be the OHS inspector ordinarily assigned to that operator, or may be
another OHS inspector.
38
September 2004
Team leaders are responsible for coordinating the work of their teams, including Safety Case
assessment. Where disputes and issues arise, they are the first point of reference for resolution.
Other OHS Inspectors, including Team Leaders, may be assigned specific tasks for the purpose of
a Safety Case assessment, according to their particular areas of expertise. For that purpose they
report to the Lead Assessor.
Ultimate decision-making regarding whether to accept the Safety Case, for what stages, and with
what conditions and limitations, resides with the CEO of NOPSA or a delegate. The CEO or the
delegate makes this decision taking account of the advice given by the lead assessor for the
Safety Case.
Safety Case Assessment Planning

Each Safety Case assessment is conducted to a project plan, setting out the following:
the tasks to be performed;
the personnel assigned to those tasks;
the deliverables expected; and
the timescale for completion.
The project plans are based on standard templates prepared by NOPSA, but modified so as to be
appropriate to the particular facility and the Safety Case that is submitted. The plans indicate the
area or areas of particular focus of the assessment.
Raising and Tracking of Issues

Issues raised during the course of a Safety Case assessment are recorded, and tracked until
closed-out. This includes both internal issues, for example any issues surrounding resources,
technical advice needed, and so forth. It also includes external issues such as requests for
clarification or more information from the operator and from external regulatory authorities.
Internal Quality Assurance

Safety Case assessment is subject to a quality assurance system, as part of the overall NOPSA
management system. This QA system includes the following:
planning of safety case assessments, both individually and holistically, including the
establishment of resource, training and competency requirements, and the setting of
performance standards;
internal third-party audits of NOPSAs compliance with its current safety case assessment
processes and procedures;
39
September 2004
internal and third-party reviews of NOPSAs safety case assessment processes and processes
against current good practice; and
maintenance of an actions data-base, setting out actions arising from audits and reviews,
assigning responsibility to these actions, and establishing time-frames for close-out.
More details of NOPSAs management systems, including its Safety Case assessment procedures
and procedures, may be found at this link : (HOLD To be inserted)
4.3.3
Safety Case Assessment Timescales
The Regulations set out timeframes within which NOPSA must make decisions regarding the
acceptability of Safety Cases as follows:
when a Safety Case is submitted for a new facility, NOPSA has 90 days in which to decide to
accept it, decide not to accept it, or inform the operator in writing that more time is needed
and setting out a timeframe for making the decision; and
when a proposed revision to a Safety Case is submitted, the corresponding deadline is 30

days.
Within those schedules, the following internal targets have been adopted by NOPSA:
acknowledge receipt of the Safety Case or proposed revision 3 working days; and
all requests for further information within 30 days for initial Safety Cases and within 14
days for proposed revisions to Safety Cases. Operators would be given a further 30 days and
7 days respectively to comply with such requests.
[HOLD These periods are to be confirmed.]

If a Safety Case or a proposed revision to a Safety Case is not initially accepted, NOPSA must give
the operator reasonable opportunity to amend and resubmit the Safety Case. Reasonable
opportunity would depend on circumstances, but as a general guide the following targets have
been adopted by NOPSA:
NOPSA will give the operator at least 30 days in which to resubmit a Safety Case; and
NOPSA will make a decision on the resubmitted Safety Case within a further 30 days.
4.4 Safety Case Acceptance and Non-Acceptance

Part 4 of these Guidelines provides criteria for assessment of Safety Cases and proposed
revisions to Safety Case. Section 4.4.1 below sets out the regulatory acceptance criteria.
Later sub-sections address the following issues:
the circumstances in which conditions and limitations may be applied when accepting a
Safety Case, as an alternate to refusing acceptance (section 4.4.2);
40
September 2004
what happens if NOPSA decides to refuse to accept a Safety Case, and the extent to which
such a decision may be subject to review and appeal (section 4.4.3); and
the criteria and processes for withdrawal of acceptance (section 4.4.4).

4.4.1
Acceptance Criteria
NOPSA must accept a Safety Case if there are reasonable grounds for believing that the
operator has complied with all clauses of the relevant regulation see regulation 30 for initial
acceptance of a Safety Case, and regulation 38 for acceptance of revisions. Accordingly, NOPSA
must be satisfied that:
The Safety Case is appropriate for the nature of the facilities, the activities to be conducted,
and the management arrangements.
The word appropriate means that, for it to be accepted, the Safety Case must provide
specific information about the design, proposed activities and management system of the
particular facility or facilities to which the Safety Case relates, as opposed to generic
information about the companys assets, operations and management systems. Similarly, the
risk assessments (formal safety assessment, fire risk analysis and escape evacuation and
rescue analysis) must address the particular hazards and risks of the facility or facilities to
which the Safety Case relates, under the range of operational conditions that is likely to be
experienced.
The Safety Case complies with subdivisions A, B and C of Division 1 of Part 3 for the stages
connected with the life of the facility for which the Safety Case is submitted.
The Safety Case must comply with regulations 9 to 26. As was discussed in section 2.4 of
these Guidelines, these particular regulations require certain matters to be contained,
described or specified within the Safety Case. However, as also discussed in section 2.4,
many of these regulations require the things described to be adequate or appropriate or
suitable etc. Therefore NOPSA may accept the Safety Case only it describes the various
matters to the satisfaction of NOPSA, and if NOPSA is satisfied that the matters described are
in themselves adequate or appropriate or suitable.
The Safety Case, or a part of it, complies with subdivision D of Division 1 of Part 3.
This means that the Safety Case must describe the record-keeping arrangements.
Where a validation has been required, the persons undertaking the validation meet the
criterion in subregulation 44(5) and the validation complies with subregulation 44.
41
September 2004
This means that NOPSA must be satisfied that the validation and the person or persons who
conduct it are in accordance with regulation 44
Reasonable grounds for believing means that NOPSA has to be satisfied on balance. It is not
necessary for NOPSA to be satisfied beyond reasonable doubt.
NOPSA may accept a Safety Case in part, meaning (for example) only for specified stages in the
life of the facility or specified activities. Also, when accepting a Safety Case, NOPSA may apply
limitations or conditions to the facility, its operation and management. Where it is possible to do
so, a decision to accept a Safety Case in part, or to accept it with limitations or conditions, would
be made in preference to refusing to accept the Safety Case. This applies both in relation to
initial Safety Cases, and to proposed revised Safety Cases.
The assessment principles set out in Part 2 of these Guidelines elaborate on the above. However,
they go beyond assessing whether the particular clauses of the regulations have been met, as the
assessment may also be used to decide whether there is potential to improve the Safety Case and
the operators safety management, and to inform NOPSAs on-going program of inspection and
audit.
4.4.2
Acceptance of a Safety Case in Part, or with Conditions/Limitations
A Safety Case may be accepted for fewer stages in the life of the facility than those for which it
was submitted. A Safety Case may also be accepted subject to limitations or conditions. This
might mean that a Safety Case is accepted, but only for some activities.
This might occur, for example, if a Safety Case is submitted for drilling and production at a
facility, but the information regarding production operations is inadequate. In that case, the
Safety Case may be accepted for drilling only, and a further submission would be required in
relation to the production operations.
Acceptance of a Safety Case can also be subject to conditions and limitations. A condition or
limitation could be used to address an issue such as discussed above (i.e. the Safety Case is
accepted, but a condition is attached that production does not commence until some addition
submission is prepared by the operator, and accepted by NOPSA). However, conditions and
limitations are more general compliance and enforcement tools, and may be used in a number of
ways. For example, they may be used to impose limits to the specific activities that are to be
carried out, over and above the operators own limits.
At a more detailed level, NOPSA might be generally satisfied with the content of the Safety Case,
42
September 2004

but concerned regarding a particular aspect of the safety management system or the risk control
measures. In this case acceptance of the Safety Case could be made conditional on identified
improvements being made to these aspects, by a certain date. In practice, this would be similar
to the issue of an Improvement Notice under Schedule 7.
4.4.3
Non-Acceptance of a Safety Case
If NOPSA is not satisfied to the necessary degree that the Safety Case meets the requirements of
the Regulations, and if it is not possible to accept the Safety Case in part, or with conditions or
limitations, then the only other option is to refuse to accept the Safety Case.
In the event that NOPSA decides to refuse to accept a Safety Case, the following would apply:
Where the refused Safety Case related to construction / installation, the proposed facility
could not be constructed / installed, because to do so would be in breach of the requirements
of regulation 47. It would also be in breach of the consent provisions in the Resource
Management Regulations, as consent could not be granted if no safety case is in force.
Where the refused Safety Case related to operation or use of a facility, it would not be
possible to use or operate the facility, meaning for example that drilling could not commence
at a MODU or at fixed facility, no petroleum could be introduced onto a production or
infrastructure facility, and no construction work could be carried out using a construction
barge. To do so would again be in breach of the requirements of regulation 47, and of the
consent provisions in the Resource Management Regulations.
Where the refused Safety Case is a proposed revision, the existing Safety Case remains in
force. This means that activities must remain in compliance with the existing Safety Case,
and that any proposed modifications addressed in the proposed Safety Case revision would
not be allowed. In some cases, for example if the Safety Case that has been refused is a 5
yearly revision, and there have been significant changes at the facility or developments in
technology in that time, then this may trigger the provisions for withdrawal of acceptance
(see section 4.4.4).
4.4.4
Withdrawal of Acceptance of a Safety Case
NOPSA can withdraw acceptance of Safety Cases. On withdrawal of acceptance of a Safety Case,
the operator would immediately have to cease activities as there is no longer a Safety Case in
force. This is a sanction that would be used only in extreme circumstances where all other
compliance and enforcement provisions have proved ineffective.
NOPSA may withdraw acceptance of a Safety Case on any of the following grounds (regulation
28I):
43
September 2004
The operator has not complied with the Act, or a notice issued by an OHS inspector under
Schedule 7 of the Act.
This does not mean a failure to comply with any element of the Act it is limited by the
scope and objectives of the Regulations to matters concerning management of safety. In
the main body of the Act, the only such provision is the requirement under section 97 to act
in accordance with good oilfield practice and good storage and transport practice. The
provisions of Schedule 7 are relevant, although the nature of the duties and obligations on
facility operators under the Schedule are varied, and in practice withdrawal of acceptance of
a Safety Case would only ever be considered following a serious breach of a duty of care, or
if (as stated) there is a non-compliance with a notice issued under Schedule 7.
The operator has not complied with regulations 34, 35 or 36.
This allows for withdrawal of acceptance if the operator has failed to submit a proposed
revision to the Safety Case, either when there are relevant changes circumstances, or when
NOPSA has requested this, or when a period of 5 years has elapsed.
NOPSA has refused to accept a proposed revision to a Safety Case.
This allows for withdrawal of acceptance if the Safety Case has not been properly revised to
take account of any of the circumstances listed in the preceding paragraph, such that
NOPSA has refused to accept the proposed revision.
The word may is used in relation to withdrawal of acceptance, to indicate that it is an option
that is open to NOPSA, but that it is not a legal requirement in any of the circumstances that are
listed. For example, if an operator was considering a major modification to a facility, and had
submitted a proposed revision to the Safety Case in advance, then it is unlikely that a refusal to
accept the proposed revision would be a reason to withdraw acceptance of the existing Safety
Case. Conversely, if a series of minor modifications had already been made, and NOPSA had
requested a revision to the Safety Case to account for these modifications, then a refusal to
accept the proposed revision might cause NOPSA to consider withdrawing acceptance of the
existing Safety Case.
A decision to withdraw acceptance of a Safety Case may be based on an assessment using the
criteria in Part 2 of these Guidelines. However, given that the need to make decision is likely to
arise only in highly specific circumstances, it is likely that only a selection of the criteria would
apply, and also that other factors (outside of the criteria) would need to be taken into account.
44
September 2004

The same provisions apply regarding reviews and appeals as for a refusal to accept a Safety Case
see section 4.4.1.
4.5 Processes Following Acceptance of a Safety Case

4.5.1
Notice of Acceptance
Once NOPSA has decided to accept a Safety Case (or a proposed revision to a Safety Case) it
must give notice of that decision to the operator. If the Safety Case is only accepted for some of
the stages for which it was submitted, or is accepted with limitations or conditions, then the
notice must also state what stages the Safety Case is accepted for, what limitations or conditions
apply, and the reasons for this.
4.5.2
Regulatory Oversight
Once a Safety Case is accepted it becomes the Safety Case that is in force. As such, the
operator must act in accordance with what is stated in the Safety Case, and in accordance with
the safety management system that is described in the Safety Case.
NOPSA will at this stage prepare a plan for on-going oversight of the operators activities, based
on what is stated in the Safety Case, and on the report of its assessment. This plan will address
such matters as:
the frequency of inspections to be carried out at the facility;
the matters to be the subject of these inspections;
the frequency of audits etc at the operators offices, and at other relevant premises;
the matters to be the subject of these audits etc (e.g. the design of facility modifications, or
changes to the corporate management system as it affects OHS); and
the arrangements for involvement of other relevant government agencies (e.g. those
responsible for maritime and aviation safety, and the Designated Authorities).
These plans will be updated at least yearly, dependent on the findings from the oversight
activities. Both the original plan and any update would be developed in consultation with the
operator and the workforce.
As well as activities under the oversight plan, NOPSA may make unannounced inspections/ audits
at the operators offices or the facility, or may inspect/investigate in response to any
incident/occurrence that has been reported, or any complaint that has been received.
4.5.3
Safety Case Revisions
The operator of a facility must submit a proposed revision of the Safety Case to NOPSA as soon
practicable after any of the following circumstances arise:
45
September 2004
if there are developments in relevant technical knowledge, such as the standards for design
and operation of the facility
if there are developments in the systems for identifying or evaluating risks of major
accident event, such as those used in the Formal Safety Assessment, Fire Risk Analysis and
Escape, Evacuation and Rescue Analysis;
if a series of relatively minor modifications is proposed, which individually would not be

expected to significantly alter the overall risk of an MAE occurring, but may do so in
cumulation;
if any modification is proposed which by itself may significantly alter the risk of any individual
MAE;
if the operator proposes to make a significant change to the safety management system for
the facility. This would include changes to the facility safety management system, or any
change to the corporate safety management system that may affect safety at the facility;
if the operator proposes to carry out activities at the facility that are different from those
addressed by the Safety Case that is in force. Note that the difference does not have to be
significant; or
if the operator proposes to decommission or otherwise modify the facility in a way that is not
already addressed by the Safety Case that is in force. In practice this clause duplicates the
requirements of earlier clauses.
The first two clauses relate to changes in technology generally, which may occur either within or
outside of the operators organization. These clauses effectively impose a requirement on the
operator to keep up to date with technology developments, and to adopt them when practicable.
The remaining clauses relate to changes instigated by the operator, and impose a requirement to
revise the Safety Case in line with these changes.
NOPSA can request a revision of a Safety Case if the circumstances set out in the points above
have occurred, yet the operator has not proposed a revision to the Safety Case. Such action by
NOPSA is a form of enforcement, which may be taken in isolation, or may be taken in
conjunction with other types of enforcement action under Schedule 7 of the PSLA.
A request by NOPSA for the operator to prepare and submit a proposed revision to a Safety Case
must be in writing and must state the matters to be addressed by the revision, the grounds for
the request, and the date by which the proposed revision must be submitted. Within 21 days (or
a longer period if allowed by NOPSA) the operator may make a submission stating reasons why
the operator believes the revision is not necessary, or that a different form of revision should be
prepared, or that a later date should apply. NOPSA is obliged to consider any such submission by
the operator.
46
September 2004

The operator must comply with the original request for a proposed revision, unless the request is
varied or withdrawn by NOPSA following the operator submission referred to in the previous
paragraph.
The operator must also submit a proposed revision to the Safety Case every 5 years, regardless
of whether proposed revisions referred in the previous sections have been submitted and have
been accepted by NOPSA. In practice, if the operator has complied fully with the review and
revision requirements in relation to facility modifications and new knowledge, then 5 yearly
submissions should only require minor further revision. However, the 5 yearly revisions provide
an opportunity to collate and rationalise the series of Safety Case revisions that may have been
made over the previous 5 years, as well as to review and as necessary revise the supporting risk
assessments.
All types of revision may, if appropriate, and with NOPSAs agreement, take the form of a revision
of a part only of the Safety Case.
Acceptance criteria for proposed revisions to Safety Cases are essentially the same as the criteria
for acceptance of initial Safety Cases see section 4.4.1. Timescales for acceptance of revised
Safety Cases are shorter than those for initial Safety Cases 30 days as opposed to 90 days,
although in both cases NOPSA is able to extend this.
As noted earlier, particular reasons for making a proposed revision to a Safety Case include that
there is a proposal to make a modification or series of modifications that significantly alters the
risk of MAEs. Significantly is not defined in any way, which is appropriate, as it would depend
on circumstances. For example, if the level of risk at a facility is relatively low, a 10% increase
may not be significant. However, if the level of risk is relatively high, a 10% increase may be
highly significant, perhaps resulting in an overall level of risk that exceeds the operators
acceptability criteria. It is suggested that operators should discuss this matter with NOPSA, to
reach an agreement for Safety Case revisions.
4.5.4
Management of the Safety Case
As part of their overall management systems, operators are advised to develop processes and
procedures for preparation, upkeep and maintenance of their Safety Case(s). These processes
and procedures should address at least the following:
required contents and format what information must the Safety Case contain (not
necessarily limited to that required by the Regulations), and in what format;
custodianship who is responsible for preparing and maintaining the Safety Case;
approvals who is responsible for approving the Safety Case and its submission;
document control procedures how are revisions tracked, copies kept up-to-date; and
47
September 2004
reasons for revision what are the companys triggers for initiating a revision to the Safety
Case, and for submitting this to NOPSA.
These processes and procedures should interface with the processes and procedures for making
modifications to the facility, its activities and management (i.e. the companys overall
management of change process).
Draft processes and procedures could be discussed with NOPSA with a view to reaching an
agreement. If desired, the processes and procedures could be set out in the Safety Case itself,
although this is not a regulatory requirement.

4.6.1
What Review and Appeal Processes Exist?
48
September 2004

SAFETY AUTHORITY

Part 2 : Guide to Safety Case Contents
SEPTEMBER 2004
49
September 2004
Introduction
This section of the Safety Case Guidelines contains guidelines on the content of a Safety Case. It
has been written so that operating companies who are preparing or revising a Safety Case
understand the key principles that lie behind the requirements of the regulations. NOPSA
assessors will also conduct assessment of submitted Safety Cases according to these principles.
The content guidelines are divided into 4 sections:
Overall Safety Case Process (see section 2)
Facility Description (see section 3)
Safety Management System (see section 4)
Formal Safety Assessment (see section 5)
There is also a section providing guidelines on validation (see section 6).

The sections are presented in the order given above, but the preparation or assessment of a
Safety Case need not follow that order. For example:
Safety Case assessment might commence with the facility description, to gain an
understanding of the facility, as well as to check compliance;
The Formal Safety Assessment might be assessed next, to gain an understanding of the
hazards and risks, as well as to check compliance;
The SMS might then be assessed, to confirm that the hazards and risks are being
appropriately managed; and
The overall content might be assessed last, once the individual aspects have been checked
for compliance and been properly understood.
There is also a section on Validation, but where validation is required, it is not necessary to
describe this process in the Safety Case.
In each section, there is some descriptive text giving an overview of the key technical issues and
some feedback on common weaknesses seen historically in some Australian offshore Safety
Cases. Following the descriptive text, there is a set of principles given for each area.
For each Principle, the guidance notes include:
A statement of the Principle itself. These have been generated based on industry best
practice. As a set, the Principles give an overall picture of Safety Case requirements for any
facility. As a general guide, a Safety Case must meet the requirements of each Principle to be
accepted by NOPSA.
50
September 2004
The Reason for the Principle. The principles are linked back to the regulatory requirement.
In some cases these are very specific, but in others are quite general.
Examples of evidence have been included for each Principle to give some ideas of how the
Principle may be put into practice. These lists are not exhaustive and any or all of the items
on the lists may be applicable in any given case. Some examples of evidence may be more
or less relevant at particular stages of the life of a facility. Nevertheless many of the examples
of evidence are generally applicable, for example it is difficult to foresee a situation where
distribution of Safety Alerts around an operating organisation (SC-02, first example) would
not be necessary.
In preparation of these guidance notes consideration has been given to the range of facility types
and operating arrangements currently in place in Australian waters. It is not possible, however,
to anticipate every possible arrangement that may be in place in the future and hence the
Principles should not be seen as mandatory or comprehensive for every possible project, facility
or operation.
51
September 2004
Overall Safety Case Process
2.1 Introduction
The Safety Case is a record of the case for safe operation for the facility in question. It generally
consists of 3 related parts:
The Facility Description

The Facility Description (FD) defines the intended range or scope of operation of the facility,
including physical aspects, activities on the facility, surrounding activities, types and numbers
of people present. The FD fixes the envelope or range within which the operator is
undertaking to run the facility. Operation outside this range or envelope is not covered by
the Safety Case and hence is not permitted without a revision to the Safety Case.
A summary of the Safety Management System

The Safety Case typically includes a high level description of the Safety Management System
(SMS) rather than encompassing the entire SMS. The case for safety for the facility
typically includes a demonstration that the SMS is comprehensive and integrated in the sense
that:
It covers all activities on the facility as defined by the Facility Description
It has the appropriate structure and processes to foster continual improvement on

safety performance
It is linked to the Formal Safety Assessment in that management of critical risk

control measures are given the appropriate priority.

The Formal Safety Assessment (FSA) is the systematic risk assessment of those hazards on
the facility that may have the most serious consequences for persons at or near the facility.
Specifically, the FSA must address hazards with the potential to cause more than one fatality
- such as fires, explosions, helicopter accidents etc. These hazards are given special
treatment in the Safety Case as they tend have complex causal pathways and multiple
possible outcomes, meaning that they require risk controls from a range of engineering
disciplines plus the overall management systems. Conducting a FSA means that the risk
control strategies are considered and evaluated on a scenario by scenario basis.
The fact that the FSA excludes hazards that could only credibly cause a single fatality, or
multiple serious injuries, does not mean that these are excluded from the scope of the Safety
Case, as the risk management processes of the operators safety management system must
address these hazards. However, these lesser hazards are outside the scope of the FSA.
52
September 2004

2.1.1
Organisational error and change management
Historically, the Safety Case has taken an engineering systems approach to safety. This
perspective emphasises the inter-linkages between various items of engineering hardware and
the management systems in place to design, construct, install, operate, maintain, modify and
decommission offshore facilities. The role of people in this perspective tends to be related to
consideration of a specific error that an individual might make, and the hardware or system
improvements that can be made in order to minimise the potential for such an error.
A broader system view includes consideration of the people collectively - in terms of an
organisation. This perspective acknowledges that decisions made remote in both time and place
from the facility, can be key casual factors to an incident at the facility, and that effective system
safety strategies must take this into account.
The organisational systems view also emphasises the importance of comprehensive change
management. Changes such as outsourcing, business process reengineering, centralisation,
decentralisation and multi-skilling must be assessed to determine possible effects on the risk to
people on the facility.
This wider systems view is consistent with the general Safety Case requirements and this
document therefore includes criteria that address organisational error.
2.1.2
Relationship between the SMS and the Safety Case
The relationship of the Safety Case to the Safety Management System is often misunderstood.
NOPSA considers the relationship to be as follows:
Although the Safety Case contains a description of the Safety Management System, the
Safety Case is in fact subordinate to the SMS. The SMS is the fundamental basis for
ensuring all aspects of safety at the facility. The Safety Case simply specifies and describes
the SMS that applies.
In this context, the SMS is taken to include not only the procedures and work instructions
that govern the day-to-day activities at the facility (which are sometimes collectively referred
to as the works management manual or the facility management system) but also those
management processes that address organisational structure, recruitment, training, facility
design, construction quality, etc (which are sometimes collectively referred to as the
corporate management system).
Whilst the Safety Case must specify or contain the Formal Safety Assessment, the Fire Risk
Analysis and the Escape, Evacuation and Rescue Analysis for the facility, it is the SMS that
contains and defines the procedures for initiating and conducting these studies
Although not an explicit requirement of the Regulations, the SMS should also contain the
procedures for preparing and maintaining the Safety Case.
53
September 2004

2.1.3
Overall demonstration that risk is As Low As Reasonably Practicable
The conclusion of the Safety Case must be that, with certain systems in place and perhaps certain
improvements made, the risk to people on the facility is as low as reasonably practicable
(ALARP).
The components required to reach this conclusion will vary depending on the number and
complexity of hazards present on the facility. For a very simple facility with few hazards that are
well understood, a significant part of the demonstration that risk is ALARP may be reliance on
good practice, engineering judgement and adherence to codes and standards. In this case, very
detailed numerical risk assessment may add little to the understanding of issues related to the
safety of the people on the facility.
For more complex facilities with significant inventories of high pressure hydrocarbons, a
quantitative (numerical) assessment of consequences, escalation potential, frequency and risk is
likely to be necessary in order to have confidence that risk to people has been reduced to a level
where further risk reduction cannot be justified. In this case, some form of cost benefit review of
potential additional control measures is often useful.
2.1.4
Safety Cases for Mobile Offshore Drilling Units (MODU)
Many MODUs that are moving into Australian waters have a Safety Case in place that has been
prepared to meet requirements for operation in the North Sea. Such Safety Cases may have
been prepared in accordance with the North West European HSE Case Guidelines for MODUs
issued by the International Association of Drilling Contractors (North Sea Chapter) i.e. IADC.
Safety Cases that meet the requirements of the IADC guidelines are generally likely to meet the
requirements of these guidelines, provided that they properly address the specific hazards and
risks of the activities that they will be performing in Australian waters, the local geotechnical and
metocean conditions, and the local emergency response issues.
The IADC Guidelines provide a quite specific template for a MODU Safety Case, which may be
useful in preparation of a Safety Case to meet Australian requirements. However, it should be
noted that the North West European (NWE) requirements for Safety Cases are broader than the
Australian requirements in two areas. Firstly, some NWE coastal states require the Safety Case to
address environmental management in addition to safety and health. Secondly, the equivalent of
the Formal Safety Assessment (called the Risk and Environmental Impact Assessments) covers
Major Hazards, called Major Accident Events in the Australian regime; and
Other Workplace Hazards, i.e. those with a safety impact less than a Major Hazard. As noted
earlier, these do not have to be addressed in the FSA in the Australian context, but have to
be covered by the operators management system; and
Environmental hazards. These are covered by other regulations in the Australian context.
54
September 2004

2.1.5
Bridging Documents
In using a MODU to undertake specific activities at a specific location, sometimes it is necessary

to prepare a bridging document to cover changes in hazards and risk controls (i.e. the
management system) when comparing the specific activity or location with the generic
considerations made in preparation of the overall MODU Safety Case.
Since the Facility Description defines the envelope of activities covered by the Safety Case,
and the safe operational envelop of the facility, any activity, operation or location that falls
outside that envelope will require preparation of a bridging document.
Likewise, since the FSA identifies the hazards, assesses the risks and determines the
necessary control measures for the activities that the facility will conduct, it is likely that the
FSA will require amendment via a bridging document.
The SMS may not always require amendment to account for particular operational activities.
In many cases, in particular if the facility is operating stand-alone the general SMS may
remain appropriate. However, if working in conjunction with other facilities (e.g. working
over a well on an operational platform) it would be necessary to amend the SMS to account
for the interface with the management systems that apply at the other facility. In addition,
emergency response plans are likely to change, according to the nature, location etc of the
activities.
Note that the term bridging document does not appear in the legislation, but is a term that has
been adopted by many operators and regulators in Australia to describe the revision to the safety
case that is necessary to accommodate site-specific activities by a mobile drilling unit. In
practice, the bridging document requirement can be met in a number of different ways, as
discussed in Part 1 of the document.
2.1.6
Common weaknesses
Over reliance on QRA results for demonstration of ALARP

Demonstration that risk is as low as reasonably practicable requires a broad consideration of
risk and safety management issues, not just a numerical demonstration that no further
hardware changes are justified on a cost benefit basis.
Over reliance on codes and standards for demonstration of ALARP

Codes and standards are important in managing risk as they represent the industry
knowledge in order to prevent past accidents from being repeated. The role of the Safety
Case is to try to minimise the potential for all incidents, including those that have not
occurred previously and those that are unique to a particular site or facility. Compliance with
codes and standards alone cannot address risk management for the full range of things that
might go wrong.
55
September 2004
No consideration of organisational error issues

An effective case for safety will include consideration of the organisation as a whole, not
just the operational engineering aspects, in determining causes of hazards and risk control
strategies. Many Safety Cases are excessively focussed on engineering hardware and
systems.
Insufficient workforce involvement

The Safety Case must address the actual condition of risk controls on the facility, including
the implementation of the safety management system. Consequently, workforce involvement
is essential.
Poor integration between the SMS and other relevant business systems such as
human resources, particularly when it comes to change management.
Some organisations prepare a Safety Case outside of their business systems to meet a
specific business need for Safety Case acceptance. This is likely to be unacceptable in the
longer term, if the requirements for hazard management identified in the Safety Case are not
integrated with day-to-day operations. This is because gaps are likely to develop between
what is actually done and what the Safety Case says is or should be done.
Inadequate links between hazards, risks, control measures (hardware and

software) and the safety management system
Since the management system is the way in which risks are controlled, the links between the
hazards, main risk contributors and measures in place to control them must be detailed and
explicit. Some Safety Cases make very general statements about how risks are controlled,
and do not provide links between the FSA and the SMS.
Only trivial or inappropriate risk reduction measures considered for

implementation for risks found to be in the ALARP region.
Risks found to be in the ALARP region are not considered to be ALARP until they have been
subjected to the ALARP process. This means that substantial additional risk controls must be
identified if possible and considered explicitly. Such measures can only be rejected if the cost
significantly outweighs the risk benefit that would be obtained.
2.2 Preparation and Assessment Principles for the Overall Safety Case
Process
Principle SC - 01: The Safety Case must contain
a Facility Description,
a summary of an appropriate Safety Management System, and,
a summary of a Formal Safety Assessment.
56
September 2004
Reason
a) Specific requirements of regulation 9 (1).
Examples of Evidence
a) Paper or electronic documents exist.
b) A summary of the SMS exists with reference to the details.
c) A summary of the FSA exists that includes the following:
A listing of the MAEs for the facility.
A brief description of the safety assessment methodology that demonstrates that it is

suitable for the nature of the facility and activities.
The overall risk for the facility
The distribution of this risk across the various working groups.
The key risk contributors.
A summary of the ALARP demonstration.
d) A description of the overall safety case philosophy and the linkages between the various
documents.
57
September 2004
Principle SC-02: The Safety Case should demonstrate that the

management of the Operator has a visible commitment to safety
improvement including appropriate safety leadership behaviours such as:
Fostering organisational learning from mistakes (just culture)
Articulation of company values towards safety
Communication of key issues to employees and contractors
Feedback to employees and contractors on safety issues raised
Active support for resolution of safety issues
Reason
a) Regulation 9 (4)(c) requires continual and systematic identification of hazards. This requires
appropriate procedures in the management system, but also an appropriate organisational
culture.
a) A visible commitment to safety could be demonstrated by policies and procedures covering
such issues as:
Senior management visits to the facility
Safety as an agenda item in management meetings
Senior management involvement in audits and incident investigations
Senior management review and comment on audit and incident reports
b) There is a system for sharing Safety Alerts, incident learnings or similar information between
various parts of the organisation.
c) A range of safety communication platforms are used such as safety meetings, toolbox
meetings etc. that keep an emphasis on the company policies and procedures with respect to
safety.
d) Policies and procedures encourage personnel to report safety issues and potential problems
eg Feedback is given to the workforce about the status of safety issues identified.
e) Policies and procedures encourage managers to actively look for areas of safety
improvement, rather than attempting to demonstrate that their areas are perfect.
f)
There is a system for identification of plant, process and people related hazards by everyone
on-site.
58
September 2004

g) There is a plan for action/improvement that personnel have contributed to and have access
to.
h) Investigations of serious incidents and accidents have a method for systematically identifying
the organisational contributions to error.
i)
Safety performance indicators do not just measure reactive / negative outcomes (eg. number
of injuries), they also track and monitor positive proactive indicators (eg. the number of risk
assessment items actioned, number of safety issues identified and resolved, training and
competencies, etc). This information is communicated.
59
September 2004
Principle SC 03: Safety Case processes must provide for effective

consultation with and participation of relevant employees from the facility
so that:
The Safety Case reflects accurately the actual state of operational

systems on the facility,
employees understand the risks to which they are exposed, the

measures for risk control and mitigation and their role in it.
Reason
a) Regulation 15 requires employees to be involved to a level such that they can arrive at an
informed opinion about the risks and hazards to which they are exposed.
b) Regulation 10 requires that systems are in place to ensure that the SMS is effective. Whilst
workforce involvement is not specifically mentioned, it would be difficult to argue that a
system was effective without involvement of employees.
c) Note that the Petroleum (Submerged Lands) Act includes specific requirements for processes
for workforce consultation and representation (including the role of Health and Safety
Representatives). The specific consultation requirements for this criterion should be met
within this wider framework. See specifically P(SL)A Schedule 7, clauses 12, 13, 15, 19(1),
20, 24 and 25.
a) Documentary evidence of employee participation in Safety Case workshops.
b) Procedural requirements for employees to be involved in risk assessment sessions eg HAZID,
HAZOP.
c) Formal training for employees includes references to Safety Case processes and results to
foster an understanding of:
The hazards that affect them and the control measures in place.
The overall risk to which they are exposed and the main contributors to that risk.
Their role in risk control.
d) Procedures exist that require field staff have been involved in preparation of procedures for
tasks that they perform.
60
September 2004

e) Systems exist for consultation with employees on major changes to equipment or operations
that have the potential to affect safety and records demonstrate that the systems are
followed.
f)
Employees are involved in investigation of incidents and development of findings.
61
September 2004
Principle SC 04: The Safety Case processes must be integrated with the
Operators overall business management systems and practices (including
effective change management) in order to ensure that the case for safety
remains valid.
Reason
a) Regulation 9(4)(d) requires that the Safety Management System includes processes for
continual and systematic identification of hazards and assessment of risks.
b) Changes to the facility equipment or management practices and systems require
reassessment of risks to ensure that the risk remains as low as reasonably practicable.
a) The safety assessment methods used in the safety case are built into the organisations
corporate SMS and the facility-specific SMS.
b) Design and project procedures include safety assessment processes that are consistent with
the safety case approach.
c) Guidelines exist within the SMS and/or project procedures that detail when the safety case
risk assessment needs to be updated (eg. For significant changes).
d) The hazard register used as a basis for the safety case is a live document that is updated as a
result of projects, maintenance changes and other changes where required.
e) Management of change processes and procedures refer to the need to update the Safety
Case including items such as the hazard register (or bow ties if used, etc).
f)
Records of changes include records of risk assessments undertaken.
g) Position descriptions incorporate responsibilities relevant to that position in relation to

ensuring the safety case continues to be effectively managed.
h) Management of the safety case is built into the safety policy/safety planning and control
process to ensure an ongoing emphasis is maintained.
i)
The training system (needs analysis, retraining program etc) incorporates the training
requirements for the operator to ensure:
New employees receive the training on the hazards, risks and controls as required by
the safety case regime.
New employees are made familiar with the safety case.
Existing employees receive re-training in line with the re-training philosophy for the
facility.
62
September 2004
Principle SC - 05: The Safety Case must contain an overall demonstration

that equipment on the facility that relates to, or may affect, safety:
Is fit for purpose in normal operation, and
Is fit for use in an emergency to the extent intended.
Reason
a)
Regulation 18 (2) requires that equipment is fit for purpose. This criterion requires
demonstration of this in the Safety Case
a) Verification processes and records.
b) Management system records for inspection and testing.
c) Appropriate codes and standards have been used.
d) Where significant changes have been made to the standards and codes, the implications of
these changes have been assessed.
e) Survivability assessment for those items that need to respond in an emergency.
f)
Preventative maintenance routines in place for critical equipment.
63
September 2004
Principle SC - 06: The Safety Case must contain an overall demonstration

that risk has been reduced so far as reasonably practicable, including as
appropriate such issues as:
Reliance on good practice, engineering judgement and application

of standards and codes
Comprehensive safety management processes
Management commitment
Benchmarking
Peer review
Review of the facility and/or company safety record
Review of the results of any safety culture/climate reviews
Estimated level of risk to the most exposed individuals
Estimated overall level of risk
Demonstrated risk reduction obtained
Risk control measures selected and rejected
Implementation plan for any additional risk control measures.
Reason
a) Regulation 9 (4) (e) requires that risks to people on the facility are reduced so far as
reasonably practicable. This applies to all risks, not just MAE risk.
a) The Safety Case documentation has been approved and signed by senior management.
b) The commitment of management is demonstrated through:
Management involvement in review meetings.
Presentations associated with safety and the safety case.
The provision of necessary resources to develop the safety case.
c) The Safety Case includes a demonstration that the previous safety record of the
facility/organisation has been critically reviewed and that root causes have been
systematically addressed.
d) The Safety Case includes an implementation plan for improvements including specific
responsibilities and timing (or reference to such a plan).
e) There is a review process that manages the implementation plan for improvements.
64
September 2004

f)
The Operator clearly shows ownership and overall responsibility for the content of the Safety
Case and does not attempt to devolve that to others (eg design contractors or specialist
consultants).
g) The FSA provides a thorough and systematic assessment of the overall risk for the facility,
identifies the key risk contributors and the exposure to the various working groups.
h) The risk is compared against risk criteria that are benchmarked against industry and other
regulatory criteria.
i)
Risk control measures are selected or rejected based upon the risk reduction achieved, the
cost effectiveness and the hierarchy of controls.
65
September 2004
Principle SC - 07: The Safety Case must include reference to the

performance standards required for the Safety Management System as a
whole and for each critical control (either equipment or activity) and the
systems in place to ensure that the actual performance meets the defined
standard.
Reason
a) Reg 9 (4) (i) requires that performance standards exist for the SMS itself.
b) Reg 24 (2) (b) requires performance standards for the emergency response plan (which is
typically a critical control).
a) The FSA includes a process to determine which of the risk control measures are most critical.
b) The Safety Case references performance standards for the SMS itself eg audit schedules,
requirements for system training etc.
c) The Safety Case references performance standards for the emergency response plan such as
number of different types of drills, frequency of updates to contacts listing etc.
d) The Safety Case references required performance standards (such as the nominated testing
and maintenance frequencies) for critical control measures identified in the FSA such as:
fire and gas detection systems, heating, ventilation air conditioning (HVAC) and
maintenance system(s)
emergency shutdown system
fire protection system (active and passive)
PSV and pressure vessel inspection system
corrosion monitoring
crane safety system
work management and maintenance system
maintenance of escape craft and escape routes.
e) Performance management systems in place with:
Records that compare actual performance versus standard.
Tracking of performance via a performance indicator where practicable.
66
September 2004
Routine reporting to relevant personnel
Meetings held at defined intervals to review the performance of the control measures
versus the performance standards and to drive improvements.
67
September 2004
Facility Description
3.1 Introduction
3.1.1
Purpose
The purpose of the Facility Description is to document the factual information about the facility
that provides the basis of the Formal Safety Assessment and the Safety Management System. In
the sense that development of the FSA and SMS may result in a decision to modify the physical
facility, the FD also documents some of the outputs of the FSA and SMS development processes.
In order to provide an effective basis for, and documentation of the output of, the other parts of
the Safety Case, it is generally required that the design basis and philosophy are described, rather
than just the output of the design process. The implications of these decisions may result in
residual risks and controls that will be discussed in the other sections of the Safety Case.
Example
Overpressure protection philosophy is a typical example. The process facilities on an FPSO
may be designed to the maximum Shut In Tubing Head Pressure (SITHP) of the reservoir up
to a point on the separator outlet to crude storage. A description of this philosophy provides
better background to the FSA (and a lead in to discussion of the potential for overpressure of
the tanks and associated controls), than a simple listing of the design pressure of various
parts of the process.
Many Operators discover that the FD becomes a useful document for providing internal and
external stakeholders with an introduction to the facility.
3.1.2
Design and Operating Envelope
The FD can be considered to be a description of the design and operating envelope of the facility
and all related activities. The design envelope for a facility, equipment item or activity is the set
of combinations of conditions that describe the boundary between safe and unsafe operation.
The operating envelope is the set of combinations of conditions that describe normal operations.
The difference between the two envelopes is the safety margin (in addition, there is often also a
safety margin between the design envelope and actual failure of the system).
This concept applies equally to the design pressure and temperature range of the process
equipment, the weather window for marine or helicopter operations or the range of lifts that can
be made by a facility crane. The metocean conditions chosen for the overall facility structural
design are also included.
68
September 2004

The FD describes the design and operating envelope for facility systems, considering that the
Safety Case covers normal operations anywhere within the set of conditions described. The FD
also describes the physical systems in place to ensure that the design envelope is not breached,
or if it is that the situation can be brought under control.
3.1.3
Options for Content
Preparation of the FD involves a balance between providing a readable document that contains
useful information for the reader, and putting in so much detail that the document becomes
quickly out of date and/or requires many revisions.
In managing the content of the document, it is again important to remember that the focus of
the FD is on the design and operating philosophy and envelope and these are unlikely to be
subject to frequent changes.
Some of these issues are eliminated if the FD is prepared as an electronic document with live
links to the master copies of other information such as drawings.
3.1.4
Common Weaknesses
The most common weaknesses in a FD are:
Provision of too much operational detail so that the document is difficult to keep up to
date
Inclusion of vague statements, rather than specific facts about the facilities
Including assertions about the overall acceptability of the facility design features
independent of the risk assessment.
69
September 2004
3.2 Preparation and Assessment Principles for the Facility Description

Principle FD-01: The Facility Description must contain an accurate
description of the:
facility, its purpose , layout and operation;
activities (current and planned) that are covered by the Safety Case;
interaction between the facility and its surroundings, including the

natural environment and other facilities, industries or activities that are
(or may be) present;
design and operating philosophies and operating envelopes;
safety design features to manage Major Accident Events.
Reason
a) Regulation 9 (2) requires the Facility Description to include this information.
b) Regulation 9 (3) (a) requires that the FSA covers all hazards having the potential to cause a
major accident event. This includes the facility itself, but also hazards that arise through
interactions with the surrounding environment and facilities. Since the FD provides the factual
input and output of the FSA process, it must cover all relevant environmental factors.
c) Regulation 9 (4) (g) requires that the Safety Case address communications facilities.
d) Regulation 18 (1) requires that the Safety Case specifies equipment that relates to, or may
affect, the safety of the facility.
e) Regulation 20 (1) requires that the Safety Case contains details of the lifesaving equipment
eg number of life rafts and launch/access arrangements.
a) The Facility Description includes a list and brief description of the range of activities covered
such as operation, construction, maintenance, well interventions, marine operations,
helicopter operations etc.
b) The Facility Description includes specific information about each activity such as the
maximum number of people on the facility at that time and the frequency or duration of the
activity.
c) Drawings included in the FD show signs that they are checked as built.
d) The FD has been through a process of checking and approval, which is recorded.
70
September 2004

e) The Facility Description includes information about the specific future modifications to the
facility that are (or are not) covered by the Safety Case.
f)
The Facility Description contains details of the blast rating and heat resistance over time of
passive fire and explosion barriers.
g) The Facility Description contains details of the main active fire protection system such as
location and type of fire water pumps, level of redundancy, overall system reliability, deluge
capacity and design philosophy.
h) The Facility Description contains details of active and passive fire protection systems for
enclosures, rooms and spaces such as location and type of fire suppression systems, level of
redundancy, overall system reliability, capacity and design philosophy.
i)
The Facility Description includes information under the appropriate headings such as:
general description
subsurface conditions
structure and layout including well configuration
staffing
primary functions
hazardous substances quantities
safety features and systems
drawing set
Checklists for each of the eight headings are included in Appendix 1.
71
September 2004
Criterion FD-02: The FD section must contain sufficient information about

the facility to demonstrate that the design and operating philosophy is
consistent with the Safety Management System and the assumptions and
outputs of the Formal Safety Assessment.
Reason
a) Regulation 9 (2) (b) requires the Facility Description to be consistent with the FSA and to
cover layout and design features that are control measures.
b) For the Safety Management System, regulation 9 (4) (b) requires that the SMS covers all
activities and the FD must also cover all activities.
a) The Formal Safety Assessment and Safety Management System sections of the Safety Case
contain cross-references to the relevant parts of the FD for example it may state the
maximum number of people on board. This could be cross-referenced in the FSA (as one of
the inputs to the risk assessment) and in the SMS (with regards to any procedure required to
manage numbers on board).
b) The description of the safety features contains the design philosophy including:
When is a safety feature applied and the form/basis of that feature.
when and how safety features and systems are activated in an emergency, and
where from manual, auto-electric, air etc
their required performance criteria in an emergency
safety system performance standards.
These safety measures are listed in the FSA as control measures and the design philosophy
considered as an integral part of demonstrating fitness for purpose.
c) Performance standards for critical controls may be contained in the Facility Description, but
referenced from and justified in the Formal Safety Assessment eg conclusions regarding the
required test frequency for a critical instrumented system.
d) The Facility Description details the design envelope for various parts of the system and the
Formal Safety Assessment specifically addresses possible hazards leading to a departure from
the design envelope, eg design pressure/temperature envelope for sections of the process
specified in the FD and operating conditions such as introduction of nitrogen into liquid LPG
systems that could lead to very low temperatures.
72
September 2004
Criterion FD-03: The Safety Case must list or refer to all Australian or
international Standards to be applied in the design, construction,
installation, modification, operation and decommissioning of the facility or
plant used on or in connection with the facility.
Reason
a) Specific requirement of Regulation 11.
b) Use of engineering judgment in the form of codes and standards is a valid part of the
demonstration that risk to people on the facility has been reduced to a level that is as low as
reasonably practicable.
a) The Safety Case contains a list of the relevant codes and standards (including revision
number / date) or a reference to some other system or systems that record the relevant
codes and standards.
b) The basis for selection of a specific standard is given.
c) Where deviations from the standards do occur, this decision is justified by risk assessment.
d) An understanding exists as to the level of compliance with these standards.
e) A system exists to ensure that compliance with the relevant codes and standards is
considered as part of any modification to the facility.
f)
A system exists to ensure the safety implications of major changes to relevant codes and
standards are identified and considered.
73
September 2004
Criterion FD-04: The Safety Case must specify an office or position on the
facility, the occupant of which, when on duty:
Is in command of the facility; and
Is responsible for the safe operation of the facility.
Reason
a) Specific requirement of Regulation 12 (1) (a).
b) Part of a modern safety management system approach is to clearly define responsibilities.
This must be seen to start from the top of installation management.
a) The Facility Description includes information about the organisation structure on the facility
including the name of the position of the person in charge or a reference to the location of
this information.
b) The Safety Case includes information about the specific safety responsibilities of the
management team on the facility or a reference to the location of this information.
c) Contingency arrangements are in place to cover the incapacitation of key personnel during an
emergency to ensure the continuance of a chain of command.
74
September 2004
Criterion FD-05: The Safety Case must specify the medical and
pharmaceutical supplies and services, sufficient for an emergency
situation, that must be maintained on, or in respect of, the facility.
Reason
a) Specific requirement of Regulation 17.
a) The Facility Description includes a list of the specific supplies including location, quantity,
storage arrangements and authorised users or a reference to a document that includes this
information.
b) The Facility Description includes a list of the specific medial services that are available
including location, type and availability or a reference to a document that includes this
information.
75
September 2004

Appendix 1
Facility Description Checklist
The following checklists provide a typical listing of items that are likely to be detailed (or
referenced) in a comprehensive Facility Description.
1. General Description
This is to provide an overview and a clear understanding of the purpose of the installation and its
activities. It should include a description of wells and pipelines connected to the facility, and
should highlight key assumptions and lifecycle phases. A location plan should be included,
together with information about any activities in the area that may present a risk. Also included
should be a summary of local environmental information, including extreme conditions.
Checklist of typical items included or referenced:
facility overview
operator or permit/licence number
structure
geographical location
water depth
development bases and phases
key design performance standards
design validation philosophy
metocean conditions (should include the adopted design values)
limiting sea state conditions and return periods
wind
seawater and air temperature
geotechnical
foundation strength
geotechnical data
anchoring
seabed conditions
structural integrity and corrosion management philosophy
use of novel technology or materials
interaction with shipping
standards and design and construction specifics
Cross-references to data sources, figures etc. should be provided.
76
September 2004

2. Subsurface Conditions
The description should cover foreseeable structural feature and characteristics of rock and of
fluids contained in the reservoirs penetrated or contacted by the wells connected to or controlled
from the facility. Any exceptional or severe condition which may exist or develop in the future,
and which might affect well control or well operations, should also be covered. The degree of
confidence or uncertainty in this information should be supported by, for example, local drilling
experience.
HOLD: TO BE PROVIDED BY A RESERVOIR ENGINEER
3. Structure or Vessel Layout
This should include a description of the general structure of the installation, its location, water
depth, orientation, major equipment, escape routes, temporary refuge, physical connections and
interaction with present or future installations. A description of the general design of the wells,
their completion and the well-head should also be included.
Structure Layout:
platform orientation
elevation/plan views
hazardous area classification
equipment
design codes used for the structure
structural details, including modelling of structure and loadings
accommodation
well bays
riser(s)
wells and sub-sea system
helipad
cranes
Vessel layout (include the following where applicable for Floating Production Storage and
Offloading Vessels):
mooring release facility
riser release facility
mooring patterns
77
September 2004

The safety-related aspects of the layout and orientation of the facility should be
detailed, for example; segregation of process equipment from living quarters,
influence of prevailing winds on distribution of heat and smoke throughout the
facility, influence of prevailing seas on location of escape craft, location of helideck
etc.
interaction with other facilities:
physical connections including product offloading facility and pipelines
support from existing facilities (aircraft, supply boats)
allowance for impact by vessels
interaction with expected facilities (where applicable).
Number and configuration of wells and slots
Completion arrangements
Details of wellhead design.
4. Staffing
This should include a description of the organisational structure for the facility, and for relevant
parts of the company management. It should indicate the incumbents of key positions, and state
their competency and selection criteria.
staffing philosophy and arrangements, including:
numbers and location of people taking into account fluctuations with shifts, maintenance
activities, visitors
minimum staffing levels
maximum number of people on the facility
organisation structure on the facility including nominated position in charge
organisation structure for onshore support staff
Shift arrangements.
Position descriptions detailing safety responsibilities.
5. Primary Functions
For each function, the description should include systems, equipment, controls, arrangements,
policies, procedures and supporting design criteria as appropriate with an emphasis on their role
in prevention, reduction and mitigation of major accident events.
Special attention should be paid to the stated limits of operation of each function (maximum,
minimum, level or redundancy etc)
78
September 2004

process systems:
process description (overview)
process control features
safety control systems for use during emergencies for example controls at the
temporary refuge or emergency assembly area
pipeline and riser systems:
platform and sub-sea installation
location, separation, protection
riser connect/disconnect system (Floating Processing, Storage and Off-load

Facility(FPSO) and Floating Storage, Off-load Facility(FSO)
wells and sub-sea systems:
wellheads and christmas trees
sub-sea flowlines, umbilicals and associated equipment
shutdown and control system
downhole equipment
well design and construction
utility systems:
power generation and distribution (including supply and safety critical equipment)
standby power systems (including starting systems)
emergency lighting
communications (voice and data)
instrument air system
hydraulic control system
potable water
drains and sumps
navigation lighting
chemical injection
inert gas systems
heating, ventilation and air conditioning
cranes and other lifting equipment
drilling systems:
drilling capability and rig safety features
integration with platform systems
assumed rig and its load on platform
workover and wireline systems:
extent and type of activity planned
integration with platform systems
assumed rig and its load on platform
79
September 2004
marine functions/systems:
supply/service vessels
standby vessels
diving operations
ballast and stability systems (FPSO/FSO)
integrity of off-take tankers
mooring systems/ jacking systems
station keeping system
cargo and offload system
aircraft operations:
onshore base
capability of aircraft
route taken to/from facility
helicopter refuelling
helideck
6. Hazardous Substances and Inventories

This is a summary of all the hazardous substances that could contribute to the escalation of an
event into a major accident.
Type of hazardous material
reservoir fluids
pipelines fluids
process fluids
stored fuels and compressed gases
product crude oil cargo
process fluids
stored liquids and solids
radioactive materials for example NORMs
other substances
The range of sizes of isolated inventories in the event of a platform shutdown shall be given.
Material safety data sheets should be referenced in the safety management system section of
the safety case.
Physical and chemical behaviour of the dangerous substances present.
Factual information concerning the known physical, chemical or toxicological characteristics of

dangerous substances, which may cause immediate or delayed harm to either people or the
environment.
80
September 2004

7. Safety Features and Systems
This is a description of those systems provided for reduction and mitigation of Major Accident
Events.
detection systems
visual monitoring system (if applicable)
fire and gas detection/alarm system
toxic detection
heat detection
smoke detection
blowout detection and prevention systems
well control systems
drilling
facility shutdown system(s)
total facility shutdown
subsurface shutdown
surface shutdown
process shutdown system
including shutdown of connected facilities and arrangements for control of

emergency shutdown valves and sub-sea isolation valve (SSIVs) (where
applicable).
fire and blast protection passive
fire protection active
fire pumps
deluge system
sprinkler system
hose reels, monitors and extinguishers
inert systems
other support services eg equipment room and enclosures
relief and blowdown
instrumentation systems
pressure safety valves (PSVs)
flare, vents and drains
emergency power, communications and lighting
escape routes and temporary refuge
pharmaceutical supplies
evacuation and rescue equipment (location, types and capacities)
Ship movement monitoring.
81
September 2004
Ballasting systems
Flooding prevention systems
8. Drawing Set
A drawing set is essential to understanding. The drawings provided in/ with the Safety Case
should be sufficiently comprehensive and details to enable NOPSAs assessment, but need not
contain all engineering details.
A typical drawing set could include:
development location map
deck plot plans
major equipment/facilities layout (including sub-sea)
process and instrumentation diagrams
safety critical electrical, hydraulic and pneumatic systems
fire and blast protection
location of emergency shut-down valves
fire and safety equipment
escape routes/emergency assembly area/temporary refuge
fire and gas systems
flare, vent and drain system
structural layout (including riser(s) location)
quarters layout
mooring layout
hazardous area classification drawings
riser and associated pipelines
seabed plan view showing fixed hazards (if appropriate)
heating ventilation and air conditioning system (HVAC) (intakes and vents).
fire and gas cause and effect matrices
process schematic
emergency shut-down logic.
82
September 2004
4.1 Introduction
4.1.1
What is a Safety Management System?
The safety management system (SMS) is the method by which safety is managed on the facility.
Having said that, an SMS is much more than simply a set of procedures. The thing that makes
the system is the way that all the documentation links together and links to the risks that it is
designed to address.
From a risk assessment perspective, the SMS is the method of reducing risk and ensuring that it
remains As Low As Reasonably Practicable over the life of the facility.
One of the key features of an SMS is the continuous improvement cycle. This means that the
starting point for development of an SMS is the definition of the policy and objectives of the
system. Once these are set, the next step is planning, which involves determination of the
resources required to achieve the objectives that have been set. In an SMS, risk assessment is
usually one of the planning elements as the risk exposure, and hence risk control strategies,
determines much of the rest of the system.
Features of a Management System

Effective policies set a clear
direction for the organisation to
follow. They contribute to all
aspects of the business
performance.
Information from Audit and

internal monitoring and
evaluation is used to improve
the management system by
influencing policy and
processes.
Planning
Continuous
Improvement
Audit & Review

There is systematic review of
performance based on data
from monitoring and
independent audits.
Performance is assessed by
reference to internally set
performance indicators and
external comparison with other
in the sector and best practice.
Objectives & Targets are set.

Plans for implementation are
developed (address risk).
Performance standards are
established and used for
measuring performance.
Policy
& Objectives
Implementation
Monitor & Evaluate
Active self monitoring reveals how

effectively the management system is
functioning. Performance is measured
against agreed standards to reveal when
and where improvement is required.
83
An effective management
structure and systems are in
place for delivering the policy.
There is a shared common
understanding of the
organisations vision, values &
beliefs.
September 2004

The third stage of the management system process is implementation. In an SMS sense, this
includes things like how the facility will be operated safely. The fourth step is monitoring and
evaluation, including such safety issues as inspection and testing. The final stage of the loop is
audit and review.
The information obtained from audit and review is used to adjust policy and procedures and so
the loop is closed to ensure that safety performance is continually improved.
Typical elements that make up a SMS are as follows:
Policy and Objectives
Planning
Hazard Identification, Risk Assessment and Controls
Organisation and Responsibility
Employee Selection Training and Competency
Employee Involvement and Communication
Information Management and Document Control
Implementation
Operations Management
Repair and Maintenance
Design, Construction and Commissioning
Emergency Preparedness and Response
Management of Change
Contract, Contractor and Services Management
Procurement
Monitoring
Inspection, Testing and Monitoring
Health Surveillance and Injury Management
Incident Reporting, Investigation and Follow Up
84
September 2004

Audit and Review
There are many possible models for this, such as:
Australian Standard AS 4801- 2000. Occupational health and management systems

Specification with guide for use.
Australian AS 4804 2001. Occupational health and management systems General

guidelines on principles, systems and supporting techniques.
UK Health and Safety Executive publication HSG65. Successful health and safety
management.
American Petroleum Institute API Recommended Practice RP750, Management of

Process Hazards
American Petroleum Institute API Recommended Practice RP9100A, Model EHS

Management System
American Insititute of Chemical Engineers, Centre for Chemical Process Safety,

AIChE/CCPS Guidelines for Process Safety Management Systems
North West European HSE Case Guidelines for MODUs. issued by the International
Association of Drilling Contractors
International Maritime Organisation, International Safety Management (ISM) Code.
Another key aspect of an SMS is that the continuous improvement loop applies not only to the
system as a whole, but also to each individual element. An example of this would be Emergency
Response where part of the policy for emergency response might be that all major types of
scenarios (as identified in the FSA) are tested annually. The planning for this would be covered
by the schedule for emergency exercises. Processes should check that the exercises have been
done and results recorded. Continuous improvement would be demonstrated by ensuring that
recommendations made as a result of the exercises are actioned and systems are re-tested as
appropriate in the next scheduled period.
To cover these principles, management system documentation is typically organised into (at
least) 3 tiers or levels:
The top level is the overall safety policy.
The second level is typically a set of guidelines (one for each element) that describe
policy, planning etc for that element.
The bottom level (or levels) of the system is the detailed procedures.
Whilst the above discussion has focussed on how the documentation is organised, in a broader
system sense a key issue is leadership and management commitment. The management system
must ensure that appropriate people are hired; that they are trained to acquire the appropriate
skills, and that they are motivated on safety issues by appropriate leadership.
85
September 2004

Many organisations also separate management system documentation into two sets according to
whether it relates to management and onshore based activities such as design, or offshore
facility-based systems and procedures. The first set may be called the Corporate SMS or similar
and the second set the facility SMS. Both sets of documentation are included in the requirements
of an offshore Safety Case.
Note that the SMS must include consideration of occupational health issues in addition to safety.
In addition, some organisations may chose to manage environmental issues as part of the same
system since many of the requirements and issues are common or similar. This is not required
for the Safety Case, but is acceptable.
4.1.2
Links to the Formal Safety Assessment
The Formal Safety Assessment is a study or set of studies conducted in order to gain an
understanding of the Major Accident Events, to determine whether there are sufficient risk
controls in place, and to determine which are the most important risk controls.
As the SMS must cover management of all safety related issues, there are 2 important links to the
FSA:
The processes used to prepare and update the FSA, and the rest of the Safety Case,
must be included in the SMS
The risk controls identified will include management system elements, either because the
controls are themselves procedures or administrative systems, or because a hardware
control needs to have a system in place to describe the related training, operation and
maintenance.
It should be noted that the SMS must cover ALL safety-related issues, not just those related to
Major Accident Events.
4.1.3
What is a performance standard?
A performance standard is a statement of the performance required of a system, item of

equipment, person or procedure. The terms functionality, reliability, availability and survivability
and interdependence provide useful parameters with which to define the standard.
Performance standards should be developed based on consideration of the risks being managed.
Meeting all performance standards is the method of demonstrating that risk continues to be
controlled to a level that is as low as reasonably practicable.
Performance standards are required for the SMS as a whole, and for the risk controls that are
identified as critical.
86
September 2004

Performance standards are useful only if the actual performance is measured against the required
standard by use of performance indicators. Good performance indicators are SMART Specific,
Measurable, Appropriate, Realistic and Time-bound.
4.1.4
SMS documentation as part of the Safety Case
The documentation submitted on the subject of the SMS as part of the Safety Case itself should
be a demonstration that the system in place generally addresses the SMS Principles from Section
4.2. In other words this can be a description of the system, rather than large sections of the
system documentation itself.
Another issue with submitting sections of the SMS itself is the need to control revisions.
4.1.5
Common weaknesses
Too much focus on documentation, too little focus on active leadership in the field
An SMS consisting of many procedures with no clear system
Documentation out of date compared to actual practice or uncontrolled copies in use
Gaps identified but no system in place for prioritisation and close out
Absence of meaningful performance standards eg systems are reviewed periodically or

frequently or kept under constant review.
Field staff not adequately trained or familiar with procedures.
87
September 2004
4.2 Preparation and Assessment Principles for the Safety Management

System
4.2.1
Overall SMS Principles
Principle SMS-01: The Safety Management System must be comprehensive

and integrated, including elements that address all components of the
management system loop i.e. policy and objectives, planning,
implementation, monitoring and review.
Reason
a) Regulation 9 (4) (a) requires that the SMS is comprehensive and integrated.
b) Coverage of the management system loop is a requirement of Regulation 10 for the system
as a whole.
a) The Safety Management System includes a documented policy authorised by the accountable
chief executive that clearly states strategic safety objectives and a commitment to continual
safety performance improvement.
b) The Safety Management System includes (or references) plans made by the organisation to
ensure that the policies etc are implemented. Issues that should be addressed include
leadership, commitment, workforce involvement, resourcing and roles and responsibilities.
c) The Safety Management System includes (or references) systems and procedures covering
both people and technology to ensure that the desired safety outcomes can be achieved in
the workplace.
d) The Safety Management System includes (or references) performance standards against
which the actual performance can be compared. Note that this applies at both a total
system, element and individual procedure level
e) The Safety Management System includes (or references) a step that ensures overall system
improvements are identified by methods such as external benchmarking, systemic review of
incident and/or performance data, internal and external audit.
f)
The Safety Management System follows the structure of an established model or standard
such as:
88
September 2004
Australian Standard AS 4801- 2000. Occupational health and management systems

Specification with guide for use.
Australian AS 4804 2001. Occupational health and management systems General

guidelines on principles, systems and supporting techniques.
UK Health and Safety Executive publication HSG65. Successful health and safety
management.
American Petroleum Institute API Recommended Practice RP750, Management of

Process Hazards
American Petroleum Institute API Recommended Practice RP9100A, Model EHS

Management System
American Insititute of Chemical Engineers, Centre for Chemical Process Safety,

AIChE/CCPS Guidelines for Process Safety Management Systems
North West European HSE Case Guidelines for MODUs. issued by the International
Association of Drilling Contractors
International Maritime Organisation, International Safety Management (ISM) Code.
89
September 2004
Principle SMS-02: The Safety Management System should also address the
management system loop (policy, objectives, planning, implementation,
monitoring and review) for each element, and for the system as a whole.
Reason
a) Regulation 9 (4) (a) requires that the SMS is comprehensive and integrated. Use of the
management system loop part of best practice for SMS development.
a) Documentation of specific SMS elements includes not only the specific requirements and
activities to be carried out, but also some statement of policy, purpose or the overall aim of
the element in question.
b) The SMS reflects top management commitment and culture and how this is driven down into
the management of safety.
c) The SMS details how the SMS fits into the overall management of the organisation.
d) The documentation clearly describes roles and responsibilities of personnel involved in
implementing each element of the SMS, and in overall management of the SMS, allocated at
an appropriate level to demonstrate commitment and drive a positive safety culture.
e) Roles and responsibilities are incorporated into the job descriptions for key personnel.
f)
Training requirements necessary to support the SMS element are described.
g) Documentation that covers the identification and management of resources.

h) Evidence that organisation has sufficient resources for development and implementation of
the SMS element.
i)
SMS elements and procedures detail when, how and the resources required to manage the
activities associated with them.
j)
Documents describe how improvement plans, audits etc are scheduled, resourced and
allocated and implementation monitored.
k) Documentation of specific elements includes references to how the performance of the SMS
element is monitored.
l)
The element includes audit requirements and audit checklists
m) The element includes the review period for the element.
90
September 2004
4.2.2
Policy and Objectives
Principle SMS-03: The Safety Management System must be based on and

consistent with the safety policy of the organisation.
Reason
a) Regulation 9 (4) (a) requires that the SMS is comprehensive and integrated. This principle
sets a top down approach to this.
a) The roles and responsibilities described within the SMS support the implementation of the
policy eg personal responsibility for ones own safety and that of the team.
b) The culture described in the safety policy should be consistent with the SMS elements. For
example if the policy states that the company is to be an industry leader in safety then the
SMS would probably have aspects of seeking out best practice etc.
c) If the policy states that no business objective will take priority over health and safety then
this should be reflected in the management system.
d) Where the policy requires a contractor to manage their health and safety in line with the
policy, then the SMS should have procedures for the appropriate selection, induction, training
and audit.
91
September 2004
4.2.3
Planning
Principle SMS-04: The scope of the Safety Management System must be

consistent with the operating envelope for all activities and facilities as
described in the Facility Description.
Reason
a) Regulation 9 (4) (b) requires the SMS to cover all activities.
a) The SMS describes how safety is managed for all the activities described in the facility
description (eg. Marine, cranes, general operations etc).
b) The SMS applies to all stages of life-cycle of the facility as described.
c) Systems and operating procedures are available for normal and abnormal operations
described in the FD.
d) Safe operating limits (such as Critical Operating Parameters) are defined for all activities.
e) The incident investigation and reporting procedures call for investigations to be conducted
where the plant operating envelope, as described in the FD, is exceeded.
f)
Management of change covers all aspects of the operations and facilities described in the FD.
g) The design philosophies described within the facility description are consistent with the SMS
(and related documents) elements associated with facilities design. For example:
performance criteria for emergency systems listed in the FD should be linked back to
the safety management system.
Design QA requirements listed in the FD are described in the SMS and related
documents.
h) SMS elements are consistent with the organisational structure and staffing arrangements.
For example, the roles and responsibilities described in the SMS elements match the
organisation as described in the FD.
92
September 2004
Principle SMS - 05: The Safety Management System must address risk to
people on or near the facility due to all hazards (not just MAEs).
Reason
a) Regulation 9 (4) (c), (d) and (e) generally require that the SMS covers hazard and risk
management for all risks to people on the facility
a) Processes used in preparation of the FSA are documented as part of the SMS.
b) Management system documents exist detailing the procedure to be followed in updating the
FSA, including triggers for a revision.
c) The Safety Management System includes risk assessment process other than the FSA such
as:
Job Safety Analysis
Hazop
Tool box meetings
and the results of these processes are linked to the risk controls in the SMS.
93
September 2004
Principle SMS - 06: Appropriate and competent people must have

participated in development and implementation of the Safety
Management System and in development and implementation of
changes to the system.
Reason
a) Regulation 10 requires that systems are in place to ensure that the SMS is effective.
b) Regulation 15 requires persons involved with the facility to be involved to a level such that
they can arrive at an informed opinion about the risks and hazards to which they are
exposed.
Representatives). The specific consultation requirements for this Principle should be done
within this wider framework. See specifically P(SL)A clauses 12, 13, 15, 19(1), 20, 24 and 25.
a) Field based employees (or their representatives) have been involved in development of
procedures for tasks that they perform.
b) Contractor representatives have been involved in development of links between the systems
of the operator and those of the contractor organisation where interfaces exist.
c) General staff such as field based employees and design engineers have been trained in the
principles of the safety management system and their responsibilities and accountabilities
within that system.
d) Where specialist expertise external to the Operator has been used to develop all or part of
the SMS, operating company personnel can demonstrate a clear understanding of the
purpose and requirements of the system.
e) Systems are in place to ensure that personnel have the appropriate level of competency and
knowledge to carry out the tasks required of them.
f)
For critical activities competency is assessed prior to the individual being permitted to carry
out a task.
94
September 2004
Principle SMS - 07: Appropriate quality assurance procedures must be

used in managing SMS documentation and information in general and the
Safety Case in particular.
Reason
a) Storage of copies of the Safety Case itself is a specific requirement of regulation 27.
b) Regulation 9 (4) (a) requires the SMS to be comprehensive and integrated. A comprehensive
system must be controlled sufficiently to ensure that personnel are using accurate and up to
date systems, procedures and forms.
a) Documentation includes a revision record showing who wrote the document, who reviewed it
and who has authorised its use.
b) All documentation including forms and other things used in the field are clearly labelled with
revision identification.
c) The revision record shows that the documentation has been updated and reissued as
necessary.
d) An up to date audit plan exists.
e) The audit schedule cover all aspects of the SMS and Safety Case.
f)
Review periods are defined for documentation.
g) The review and audit process is described.

h) The review and audit process are allocated appropriate ownership in the organisation.
i)
An action management system is in place to document actions taken and close out.
95
September 2004
Principle SMS - 08: The Safety Management System should detail roles,
responsibilities and reporting structures affecting safety. In particular, the
Safety Case must describe (or reference) the arrangements for command
of the facility in normal operation and in an emergency including:
that someone is always nominated as in command,
that the nominated person is competent,
that the identity of the person in command is clearly displayed.
Reason
a) Requirement of regulation 12 (2).
a) The facility description provides an organisational chart for the facility and who is in
command.
b) Backup personnel are defined in the event of absence of the person in command or their
incapacitation during an emergency.
c) Training needs of the person in command are defined in the Job Description and/or training
needs analysis.
d) A current emergency response contact list exists and available at emergency control centres.
96
September 2004
Principle SMS - 09: The Safety Case must include a description of the
provisions made to ensure that each employee has the appropriate skills,
training and ability for the range of tasks that he or she may reasonably be
asked to perform, including specifically:
Actions required in an emergency
Use of the permit to work system
Reason
a) Skills, training and ability of personnel to perform tasks is a requirement of regulation 13.
Note that the most general interpretation of the requirements of this regulation covers
onshore engineering and management decision making in addition to employees offshore.
b) Actions required in an emergency is specifically addressed in regulation 24 (4)
c) Competency in permit to work requirements is specifically addressed in 14 (2)(c).
a) Procedures exist regarding selection of personnel for safety critical positions.
b) Training requirements have been defined based on safety critical tasks including
Induction
Initial training
Re-training when and how?
Training needs assessment
Arrangements on training on major hazard scenarios.
Competency assessment approach
c) Competency is periodically reassessed.

d) These provisions apply to offshore employees and onshore support and management
personnel as appropriate.
e) Monitoring and auditing are conducted for such areas as permit to work.
f)
Emergency scenarios / desk top audits are conducted to assure readiness and confirm
competency for emergency response actions.
g) Systems are in place to address fitness for work.
97
September 2004
Principle SMS - 10: The Safety Case should include a demonstration that
the number of personnel on the facility is adequate for the range of tasks
that may be required to be performed simultaneously on the facility, both
in normal operation and in an emergency.
Reason
a) Skills, training and ability of personnel to perform tasks is a requirement of regulation 13.
The number and type of simultaneous activities required to be undertaken by any individual
has a direct impact on then ability to perform the tasks adequately.
a) Systematic studies of tasks required to be done simultaneously have been conducted and
assessed relative to the staffing and competency levels likely to be present on the facility.
b) The studies have included the range of potential emergency scenarios that exist.
c) Task analysis studies to identify the range of cognitive skills required by individuals who are
required to perform simultaneous tasks.
d) In considering emergency response consideration is given to fatigue, workload, stress on the
ability of the person to identify and diagnose problems.
98
September 2004
4.2.4
Implementation
Principle SMS - 11: The Safety Management System must include

provision for safe operating procedures.
Reason
a) Regulation 25 requires this for pipelines.
b) Regulation 26 requires this for vessels and aircraft operations.
c) Regulation 9 (4) requires the SMS to be comprehensive and integrated.
a) Procedures exist for all key activities and modes of operation..
b) Procedures are present to control risks during all phases of the facilitys life including design,
construction, commissioning, operation and abandonment.
c) The safe operating procedures cover both abnormal and normal operation.
d) The safe operating procedures acknowledge the hazards identified during the FSA and
emphasise the control measures used to protect against the hazard.
e) Procedures contain:
Critical operating parameters and safe operating limits.
Details of the consequences of exceeding the limits and actions to be taken to should
they be exceeded.
99
September 2004

provision for inspection, maintenance and testing of equipment and
hardware used to control all risks (not just MAEs).
Reason
a) Specific requirement of regulation 9 (4) (f).
a) Policy available that details the objectives for control of integrity, measurable performance
targets and management commitment.
b) Documentation exists detailing the maintenance and inspection philosophy. (eg. Risk based
versus fixed interval)
c) Documentation is available that details what equipment is included and excluded from the
integrity program
d) Adequate resources are supplied as demonstrated by the completion of the PM and
inspection programs.
e) Responsibilities for management of these systems are included in procedures and job
descriptions.
f)
Detailed inspection procedures/PM job plans are available.
g) A management system exists to plan, implement and report on inspection and maintenance
activities.
h) Reports are available that detail the performance of inspection program.
100
September 2004

provision for management of safety issues arising from purchasing,
contractors and suppliers
Reason
a) Regulation 9 (4) requires that the SMS is comprehensive and integrated. These issues can
affect safety and hence must be addressed.
a) An approved list of equipment & materials suppliers and contractors is available that is
endorsed by appropriately qualified and competent personnel.
b) All contractors pre-qualified before being offered the opportunity to tender. This pretendering process could include:
Evaluation of HSE management system
Site inspection and assessment of performance and culture.
An assessment of their technical competence.
c) Procedures require that contractor employees and subcontractors have completed the site
induction and relevant safety training.
d) Audits are conducted on contractors in the same way as the organisations employees.
Audits include:
Work Permits
Equipment used complies with facility requirements, etc.
e) Contractors and subcontractors use the same system for reporting and investigation of
incidents.
f)
The management of change system includes changes in materials, contractors and suppliers.
101
September 2004
Principle SMS-14: The Safety Case must describe the operational and
emergency communications systems between the facility and:
Onshore installations
Vessels and aircraft
Other facilities.
Reason
a) Regulation 9 (4) (g) requires that the SMS makes provision for the communications between
the facility and appropriate onshore installations, appropriate vessels and aircraft and other
appropriate facilities.
b) Regulation 22 provides for the specification of emergency communication systems.
a) The Safety Case contains or references details of communications system such as capacity,
operating constraints/limits (if any), reliability, redundancy, hierarchy of operation.
b) The Safety Case contains as assessment of the survivability of each communications system
in an emergency.
102
September 2004

processes for management of change, including physical changes, staffing
chances, organisational changes and operational changes.
Reason
a) Regulation 9 (4) requires that the SMS is comprehensive and integrated. Change
management is a key aspect of this.
a) Management of Change (MOC) processes are documented which provide for appropriate
levels of review, authorization and training prior to implementing a change.
b) Change is defined in the procedure to cover changes in personnel, organization structure,
plant, processes and process variables, materials, equipment, operating and maintenance
procedures, software, other aspects of design or external influences.
c) The MOC procedure includes temporary, emergency, and permanent changes and associated
time period for the change where a temporary change is required.
d) The MOC requires documentation of the technical basis for the proposed change, EHS,
engineering, and operational reviews, as well as authorisations.
e) The MOC has a post implementation review to assure that documentation is updated and that
the change has achieved objectives and actions closed out.
f)
A system is in place such that when a new facility or a significant modification to the existing
facility occurs that assurance is provided that:
The facility is constructed as per design.
safety, operating, maintenance, and emergency procedures are in place and

adequate.
A risk assessment has been conducted and actions completed prior to startup.
Personnel are trained.
103
September 2004
Principle SMS - 16: The Safety Management System must include a

documented permit to work system including clearly defined
responsibilities for authorisation and supervision. Activities covered by
the system must include
Welding and other hot work
Cold work
Electrical work
Entry and work in confined spaces
Working over water
Diving operations.
Reason
a) Regulation 14 (1) and (2) requirements.
a) A documented permit to work systems is provided that addresses the areas listed above as
minimum.
b) Procedures address roles and responsibilities for issuing, receiving and performing work
under the permit, including hand-back and recommissioning.
c) The permit procedures and permit should address:
Duration of the permit
Shift change requirements
Actions in the event of emergency (eg. Ceasing work)
d) The PTW system includes monitoring and audit requirement to assure the effectiveness of the
system.
e) The permit should address:
Start and expiry time
Condition of equipment (eg. Contents, inerting)
Hazards and required precautions.
Equipment involved
Specification of work to be completed.
PPE requirements
104
September 2004

f)
The PTW system details the training requirements for personnel involved in the issue or
receiving of the permits as well as those undertaking the work.
105
September 2004

processes to ensure that the integrity of the facility is maintained, by
control of design, construction, installation, and modification of the
facility, in particular:
Inventory isolation and pressure relief
Access to equipment
Structural integrity
Reason
a) Requirement of regulations 16 (1) and (2) (a), (b) and (c)
a) Systems are in place that require the use of relevant engineering and design standards.
b) Systems are in place that require HSE studies and reviews, including Hazard Identification
and Risk Assessment.
c) The system provides for hazard studies to consider the lifecycle of a facility or project
including design, procurement, construction, commissioning phases and post commissioning.
d) The system provides for the identification of EHS Critical plant, equipment, structures,
instrumented systems and control systems, including software so that they may be
appropriately controlled on an ongoing basis.
e) design principles, practices and engineering standards are documented.
f)
A design review and approval process is in place that ensures that all affected personnel are
involved.
g) Changes required in the design are required to be documented, reviews and approved via a
change management process (eg. Engineering change request or similar).
h) Procedures are in place to ensure that the facilities are designed and constructed to approved
specifications, standards and procedures.
i)
QA procedures are in place to assure that vendor supplied equipment and site construction
work are fit for purpose. This include appropriate use of NDT, external certification and
inspections.
106
September 2004

processes for control of therapeutic drugs, controlled substances and
intoxicants on the facility.
Reason
a) Requirement of regulation 19.
a) A drugs and alcohol policy exists that:
Describes the unacceptability of coming to work under the influence of drugs and
alcohol that inhibit performance of duties in a safe and efficient manner.
A framework for constructive intervention, where drug and alcohol issues exist,
enabling employees to seek early treatment and return to their appropriate place
within the work force.
Cover the use and management of therapeutic drugs.
Details disciplinary consequences and procedure.
107
September 2004

processes for responding to an emergency on the facility and the system
for testing the procedures using drills. The Safety Case must describe the
arrangements for command of the facility in the event of an emergency
and ensure that this structure is clearly displayed on the facility.
Reason
a) Requirement of regulation 24.
b) Regulation 12 requires the command arrangements to be specified and displayed.
a) An emergency response plan is available.
b) The emergency response plan has been developed based on an assessment of emergency
situations that might arise from facility activities and strategies have been developed for
those situations. These may include
Fire & explosions
medical emergency
utility failure
exposure to or unplanned release of hazardous material
security threats
natural event (such as cyclones)
c) Systems are in place to rapidly warn people present on the facility. This includes:
F&G systems
Communication systems
Emergency alarm
d) The emergency plan describes the organisational structure, authorities and responsibilities.
e) The organisational structure is described in the Safety Case and is also clearly displayed on
the facility.
f)
Contingency plans are in place for:
Incapacitation of emergency response personnel
Communications failure
108
September 2004
Inaccessibility of primary emergency control centre.
g) Arrangements are in place for external onshore support including rescue.

h) The system requires emergency response drills to ensure the emergency response plans are
regularly practiced, reviewed and updated as required.
i)
A system is in place to ensure that new personnel are inducted as to the location of alarms,
alarm tones and required response.
j)
A system is in place to ensure that facility personnel are provided sufficient training for their
role in the emergency.
109
September 2004
4.2.5
Monitoring
Principle SMS-20: The Safety Management System must include systems

for monitoring and evaluating the effects of the working environment on
the health of the workforce.
Reason
a) This is a general requirement sunder the Petroleum (Submerged Lands) Act.
a) System in place for pre-employment medicals and regular checks.
b) System in place for identification of health hazards and addressing them via a hierarchy of
controls approach.
c) Specific monitoring and analysis for residual health hazards eg noise and hearing loss,
hazardous substances and exposure effects.
d) Policy in place on fitness for duty including fatigue.
110
September 2004
4.2.6
Audit and Review
Principle SMS-21: The Safety Management System must include processes

that are used to continually and systematically identify and address
deficiencies in the system and/or its implementation including but not
limited to investigation of incidents.
Reason
a) Requirement of Regulation 10 (b).
a) The Safety Management System includes (or references) performance standards against
b) The Safety Management System documentation includes audit schedules, protocols and
results.
c) There is a system in place for tracking audit actions to close out.
d) A system exists for employees to raise problems with the system and for such issues to be
evaluated and actioned as appropriate.
e) A performance review process exists that includes a review of the SMS performance
measures and indicators. Deficiencies are identified from this process.
f)
There is a system in place for tracking the status of incident investigations and the action
items arising from them.
g) The incident investigation process involves a root cause analysis to detect system faults.
111
September 2004

processes that identify and implement improvements in the system and/or
its implementation.
Reason
a) Requirement of Regulation 10 (c).
a) The Safety Management System includes (or references) performance standards against
b) The Safety Management System includes (or references) a step that ensures overall system
improvements are identified by methods such as external benchmarking, systemic review of
incident and/or performance data, internal and external audit.
c) A system exists for employees to suggest changes to improve the system and for such
suggestions to be evaluated and actioned as appropriate.
112
September 2004
5.1 Introduction
5.1.1
Purpose
The purpose of the Formal Safety Assessment is to demonstrate that, in relation to major
accident events, all reasonably practicable controls have been identified in order ensure that risk
is as low as reasonably practicable (ALARP). Note that implementation and ongoing
management of controls is covered by the SMS.
As part of this it is necessary for the operator to ensure, through appropriate analysis and
assessment, and through implementation of the findings of those assessments, that:
the exposure of employees on the facility to hazards has been minimised, firstly through
elimination of hazards and secondly through control of remaining hazards
the integrity of the temporary refuge, fire protection and detection systems, escape
routes, evacuation / embarkation points and lifeboats/liferafts under accident conditions
is maintained so far as is reasonably practicable
all reasonably practicable steps have been taken to ensure the safety of persons in the
temporary refuge, using the escape routes and at the embarkation points, until such time
as all employees have reached a place of safety or have left the facility
there are adequate facilities within the temporary refuge to expedite safe escape and
evacuation of employees during a major accident event.
In this context, Formal Safety Assessment is taken to include the Fire Risk Analysis that is
required by regulation 23, and the Escape, Evacuation and Rescue Analysis that is required by
regulation 26.
5.1.2
Concepts of Risk
Risk may be defined as the likelihood of a specified undesired event occurring within a specific
period or in specified circumstances. It may be expressed as a frequency, being the number of
the specified event that can be expected to occur in a given period. Alternately, it may be
expressed as a probability, being the probability of the specified event arising in particular
circumstances. Thus we can talk about the risk of boat collision during unloading operations,
meaning the probability that there will be a boat collision whilst unloading is occurring, or the risk
of a gas leak due to corrosion, meaning the average annual frequency of such leaks.
In the context of the Formal Safety Assessment, the overall risk of interest is the risk of fatality
due to all possible Major Accident events (of which there may be many, 2 of which may be boat
collision and gas leak due to corrosion).
113
September 2004
In numerical terms, the risk from a particular MAE is the product of frequency and consequence.
The likelihood, consequence and risk may each be expressed either qualitatively or quantitatively.
Qualitatively, terms such as below are typically used:
Likelihood Not credible, unlikely, likely, very likely
Consequence Minor, Significant, Major, Catastrophic
Risk Low, medium, high, very high
These may be combined in matrix format, for example as follows:
Minor
Significant
Major
Catastrophic
Very likely
High
High
Very High
Very High
Likely
Medium
High
High
Very High
Unlikely
Medium
Medium
High
High
Not credible
Low
Medium
Medium
High
Acceptability of risk would be based on the low, medium, high, very high categorisation. The
categories of likelihood and consequence might also be assigned numeric values, which would be
estimated based on judgement, historic data or quantitative assessment.
Typical quantitative measures of risk used for offshore petroleum facilities are as follows:
IRPA Individual Risk Per Annum, being the probability (typically averaged over the entire
crew or over a particular team) that an individual person will be killed over a one-year
period. Risk expressed in this way can readily be compared to the risks of, say, driving,
flying, house fires, diseases, etc. Typical risk levels for the offshore industry lie in the region
0.0001 per year to 0.001 per year, i.e. between 1 in 10000 and 1 in 1000 per year. It is
common to set a limit of 0.001 per year above which the risk is considered intolerable; this
roughly corresponds to the risk level that is observed in Australia in recognised high-risk
industries such as forestry and fishing, but greater than the risk in mining and construction.
PLL Potential Loss of Life, being the number of fatalities that are expected to occur on
average in a one-year period. This measure of risk depends on the number of persons
exposed; for a facility that has a workforce of 100 (summed over all shifts), a typical PLL is
114
September 2004

in the range 0.01 to 0.1 per year. It is not generally a suitable basis for a risk criterion, but
is a useful measure when determining ALARP through cost benefit analysis.
A quantitative risk assessment (QRA) would be needed, if such measures were to be used.
5.1.3
Risk Acceptance Criteria and Demonstration of ALARP
In the context of MAE risk as addressed in the FSA, the demonstration that risk is as low as
reasonably practicable is based on the concept:
That there is a maximum level of risk that is intolerable
There is a low (but non-zero) level of risk that is broadly acceptable
Between these 2 risk levels there is a grey area where the risk may be accepted by a
company or individual provided that the risk as be shown to be as low as reasonably
practicable. This is commonly called the ALARP region.
In the ALARP region, principles of continual improvement apply. This means that risk reduction
measures should be adopted until the difficulty and cost of adoption exceeds their benefit.
Further, where the risk level is close to the tolerability / acceptance criteria, control measures
should be adopted unless their difficulty and cost grossly outweighed their benefit. Except in
exceptional circumstances it would be expected that all control measures set out in industry
standards are adopted.
Note that the demonstration that MAE risk is ALARP is a 2 step process, firstly to determine
where the risk falls (intolerable, in the ALARP region, broadly acceptable) and secondly to
determine what further risk reduction can be justified. Simply determining that the risk falls into
the ALARP region does not mean that the second stage of the process can be skipped.
Some organisations have a system of management reporting, monitoring or sign off for hazards
determined to pose significant risk eg anything in the high or very high area of the risk matrix.
Whilst management focus (particularly on controls for these hazards) is good, it is not in itself a
demonstration that the risk has been reduced as far as reasonably practicable.
The process described can be used qualitatively eg in the form of a risk matrix or to judge the
results of a numerical assessment ie QRA. One disadvantage of the risk matrix approach is that
MAEs are judged individually and it is difficult to address the overall level of risk to people on the
facility in this form of analysis. Some form of approximate cumulative analysis is likely to be
required, firstly to justify the boundaries in the risk criteria and secondly to show that the overall
assessed risk is reasonable (in addition to the risk from each MAE).
If risks are quantified, then generation of ALARP criteria is easier and the key issue becomes the
accuracy of the risk calculations and the assumptions made.
115
September 2004
A third aspect that should be considered in the risk criteria adopted is the relative aversion of
society to high consequence low frequency events, compared to low consequence high frequency
events. This means that extra consideration should be given to scenarios that can lead to large
numbers of fatalities, even if the overall risk is judged to be low (based on the very low
frequency).
It should be noted that the demonstration that all risks to people on the facility are as low as
reasonably practicable lies with the Safety Case as a whole, not just the FSA. Assessment of MAE
risk is a key aspect of a demonstration of ALARP, but other aspects may be at least as important
(refer to criterion SC-06).
5.1.4
Process
The FSA process typically includes the following steps (see figure):
Hazard Identification
This step involves the identification of the hazardous events that may occur at the facility. For the
purpose of later analysis, the hazardous events are often categorised as hydrocarbon hazards
and non-hydrocarbon hazards, within which there may be sub-groups. For example, blow-out,
process loss of containment, fire, explosion, etc might be sub-groups of the hydrocarbon hazards,
whilst dropped objects, structural failure, ship collision, loss of stability, etc would be sub-groups
of the non-hydrocarbon hazards. A data base or similar is then developed to record the details of
all of the identified hazardous events; this is frequently referred to as a hazard register.
At this stage in the process the measures in place to control risk and assumptions made about
their performance should also be recorded.
116
September 2004
FIGURE 4.1: FORMAL SAFETY ASSESSMENT (FSA) SCHEMATIC
OBJECTIVES
PROCESS
*Overall FSA Process
*Safety Goals/Criteria
HAZARD
IDENTIFICATION
*Hazard Listing
*Hazard Ranking
HAZARD
DOCUMENTATION
HAZARD AND RISK

ANALYSIS
MAE's
*Consequence Studies
*Risk Assessment Studies
*Sensitivity Studies
OTHERS
ASSESSMENT OF
RESULTS
*Major Risk Contributors
*Potential Risk Reduction
Measures
RISK
REDUCTION
PROCESS/MEASURE
*Risk Reduction Methods
Adopted
*Assess
acceptability
against criteria
APPLY ALARP
PRINCIPLES
[HOLD: THIS HAS BEEN TAKEN FROM THE EXISTING GUIDELINES, AND NEEDS UPDATING.]
117
September 2004

The next step involves ranking identified hazards by their consequence, and determining whether
they meet the definition of a major accident event. A major accident event is defined as one
that could cause multiple fatalities. Hazardous events that are identified as being potential
major accident events are then carried forward for more detailed analysis.
This ranking process may rely solely on qualitative analysis (i.e. a judgmental assessment), or
may include a degree of quantification. In practice a combination of both is usually deployed
judgement is used to identify those events that clearly are MAEs, and those that clearly are not,
whilst quantitative analysis is used to categorise the marginal cases.
Hazard and Risk Analysis
Following identification of the hazardous events that are MAEs, the more detailed analysis
typically concentrates on the following:
Identifying the various circumstances in which the hazardous events may occur, i.e. the
potential causes of the events and the controls in place. Note that some practitioners use
the word hazard to refer to the cause, whilst others use the term threat.
Estimating the likelihood or probability of those events occurring, and the likelihood of
each cause leading to the event. These estimates may again be based on judgement, or
on quantitative analysis, or a combination of the two.
Estimating the consequences of the hazardous events and their potential impact. These
estimates may again be based on judgement, or on quantitative analysis, or a
combination. The consequences of hydrocarbon events are usually estimated first in
terms of the size of the fire or explosion, and the extent of harmful levels of heat, smoke,
overpressure, etc. From these estimates, further estimates are made of the impact on
persons how many may be harmed and how badly due to immediate effects or through
escalation or the need to evacuate.
It is important that the hazard identification, and the hazard/risk analysis, both address all the
MAEs at the facility. For this purpose these studies should encompass:
All types of operations and activities at the facility, including
well operations
processing and storage of hydrocarbons
diving, crane, ship and aircraft activities
different stages of operations (start-up, normal, shut-down, etc)
routine and campaign maintenance
construction
stand-alone and simultaneous activities
All types of hazards, for example
releases of flammable materials
118
September 2004
fires and explosions
impacts by ships, aircraft, etc
extreme environmental events
structural failures and loss of stability or buoyancy
All types of consequences, such as
fire, smoke and toxic gases
impact on critical structures
impact on significant inventory holders
impact on critical emergency systems
impact on escape, evacuation and rescue
impact on the temporary refuge integrity
Any activity not considered in the FSA will require a revision to the FSA before going ahead if the
MAE risk may change as a result of the activity.
The Operator should record the assumptions made during the hazard ranking process and during
the more detailed assessment of major accident events. Assumptions may be made about the
facility and the way it is operated and about how particular events should be modelled.
Assumptions about the facility may draw on the Operator's procedures described in the safety
management system or facility description parts of the Safety Case, for example:
It might be assumed that the maximum number of persons able to be harmed by a

particular type of hazardous event is limited to 2, because other persons are kept in the
accommodation whilst the relevant activity (e.g. explosives work) is being conducted
It might be assumed that well test facilities are on line and pressured for 20% of the time
and otherwise are hydrocarbon filled, but depressured.
Assumptions about modelling may include such things as the leak hole sizes modelled to cover
the full range of possible leak scenarios or the flame length modelling parameters used.
At this stage the analysis for an existing facility would normally be based on the assumption that
risk control measures that are already in place operate with a certain degree of reliability. This is
a key assumption and should be backed up by some level of demonstration of the current level of
adequacy of the control eg reference to test records.
The results of hazard and risk assessment studies are used to identify and rank the major risk
contributors, in terms of their individual impact (e.g. number of fatalities), their risk level
(frequency of fatalities), or a combination of both. Also at this stage sensitivity studies may be
carried out, relative to the assumptions that have been made. This identifies the assumptions
that most significantly influence the results, which can then be checked.
119
September 2004

Assessment of results
The first part of the assessment of results should ask whether the level of risk is tolerable. Most
petroleum operators will already have established risk acceptance criteria, against which the
estimated risk level may be compared. If the company has no established risk criteria, then
criteria should be developed, based on industry good practice. The risk criteria that companies
use would need to be acceptable to NOPSA and, of course, the level of risk at the facility should
be acceptable according to the criteria.
The second part of the assessment of results should attempt to identify the means by which risk
may be reduced:
what hazards and potential MAEs may be eliminated
what other control measures could be adopted to reduce the likelihood of MAEs
what other control measures could be adopted to reduce the consequences of MAEs
what other control measures could be adopted to better protect persons from the effects
of MAEs
Note that the other control measures identified may be new things or changes/upgrades to
existing risk controls to increase reliability or functionality in a way that reduces risk.
Further sensitivity studies may then be carried out to assess the benefits of the various risk
reduction options that have been identified. It is possible that engineering modifications are not
reasonably practicable (for example, elimination, intensification, alleviation, substitution and
simplification). In such cases, more reliance may have to be placed upon procedural or system
controls. These controls should provide equivalent levels of risk reduction compared to
engineering modifications. The level of residual risk needs to be linked to the operators risk
acceptance criteria, and the safety management system for its management.
The final step is to determine which of the additional identified control measures should be
adopted. The principle of ALARP means that risk reduction measures should be adopted until the
difficulty and cost of adoption exceeds their benefit. Further, where the risk level is close to the
tolerability / acceptance criteria, control measures should be adopted unless their difficulty and
cost grossly outweighed their benefit. Except in exceptional circumstances it would be expected
that all control measures set out in industry standards are adopted.
The effectiveness of risk reduction measures may be determined individually and in groups. It is
possible that risk reduction measures may not be independent, for example introduction of
emergency shut down valves to reduce inventory available for release and passive fire protection
to surrounding members may each be practicable measures, but carrying out both may not be
reasonably practicable.
120
September 2004

Cost alone should not be the sole criteria for adopting (or not adopting) risk reduction measures.
Results of qualitative processes such as the ALARP workshop (including regulator participation
where possible) should also be taken into consideration.
5.1.5
Hierarchy of Controls
The overall demonstration that has been reduced to a level that is as low as reasonably
practicable should consider the suite of controls used for the most significant risks. The preferred
approach is to have a range of controls giving defence in depth. This means that it is desirable to
have controls in place some of which are procedures, some administrative systems (like Permit to
Work) and some hardware items like PSVs.
It is also desirable to have a range of controls that address causality as well as the potential
outcomes of an MAE. This can be considered in terms of a hierarchy such as:
Elimination
Prevention
Reduction
Mitigation
That is, the potential for MAEs should be eliminated if possible. If this is not possible, then the
MAEs should be prevented from occurring, or their likelihood of occurrence reduced, for example
by eliminating some causes. Next, there should be a reduction in the consequences of MAEs, for
example by limiting quantities and pressures or flammable materials, or by improving fire and
explosion detection and protection systems. Finally, further measures should be taken to
mitigate the consequences and the impact on personnel, for example by improving the protection
of personnel, and by better enabling their escape, evacuation and rescue.
Measures for the elimination, prevention, reduction and mitigation of hazard, are discussed
further below.
121
September 2004

Elimination
Designing out the hazard should be the first priority, for example by eliminating any non-essential
hazardous materials, or any non-essential hazardous activities. If designing out is not possible,
consideration should be given to the other types of risk reduction measures in the hierarchy.
Prevention
Sequences of events that may result in major accident events occurring should have already been
identified and discussed. To ensure the safe operation of the facility, measures should now be
considered that may prevent the initiation of each of these sequences.
The FSA should discuss the measures in the form of a structured, qualitative argument linked to
specific MAEs. This should include consideration of the relevant aspects of the management
system, including procedures for design, quality assurance, operations, inspection and
maintenance. Because many prevention measures are procedural in nature, this is an area where
workforce input is particularly valuable.
Reduction
No matter how good the preventative risk controls are, there is always potential for one to fail
and hence risk reduction measures should be considered to limit the consequence of the event,
and to prevent or reduce propagation/escalation. These measures act to intervene at some point
in the sequence of events, in an attempt to control and contain the developing situation before a
major accident event develops.
Risk reduction measures could include:
Ventilation (to prevent explosive concentrations of gas forming)
Fire and gas detection (to promptly detect leaks, and enable effective shutdown)
Emergency shutdown systems (to isolate leaks)
Depressurisation/blowdown/venting systems (to safely release isolated inventories)
Liquid dumping (ditto)
Electrical isolation (to limit the possibility of ignition)
Subsea isolation valves (SSIVs) (to isolate pipelines and wells)
Mitigation
It may not always be possible to intervene in the sequence of events to avoid the major accident
event starting. In such cases measures should be taken to mitigate and minimise the
consequences and impact of the major accident event. Such measures will have effect only after
the major accident event has started.
Such measures could include:
122
September 2004
Alarm and public address/communications system (to warn and instruct personnel)
Fire protection (to minimise fire effects, and to extinguish if possible)
Temporary refuge (for people to shelter from fire effects, etc)
Escape and evacuation systems (to enable safe escape)
Emergency procedures (to enable safe escape)
Protective personal equipment (to provide protection during escape).
5.1.6
Human Error
In considering the potential causes of an MAE, the potential for both human and organisational
error should be taken into account. In considering the potential for human error to cause a MAE,
it is useful to firstly consider the various generic types of human error that are possible. The
following table describes slips, lapses, mistakes and violations (HOLD insert reference to James
Reason).
CLASSIFYING HUMAN ERROR

Error Type
Description
Example
Slips
Error of commission: The action is

executed in an inappropriate way. Eg. I
did something I shouldnt have done.
Accidentally connecting the diesel

bunkering line to the water storage.
Lapses
Error of omission: Failure to perform the

required action. Eg. I didnt do
something I should have done.
Leaving a blind in a line after maintenance.
Mistake:
Occur when a course of action is selected

(that might be correct in some
circumstances), but not in the current
circumstance.
Rule based
The wrong rule is selected or it is

misapplied.
An Operator who normally works on facility

A being temporarily on facility B and lining
up a well for a well test in the way he is
used to doing it, rather than the way it
needs to be done on facility B.
Knowledge based
Occur in novel situations no stored rules

or procedures exist.
A change to the shuttle tanker means that

application of some aspects of the current
offtake procedure is not possible. The crew
then rely on their knowledge and
experience to conduct offtake operations,
but an unforseen circumstance leads to
equipment in a hazardous state.
These errors are problem-solving or

analytical errors, where experience or
knowledge of the situation is limited.
Violations:
A deliberate decision (for whatever

reason) to ignore established safety rules,
codes of practice, etc.
Routine
Tend to occur on a regular basis.
Exceptional
Tend to be one off events.
123
Although a previous operator error had

reduced reactor power to well below 10
percent of maximum, and despite strict
safety procedures prohibiting any
operations below 20 percent of maximum
power, the combined team of operators
and electrical engineers continued with the
planned test program. This and the
subsequent violations of safety procedures
resulted in a double explosion within the
core that breached the containment,
releasing a large amount of radioactive
material into the atmosphere (Chernobyl,
1986).
September 2004

Both slips and lapses are skill-based errors. This means that the person has formulated the right
intention (chosen the correct action to take) but executed it incorrectly. In terms of mistakes, the
error occurs in the decision or choice of action.
The risk control and mitigation strategies vary considerably depending on the error type. The
table overleaf summarises error types, when they are likely to occur, typical causes and likely risk
control strategies. The table concludes with some information on error detectability and one key
risk control strategy for human error is our ability to detect and correct errors before they lead to
a hazardous outcome.
124
September 2004

HUMAN FACTORS INFORMATION FOR RISK ASSESSMENT
ERROR TYPES
SLIP OR LAPSE
MISTAKE
UNINTENTIONAL
DESCRIPTION
VIOLATION
INTENTIONAL
Slip: Error of commission: The action

is executed in an inappropriate way.
Knowledge based: A problem-solving

or analytical error
Routine: frequent deliberate violation,

no damage intended
Lapse: Error of omission: Failure to

perform the required action.
Rule based: Misapplication of a rule or

procedure
Exceptional: infrequent deliberate

violation, no damage intended
Sabotage: deliberate violation, damage
intended
OCCURANCE
COMMON
CAUSES
Highly practiced task (done many

times before)
Novel or non-routine task (requires

thinking about)
Routine: usually frequently performed

tasks
Automatic, unconscious thoughtprocesses
Analytic, conscious thought-processes
Exceptional: infrequent, routine or

non-routine tasks
ATTENTION LIMITATIONS: preoccupation with something else,

inattention, interruption
COGNITIVE BIASES: human thinking

is biased towards only paying attention
to information that is prominent, easy to
collect, agrees with what we believe,
etc.
OPERATIONAL PRESSURES: rushing,

taking short-cuts to get job done faster
INFORMATION OVERLOAD: having

to process too much information
FATIGUE OR HIGH WORKLOAD:

poor shift scheduling, poor planning,
physical exhaustion, boring task
requiring prolonged attention
SITUATION CHANGES: but failure

to alter behaviour to suit
ORGANISATIONAL STRUCTURE
ISSUES: poor communication,
information flow
FATIGUE OR HIGH WORKLOAD:
poor shift scheduling, poor planning,
physical exhaustion, boring task
requiring prolonged attention
EQUIPMENT: poorly designed,
poorly maintained
DIFFICULTY GETTING THE RIGHT

INFORMATION: information
unavailable or difficult to obtain
POOR DECISION MAKING: using
wrong information, failure to get
enough information, lack of time
ORGANISATIONAL CULTURE: low

procedural adherence, poor supervision,
short-cuts, risk taking attitudes
EQUIPMENT: poorly designed, poorly

maintained
ENVIRONMENTAL FACTORS:
noise, weather conditions, degree of
comfort, time of day
OPERATIONAL PRESSURES:
rushing, taking short-cuts to get job
done faster
POOR VISUAL CUES: misleading or
poor signage
MOST SUITABLE
CONTROLS
Design to minimise distraction and

assist with holding attention on task
at hand
Prompts: to alert operator to alter
behaviour if situation changes
Restructure communication and
information flow
Design of equipment/ machinery to

assist decision making
Design: to reduce likelihood of

intentional short-cuts
Procedures and documentation
Culture review: to detect poor culture

and attitudes and devise solutions
Training
Experience level
Review shift structures and task

structure
Review procedures and
documentation
Review shift structures and task

structure
Minimise environmental
distractions
DETECTION
ABILITY
Difficult to detect because not

expecting to make an error - as these
are usually highly practiced tasks.
More likely to recognise slips than
lapses
5.1.7
Difficult for person to detect these

errors as they are not highly-practiced
tasks and may not recognise that they
have made an error
Violations are conscious, so person is

aware of deviation, although routine
violations may become so entrenched as
the way things are done around here
that they might not be detected
Organisational error
This view of accident causation takes into account the organisation as a whole and the effect of
the organisation on the technology and people that operate within it.
125
September 2004
Organisations are made up of people, processes, and technology. These three components
interact to produce the outputs of what is called the socio-technical system. The organisational
perspective considers this interaction of people with people, people with processes, and people
with the technology. It sees these factors as integrated components of the one entity. As such
human error by management and operational staff is a product of the interaction of the different
parts of the system and needs to be addressed within that context. An understanding of this
approach is essential to developing an understanding of how serious incidents and accidents
develop in organisations and therefore, how they might be prevented.
Accidents in complex socio-technical systems (like offshore operations) have multiple and varied
causes. Even though these organisations tend to be well defended - using the best on offer in the
form of engineering and other organisational defences they can experience accidents with often
catastrophic outcomes. The figure below illustrates how these accidents are generated (HOLD
insert reference to James Reason).
Organisation
Workplace
Management
decisions
&
organisational
processes
Error- and
violationproducing
conditions
Person/team
Defences
Outcome
Errors
(slips, lapses,
mistakes)
Incidents /
INCIDENT /
Accidents
ACCIDENT
&
Violations
latent
failure
pathway
active
failure
pathway
These accidents have their origins, not at the workplace level and the unsafe acts of operational
staff, but at the organisational level: eg. Strategic decision making, processes to do with
forecasting, budgeting , allocation of resources, planning, scheduling, communicating, managing,
auditing, and organisational culture etc. These factors are often called General Failure Types
(GFTs) and latent failures as they sit dormant within the organisation for long periods of time
before combining with other chance events to lead to an accident. The outcomes of decisions at
the organisational level are then communicated to individual workplaces - eg. control rooms,
maintenance facilities and so on. Here they reveal themselves as factors that promote unsafe
acts. - eg. time pressure, inadequate tools, poor human-computer/machine interfaces, insufficient
training, inadequate supervision and so on. Organisations working with safety critical technology
must take this complexity into account and work to mitigate the potential for this kind of error.
126
September 2004

5.1.8
Strengths and Weaknesses of QRA
Any quantified risk assessment should be conducted with the knowledge that QRA is not an exact
analytical tool. Despite advances in the quality of analytical techniques and input data in recent
years it remains, principally, a tool for making comparisons between options.
The results from QRA are highly dependent on the quality of the input data, and the integrity of
the modelling of the event sequences. Hence, reliance on the use of QRA in absolute terms
should generally be avoided, but QRA can be used with more confidence when comparing the risk
reduction benefits of two or more alternatives.
Whilst QRA does aid the assessment of risk and the evaluation of control measures, it should not
be used in isolation. Rather, it should be used in conjunction with engineering analysis of specific
failure mechanisms, qualitative assessments of risk, consideration of potential for human and
organisational error in the system.
5.1.9
Common Weaknesses
Common weaknesses in a FSA are as set out below.

Hazard Identification Stage
Not considering human error as a potential cause of hazardous events
Failing to consider the hazardous events that may arise during maintenance
Analysis Stage
Underestimating the risk by assuming that all risk control measures function perfectly
Assuming that events that have never occurred, cannot occur
Assessment Stage
Assuming that ALARP is achieved merely by demonstrating that risk is below the
intolerable level
Overall
The FSA comprises separate studies with weak linkages between them
The FSA does not address all of the expected activities at the facility
127
September 2004
5.2 Preparation and Assessment Principles for the Formal Safety

Assessment
Principle FSA - 01: The scope of work for identification of hazards and
assessment of risks must be consistent with the operating envelope for all
activities and facilities as described in the Facility Description.
Reason
a) Regulation 9 (3) (a) requires identification of all hazards having the potential to cause a
major accident event.
b) Regulation 21 (2) (a) requires identification of fire and explosion hazards.
a) The hazard identification process clearly and explicitly encompasses the range of activities
and physical extent of the Safety Case described in the Facility Description.
b) The process used for hazard identification has considered the various operating phases or
activities explicitly.
c) Identified hazards include items other than normal operation (such as maintenance, marine
operations, construction etc).
d) Assumptions regarding the number of people on the facility include people other than the
normal operating crew (such as construction, painting, diving etc).
e) Personnel relevant to the various operations, activities and operating phases have been used
during the hazard identification process.
128
September 2004
Principle FSA - 02: The Formal Safety Assessment must address risk to
people on or near the facility due to MAEs.
Reason
major accident event. The risk assessment activities all flow from this hazard identification
step.
b) The focus in the Formal Safety Assessment (unlike the Safety Case as a whole) is on
identification, assessment and management of large events. (MAEs are defined as events
with the potential to cause multiple fatalities.)
a) The process used for hazard identification describes the criteria used to screen identified
hazards in and out of MAE listing.
b) The record of the hazard identification processes includes a listing of items screened out.
c) The safety assessment process maps the impact of MAEs to affected personnel.
129
September 2004
Principle FSA - 03: Appropriate and competent people must have

participated in development of the FSA.
Reason
a) Many of the processes required by the regulations (eg 9 (3)) such as hazard identification and
risk assessment involve professional judgement of various kinds. These judgements are
made sometimes individually and sometimes by a group. If people with appropriate
experience are not involved, the validity of the outcome of the FSA process can be called into
question.
b) Regulation 15 requires persons involved with the facility to be involved to a level such that
they can arrive at an informed opinion about the risks and hazards to which they are
exposed.
Representatives). The specific consultation requirements for this Principle should be done
within this wider framework. See specifically P(SL)A clauses 12, 13, 15, 19(1), 20, 24 and 25.
a) Field based workforce have been involved in FSA processes for identification of hazards,
assessing the effectiveness of existing control measures and identification and selection of
potential new control measures.
b) FSA workshops and other processes have included contractor representatives where
contractors play a role in preventing or mitigating risks.
c) General staff such as field based employees and design engineers have been trained in the
principles of the safety case philosophy and risk based design and on their responsibilities
and accountabilities in the process ie attendance at HAZIDS, ALARP workshops, HAZOPS etc.
d) Where specialist expertise external to the Operator has been used, operating company
internal documentation demonstrates a clear understanding of the methods used and results
obtained. This applies to both risk assessment consultants who may have assisted in the
overall process, and technical specialists who may have assessed particular hazards.
130
September 2004
Principle FSA - 04: Assumptions made in the Formal Safety Assessment

must:
Be documented
Be reasonable
Be justified
Have been reviewed by appropriate personnel
Be referenced as to their source
detail any limits of applicability eg geographic limitations and
be tracked to identify any change.
Reason
a) Regulation 9 (3) (b) requires that the Formal Safety Assessment is detailed and systematic.
Whilst it is necessary to make many assumptions (with regards to both conditions on the
facility and modelling of specific MAEs) in conducting a Formal Safety Assessment, the
process must include a system to ensure that the assumptions are and remain valid.
b) Regulation 9 (4) requires that the Safety Management System makes provision for continual
and systematic identification and assessment of hazards. Again, such a process is not
effective unless assumptions are reasonable and changes controlled effectively.
a) The Safety Case documentation includes a paper or electronic list of assumptions.
Alternatively assumptions are detailed where they appear in management system
documentation.
b) Assumptions are recorded for modelling data (eg hole sizes chosen in a QRA) and input data
(eg proportion of time that the test system is on line),
c) Input assumptions are referenced back to the Facility Description.
d) The logic behind the assumptions is provided along with the sources, suitability and reliability
of the information used to support the assumption and the limits of validity of the
assumptions.
e) The assumptions list or discussion has been signed off by relevant and competent people eg
Operations personnel for operating assumptions.
f)
The sensitivity of the risk assessment results to the assumptions made has been tested.
g) Modelling assumptions have been justified by review against the range of industry methods
available.
131
September 2004

h) A system exists to ensure that changes to facility operation / design are reviewed and any
changes in assumptions identified before the event (eg maximum number of people on
board, changes to operating conditions).
i)
A system exists to ensure that changes to industry practices and experience are reviewed and
any necessary changes in assumptions identified (eg new research on effects of water on
smoke suppression, assumed frequency of blowouts during wireline).
j)
The Safety Case includes discussion about variations in available data such as the range of
leak frequency information from various sources and a justification for the chosen data.
k) QRA calculations take into account the reliability and availability of physical control measures
such as blowdown, emergency shutdown systems, fire water systems etc.
132
September 2004
Principle FSA - 05: Appropriate quality assurance procedures should have

been adopted in development of the FSA.
Reason
a) Many of the processes required by the regulations such as hazard identification and risk
assessment involve assimilation of large amounts of information from various parts of an
operating organisation. This information is then processed to produce a potentially large
number of actions and findings. If quality assurance principles of control of information,
repeatability, and tracking of outputs are not followed, the validity of the outcome of the FSA
process can be called into question. This would be inconsistent with regulation 9 (3).
a) A system is in place to assure the accuracy of input data such as facility details, operating
conditions and process drawings.
b) Paper and electronic documents are managed under a document control system and
includes:
Revision numbering
Evidence of checking by relevant personnel
An approval process (sign off)
c) The quality assurance process covers all aspects of the safety case including assumptions,
calculations, reports etc.
d) A quality control plan has been prepared and an individual assigned to ensure its
implementation. This would detail the required activities to support the safety assessment,
the personnel and competence required to undertake the work and describe the approval
process.
e) Systems are in place for checking risk calculations done using either proprietary software
products or spreadsheet-based software. Checking may include detailed checking of the
accuracy of the calculations, checking input data and/or a check of the results using some
other method.
f)
If a commercial software package is used, a summary of the software developer's quality

assurance system is included in the FSA. For major industry recognised software this may
not be required.
g) A system exists for recording, tracking and closing out actions.

h) Field checks have been conducted to confirm data as well as simple documentation checks.
133
September 2004

i)
There is clear linkage between the hazard identification, the evaluation of the risks, the
assumptions, the control measures in place or proposed and the ALARP demonstration.
j)
The validation process includes verification that control measures are in place and working as
outlined in the Safety Assessment.
134
September 2004
Principle FSA - 06: For a new facility or modification to an existing facility,

the Formal Safety Assessment process should start at the concept
selection stage and run in parallel with the design process.
Reason
a) Regulation 9 (4) (e) require risks to be reduced to a level that is as low as reasonably
practicable. Since part of this process is typically a cost/benefit analysis and the cost of
changes at the concept stage of a project is much less than in the operational stage,
consideration of the risk profile should commence at the beginning of the project.
b) Regulation 16.(2) (d) requires the design to take into account the results of the Formal Safety
Assessment.
c) Regulation 21 (g) requires the design to take into account the results of the Fire Risk
Assessment.
a) The FSA shows how the risk profile has changed as the design has proceeded from concept
selection through concept design and detailed design.
b) The FSA shows how safety considerations were taken into account as part of the concept
selection.
c) The FSA shows how the design has been changed due to the output of the FSA process.
d) The Field Development Plan shows risk-based criteria used in selection of the preferred field
development concept.
e) The Safety Case describes what safety improvements/options were considered at each phase
and the basis for selection or rejection.
f)
Evidence of the consideration of the principles inherently safer design at the conceptual
design phase (eg. Reduction of inventories, process steps etc).
135
September 2004
Principle FSA - 07: The hazard identification process must be thorough

and the level of detail appropriate to the magnitude of the hazards
involved. The results must be systematically recorded.
Reason
major accident event. The only way to demonstrate that an attempt has been made to
identify ALL hazards is for the process used to be thorough and the results clearly recorded in
detail.
a) The hazard identification process used that is appropriate to the complexity of the
installation, the stage in the lifecycle and the nature of the hazards. It will be some
combination of:
hazard and operability study (HAZOP)
what if? analysis
checklist
failure mode and effects analysis
human factor analysis
b) A hazard register or similar document or system is available which describes:
identified hazards and their causes
major accident events
control/mitigation and recovery measures
estimated risk level
Opportunities for improvement
links to the safety management system.
c) The hazard register includes a range of hazards such as:
extreme climate events such as storms, tsunamis and earthquakes
hydrocarbon releases frequency/size/duration, explosions, smoke and fires, including

jet fires
external events for example. ship collision
136
September 2004
toxic release exposures
dropped objects
loss of structural integrity.
137
September 2004
Principle FSA - 08: The processes used for identification of hazards must
take into account the operating history of the facility, or similar facilities,
owned by the facility Operator or others.
Reason
a) Regulation 9 (3) requires identification of all hazards having the potential to cause a major
accident event.
Sources of information that should be considered about what can go wrong include the past
operating history of the facility in question or similar facilities in industry. Care should be
exercised in dismissing past incidents as not relevant due to changes made in the interim or
differences between facilities. Most MAE scenarios have a complex causal chain and it is
unlikely that the same specific chain of events will occur on another facility. On the other
hand it is possible that some of the same factors, and hence hazards, may be present on
another facility.
a) Any QRA work includes benchmarking of overall predicted leak or fire frequencies (or similar)
with actual facility operating data or that of equivalent facilities within the organisation
b) Records of hazard identification workshops include specific consideration of company
historical data including near misses on company facilities.
c) Records of hazard identification workshops include specific consideration of industry historical
data.
138
September 2004
foster creative thinking about possible hazards that have not previously
been experienced.
Reason
accident event.
Since major accident events are by their nature rare, not all possible hazards leading to an
MAE have been experienced. A key part of any FSA process is to foster thinking about what
might go wrong, not just about what has occurred in the past.
a) Hazard identification processes include brainstorming techniques such as What if studies.
b) Hazard identification techniques have included workshops involving multi-disciplinary teams.
c) The hazards considered in the FSA include:
hydrocarbon releases
fire and explosion
toxic release
dropped objects
extreme environmental conditions
well control
aviation incidents; and
marine incidents
loss of structural integrity
d) The hazard identification process includes consideration of simultaneous operations.
139
September 2004
include the potential for human and organisational error in addition to
equipment and system faults and failures.
Reason
accident event.
These relate to all causes including the human factor, both individually and in an
organisational setting.
a) Hazard identification processes such as checklists or Hazop studies include consideration of
slips, lapses and violations as sources of hazard.
b) Past incidents and/or near misses have been analysed to determine organisational causal
factors and these have been included in the Safety Case as potential causes of hazard.
c) A safety culture review has been conducted to assess any strengths, weaknesses or other
issues.
d) Human factors assessments are conducted to identify any potential hazards. Areas of
potential concern include:
Alarm overload
Inadequate human machine interface (eg. DCS)
Inadequate control room ergonomics (noise, distractions etc)
Inability to access critical equipment.
Poor constructed procedures or inadequate training.
140
September 2004
Principle FSA - 11: The FSA must include a detailed, systematic, reasonable
and transparent assessment of the frequency, consequence and risk of
each identified MAE.
Reason
a) Regulation 9 (3) (b) requires this.
b) Any demonstration that the overall risk is as low as reasonably practicable requires
consideration of the risk from each contributing hazard.
a) The FSA details the relationship between any separate studies by detailing linkages between
the studies to ensure the assessment is integrated and consistent.
b) The FSA includes a detailed example calculation showing all the stages of the assessment for
one or more specific cases.
c) Uncertainties in the input data and modelling is recognised and the sensitivity of the risk
assessment to this data is assessed and discussed.
d) For hydrocarbon/flammable events, where applicable, the following aspects of the event and
its consequences could be analysed:
release frequency / size / duration
directional nature of event
ignition probability (immediate and delayed)
flame effects - emissivity, surface extent, width and length, and the radiation
levels at various distances from the flame surface
smoke generation
blast effects
toxicity
congestion on the facility ( for example process area, - blast pressure generation)
nature of boundaries separating areas of the facility ( for example fire/blast walls,
& deck type grating or plate)
other employee impairment mechanisms
141
September 2004
population distribution to cover other operating conditions, simultaneous

operations and campaign maintenance.
The analysis shows the probable location of employees at the start of any
incident and justifies those locations.
e) Base event data (including hydrocarbon leak frequencies) are justified in the context of the
installation-specific circumstances. Variation from generic data occurs where facility specific
mechanisms and controls justify. Eg vulnerability of pipeline risers to boat impact, depending
on fender design and boat management practices.
f)
Consequence models, data and assumptions are described and justified for the range of
scenarios considered. Any limits to applicability are noted.
g) Appropriate consideration has been given to the range of fire and explosion types that could
exist.
h) Criteria used for the assessment of harm to people and damage to equipment and structures
due to fire and explosion are appropriate and correctly used.
142
September 2004
Principle FSA - 12: The FSA process should include identification of the
existing risk control measures relevant to each hazard.
Reason
a) Regulation 9 (3) (c) requires that the Formal Safety Assessment describes measures taken to
ensure that risk is as low as reasonably practicable.
b) Regulation 21 (2) (b)-(f) require that measures for detection, elimination and reduction of fire
and explosion hazards are specified.
a) The hazard register lists the control measures that are present to protect against each
hazard.
b) The hazard register may include reference to specific management system procedures,
including procedure numbers.
c) The hazard register may include electronic links to specific management system procedures.
d) Bow ties or similar are used to show the links between specific hazards and specific controls.
e) Control measures on the hazard register cover the full spectrum of the hierarchy of control.
143
September 2004
Principle FSA - 13: The assessment of risk from each scenario must take
into account the effectiveness and viability of each control measure during
such a scenario.
Reason
a) Required by regulation 18(2)(b) for equipment, machinery and instrumentation.
b) Required by regulation 22(2) for emergency communications.
c) Required by regulation 23 for a range of specific control systems
d) To accurately reflect the risk of a scenario requires consideration of how systems on the
facility may interact as a scenario develops. This includes consideration of both machinery
and human aspects.
a) Failure modes of critical controls are explicitly covered in the risk assessment. This includes:
Emergency shutdown systems
Blowdown system
F&G systems involved in executive action
Process trips
b) The risk assessment takes into account movement of smoke in the event of a fire and the
possible effect on the ability to use the evacuation facilities
c) Assumptions regarding the emergency shutdown system take into account the failure mode
of the system.
d) Assumptions regarding actions required by people in the event of an emergency include
consideration of human factors such as access, number of people with required skill, other
emergency actions required at the same or similar time and stress.
e) The hazard and risk assessment studies has considered the vulnerability and endurance
under major accident event conditions of the following:
temporary refuge boundaries and its impairment (whether outside or inside)
emergency shutdown systems
fire water deluge system, including the fire pump system
emergency communication systems
144
September 2004
f)
emergency power systems
escape, evacuation and rescue system
life saving equipment.
SIL study has been conducted.
g) Availability of control measures has been quantified.

h) The functionality of critical controls has been assessed and verified. For example:
Where a HIPPS system is installed will it operate within the timeframe required.
Is the gas detection system suitable and detectors located correctly.
i)
Common mode failures are identified and controls listed.
j)
Where human performance is part of a control that consideration is given to the performance
influencing factors (eg. Environment) that may impact their ability to conduct that activity.
145
September 2004
into account the potential for escalation of the scenario to key structures
and major inventory holders.
Reason
a) The general requirement to demonstrate that risks to personnel are as low as reasonably
practicable requires that all effects of an MAE should be considered.
a) The risk results for each MAE include the potential for fatalities due to immediate effects,
delayed effects, and evacuation.
b) The risk assessment process includes a systematic structured approach to escalation analysis.
c) The risk assessment contains discussion on how the event could impact on key systems or
facilities (eg. Structures, temporary refuge, escape, fire protection)
d) Risk assessment work includes a review of:
The integrity of key structures
The integrity of key inventory holders
Escape routes
Temporary refuge
e) The risk assessment takes into account the type and duration of the event, the design of key
facilities and the probability of escalation.
f)
Consideration is given to the potential actions of key personnel in responding to an incident.

This consideration considers the smoke and heat present along with consideration of the
stress to which the personnel are subjected.
g) The risk assessment could include details of emergency response scenario training and
exercises as evidence that personnel are prepared.
146
September 2004
into account the risk due to evacuation, escape and rescue including:
Impairment of escape routes;
Possible alternative escape routes;
Impairment of methods of escape;
Possible alternative escape methods/means;
Impairment of the temporary refuge;
Amenities such as emergency communication required in the

temporary refuge;
Hazards associated with control of the incident eg fire fighting;
Suitable means of rescue.
Reason
a) Regulation 20 (2) specifically requires consideration of risks due to evacuation, escape and
rescue.
b) Regulation 21 (2) requires that the analysis of fire and explosion risks includes consideration
of the performance of the evacuation, escape and rescue facilities.
c) The general requirement to demonstrate that risks to personnel are as low as reasonably
practicable requires that all effects of an MAE should be considered.
a) The risk results for each MAE include the potential for fatalities due to immediate effects,
delayed effects, and evacuation.
b) Risk assessment work includes a review of:
The integrity of the temporary refuge
availability of escape routes
integrity of safe evacuation and rescue systems
escalation potential.
c) An analysis of the functionality of the escape, evacuation and rescue routes, and facilities has
been completed. Various techniques may be used including simulation or a scenario-based
desk top review.
147
September 2004

d) For EER issues contingency planning has occurred and alternatives arrangements are
available and fit for purpose should the primary EER functionality be impaired by the incident.
This includes:
Alternative escape routes.
Options for rescue.
Back-up communications.
e) The risk assessment covers incapacitation of personnel in the chain of command in an

emergency.
148
September 2004
Principle FSA - 16: The FSA must include a systematic and transparent
assessment of the overall level of risk to personnel on the facility due to
the identified MAEs.
Reason
a) Demonstration that overall level of risk (as well as the risk from each MAE) is within
acceptable limits is part of the demonstration that risk to personnel has been reduced to a
level that is as low as reasonably practicable as required by Regulation 9 (4) (e).
a) Overall risk results are reported numerically using measures such as Potential Loss of Life
(PLL) and Individual Risk Per Annum (IRPA).
b) The FSA demonstrates a clear understanding of the major risk contributors including
whether the risk is dominated by a single (or few) scenarios or is more evenly
distributed across the various scenarios.
why each identified event is a major risk contributor for example:

i. high frequency of serious consequences
ii. occurs in the immediate area of the Temporary Refuge
iii. occurs during evacuation, escape and rescue.
c) The FSA demonstrates how the risk is distributed across the various working groups
including:
Which groups have the highest individual risk.
What are the factors that most influence the high risk groups.
The demonstration of ALARP for all working groups.
d) The analysis has included consideration of any common pathways between the major risk
contributors eg a weak point in the structure that may be vulnerable to a number of fire
cases.
e) The facility has the same hazards and comparable risks with other facilities of a similar type.
f)
Industry standards have been followed.
149
September 2004
Principle FSA - 17: The FSA must detail the risk acceptance criteria
chosen, the rationale for selection and how the criteria are to be used.
Reason
a) Regulation 9 (4) (e) requires risk to be reduced to a level that is as low as reasonably
practicable. As organisations will have various interpretations of this requirement based on
corporate preferences and facility types, the specific risk criteria chosen and how they are to
be applied must be set out in the Safety Case.
a) Risk acceptance criteria are defined in the FSA and the selection is justified in terms of:
Comparison with relevant industry and regulatory guidelines.
The type of facility
Whether the facility is new or existing.
b) Tools, such as a risk matrix, that are used to determine risk acceptance and whether action is
required are clearly anchored to relevant risk criteria. Such assessments are based on a
quantitative judgment of frequency and consequence.
c) Risk criteria may support the concept that new facilities may achieve lower residual risk levels
than existing facilities. Existing facilities can be constrained by the higher costs of retrofitting
equipment, or upgrading, compared to making a design change to a new facility.
d) The basis for accepting, selecting and rejecting control measures on the basis of risk is
described.
e) Examples exist where the criteria have been used to determine the need for additional, or
more robust, measures in order to demonstrate ALARP.
f)
The criteria are set that lead to a positive trend in reducing levels of residual risk in both
existing and new facilities. New facilities can take advantage of technological advances in
equipment and facilities and enhanced knowledge and understanding of key risk drivers.
g) The risk criteria take into account societal risk aversion for credible events with very high
consequences. The risk criteria are used sensibly with a clear level of understanding of the
uncertainty of the risk results. Consequently, risk criteria can only assist judgements, and the
decision-makers should bear in mind the uncertainties involved. Risk criteria should therefore
be used as guidelines for decision-making, and not as inflexible rules.
h) Layers of protection/SIL study type studies have their risk criteria justified in relation to the
overall risk criteria.
150
September 2004
151
September 2004
Principle FSA - 18: The FSA should detail the range of additional risk
control measures considered and the reasons for implementation or
rejection of each.
Reason
a) this is a general requirement for demonstration that risk is as low as reasonably practicable
as required by regulation 9 (4) (e).
a) The operator should show that the risk to employees is as low as reasonably practicable by
describing risk reduction measures and showing that the cost associated with adopting
further control measures is disproportionate to the accrued benefits. The assessment of the
benefit of each risk reduction may take into account:
risk from the implementation of the measure
the risk in installing and maintaining the measure (particularly relevant for sub-sea
measures)
the reduction in other forms of risk, such as environmental, asset, business

interruption and reputation that follow as a consequence of the risk reduction
measure.
The practicability of the control measure
b) Consideration of risk reduction measures takes into consideration and is consistent with the
FSA risk criteria.
c) Consideration of control measures takes into account the hierarchy of controls:
Where options are considered the following hierarchy of controls exist

i. Elimination,
ii. Prevention
iii. Mitigation, and
iv. Emergency response.
Similar for systems that reduce risk the typical hierarchy in decreasing order of
preference are:
i. Passive systems
ii. Active systems
152
September 2004

iii. Operational systems
iv. External systems
d) Consideration of alternatives considers the effectiveness and viability of the control over the
expected life of the facility.
153
September 2004
Validation
6.1 Introduction
6.1.1
Purpose
Validation is a form of independent certification of agreed parts of the facility, and of agreed
items of equipment on the facility. It is a means of providing NOPSA with an increased level of
assurance that the agreed parts of the operators facility and its equipment fulfil their safety
functions.
This increased assurance is provided by the person(s) conducting the validation having suitable
qualifications and experience in the relevant matters, and sufficient independence from the
project. Evidence is provided in the form of a written statement or certificate. The validation
certificate establishes, in the opinion of the validator(s), the soundness and efficacy of the
matters specified.
In the case of a proposed facility the regulations require two broad matters to be validated:
That the design, construction and installation of the facility (including instrumentation,
process layout and process control systems) incorporates measures that will protect the
health and safety of persons at the facility; and
That the design, construction and installation of the facility (including instrumentation,
process layout and process control systems) is consistent with the Formal Safety
Assessment.
In the case of an existing facility (i.e. where there is a proposal to make a modification), there is
only one broad matter to be validated that the facility will continue to include measures that
protect the health and safety of persons at the facility.
6.1.2
Establishing the Scope of Validation
Validation has been part of the Australian offshore petroleum safety regime since commencement
of development activities in Australian waters.
At that time, the petroleum and safety regulatory authorities established the system of third-party
validation specifically to address those aspects of facility design and construction in which they
considered themselves to have insufficient experience to make the necessary judgements.
On that basis, a typical scope of validation was established to be as follows:
The primary structure
Fire and gas detection systems
154
September 2004
Emergency shut down systems
Fire protection systems (both active and passive)
Hazardous area classification
Suitability of electrical equipment for hazardous areas
However, in this context, the following should be noted:
The above scope of validation was developed at a time when State and Northern
Territory OHS agencies provided validation of plant such as pressure vessels, boilers
and cranes. This is no longer the case. Therefore, high hazard plant of this type may
now need to be included in the scope of validation.
The standard scope of validation may be inadequate for mobile facilities such as mobile
offshore drilling units, and for floating production storage and offloading facilities.
NOPSA may require the scope of validation to include the hull, buoyancy and ballasting
systems of mobile and floating facilities, being the equivalent of the primary structure
for a fixed facility.
The standard scope of validation does not address drilling and well intervention systems
only the safety systems that are listed above, so far as they relate to drilling or well
intervention. Where novel drilling / well intervention systems are proposed, or where the
proposed well activities appear to be of particularly high potential risk to health and
safety, NOPSA may require validation of parts of these systems.
NOPSAs currently preferred scope of validation is set out in the following document:
HOLD: Link to be inserted here.
It may be seen that the NOPSA preferred scope of validation remains largely based on the
established practice, taking account of the factors noted in relation to plant, mobile facilities and
drilling / well intervention.
6.1.3
Selection and Approval of the Validator
The regulations require that the persons(s) conducting the validation should have a sufficient
level of competence in the relevant matters, and also a sufficient level of independence from the
project (or aspects of the project) that they are validating.
The necessary level of competence and independence is a matter to be agreed between NOPSA
and the facility operator. The agreement would need to be reached for each new facility,
although for change projects NOPSA and the operator may reach a more general agreement. For
clarity, any such agreement should be documented in the Safety Case.
It is often the case that the person(s) conducting the validation are contracted from a separate
company, typically one that specialises in design verification, vessel classification and/or quality
155
September 2004

auditing. However, other arrangements may be acceptable to NOPSA, depending on the project
management structure and project ownership.
6.1.4
The Validation Process
The regulations require the validator to have suitable free access to the necessary information.
Otherwise, they specify no particular requirements regarding how validation should be conducted,
but the following factors will be of interest to NOPSA when confirming first that the scope of
validation is suitable, and later whether the necessary level of assurance has been provided:
The work-effort for the validation tasks
The location of the person(s) conducting the validation, relative to the design, safety
assessment, procurement and construction activities
The manner in which the person(s) conducting the validation are integrated into, or
otherwise interface with, the project team
6.1.5
Vessel Classification as Validation
A mobile facility may be certified against class rules. It is NOPSAs expectation that this will
provide a suitable scope of validation for the vessel, and a suitable level of competence and
independence. However, it would still be necessary to agree the scope in advance with NOPSA,
and to provide suitable examples of evidence for the purpose of Safety Case assessment.
156
September 2004
6.2 Assessment Principles for Validation

Principle VAL - 01: The scope of validation must be appropriate.
Reason
a) There is a legal requirement to validate to a previously agreed scope (reg ???)
b) The validation should provide confirmation of adequate design and construction for those
aspects of the facility that most influence risk, or where there is greatest uncertainty.
a) In all cases there is a written prior agreement of the scope with the Safety Authority
b) The normal scope of validation has been specified
primary structure,
fire/gas detection,
emergency shutdown,
active and passive fire and blast protection,
hazardous area classification and associated electrical equipment
c) The scope addresses high-risk aspects of the facility, as determined by risk assessment, and
as set out in the Safety Case
d) The scope has been defined so as to address novel aspects of the facility, where there is
uncertainty about the risk
e) There is an agreement with NOPSA as to the general matters to be validated during change
projects
f)
Any such agreement is set out in the Safety Case.
g) In all cases, the certificate of validation should confirm that the scope of validation complies
with the prior agreement with NOPSA.
157
September 2004
Principle VAL-02: The persons who conducted the validation must be

technically competent
Reason
a) Requirement of regulation 28L(3)
b) Technical competence is necessary to conduct appropriate validation.
a) Evidence of suitable formal qualifications, including membership of appropriate professional
organisations, relative to the scope of validation
b) Evidence of training and accreditation as an independent auditor
c) Documented experience in relevant industries, for an appropriate time
d) Employed at a suitably senior level in a quality-assured organisation
158
September 2004
Principle VAL-03: The persons who conducted the validation must be given
access to the necessary information
Reason
b) Access to data is necessary to conduct appropriate validation.
a) The validators worked within the offices of the design/construction contractor
b) The validators were provided with controlled copies of documents
c) The validators were on the circulation list for squad checks etc
d) The validators were involved as part of the change management process for the project
159
September 2004
Principle VAL-04: The persons who conducted the validation must be

sufficiently independent
Reason
b) Independence is necessary to conduct appropriate validation.
a) The validators are employed in a separate organisation to the title-holder, operating company
and design/construction contractor
b) Although employed within the title-holder, operating company or design/construction
contractor, the validators are employed within a separate group and appropriate
management systems exist to ensure independence (e.g. quality accredited)
c) Written statement from validator confirming independence
160
September 2004
Principle VAL-05: The validation must indicate that the facility (or
modification) is fit for the purpose of protecting health and safety
Reason
b) The purpose of validation is to provide increased confidence that the facility is safe.
a) The certificate of validation confirms that suitable standards were adopted
b) The certificate of validation confirms that the standards were adhered to
c) The certificate of validation confirms that appropriate risk assessments have been conducted,
and the findings acted upon
161
September 2004
Principle VAL-05: The validation must be consistent with the formal safety
assessment
Reason
a) HOLD
b)
a) HOLD
b)
c)
d)
162
September 2004

SAFETY AUTHORITY

Part 3 : Definitions, Abbreviations and References
SEPTEMBER 2004
163
Rev C, August 2004
Definitions
The following glossary of definitions covers specialist terms related to safety cases and safety
management system, and terms that are unique to the Australian petroleum industry. It does not
attempt to define standard industry terms.
Some terms and definitions used in this document may vary from those adopted by individual
operators or in other standards. When an operator uses different terms in a safety case, the
safety case should clearly define those terms.
Definitions marked * are taken from the Petroleum (Submerged Lands) (Management of Safety
on Offshore Facilities) Regulations 1996.
Adjacent Area
The area of water adjacent to a State or to the Northern

Territory, from the baseline to the 200 Nm limit. This area
includes waters administered under the PSLA 1967 of the
Commonwealth and waters administered under the PSLA
1982 of the State or Northern Territory. The area is
sometimes referred to as PSLA waters.
Audit
A formal process of checking implementation of, and

compliance with, a set of policies, objectives and
procedures. In the current context, this means a process
of checking implementation of, and compliance with, the
safety management system and the safety case.
As low as reasonably practicable
A level of risk that cannot be reduced further without the

expenditure of costs that are disproportionate to the
benefit gained. The level of risk must also meet any
specified limit of tolerability.
Control measures
Measures taken to control eliminate or otherwise reduce

the risk to health and safety. Control measures may be
engineered systems and features, including facility layout,
or they may be procedural or administrative in nature.
Critical control measures
Those control measures that relate to potential major
accident events, and/or that have a strong influence on the

164
September 2004

overall level of risk, and therefore need to be highly
effective and reliable.
Designated Authority
The relevant Minister of a State or of the Northern

Territory, who is empowered to take specified actions
under the PSLA 1967 on behalf of the Commonwealth.
Emergency
An urgent situation that presents, or may present, a risk of

death or serious injury to persons at the facility.*
Escape
Movement of persons from a place on the facility where

there is an immediate threat to health and safety, to a
place on the facility, such as a temporary refuge, where
there is relative safety.
Evacuation
Movement of persons from the facility in an emergency, or

as a precaution when there is an immediate threat of an
emergency. Evacuation might be by helicopter, lifeboat or
life-raft, or direct to the sea.
A formal investigation of the nature, likelihood and

consequences of potential major accident events, and the
means to prevent them occurring or to reduce their
likelihood or consequences, so as to identify those
measures that will reduce the risk of major accident events
to as low as reasonably practicable.
Hazard
Generally, a situation which has the potential to result in

some kind of harm. In the context of a safety case, a
hazard is something that has the potential to cause death,

injury or illness.
Hazard identification
The process of determining what hazards exist on the

facility.
Hazard register
A document or data-base that lists the identified hazards,

and that may also include details of their likelihood of
occurrence, their potential consequences, and the relevant
control measures.
165
September 2004
Individual risk
The frequency at which an individual may be expected to

sustain a given level of harm from the realisation of
specific events (usually expressed per annum - IRPA).
Major accident event
An event connected with a facility, including a natural

event, having the potential to cause multiple fatalities of
persons at or near the facility.*
Examples of a major accident event may include:
a fire or explosion at the facility, or an unignited

release of flammable or explosive substances;
a release of toxic substances at the facility;
major damage to the structure of the facility, or loss

of stability of the structure;
any event which significantly impairs options for

escape to the temporary refuge, the integrity of the
refuge itself, or escape from the refuge to a place of
safety;
Monitoring
collision of a helicopter or vessel with the facility;
failure of a life support system for diving operations.
A process of checking performance, as measured by audit

and by incident statistics, against defined objectives and
targets. The results of monitoring are used to guide the
review process.
Performance Standard
A standard, established by the operator, of the

performance required of a system, item of equipment,
person or procedure which is used as a basis for managing
the risk of a major accident event.*
Place of safety
A place where a person's well-being can be assured.

For an offshore facility, a lifeboat or a helicopter would not
be considered a place of safety. A supply boat or nearby
platform could be considered a place of safety, depending
on the persons condition. The safety case should specify
the place of safety for all foreseeable circumstances.
166
September 2004
Potential Loss of Life
The estimated number of fatalities per year on a site,

evaluated by taking account of the number of persons
exposed to the risk and the magnitude of the Individual
Risk.
Rescue
Movement of people from a place to which they have

evacuated such as a lifeboat, a life-raft, or the sea to a
place of safety.
Review
A process of evaluating the overall effectiveness of the
safety management system and the safety case, in order

to identify what improvements should be made.
Risk
The likelihood of a specified level of harm occurring within

a specific period or in specified circumstances.
In the current context the risk is normally a fatality risk,
and is typically expressed in annual terms, either as an
Individual Risk, or as a Potential Loss of Life.

Safety case
A document prepared under Division 1 of Part 3 of the
Petroleum (Submerged lands) (Management of Safety on

Offshore Installations) Regulations 1996, that describes the
facility, its hazards and risks, and the control measures for
managing those hazards and risks, which is intended to
demonstrate the adequacy of those measures.
A system for managing occupational health and safety at

the facility.*
The safety management system for a facility must address
the matters set out in Division 1 of Part 3 of the Petroleum
(Submerged Lands) (Management of Safety) Regulations

1996.
Temporary refuge
An area on the facility to which employees can escape and

where they can muster in an emergency without undue
167
September 2004

risk of serious harm, and from which, if necessary, safe
evacuation can be effected.
The temporary refuge is sometimes referred to as a safe
haven.
Validation
A process of obtaining independent evidence, such as test

reports, certificates, etc, that certifies that equipment
and/or systems are fit for their purpose.
In this context, the equipment and systems are to be
validated as being fit for the purpose of protecting health
and safety.
168
September 2004
Abbreviations
ALARP
as low as reasonably practicable
AS
Australian Standard
FD
facility description
FPSO
floating production, storage and off-loading facility
FSA
formal safety assessment
FSO
floating storage and off-loading facility
HAZIDS
hazard identification session
HAZOP
hazard and operability study
IRPA
individual risk per annum
ISM Code
international safety management code
MAE
major accident event
MODU
mobile offshore drilling unit
NORM
naturally occurring radioactive material
OHS
occupational health and safety
PLL
potential loss of life
PPE
personal protective equipment
PSLA 1967
Commonwealth Petroleum (Submerged Lands) Act 1967
PSLA 1982
State or NT Petroleum (Submerged Lands) Act 1982
PSV
pressure safety valve
QRA
quantitative risk assessment
SMS
safety management system
SSIV
sub-sea isolation valve
169
September 2004
References
The following sources of reference are provided, which persons developing or assessing offshore
Safety Cases may find useful. However, it should be noted that reference material is constantly
changing, that the sources of references listed here are not exhaustive, and that all the
information is subject to change.
If any of these links is broken, please inform NOPSA by e-mailing HOLD. Suggestions for
additional links may be sent to the same address.
Commonwealth Government Authorities
www.nopsa.gov.au
Department of Industry, Tourism and Resources
www.ditr.gov.au
Australian Maritime Safety Authority
www.amsa.gov.au
National Occupational Health and Safety Commission
www.nohsc.gov.au
National Industrial Chemical Notification Scheme
www.nicnas.gov.au
State and Northern Territory Designated Authorities

New South Wales
www.minerals.nsw.gov.au
Northern Territory
www.dme.nt.gov.au
Queensland
www.nrm.qld.gov.au
South Australia
www.pir.sa.gov.au
Tasmania
www.mrt.tas.gov.au
Victoria
www.dpi.vic.gov.au
Western Australia
www.doir.wa.gov.au
Industry Associations
American Petroleum Institute
www.api.org
Australian Petroleum Production and Exploration Assn
www.appea.com.au
Australian Institute of Petroleum
www.aip.com.au
Fire Protection Association of Australia
www.fpaa.com.au
International Association of Drilling Contractors
www.iadc.org
International Marine Contractors Association
www.imca-int.com
International Maritime Organisation
www.imo.org
Oil and Gas Producers Association
www.ogp.org.uk
United Kingdom Offshore Operators Association
www.ukooa.co.uk
UK Energy Institute (including Institute of Petroleum)
www.petroleum.co.uk
US National Fire Protection Association
www.nfpa.org
170
September 2004

US Society of Fire Protection Engineers
www.sfpe.org
Standards Associations
American Petroleum Institute
www.api.org
American Society of Mechanical Engineers
www.asme.org
Australian Standards
www.standards.com.au
British Standards Organisation
www.bsi-global.com
International Electrotechnical Commission
www.iec.ch
International Standards Organisation
www.iso.org
Norwegian (Petroleum) Standards
www.standard.no/imaker.exe?id=244
OGP (International) Standards
http://info.ogp.org.uk/standards/
International Regulators
Petroleum Safety Authority Norway
www.ptil.no/English/Frontpage.htm
United Kingdom Health and Safety Executive
www.hse.gov.uk
United States Minerals Management Service
www.mms.gov
Universities and Research Organisations

Australian National University (OHS Research)
http://ohs.anu.edu.au
Fire and Blast Information Group
www.fabig.com
Herriot Watt University (Petroleum Institute)
www.pet.hw.ac.uk
UK HSE Offshore Research
www.hse.gov.uk/offshore/index.htm
University of Aberdeen (Oil and Gas Centre)
www.abdn.ac.uk/oilgas
University of WA (School of Oil and Gas)
www.oil-gas.uwa.edu.au
Legislation
Commonwealth Law
http://scaleplus.law.gov.au
New South Wales Law
www.legislation.nsw.gov.au
NT Law
www.nt.gov.au/...legislation.shtml
Queensland Law
www.legislation.qld.gov.au/...htm
South Australia Law
www.parliament.sa.gov.au/leg...shtm
Tasmania Law
www.thelaw.tas.gov.au
Victoria Law
www.dms.dpc.vic.gov.au
Western Australia Law
www.slp.wa.gov.au/statutes/swans.nsf
Other
UK Step Change in Safety
http://step.steel-sci.org
171
September 2004

SAFETY AUTHORITY

4 Part 4 : Frequently Asked Questions
SEPTEMBER 2004
172
September 2004
FAQ 1.5.1 Does Maritime OHS Law Also Apply?

In the same way that State and Northern Territory laws wholly or substantially related to OHS are
disapplied with respect to offshore petroleum activities, so are the OHS provisions of maritime
law:
The Commonwealth Navigation Act 1912 and the Commonwealth Occupational Health
and Safety (Maritime Industry) Act 1993 are both disapplied in respect of offshore
petroleum facilities by Section 11A of the PSLA, whilst the facilities are engaged in
petroleum activities, whether or not the facilities are capable of independent navigation.
The equivalent maritime law of each State and the Northern Territory is also disapplied
by the PSLA of each State and of the Northern Territory, in the same way, and with the
same exclusion.
Notwithstanding the above, the relevant maritime law applies to the transfer of goods
between a facility and a vessel (assuming that the vessel is ordinarily governed by that
maritime law).
Certain types of vessels that service petroleum facilities, such as supply vessels and off-take
tankers, are specifically excluded from the definitions of facility and associated offshore place
in Schedule 7 of the PSLA see section 3.10.1 of Part 1 of these Guidelines. All vessels that are
excluded from the definition of facility in this way are governed by relevant maritime law,
including its OHS aspects, and not by Schedule 7 of the PSLA, or by the requirements of any of
the safety related regulations under the PSLA.
Mobile facilities, when under way, would fall under the relevant maritime law, but would transfer
to the PSLA law (subject to the above exclusions) when they reach the petroleum area and start
to prepare for petroleum activities.
It is important to recognise that the relevant maritime law may be the Commonwealth
Navigation Act or the equivalent law of a State or NT. However, if a vessel is foreign flagged, has
below a certain proportion of Australian crew, and meets certain other criteria it does not fall
under Australian maritime law.
It should be noted that seismic survey vessels, although they fall under Petroleum (Submerged
Lands) legislation generally when engaged in petroleum-related activities, are excluded from the
definition of facility and hence continue to fall under the OHS provisions of the relevant
maritime law.
173
September 2004

The Commonwealth Crimes (Ships and Fixed Platforms) Act 1992 also applies. This Act makes
each of the following a criminal offence:
Seizing control of a fixed platform;
Acts of violence;
Destroying or damaging a fixed platform;
Placing destructive devices on a fixed platform;
Causing death;
Causing grievous bodily harm;
Causing injury to a person; and
Threatening to endanger a fixed platform.
More details of the application of Petroleum Submerged Lands law and Maritime law, and the
interfaces between them, may be found in (HOLD provide link to more detailed explanation).
Back
174
September 2004
FAQ 1.5.2 What Other Commonwealth OHS Laws are Relevant?

Australian customs law has some relevance to health and safety at offshore petroleum facilities.
The Customs (Prohibited Imports) Regulations apply to offshore facilities that are moved into
Australian waters, and to goods that are transported from overseas countries direct to Australias
offshore petroleum facilities, as these facilities and goods are treated as imports.
Some of the prohibitions under customs regulations are for reasons of health and safety examples of relevant prohibited imports are asbestos and PCBs (polychlorinated biphenyls).
However, as the list of materials prohibited under the Petroleum (Submerged Lands)
(Occupational Health and Safety) Regulations and the list of materials prohibited under the
customs regulations have the same origin, the application of the customs law makes little
practical difference.
The Industrial Chemicals (Notification and Assessment) Act 1989 also applies. This Act
establishes the National Industrial Chemicals Notification and Assessment Scheme (NICNAS),
which is the Australian Government regulatory authority for industrial chemicals, and provides a
national notification and assessment scheme to protect the health of the public, workers and the
environment from the harmful effect of industrial chemicals. NICNAS assesses all chemicals new
to Australia and assesses those chemicals already used on a priority basis, in response to
concerns about their safety. No new chemicals are allowed into Australia unless tested and
approved under this scheme this would cover any movement of chemicals into Australia on an
offshore petroleum facility, and any transport of chemicals direct from overseas to an offshore
facility. These provisions are additional to those of the customs laws.
The Commonwealth Australian Radiation Protection and Nuclear Safety Act 1998 has relevance to
occupational health and safety only insofar as it establishes the Australian Radiation Protection
and Nuclear Safety Agency, which has a role in establishing radiation safety standards in
Australia. The Act establishes duties of care and other such requirements only in respect of
prescribed Commonwealth premises, Commonwealth employees, etc, and does not impose any
direct requirements on operators or other persons involved in offshore petroleum activities. It is
the radiation safety law of the adjacent State or NT that applies offshore.
Similar applies in areas such as food safety the relevant Commonwealth laws establish national
bodies, which in turn develop national standards or codes of practice. These standards or codes
of practice are not law in themselves, but are generally adopted into the law of each State and
Territory and will apply to offshore facilities unless specifically disapplied by listing in the
Petroleum (Submerged Lands) (Occupational Health and Safety) Regulations.

175
September 2004
The Commonwealth Occupational Health and Safety (Commonwealth Employment) Act 1991,
applies to NOPSA and its employees (who are Commonwealth employees). For example, NOPSA
has duties of care towards its employees under that Act. However, that Act does not impose any
duties or requirements on any other persons involved in offshore petroleum activities, such as
operators, and can therefore be disregarded for the purpose of these Guidelines.
FAQ 1.5.1 discusses the application of the Commonwealth Occupational Health and Safety
(Maritime Industry) Act 1993.

Back
176
September 2004
FAQ 1.5.3 What Workers Compensation Law Applies?

Nothing in the PSLA in any way affects the operation of the Workers Compensation laws of the
Commonwealth, any State or Territory.
Persons working on or in relation to offshore facilities are covered by the Workers Compensation
legislation of the Commonwealth, State or Territory in which they are employed:
Persons engaged offshore through contracts of employment in a State or Territory of

Australia are normally covered by the Workers Compensation legislation of that State or
Territory.
Persons employed by the Commonwealth who work at offshore petroleum facilities (i.e.
NOPSA inspectors) are covered by the Commonwealth Safety, Rehabilitation and
Compensation Act 1988.
Persons who are employed through contracts of employment entered into outside of Australia
are not covered by any of the Australian Workers Compensation laws. However, the
corresponding laws of their home countries may apply.
Currently, there are some inconsistencies in the coverage of Workers Compensation legislation of
Australian States and Territories where persons are working outside of the State or Territory
where they have been insured. There is a national policy that these inconsistencies should be
rectified, but this has not yet been achieved by all jurisdictions - Victorian law was modified on 1
July 2004, for example.
NOPSA has no role in the Workers Compensation schemes, and advice on this matter should be
sought from the relevant State or Territory WorkCover authorities.
Back
177
September 2004
FAQ 1.5.4 What Emergency Management Law Applies?

Regulations under the Petroleum (Submerged Lands) Acts require the operator to develop plans
for the management and control of emergencies:
The Petroleum (Submerged Lands) (Management of Safety on Offshore Facilities) Regulations
1996 require the operator to conduct an assessment of escape, evacuation and rescue,
provide adequate emergency equipment and systems as a result of this, prepare an
emergency response plan, and have an emergency command structure. All these things
must be described or specified in the Safety Case.
The Petroleum (Submerged Lands) (Management of Environment) Regulations 1999 require

the implementation strategy for the environment plan to provide for the maintenance of an
up-to-date emergency response manual (including an oil spill contingency plan) including
detailed response arrangements.
Other laws that relate to emergency management include:
The Emergency Management Act 1986 in Victoria; and
The Disasters Act in Northern Territory.
These laws establish a framework for the control of and response to disasters, and establish
certain government emergency management agencies or committees, assigning particular areas
of responsibility to each. However, they do not generally impose any particular requirements on
operators or other persons involved in offshore petroleum activities.
In WA there is no relevant emergency management law, but the response to offshore
emergencies is managed according to the Offshore Petroleum Operations (Exploration and
Production) Emergency Management Plan, also known as WESTPLAN Offshore Petroleum. In
practice the arrangements in WA are similar to those in Victoria and Northern Territory.
Generally, it is the operators responsibility to control the emergency at the site of the offshore
petroleum operations, whilst the marine, emergency and (if necessary) military services of the
State, Territory and Commonwealth will be involved in the provision of necessary personnel,
equipment and resources, under the law and plans of the relevant jurisdiction. NOPSAs role will
generally be limited to the provision of advice during the emergency, and the conduct of any
resulting investigation.
Back
178
September 2004
FAQ 1.5.5 What are the Laws that Provide for Funding of NOPSA?
NOPSA is funded by levies and fees paid by industry. Primary funding is by an annual levy on the
operators of facilities that have an accepted safety case, and this is supplemented by levies for
the investigation of incidents and for the assessment of pipeline safety management plans. The
relevant legal provisions are as follows:
Section 7 of the Offshore Petroleum (Safety Levies) Act 2003 provides for there to be levy for
facilities in Commonwealth waters that have a safety case in force, the amount of which is
specified in or worked out in accordance with the regulations. Section 8 states likewise, but
applies to facilities in State and NT waters. Section 150YS of the PSLA states that these
levies become due and payable at the time specified or worked out in accordance with the
regulations.
Section 5 of the Offshore Petroleum (Safety Levies) Act provides for an investigation levy if
there is an inspection into a notifiable accident or occurrence in Commonwealth waters and
the condition or conditions specified in the regulations are satisfied, the amount of which
worked out in accordance with the regulations. Section 6 states likewise, but applies to
investigations of incidents that occur in State and NT waters. Section 150YR of the PSLA
states that these levies become due and payable at a time specified or worked out in
accordance with the regulations.
Section 9 and 10 of the Offshore Petroleum (Safety Levies) Act provide for a levy on the
licensee of any pipeline for which there is a pipeline safety management plan in force, again
worked out in accordance with the regulations, whilst Section 150YT of the PSLA provides for
regulations that specify the time of payment.
The safety case levy is an annual levy, paid quarterly, and which comprises two parts. The main
part is a levy on the operator of each facility for which there is a safety case in force, the amount
of which is determined by the type of facility and the portion of the year for which there is a
safety case in force. The other part is a levy on each operator regardless of the number of
facility safety cases that are in force, the amount of which does not depend on the number of
type of facilities (in effect, this part of the levy can be related to the companys management
system, which applies at all of its facilities).
The pipeline safety management plan levy applies only when NOPSA assesses and accepts a
pipeline safety management plan (including any major revision to such a plan), and the amount
depends on the type of pipeline.
179
September 2004

The safety investigation levy is triggered once costs for an inspection into a notifiable accident or
occurrence exceed a defined level (currently $30000), and is the amount by which the costs
exceed that threshold.
The corresponding regulations are all made in the Offshore Petroleum (Safety Levies) Regulations
2004. The Regulations allow NOPSA to reduce the levies when appropriate.
In addition, Section 150YQ of the PSLA allows for regulations to provide for payment to NOPSA,
by any person, of fees for service. Again, the corresponding regulations are made in the Offshore
Petroleum (Safety Levies) Regulations 2004. The amounts and payment schedule are a matter
for agreement between NOPSA and the person requesting the service.
Back
180
September 2004
FAQ 1.5.6 What is a Safety Case, and why is it Required?

A Safety Case is a detailed document, prepared by the operator of an offshore facility, that
outlines the types of safety studies undertaken, the results obtained, the measures taken or to be
taken to eliminate or otherwise reduce the risk to personnel at the facility, and the relevant
management arrangements.
The requirement for operators to prepare and submit a Safety Case constitutes a key strategy for
improved safety in the offshore industry. All facilities engaged in petroleum activities offshore
Australia (or being constructed / installed at the petroleum site) are required under the Petroleum
(Submerged Lands) (Management of Safety on Offshore Facilities) Regulations to have a Safety

Case that has been accepted by the relevant regulatory authority, and to operate in accordance
with that Safety Case.
A Safety Case must be a true reflection of the state of safety arrangements for the existing or
proposed facility. It must demonstrate to the satisfaction of the regulatory authority, by its
contents and supporting material, that the operator knows what technical and human activities
occur or will occur, how they are managed, and how safety will be assured in the event of an
emergency. It must also identify methods to be used for monitoring and reviewing all activities in
connection with the facility, so as to achieve continual improvement of safety at the facility.
Once a Safety Case has been accepted, the regulatory authority, in this case NOPSA, continually
reviews the safety performance of the operator, through audits and inspections on-site and at the
companys offices, through investigations of incidents, and through analysis of company data, to
determine whether the standards and arrangements described in the Safety Case are being
followed.
Operators may only construct, install, use, modify or decommission a facility in accordance with
what is stated in a Safety Case that has been submitted to and accepted by NOPSA (or, during
the transitional period) has previously been accepted by the relevant Designated Authority).
Once NOPSA has accepted a Safety Case, the operator of the facility to which the Safety Case
relates has permission to construct, install, use, modify or decommission the facility to the
extent allowed for by the Safety Case
Back
181
September 2004
FAQ 2.10.1 Which Facilities Require Safety Cases?

The definition of facility in the Management of Safety Regulations is the same as that in
Schedule 7 of the PSLA, except that it excludes pipelines. Any place that meets this definition
requires a Safety Case, except if an exemption is granted under regulation 43 of the Petroleum
(Submerged Lands) (Management of Safety on Offshore Facilities) Regulations.

The relevant definition of facility is, in summary:
Any vessel or structure, whether floating or fixed, and whether or not it is capable of independent
navigation, while that vessel or structure is located at a site in Commonwealth waters and is being used,
or prepared for use, at that site for any of the following:
(i)
recovery, processing, storage or offloading of petroleum;
(ii)
provision of accommodation for persons working on another facility;
(iii) drilling or servicing a well or doing work associated with the drilling or servicing;
(iv) manufacturing, laying or maintaining petroleum pipes;
(v)
erecting, dismantling or decommissioning a vessel/structure referred to in (i) to (iv);
(vi) for any other purpose related to offshore petroleum operations that is prescribed.
Facilities therefore include fixed production platforms, floating production facilities, floating
storage facilities, mobile drilling units and drilling ships, pipe-lay barges, construction barges,
accommodation barges, units for tender-assisted drilling, and so forth. However, it should be
noted that a Safety Case may relate to 1 or more facilities, so that a single Safety Case might
relate to a production platform and associated floating storage unit, or to a production platform
and an associated wellhead platform. Note that no vessels or structures are currently prescribed
to be facilities as per item (vi).
A facility is taken to include any associated offshore place, which in turn is defined as:
Any offshore place near the facility where activities (including diving activities) relating to the
construction, operation, maintenance or decommissioning of the facility take place, but does not include:
(a)
another facility;
(b)
a supply vessel, off-take tanker, anchor handler or tugboat; or
(c)
a vessel or structure that is declared not to be an associated offshore place.
This means that a Safety Case for a facility must include any place where ancillary or supporting
activities are taking place, unless these are on another facility, or are on one of the types of
vessels or structures specifically listed as not being associated offshore places.
182
September 2004

A facility is also taken to include:
(a)
any wells and associated plant and equipment by means of which petroleum processed or stored at
the vessel or structure is recovered; and
(b)
any pipe or system of pipes through which petroleum is conveyed from a well to the vessel or
structure; and
(c)
any secondary line associated with the vessel or structure.
This means that, for example, the Safety Case for a production facility must also encompass any
secondary lines running to and from the facility, and any wells and associated plant and
equipment on those lines.
However, the following are not facilities for this purpose:
(a)
off-take tankers;
(b)
tugs or anchor handlers;
(c)
vessels or structures used for supplying a facility or otherwise traveling between a facility and the
shore; or
(d)
vessels or structures that are declared by the regulations not to be a facility.
Vessels of the type referred to in (a), (b) and (c) are primarily governed by the Navigation Act,
and hence not required to comply with Schedule 7 of the PSLA or with the Regulations see
section 2.1 of the main document. Note that no vessels or structures are currently declared not
to be facilities as allowed by item (d).
As noted, an operator may be exempted from the requirement to have a Safety Case for a
particular facility. Such exemptions must be applied for individually, and would be considered by
NOPSA case by case.
Back
183
September 2004
FAQ 2.10.2 How Does the Safety Case Relate to the SMS?
The relationship of the Safety Case to the Safety Management System is often misunderstood.
NOPSA considers the relationship to be as follows:
Although the Safety Case contains a description of the Safety Management System, the
Safety Case is in fact subordinate to the SMS. The SMS is the fundamental basis for ensuring
all aspects of safety at the facility. The Safety Case simply specifies and describes the SMS
that applies, for the purpose of NOPSAs assessment.
In this context, the SMS is taken to include not only the procedures and work instructions
that govern the day-to-day activities at the facility (which are sometimes collectively referred
to as the works management manual or the facility management system) but also those
management processes that address organisational structure, recruitment, training, facility
design, construction quality, etc (which are sometimes collectively referred to as the
corporate management system).
Whilst the Safety Case must specify or contain the Formal Safety Assessment, the Fire Risk
Analysis and the Escape, Evacuation and Rescue Analysis for the facility, it is the SMS that
contains and defines the procedures for initiating and conducting these studies
Although not an explicit requirement of the Regulations, the SMS should also contain the
procedures for preparing and maintaining the Safety Case.
This topic is discussed further in Part 2 of these Guidelines.

Back
184
September 2004
FAQ 2.10.3 How does the Safety Case relate to other Regulations?
As noted in FAQ 2.10.1, the Petroleum (Submerged Lands) (Occupational Health and Safety)
Regulations support the definition of facility that is used throughout Schedule 7 to the PSLA and
its regulations, by listing specific vessels and structures, or types of vessels or structures, which
are or are not facilities. These Regulations therefore in part define the application of the Safety
Case requirements.
The P(SL)(OHS) Regulations also prescribe certain matters, such as the national ban on asbestos,
and a prohibition on drugs and alcohol. The safety management system that must be established
under the Petroleum (Submerged Lands) (Management of Safety on Offshore Facilities)
Regulations, and which must be described in the Safety Case, will need to include procedures
whereby the operator ensures compliance with those requirements.
Otherwise, there are no direct interfaces between the two P(SL)(OHS) Regulations and the
Management of Safety Regulations.
There is an overlap between the Petroleum (Submerged Lands) (Diving Safety) Regulations and
the Management of Safety Regulations, in that the Diving Regulations require the identification,
assessment, control and management of the risks associated with diving, and if the diving is
taking place from a facility these matters would also have to be addressed within the Safety Case
for the facility. However, this overlap should not impose unnecessary burden on operators, as
operators must approve the dive project plan for the facility-based diving, before that diving takes
place, and therefore will have sufficient knowledge of the diving risks to address these in a
revision to the Safety Case. In practice the Safety Case revision might simply be a reference to
the dive project plan and the corresponding diving safety management system.
There is also an overlap between the Petroleum (Submerged Lands) (Pipelines) Regulations and
the Management of Safety Regulations. The Pipelines Regulations require risks associated with
the whole of the pipeline to be identified, assessed, controlled and managed as part of the
Pipeline Management Plan. This includes risks to health and safety, as well as to production and
the environment. In addition, the risks from a pipeline to persons working at a facility must be
considered in the Safety Case for that facility. This includes describing the pipeline interface with
the facility, assessing the risk of major accident events at the platform involving the pipeline, and
including necessary procedures within the safety management system. More specifically the
Management of Safety Regulations require the Safety Case to provide for adequate means of
shutting down and isolating each pipeline in an emergency, and the test and inspection regime
for the shutdown valves.
185
September 2004
There is a similar overlap between the Petroleum (Submerged Lands) (Well Operations)
Regulations and the Management of Safety Regulations. The Well Operations Regulations require
risks associated with well operations to be identified, assessed, controlled and managed as part of
the Well Operations Management Plan. This includes risks to health and safety, as well as to the
reservoir and environment. In addition, the health and safety risks from wells and well activities
must be considered in the Safety Case for any facility. In practice, the Safety Case should
consider the health and safety risks from well activities generally, and then the Well Operations
Management Plan should give more detailed consideration to the risks associated with particular
well operations. If these specific risks fall outside of the general risks considered in the Safety
Case, the WOMP can then be treated as an addendum (i.e. revision) to the Safety Case, without
any need for a new document. [HOLD for final form of Well Ops Regulations]
The only interface between the Safety Case requirements under the Management of Safety
Regulations and the requirements within the P(SL) (Resource Management) Regulations [HOLD
for final form of Resource Management Regulations] is that there must be an accepted Safety
Case in force for a facility before a consent to construct/install or to use that facility is issued
under the Resource Management Regulations.
Back
186
September 2004
FAQ 2.10.4 How Does the Safety Case Relate to OHS Standards?
Since the prescriptive requirements of the Schedule of Specific Requirements have been revoked
in favour of performance-based Regulations, there is relatively little in the petroleum submerged
lands law that prescribes standards to be followed in relation to occupational health and safety.
In this context standards is taken to mean design standards such as those issued by Australian
Standards or industry bodies such as the American Petroleum Institute. However, in a more
general sense, it may also include management system standards such as AS4801, and risk
management standards such as AS4360. Finally, it may also include standards for management
of specific risks, such as the National Standards and National Model Regulations for OHS that are
issued by the National Occupational Health and Safety Commission.
The decision not to enforce any particular design standards is deliberate, and reflects the
international nature of the offshore petroleum industry, as well as the trend to performancebased regulation. However, it is a requirement that the Safety Case specify the standards that
are to be applied in design, construction, use, modification and maintenance of the facility, and
the processes whereby compliance with these standards is to be ensured. Further, the
Regulations require validation of the facility, which may include a validation that the operators
selected standards have been adhered to.
The risk management processes that are required under the Management of Safety
Regulations are general, and must address all hazards, including those specific types of hazard
covered by individual NOHSC National Standards and Model Regulations. By comparison to the
Management of Safety Regulations, the NOHSC National Standards and Model Regulations are
quite prescriptive regarding the factors that must be considered when assessing different types of
risk, and also regarding the types of control measures that should be adopted to control those
risks. If an operators general risk management processes and outcomes under the Safety Case
do not appear to be suitable, NOPSA may request that these aspects of the National Standards be
adopted.
Likewise, the safety management system that is required under the Management of Safety
Regulations, together with the Duties of Care under Schedule 7, provide for a general
management system that is broadly compatible with standards such as AS4801. However, in this
case the requirements under the PSL are more specific, for example in relation to what
procedures should be included in the management system. An operator may choose to use the
structure suggested by AS4801 or a similar standard, but the management system must be
187
September 2004

comprehensive and integrated as required by the regulations, and must include the processes
and procedures set out in the regulations.
Notwithstanding the above, certain prescriptive provisions within NOHSC National Standards and
Model Regulations have been included within the P(SL)(OHS) Regulations, and must be
complied with:
Prohibitions of specific hazardous and carcinogenic substances, as set out in Schedules to

the National Model Regulations for the Control of Workplace Hazardous Substances
[NOHSC:1005(1994)], and in the National Model Regulations for the Control of Scheduled
Carcinogenic Substances [NOHSC:1011(1995)]
The exposure standard for noise as set out in the National Standard for Occupational
Noise [NOHSC:1007(2000)], and the exposure standards for hazardous substances as set
out in the Exposure Standards for Atmospheric Contaminants in the Occupational
Environment Data Base [NOHSC:3008(1995)]
Back
188
September 2004
FAQ 2.10.5 What is the Workforce Involvement in the Safety

Case?
The Management of Safety Regulations require the operator of a facility to consult with the
workforce in the development and revision of the Safety Case for the facility.
Consultation should encompass all three parts of the Safety Case the facility description, the
SMS, and the FSA as well as changes to those matters.
There are various reasons for this requirement, but in particular it is intended to ensure that:
The Facility Description is accurate.
The Safety Management System that is described in the Safety Case properly reflects the
actual safety management practices and procedures that are applied at the facility, and that
those safety management practices and procedures have been developed taking the views of
the workforce into account, in particular the workforces views regarding the practicality and
effectiveness of the practices and procedures.
The workforce is able to arrive at informed opinions about the risks and hazards to which
they may be exposed on the facility. In general, this will require participation of relevant
members of the workforce in the risk management processes hazard identification, safety
assessment, and adoption of risk control measures. It will also require that each member of
the workforce is informed about the risks, and is trained in the risk control measures relevant
to their activities.
In reading the above it should be recognised that the workforce consultation requirements under
the regulations are simply one aspect of wider requirements established under Schedule 7 of the
PSLA, which require consultation regarding:
The OHS policy
Formation and variation of designated workgroups
Election of Health and Safety Representatives
Formation and management of an OHS committee
Changes to the workplace that may affect health and safety
Once elected, HSRs are generally the focal point for workforce consultation regarding OHS.
However, the absence of elected HSRs does not absolve the operator from the requirement to
consult the workforce regarding any other matters.
Back
189
September 2004
FAQ 4.6.1 What Review and Appeal Processes Exist?

The Regulations provide for reviews by NOPSA itself, prior to formal decisions being made on the
acceptance or withdrawal of acceptance of Safety Cases.
Specifically, NOPSA must give the operator reasonable opportunity to change and resubmit a
Safety Case or proposed revision to a Safety Case if NOPSA is not reasonably satisfied with the
Safety Case or proposed revision that is submitted initially. Similar applies in relation to
withdrawal of acceptance of a Safety Case before making a decision to withdraw acceptance
NOPSA must conduct a review, giving the operator and other potentially affected parties the
opportunity to make further submissions.
The only decisions under the PSLA that are externally reviewable under the Administrative
Appeals Tribunal Act 1967 are those made by the Minister in respect to Commonwealth external
territories (e.g. Ashmore and Cartier Islands). However, as it is NOPSA rather than the Minister
who makes decisions related to OHS, even these limited administrative review provisions do not
apply in relation to the Safety Case.
However, any decisions by NOPSA, including decisions in relation to a Safety Case, may be
subject to judicial review by the Federal Court under the Administrative Decisions (Judicial
Review) Act 1997 of the Commonwealth. This is not limited to decisions made under the
Commonwealth PSLA; in accordance with Schedule 3 of the AD(JR) Act it includes decisions made
by NOPSA under State or NT PSLAs, where the relevant State or NT has agreed to this.
NOPSA is preparing separate guidelines related to reviews and appeals, addressing the whole
range of decisions that NOPSA and its OHS inspectors may make, including decisions relating to
Safety Cases, Diving Safety Management Systems, etc, and also Notices issued by OHS
Inspectors under Schedule 7 of the PSLA.
Back
190
September 2004

SafetyCaseGuidelines PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SafetyCaseGuidelines PDF

Uploaded by

Copyright:

Available Formats

NATIONAL OFFSHORE PETROLEUM

SAFETY CASE GUIDELINES

nopsa Safety Case Guidelines

National Offshore Petroleum Safety Authority

Purpose of this Document

Safety Cases, August 2000, ISBN 0 642 72085 1

Format of this Document

Part three provides definitions, abbreviations and useful references.

nopsa Safety Case Guidelines

National Offshore Petroleum Safety Authority

The Regulatory Framework .............................................................................................6

Jurisdictions and the Application of these Guidelines ...................................................6

The Petroleum OHS Legal Framework........................................................................7

The Petroleum OHS Legal Framework from 1 January 2005....................................... 11

Application of State and NT OHS Law ...................................................................... 13

Frequently Asked Questions.................................................................................... 15

Guide to the Management of Safety Regulations ............................................................. 16

Safety Case Administration ..................................................................................... 17

Safety Case Contents ............................................................................................. 20

Further Requirements of the Safety Case ................................................................. 21

Incident Reporting ................................................................................................. 25

Penalty Provisions .................................................................................................. 27

Exclusions and Exemptions ..................................................................................... 27

Frequently Asked Questions.................................................................................... 28

Stages and Types of Safety Cases.................................................................................. 29

Fixed Production Facilities....................................................................................... 29

Mobile Drilling Units ............................................................................................... 33

Safety Case Administrative Processes ............................................................................. 36

Submission of a Safety Case ................................................................................... 36

Assessment of Safety Cases.................................................................................... 38

Safety Case Acceptance and Non-Acceptance ........................................................... 40

Processes Following Acceptance of a Safety Case ..................................................... 45

Frequently Asked Questions.................................................................................... 48

Part 2 : Guide to Safety Case Contents ..................................... 49

Overall Safety Case Process........................................................................................... 52

nopsa Safety Case Guidelines

National Offshore Petroleum Safety Authority

Preparation and Assessment Principles for the Facility Description.............................. 70

Safety Management System .......................................................................................... 83

Preparation and Assessment Principles for the Safety Management System................. 88

Formal Safety Assessment........................................................................................... 113

Introduction ........................................................................................................ 113

Validation .................................................................................................................. 154

Introduction ........................................................................................................ 154

Assessment Principles for Validation ...................................................................... 157

Part 3 : Definitions, Abbreviations and References ...... 163

Definitions ................................................................................................................. 164

Abbreviations ............................................................................................................. 169

Part 4 : Frequently Asked Questions.......................................... 172

nopsa Safety Case Guidelines

NATIONAL OFFSHORE PETROLEUM

SAFETY CASE GUIDELINES

nopsa Safety Case Guidelines

National Offshore Petroleum Safety Authoritys

The Regulatory Framework

1.1 Jurisdictions and the Application of these Guidelines

1967 of the Commonwealth, so as to minimise legal inconsistencies.

nopsa Safety Case Guidelines

National Offshore Petroleum Safety Authoritys

1.2 The Petroleum OHS Legal Framework

Development of the PSLA OHS Laws

Good Oil-Field Practice and DA Directions