4th ISFEH

HAZARD MANAGEMENT OR SAFETY CASE?

Dalzell, G.A.

(TBS)3 Limited, Major Hazard Consultancy, Hill of Minnes, Udny, Ellon,
Aberdeenshire, AB41 6RE, Scotland


ABSTRACT

This paper outlines the development of effective hazard management in the offshore
industry following the Piper Alpha disaster and subsequent Inquiry. There are many
lessons to be learned by people intending to follow the Safety Case route. This paper
describes the change in approach from delivering a complex QRA based document
specifically for the regulator, to a more pragmatic approach to understanding and
managing the causes and consequences of hazards. It refers to the supporting offshore
regulations, the Prevention of Fire, Explosion and Emergency Response and the
guidelines written by UKOOA to support it. These provided a structured approach
which has been further developed by the author, both as the basis for major accident
hazard management in developing countries and also for influencing design to
enhance inherent safety. The underlying premise of this evolution is that the
understanding of risk at corporate level and the understanding of hazard at operations
level are imperative for effective management. However, this requires the open
communication of this information with the associated discomfort at the exposure this
generates. How can we be safe if we don’t understand hazard and risk, and how can
we be safe from prosecution if we do? This and other barriers are discussed.

INTRODUCTION

The Piper Alpha disaster brought the Safety Case to the North Sea offshore oil and
gas business. Up until then, it had operated in a prescriptive environment, mandating
minimum standards with their adequacy certified by an independent authority. The
primary recommendation from the Public Inquiry chaired by Lord Cullen (1) was the
transfer of responsibility for the regulation of offshore safety from the Department of
Energy to the Health and Safety Executive. It also recommended that a goal setting
regime should be introduced with the repeal of the prescriptive regulations. This was
to be based on the onshore regime for major chemical plants, which had been
introduced following the Flixborough disaster. The legislation for the Safety Case
was introduced in 1992 (2). The Inquiry also required that more detailed legislation
should be introduced to give the regulatory regime the solidity that it might otherwise
lack. Two more regulations, supported by guidance, were introduced in 1995 and
1996, covering fire, explosion and emergency response (3) and design and
construction (4). The industry, led by the United Kingdom Offshore Operators
Association, responded positively both to the Inquiry, offering expert witnesses,
contributing to the regulations and preparing comprehensive guidelines to support the
secondary regulations (5), (6), (7). The preparation and review of the first safety cases
were monumental tasks, matched by major upgrades of safety systems on most
installations. The scale of the operation was an order of magnitude greater than that
for the onshore plants. It was a time of learning and evolution for all concerned and
everyone genuinely attempted to follow both the spirit of Lord Cullen’s
recommendations and the letter of the law. It is now 11 years since primary
regulations were introduced so it is opportune to reflect upon the whole process and
to ask if it could be improved. For those about to embark upon a safety case regime or
to improve the one that they have, there are lessons to be learned, particularly where
simplification can improve the focus, clarity and overall benefit of the process. The
views in the paper are solely those of the author.

THE SAFETY CASE: SOME OBSERVATIONS

The Beneficial Aspects

There is no doubt that the safety case regime is the correct basis for the operation of
all major hazard sites and that it has delivered a major reduction in risk. This has been
achieved both by physical improvements to existing facilities and radical changes in
the design of new platforms. This has been matched by a major change in the way
facilities are managed, with much tighter controls on hazardous operations and a way
of working where the management of risk is a key business process. The whole
industry now thinks about hazards, and ways to reduce risk. The workforce has been
actively involved in the preparation of the safety cases, from participation in Hazard
Identification Studies (HAZID), to the identification of potential improvements.
Every platform and drilling rig has a copy of the safety case which is accessible to
everyone on board so they have knowledge of the hazards, the risks to which they are
exposed and the key systems needed to manage the effects of the hazards. A
constructive relationship between the operating companies and the regulator
developed. Each had their job to do and at times this led to somewhat frank
discussions but, overriding these differences was a widespread commitment to work
together to make the offshore industry a genuinely safer place and to ensure that
another major disaster would not occur. This was reflected in their joint participation
in extensive hazard research (8) and the pooling of resources to draft good supporting
regulations and guidance as described above.

The Areas for Improvement

There is a perception that the Safety Case is a management system for major hazards
in itself; the thought that “we have a safety case, therefore we are safe”. However,
the Safety Case is written primarily as a submission to the regulator. As such it is just
what it is called; a Case for Safety; the justification of continued operation. It was
neither a user’s guide to hazards nor a systematic basis for the integration of all
hazards and critical activities. The early cases, and particularly the supporting
documentation, were specialist documents, written for those with equivalent expertise
within the regulator. They gave an overview of risk but did not deliver detailed
guidance to managers and operators on how to manage the hazards that remained.

The justification for continued operation focussed on the demonstration that risks are
“as low as reasonably practicable” (ALARP). Initially, this is derived from case law
where a pragmatic judgement was made as to whether the responsible company had
taken every reasonable step to safeguard its employees. With the offshore Safety
Case, this demonstration of ALARP took on a new life with the use of Quantitative
Risk Analysis. This dominated all of the first safety cases with huge resources
devoted to the generation of individual risk numbers and an indication of societal risk
inferred from the likelihood of impairment of the temporary refuge. Most
improvements were focussed upon those measures which had a numerically
quantifiable benefit. Invariably these were hardware measures which reduced the
consequence of incidents. They did not apply sufficient focus on improvement to
prevention measures, particularly those involving competence and procedures. The
predominant discussion about ALARP also caused an almost myopic interest in those
improvements. In the first few years, the existing measures such as plant integrity and
“standard” safety systems were almost taken for granted with the danger that they
would not receive appropriate ongoing attention by either operators or regulators.

The use of QRA in the early years caused people both to believe the numbers and to
consider them as the only important deliverable from the whole risk analysis. The
running and rerunning of these statistical mathematical models in order to deliver
appropriate numbers seemed to have pre-eminence over all other activities.
Underlying the statistical models was a wealth of hazard knowledge relating to the
likelihood, characteristics and escalation of potential incidents. This could have been
distilled and used to optimise the everyday running of the facilities but it was hidden
from the view of the people who could use it. This was clearly demonstrated with the
issue of the supporting regulations: the Prevention of Fire and Explosion, and
Emergency Response Regulations, PFEER (3), and the Design and Construction
Regulations, DCR (4). The former required that the characteristics of each major
hazard should be documented; causes, severity and consequences, together with the
prevention, detection, control and mitigation measures, and their performance
standards. The latter regulation required that these measures be listed as Safety
Critical Elements and that their adequacy and performance should be independently
verified. It proved to be an almost impossible task to extract this information from the
QRA and supporting analyses. And in many cases, people started the risk assessments
again from scratch or compiled default lists of equipment and performance standards.
It is one of the greatest criticisms of a poor QRA that it relies solely on statistical data
for the likelihood of incidents rather than taking a systematic examination of cause
and an assessment of the adequacy of prevention measures. Without the linkage
between cause and likelihood, how can an effective hazard management system be
based on QRA? In summary, the QRA only delivered high level information to
manage risk. It did not deliver critical data for the management of hazards, but it
could have, if that requirement had been highlighted from day one.

As part of the submission, operators were required to describe their Safety
Management System. In most cases, operators described discrete elements, such as
leadership, integrity management, risk assessment, competence, assurance and
emergency response. These are akin to the pieces of a jigsaw, all vital to the process
but few described how these all fit together into an integrated process for managing
major accident hazards. To their credit, both the regulator and operating companies
recognised this shortcoming leading to a more pragmatic approach in the supporting
legislation, particularly regulation 5 of PFEER (3) and the preparation of the
UKOOA Guideline for the Management of Fire and Explosion Hazards (5). Although
this is now a little dated and a slightly tortuous read, it does provide a good starting
point for an effective hazard management system.

A MAJOR ACCIDENT HAZARD MANAGEMENT SYSTEM

The system described in this chapter is a combination of two initiatives by BP. The
first is the development of their Inherently Safer design process. The second is the
development of a Major Accident Hazard Management System for their Trinidad
operations. The latter was developed in conjunction with DNV. The process follows
the classic five steps of the ISO models; policy, plan, implement, measure and
improve. This can only give a brief outline and a more detailed description is given in
(9). Dealing with each of the steps in turn:
Policy
Most major companies evolve and the larger they are, the harder they try to improve
their systems. We are in an era of new initiatives, often spawned as the result of
individual incidents, unfavourable trends or catastrophic industry events. Without
careful management, this can result in a plethora of policies, expectations, and
standards. In addition, legislation will add an additional set of requirements. This can
result in an uncoordinated management process and encourages a compliance
approach to specific requirements rather than promoting an integrated management
system. It is essential that all corporate, local and regulatory requirements which refer
to components or all of a major hazard management system are listed and that there is
a commitment to one process to fulfil the total set of requirements.
Planning
This is the whole process of hazard identification, analysis, risk reduction and the
determination of how each hazard will be managed. It should deliver all of the
requirements, for strategies, systems and performance standards. As a parallel
exercise, it will also assess the resource, infrastructure and business processes which
will be needed to implement, maintain and assure their adequacy. This process is
described in more detail below.
Implementation
A risk assessment is not a management system. This cannot be a stand alone process
and is entirely dependent upon existing management systems into which the specific
requirements for hazard management systems are embedded. A hazard register can be
used as the document to communicate the overall process and requirements for
managing each hazard but it cannot possibly look after the detail. It should provide
linkages into these management systems which are already the bedrock of operations.
One aspect which must be carefully defined is the overall resource and infrastructure
which is essential to run and support these systems. If not, organisational change will
slowly erode them and this will contribute to accidents (10). This is discussed below
under infrastructure.
Measurement
The planning will give structure to the whole process of assurance. It will allow a top
down process starting with the overall risk and spread of that risk, through each of the
hazards, down to the critical plant, people and processes and finally to the minimum
standards that they have to meet. It will be focussed and transparent. It should also
question whether the whole process is working by confirming that the risk analysis is
adequate, that risk and hazard are understood, and that the pieces of the jigsaw do fit
together as intended.
Improvement
The initial planning may just be sufficient to structure a hazard management process
around existing facilities; i.e. living with what you’ve got in the short term.
Thereafter the whole planning process will identify whether further risk reduction is
required and the areas in which it should be focussed. Within design, a truly proactive
approach will identify most of the potential improvements before any detail design
work is undertaken, minimising the cost and difficulties with their implementation.
With an existing plant, much more care is needed. Improvement should focus upon
the greatest risk drivers but there should be structure to the way this is carried out.
Improvements should first focus on people, procedures and business process such as
integrity management. These might not be quantifiable but the benefits are realised in
a very short time. Almost invariably, they will focus on frequency reduction by
addressing prevention measures. Thereafter, strategic improvement of the
performance and reliability of existing systems should be considered followed finally
by hardware improvements. These generally protect people and take time to
implement. They also increase risk by introducing construction activities and people
into hazardous areas. A controversial paper (11) has argued that even in operation, the
overall benefit of some protection systems may be questionable.

Hazard Understanding

Frank Crawley said “You can run a dangerous plant safely and a safe plant
dangerously”. He was quite right, but the former only applies if you know why it is
dangerous. Our everyday knowledge of the dangers around us is what keeps us alive,
so why should the same principle not apply to major hazards? There is a problem; we
are happy to talk about safety but not about dangers, particularly those with
catastrophic potential. The whole ethos of the Safety Case is to demonstrate that the
plant is safe so there is no encouragement to be graphically explicit about the severity
of events. It is natural to play down the risks and consequences. There is also a
concern that sharing this with the general public either through statutory requirements
or unapproved sources could lead to undue pressure for improvement or shutdown, or
could prejudice a defence in the event of an accident and prosecution. However,
having the awareness of risks and the catastrophic nature of hazards at the forefront
of the minds of managers and the workforce is the best way to make sure that
accidents do not happen. Apply a simple philosophy: “We will all know what is
dangerous, why it is dangerous and what each of us has to do to keep us all safe”.

Different people need to know different things depending on their job and level of
responsibility. Everyone has a finite capacity for knowledge and for the depth of
information that they can realistically access on a day to day basis. The Safety Case
and supporting studies can fill several bookshelves so this information should be
distilled and delivered to the appropriate people. There is a fixed amount that can be
carried in the memory, a next level of detail in an aide memoire, and a further level
that should be accessible through a database or from colleagues. The following
paragraphs consider an organisation from the point of view of four levels, and
consider each one’s responsibility for risk, hazards, and critical plant and activities.
It is interesting to note that Hopkins (10) also considered similar levels when
examining the causes of the Longford explosion and fire in Australia.
Business and Corporate
At this level, managers and directors should focus on risk, and this is where the
output of QRA is most appropriate. They should be aware of the overall risk that the
organisation and each business carries, its impact on the whole corporate reputation
and viability, and the spread of that risk by region and type of operation. They should
also be aware of the underlying drivers of those risks, such as organisational change,
mergers, technological, social and economic pressures, the age of the facilities,
demographic changes in the workforce, or specific local factors. This should drive the
whole approach to managing risk; influence how hard the businesses are driven, the
provision of corporate and local infrastructure, and the overall level and focus of
safety investment.
Facility
At this level, the focus is still on risk, but this time it is the spread of that risk
throughout the facility by hazard and type of operation. Managers should understand
the overall process to manage those hazards, the relative dependence on different
business processes to support it both inside and beyond the company, and the
resources that they require to do so.
Supervisory
This relates to site operations and moves to the understanding of the hazards;
specifically the different hazards on the site, their causes, severity and consequences;
and the measures to prevent and control and mitigate them. This is where the hazard
register is useful as is the point where the jigsaw pieces of hazard management are
put together.
Individual
At this level, it is the critical tasks that are important. It is the knowledge of the most
critical procedures, plant inspection and testing requirements that ensures that they
are carried out effectively.

Infrastructure

The management of hazards is totally dependent upon the performance and ongoing
quality of plant, people and processes. This will determine whether the intent of the
plan to manage the hazards is implemented and maintained for the life of the facility.
This is not documented within, or carried out by a new discrete hazard management
system but by the established business processes which run the facilities. The hazard
assessment process within the plan will identify the safety critical measures, and
detailed analysis should either confirm or set new performance requirements. These
must be met if the hazards are to be managed and risks kept to the tolerable levels
determined by the risk assessment. The existing business processes already contain
many standards and the means of their assurance. These should be used as the basis
for ongoing management and enhanced using the outputs of the risk analysis. It is a
case of maintaining what should already be done well, enhancing its performance
where required, and sustaining that performance for the life of the facility. These
business processes need resources to maintain their effectiveness. Hopkins in his
examination of the Longford explosion, (10) identified where maintenance backlogs
and the relocation of technical support began to erode this infrastructure and this may
have contributed to that incident. It is relatively simple to define the frequency and
method of inspection of a flame detector, but how should the need for, and quality, of
specialist support for the technicians be defined? What should be included in the
internal corporate infrastructure of a company and how much can they depend upon
external support? The hazard and risk assessments should be used for the strategic
planning of the infrastructure and any reorganisation should take this into account in
its management of change process. Some of the areas where the infrastructure is
important are as follows:

Minimum engineering standards
International and corporate engineering standards are full of mistakes. Every time we
blow up a plant we improve the standards to reflect our lessons learned. They contain
default minimum provision and performance for process plant integrity, structure and
safety systems. Clear policies should be established for the use of standards, and
direct responsibility should be assigned for the assurance that the choice and use of a
particular standard is appropriate for the hazards. Effective use and control over
engineering standards requires a corporate engineering resource. Clearly it is not
practical to have experts in every field but it is essential in the core engineering
disciplines which prevent major accidents. In areas where the hazard characteristics
are unique to that company, or the general hazard knowledge in that field is not
mature, then specialised safety engineers or scientists may be needed.
Integrity management
No hazard management system can exist without processes and resources to inspect,
test and maintain the plant. All critical equipment must have a full integrity assurance
programme, defining tasks, their frequencies and pass/fail criteria. These tasks should
be risk based. The infrastructure to support it should also be risk based with resources
assigned according to the contribution to overall risk from the failure of each type of
engineered system. This would determine the extent to which it can be outsourced
and the need to retain control internally with specific discipline engineers taking
personal responsibility. In a modern well run organisation, each part of the plant;
structure, process plant, relief or control systems, may have their own risk based
inspection systems using different criticality ratings based on their own discrete risk
assessment processes. Some of these processes, in particular that for control systems
(12) can take on a life of their own and disproportionately elevate the importance of
their technology. It is important that the whole of the integrity management is
prioritised and resourced in a balanced way. It is worth considering a universal
criticality rating for all plant, based on the overall facility risk and hazard assessment
process.
Operations
This term has been used to cover the people aspect of hazard management. It covers
the basics of competence, manning levels, supervision, procedures and the control
over operations. Again the minimum resource needs to be defined, both in terms of
quality and quantity, so that it is not undermined by reorganisation. A good
operations management system should have detailed requirements, such as
procedures and competences, fully documented. However, it may not define the
overall resource. The risk assessment should confirm that the detail covers all of the
identified hazards, the operational causes of those hazards and that the competences,
controls and procedures are sufficient to address them. A much broader view should
be taken when determining the infrastructure requirements, in a similar way to
integrity management. The overall workload of the operators and supervisors should
be considered and compared with the extent of the dependence upon them to prevent
a major accident. A raft of excellent procedures and controls are worth nothing if they
are not observed because either they are too complex or people are overworked.
Contractual relationships – external dependence
There are two aspects to this infrastructure requirement; the internal resources to
manage the contract and the resources of the contractors to carry out their
responsibilities. The risk assessment and the linkages to safety critical measures
should identify where each contract has an important role to play in preventing
accidents. For example, a 3rd party container may be lifted over a gas pipeline and its
overloading in a contractor’s premises may result in sling failure, impact onto the line
and its rupture. The critical aspects of each contract should be identified in the risk
assessments and both resourcing and specific requirements agreed and documented.
Administrators alone cannot manage safety critical aspects of contracts. They must
have adequate technical support to ensure the initial adequacy and assure
implementation.
Procurement
As with contractual management, the risk assessment should identify safety critical
aspects of procurement, particularly of both new and replacement plant. It should
have similar attention to the overall processes for specification and quality control
with adequate technical support as required. With the trend to outsource the
procurement process, this also needs assurance that the overall technical resourcing is
adequate and that price does not become the overriding criterion for selection of
vendors or products.

Hazard Management Planning
This describes in more detail the second stage of the hazard management process.
This moves on from compliance with default requirements and good practice to a
fully integrated proactive process to manage the totality of risk. This is the process of
understanding the hazards and risks, optimising the available resources in the most
effective way and deciding if the final arrangements are good enough to manage them
effectively. It is a case of balancing many factors:
- The relative risks of different hazards, whether they are occupational,
  environmental, or different types of major accident. Simply because one
  hazard has short term public or internal prominence does not justify
  additional focus. The next accident will not be the same as the last one
  (but the underlying causes may be the same).
- Prevention vs cure: it is easy to over-concentrate upon protection, and there
  are many public pressures to do so, but it makes better business sense not to
  have the accident in the first place.
- The balance between default requirements and a totally risk based system.
  Any organisation with higher default standards for people and plant will have
  a lower risk for an equivalent facility and need fewer additional measures to
  address the residual hazards. However, it is inherently more expensive to run.
  A risk based system can be more economic but it requires a much more
  robust risk management infrastructure and process to support it.
- People and plant: with new facilities, it is preferable to make the whole plant
  fail safe, provided that it does not introduce overcomplexity and excess
  maintenance requirements which introduce their own potential for human
  error. With an existing plant, it will be necessary to live with what exists and
  its associated dependence upon people. If there is critical dependence upon
  human action where a single error could realise a major hazard, then
  additional engineered systems may be considered to provide defence in
  depth.
The following flowchart gives one structured approach to hazard management
(rendered here as text; the original is a boxed diagram with a decision loop):

  HAZID  ->  Hazard Understanding: Cause, Severity, Consequence, Escalation, Risk
         ->  Eliminate / Minimise at Source
         ->  Strategy: Prevent -> Control -> Mitigate -> Evacuate
         ->  System Choice: Passive -> Active -> Operational -> External
         ->  Performance Standards: Integrity; Function; Competence, Manning;
             Contractual Requirements
         ->  Is it good enough?   No: loop back to the earlier steps   Yes: Implement

                Figure 1 – Hazard Management Decision Process
Many of the decisions in the flowchart will be forced upon an operating facility
simply because of its inherent hazards and the existence or otherwise of the hardware.
In design the process can be much more flexible and proactive.
Hazard identification and understanding:
The value of widespread understanding has been discussed above. Delivering that
understanding needs a thorough hazard identification process and an analysis of the
causes, severity, consequences and potential for escalation. It should not be analysis
for its own sake; simply because the methodology or process exists, but a genuine
exercise to understand the characteristics to the extent needed to make decisions,
design systems and to set minimum standards for operations. However, it should be
thorough, in particular in the analysis of the causes, so that adequate prevention
measures can be put in place. The depth of consequence modelling, on the other hand,
depends upon whether or not the event is a design event; if it is, the modelling needs
to be sufficient to specify effective protection.
Hazard Elimination and minimisation at source
This is the implementation of inherently safe design principles in a structured way.
The hazard identification and analysis process should be the automatic triggers for the
search for safer designs. Once something is identified, it should be eliminated or
minimised. This particularly applies to causes, which can be minimised by inherent
strength and reliability (13). Inherently Safer Design is fully described in (14), (15)
and (16). It also needs a culture within the design contractor and a contractual
relationship which rewards it. These are described in (17). The aim is not to provide a
better protected plant but to design one where protection is unnecessary (11). A
successful example of its implementation is given in (18).
Strategy Selection
Hazards should be actively managed: there should be a specific decision as to how
each hazard will be addressed, and in particular which events are design events and
which are not. It is not a vague outcome dependent on what comes out of the QRA
but a conscious decision and commitment to break the chain of events at a specific
point. The options are:
- Prevent: ensure that the event does not happen; absolute prevention.
- Control: minimise the likelihood and thereafter limit the severity so that its
  potential for harm is insufficient to cause death or escalation.
- Mitigate: limit the severity and thereafter protect against the effects of a finite
  range of events, for example hydrocarbon fires limited by maximum hole
  size, ESD and depressurisation.
- Evacuate: recognise that, in some extreme cases such as blowouts, controlled
  and protected evacuation is the only option, living with the consequential loss
  of the facility.
These decisions should primarily be based on the practicality of implementing the
chosen strategy. Clearly it is impractical to design for 10 bar explosions or the total
engulfment of an offshore installation, but it is practical to design for more moderate
events and to ensure that relatively simple plant, such as clean gas risers do not leak.
This is where the hazard characteristics must be communicated to engineers and
operators to allow sensible decisions to be made. The hierarchical choice should be
from prevent down to evacuate.
Systems Selection
The following four options exist for equipment in all of the strategies, and in most
cases a combination of some of them will be required:
- Passive systems are those items of plant, such as process vessels, structure
  and passive fire protection, which are relatively inert. They require periodic
  inspection but have no moving parts and should therefore be highly reliable.
  As such they are the first preference, with the others progressively descending in
  desirability.
- Active systems require maintenance and may be subject to breakdown or
  unrevealed failure, but are less prone to direct human error, particularly in an
  emergency. These may include instrumented shutdown systems and active
  fire protection.
- Operational systems depend upon people and are subject to human
  error with all its direct and underlying causes.
- External systems depend on others beyond the operating company's
  immediate control and are the least favoured. Typically they include the
  shutdown and depressurisation of incoming pipelines and the dependence on
  others for emergency response, such as helicopter evacuation.
Performance
The performance standards should clearly define a system's role with respect to a
hazard. They define the minimum measurable requirements that it must meet and a
statement of its quality or probability of success. Many of them will come from
default standards. Typical examples for the different types of system could include:
- Passive: design loading or capacity, design safety factors, minimum material
  quality, minimum thicknesses or defect limits, and the inspection frequency
- Active: functional requirements such as response time or flowrate; reliability
  and availability (sometimes described as a downtime limit); and survivability
  if the system needs to work during or after an incident
- Operational: manning and supervisory levels, competences, and operating
  controls such as those for simultaneous operations
- External: a clear definition of role and specific contractual requirements
  such as availability, response time, capacity, capability and competence.
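The availability or downtime limit for an active system is only checkable if the link between its failure rate, its proof-test interval and the resulting dead time is made explicit. The following worked example is added here to show that check; it is not part of the paper and uses the standard single-channel reliability relations under the assumptions stated in the comments (constant failure rates, perfect proof test, repair time negligible after a test). All of the figures, and the hypothetical shutdown valve they describe, are constructed for illustration.

```python
"""Checking an active system's availability against a downtime-limit
performance standard. Added worked example; not from the paper.
Assumptions: constant failure rates, single channel, perfect proof test,
and repair after a proof test short enough to ignore."""
import math

HOURS_PER_YEAR = 8760.0


def unavailability_unrevealed(lambda_du, proof_test_interval):
    """Average fractional dead time of a channel whose dangerous failures stay
    unrevealed until the next proof test. For a constant rate lambda_du (per
    hour) and a perfect test every T hours the exact value is
    1 - (1 - exp(-lambda*T)) / (lambda*T), which is lambda*T/2 when lambda*T
    is small."""
    x = lambda_du * proof_test_interval
    if x <= 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def unavailability_revealed(lambda_dd, mttr):
    """Revealed failures (diagnosed or alarmed) cost only the repair time:
    lambda_dd * MTTR, valid while lambda_dd * MTTR << 1."""
    return lambda_dd * mttr


def assess_active_system(lambda_du, lambda_dd, mttr, proof_test_interval,
                         downtime_limit_hours_per_year):
    """Compare predicted downtime with a standard expressed as a downtime
    limit (hours per year) and return the figures worth recording."""
    u = (unavailability_unrevealed(lambda_du, proof_test_interval)
         + unavailability_revealed(lambda_dd, mttr))
    downtime = u * HOURS_PER_YEAR
    return {
        "unavailability": u,
        "availability": 1.0 - u,
        "downtime_hours_per_year": downtime,
        "meets_standard": downtime <= downtime_limit_hours_per_year,
    }


def max_proof_test_interval(lambda_du, unavailability_budget,
                            t_max=50 * HOURS_PER_YEAR):
    """Largest proof-test interval (hours) whose unrevealed-failure
    contribution stays within the budget, found by bisection on the exact
    formula (monotone in T). Returns t_max if the budget is never used up."""
    if unavailability_unrevealed(lambda_du, t_max) <= unavailability_budget:
        return t_max
    lo, hi = 0.0, t_max
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if unavailability_unrevealed(lambda_du, mid) <= unavailability_budget:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed figures for a hypothetical emergency shutdown valve:
    # 1e-6/h undetected dangerous failures, 2e-6/h detected ones, 24 h repair,
    # annual proof test, and a standard of at most 1% downtime (87.6 h/yr).
    result = assess_active_system(1e-6, 2e-6, 24.0, HOURS_PER_YEAR, 87.6)
    for key, value in result.items():
        print(f"{key}: {value}")
    budget = 0.005
    print("longest proof-test interval (h) for an unavailability budget of",
          budget, "=", round(max_proof_test_interval(1e-6, budget)))
```

The exact formula rather than lambda*T/2 matters once the interval is long relative to the failure rate, and the bisection gives the engineer the figure that actually goes into the maintenance schedule: the longest test interval that still honours the standard.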
Is it good enough?
A structured approach to making this decision is given in (19), in which a hierarchy is
offered running from codes and standards, through engineering judgement, qualitative risk
assessment (for example by risk matrices) and quantitative risk assessment, to internal
stakeholder consultation and finally external stakeholder consultation. For well understood,
moderate-risk hazards the lower tiers are appropriate, rising to the top tier for
politically sensitive decisions involving novel technology and corporate reputations.
In most cases engineering judgement and qualitative assessment, made in full
knowledge of the hazard characteristics, are acceptable. However, such decision
making without this knowledge is irresponsible guesswork.

CONCLUSIONS

This paper may appear to offer strong criticism of the offshore safety case, but
without it the paper would never have been written. The events of Piper Alpha and
the subsequent inquiry started us down the right road. There are improvements still to be
made, such as the integration of all aspects of the risk assessment to deliver not just a
demonstration of safety but a fully working hazard management system. The
complexity of classical safety cases should be reviewed to ensure that it enhances
hazard understanding, as this is the greatest risk reducer of all.

ACKNOWLEDGEMENTS

To BP, for encouraging radical and clear thinking, and for supporting the development
of the inherently safer design and major accident hazard management processes.
To Alistair Warwick of W.S. Atkins' Houston office, for contributing to the structured
process of Inherently Safer Design.
To the BP and DNV Major Accident Hazard Management team in Trinidad, for
refining and trialling the process.

REFERENCES

1.    The Public Inquiry into the Piper Alpha Disaster; HMSO Publications
2.    A Guide to the Offshore Installations (Safety Case) Regulations; HSE Books
3.    Prevention of Fire and Explosion, and Emergency Response on Offshore
      Installations; Approved Code of Practice; HSE Books
4.    The Offshore Installations and Wells (Design and Construction) Regulations;
      SI 1996/613
5.    UKOOA Guidelines for Fire and Explosion Hazard Management
6.    UKOOA Guidelines for the Management of Emergency Response for Offshore
      Installations
7.    UKOOA Guidelines for the Management of Safety Critical Elements
8.    Joint Industry Project on Blast and Fire Engineering for Topsides Structures,
      Phase 2; Steel Construction Institute, Ascot, Berkshire
9.    Understanding Major Accident Hazards: The Cutting Edge of Common Sense;
      Ditchburn S; Mohess R; Dalzell G; IChemE Hazards XVII; Manchester 2003
10.   Lessons from Longford; Hopkins A; CCH Australia 2000
11.   Nothing is Safety Critical; Dalzell G; Chesterman A; IChemE Hazards XIII;
      Manchester 1997
12.   IEC 61508; Functional Safety of Electrical/Electronic/Programmable Electronic
      Safety-Related Systems
13.   Risk = Opex Squared; Dalzell G; IChemE Journal on Inherent Safety; due for
      publication in 2003
14.   Kletz T.A.; Process Plants: A Handbook for Inherently Safer Design; Taylor and
      Francis 1998
15.   BP Inherently Safer Design Process; internal document
16.   What Makes an Inherently Safer Design; Dalzell G; OMAE Conference, Lisbon
      1998
17.   Safer Design: An Attitude; Dalzell G; Willing P; IChemE Hazards XV;
      Manchester 2000
18.   Application of Inherent Safety Challenge to an Offshore Platform Design for a
      New Gas Field Development: Approaches and Experiences; Chia S; Walshe K;
      Corpuz E; IChemE Hazards XVII; Manchester 2003
19.   UKOOA Risk Based Decision Making Framework
