163404540 sp 2062 hse specification specifications for hse cases

Upload: daniel-martinez

Post on 03-Jun-2018


  • 8/12/2019 163404540 SP 2062 HSE Specification Specifications for HSE Cases

    1/84

    Petroleum Development Oman LLC

    Revision: 1.0 Effective: Mar-11

    Page 1 SP-2062 Specification for HSE Cases Printed 04/08/14

    The controlled version of this CMF Document resides online in Livelink. Printed copies are UNCONTROLLED.

    Petroleum Development Oman L.L.C.

    Document Title: Specification for HSE Cases

    Document ID: SP-2062

    Document Type: Specification

    Security: Unrestricted

    Discipline: Technical Safety Engineering

    Owner: MSE/4 Head of Technical Safety Engineering

    Issue Date: 31 March 2011

    Version: 1.0

    Keywords:

    This document is the property of Petroleum Development Oman, LLC. Neither the whole nor any part of this document may be disclosed to others or reproduced, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, reprographic recording or otherwise) without prior written consent of the owner.


    i Document Authorisation


    TABLE OF CONTENTS

    i Document Authorisation

    ii Revision History

    iii Related Business Processes

    iv Related Corporate Management Frame Work (CMF) Documents

    1 Introduction

    1.1 Purpose

    1.2 General Definitions

    1.3 Review and Improvement (SP 2062)

    1.4 Deviation from Standard

    2 WHEN ARE HSE CASES REQUIRED?

    3 WHAT TYPES OF HSE CASES ARE THERE?

    3.1 Asset/Facility HSE Cases at different ORP phases

    3.1.1 Identify and Assess

    3.1.2 Select

    3.1.3 Define

    3.1.4 Execute

    3.1.5 Operate

    3.2 Roles and Responsibilities for the HSE Case

    3.2.1 Sign Off Dates

    3.3 Roles and Responsibilities within the HSE Case

    3.4 Workforce Involvement

    3.5 Deliverables

    3.6 Performance Monitoring

    3.6.1 Review and Improvement (HSE Cases)

    3.6.2 Material Change

    4 ASSET INTEGRITY - PROCESS SAFETY MANAGEMENT

    4.1 Process Safety Manual, HSSE Control Framework, Section

    4.2 Centre for Chemical Process Safety Guidelines for Risk Based Process Safety (CCPS RBPS)

    4.3 Process Safety in Projects

    4.4 Critical Drawings

    5 HEMP

    5.1 Hazards and Effects Register

    6 BOW-TIES

    7 SAFETY CRITICAL ELEMENTS

    7.1 SCE (Hardware) Barriers

    7.2 SCE Selection

    7.3 Performance Standards

    7.3.1 Performance Standard Approval

    8 HSE CRITICAL TASKS

    9 MATRIX OF PERMITTED OPERATIONS (MOPO)

    9.1 Using the MOPO

    9.2 Deviations from the MOPO

    10 ALARP demonstration

    10.1 ALARP Definition

    10.2 How to Undertake an ALARP Assessment

    10.2.1 Principles of Hazard Management

    10.2.2 Good Engineering Practice

    10.2.3 Good Engineering Principles

    10.2.4 HEMP Studies

    10.2.5 ALARP Review

    10.3 Assessment of Complex Decisions

    11 OPERATE PHASE CONTINUOUS IMPROVEMENT

    11.1 Drivers for Improvement

    11.2 Remedial Actions

    11.2.1 Qualitative Analysis of RAP Items

    11.2.2 Interpreting the RAP

    12 STATEMENT OF FITNESS

    13 MANAGEMENT OF CHANGE

    14 CONCEPT SELECTION REPORT

    14.1 DCAF Deliverables for Identify, Assess and Select Phases

    15 DESIGN HSE CASE REQUIREMENTS

    15.1 Basic Requirements

    15.2 Format

    15.2.1 Contents

    15.2.2 Part 1 Introduction

    15.2.3 Part 2 CSR ALARP demonstration Summary

    15.2.4 Part 3 Design Basis & Facility Description

    15.2.5 Part 4 Hazards & Effects Management Process

    15.2.6 Part 5 Improvement (Action Plan)

    15.3 DCAF Deliverables for Define and Execute phases

    16 OPERATIONS HSE CASE REQUIREMENTS

    16.1 Basic Requirements

    16.2 Format

    16.2.1 Contents

    16.2.2 Part 1 Introduction

    16.2.3 Part 2 Facility Description

    16.2.4 Part 3 People, HSE Critical Tasks

    16.2.5 Part 4 Hazard and Effects Management

    16.2.6 Part 5 Improvement (Action Plan)

    16.3 DCAF Deliverables for Execute and Operate Phases

    Appendix 1 Glossary of Definitions, Terms and Abbreviations

    Appendix 2 Related Business Control Documents and References

    Appendix 3 Hazard Inventory Checklist

    Appendix 4 Example Hazard and Effects Register

    Appendix 5 Safety Critical Elements Categories

    Appendix 6 Example Safety Critical Elements Register

    Appendix 7 Example Design Performance Standard

    Appendix 8 Example Operations Performance Standard (EP 2009-9009, Ref. 10)

    Appendix 9 Example of Implementation Table

    Appendix 10 MOPO

    Appendix 11 Operations HSE Case Change Approval

    Appendix 12 CCPS RBPS Process Safety Elements


    1 Introduction

    An HSE Case provides a documented demonstration that risk reduction philosophies and measures have been developed and implemented at each phase of the Opportunity Realisation Process (ORP) to ensure that the risks are tolerable and as low as reasonably practicable (ALARP) through the systematic application of the Hazards and Effects Management Process (HEMP) as set out in the PDO HSE Management System (HSE-MS).

    This document should be read in conjunction with the guideline Applying Process Safety in Projects GU-648 [4].

    1.1 Purpose

    The purpose of this specification is to establish minimum requirements for the content of HSE Cases and it shall be used for the development of HSE Input to Concept Select Reports, Design HSE Cases and Operations HSE Cases.

    This specification SHALL [PS] be used for demonstration of the following requirements of the Process Safety Manual in the Shell HSSE & SP Control Framework [Ref. 7]:

    o Identify and document Hazards with RAM red and yellow 5A and 5B Process Safety Risks for existing and new Assets (Requirement 1).

    o Develop a Statement of Fitness for the Assets (Requirement 7).

    o Review the Process Safety Risks to the Asset at least annually, in line with 8 Management Review (of the HSSE & SP Management System) (Requirement 20).

    This specification contains information on the contents of each type of HSE Case and gives guidance and examples of information to be contained in specific sections.

    1.2 General Definitions

    The capitalised term SHALL [PS] indicates a process safety requirement.

    The lower case word shall indicates a requirement.

    The word should indicates a recommendation.

    1.3 Review and Improvement (SP 2062)

    Responsibility for the upkeep of this Specification shall be with the CFDH Technical Safety Engineering (Owner of this Specification). Changes to this document shall only be authorised and approved by the Owner.

    Any user of this document who encounters a mistake or confusing entry is requested to immediately notify the Document Custodian using the form provided in CP 122 Health, Safety and Environment Management System [Ref. 1].

    This document shall be reviewed as necessary by the Owner, but not less than every two years.

    1.4 Deviation from Standard

    Deviation to this Specification shall follow the requirements of PR-1247 Project Change Control & Standards Variance Procedure, Version 1 31/8/1999.


    2 WHEN ARE HSE CASES REQUIRED?

    HSE Cases are mandatory for all PDO operated (owned, leased or contracted) projects/operations containing hazards rated severity five or high risk on the PDO risk assessment matrix (RAM) as per Figure 2-1 [Ref. 1]. Hazards that fall into this category are referred to as Major Accident Hazards (MAH), and are typically identified during the HAZID conducted at the start of concept phase of a project.

    However, for smaller, less complex projects or modifications to an existing asset where an Operations HSE Case already exists, it may be suitable to undertake a design review in place of a Design HSE Case and then update the existing Operations HSE Case.

    For projects that fall into Category C as per Figure 2-2 overleaf, both qualitative (bow-tie analysis) and quantitative analysis (QRA) are required to determine the level of risk and to demonstrate that risks are reduced to tolerable and ALARP, thus a Design and Operations HSE Case must be compiled.

    Guidance and confirmation shall be sought from MSE/4 on an individual project basis.

    Figure 2-1: PDO Risk Assessment Matrix

    Figure 2-2 shows the industry guidelines for a framework for risk related decision support by Oil and Gas UK in 1997 (formerly the UK Offshore Operations Association, UKOOA).

    Once a new project has been assessed against the risk assessment matrix in Figure 2-1 and found to contain level 5 or high risk hazards, it shall be categorised as per the chart in Figure 2-2.

    Figure 2-1 scales:

    Consequences by severity (People; Asset; Environment; Reputation):

    0: No injury or health effect; No damage; No effect; No impact

    1: Slight injury or health effect; Slight damage; Slight effect; Slight impact

    2: Minor injury or health effect; Minor damage; Minor effect; Minor impact

    3: Major injury or health effect; Moderate damage; Moderate effect; Moderate impact

    4: PTD or up to 3 fatalities; Major damage; Major effect; Major impact

    5: More than 3 fatalities; Massive damage; Massive effect; Massive impact

    Increasing likelihood:

    A: Never heard of in the Industry

    B: Heard of in the Industry

    C: Has happened in PDO or more than 1>yr in the Industry

    D: Has happened at the Asset or more than 1>yr in PDO

    E: Has happened more than 1>yr at the Asset


    Figure 2-2: Framework for risk related decision support in PDO

    To use the Framework, first relate the decision being considered to the decision context characteristics on the right hand side of the Framework. Establish a horizontal line across the Framework at the point that best fits the nature of the decision. The segments of this horizontal line define the relative weight that should be given to the different decision making approaches in the ALARP determination. The descriptors on the left hand side of the diagram describe the type and extent of consultation that is needed for the selected decision context and type.

    Type B and C decisions shall be taken at higher levels within an organisation than Type A decisions.

    Type A decisions are those involving well-understood hazards and proven solutions. The lessons learned from past years have been incorporated into authoritative Good Practice. Reference to the relevant Good Practice, supported by expert judgment, is sufficient to define the barriers needed to reduce the risks to both tolerable and ALARP.

    Type B decisions are those involving less well-understood hazards. Good Practice has to be supplemented by more detailed analytical methods such as quantified risk assessment (QRA) particularly to address the uncertainties of novel aspects of design. However, risk-based analysis cannot be the only approach, as illustrated by the fact that it forms no more than 40% of a horizontal line through the Type B band.

    Type C decisions are those involving hazards that may create societal concerns. The more technological factors in the ALARP determination need to be conditioned, or viewed in the context of how the situation will be seen by stakeholders.

    The A, B, C groupings are not intended to split the framework into three discrete sections, but should be used to indicate a continuum of decision context types from a strongly Type A (technology based) at one extreme to a strongly Type C (judgment based) at the other extreme. A range of decision-making approaches will contribute, especially to Type B and C decisions. The background to the Framework is described in [4].


    3 WHAT TYPES OF HSE CASES ARE THERE?

    PDO activities and operated facilities fall into different categories and the different types of HSE Cases used to cover these are listed below:

    o Asset/facility: hydrocarbon gathering/production facilities organised into delivery teams or hydrocarbon transporting infrastructure and storage facilities. The majority of PDO HSE Cases fall into this category and the content shall meet the requirements of this HSE Case Specification

    o Contractor drilling rigs and hoists; the content shall meet the requirements of International Association of Drilling Contractors (IADC) [Ref. 4] and this HSE Case Specification

    o Air Operations; the content shall meet the requirements of EP 2005-0263 Air Transportation Standard and this HSE Case Specification

    o Land Transport; the content shall meet the requirements of EP 2005-0261 Road Transportation Standard and this HSE Case Specification

    Air transport operations, road transport operations and marine operations with severity 5 or high level hazards (as defined by the RAM in Figure 2-1) that are PDO operated (owned, leased or contracted) shall have an Operations HSE Case.

    The nature of Transport and Drilling Rig HSE Cases is that they are developed to describe the hazards and set out controls associated with the respective operation or activity. These cases are reviewed and updated as they develop, but rarely is there a requirement to develop a new HSE Case for these activities.

    Asset/Facility HSE Cases differ in that new design projects or production stations may require that a new HSE Case is developed in accordance with this specification.

    Asset/Facility HSE Cases are further separated into the following types of HSE Cases:

    o Concept Select Report: This demonstrates that there has been a systematic application of HEMP during the Identify, Assess and Select phases, that the HSE risks associated with each development option have been identified and assessed, the lowest risk option has been chosen or that the cost/effort required to adopt the lowest risk concept is grossly disproportionate to the benefit.

    o Design HSE Case: This demonstrates that there has been a further systematic application of HEMP during the Define and Execute phases, demonstrates that the severity 5 or high level hazards identified are both tolerable and ALARP and that all safety critical elements (with associated performance standards) have been identified and meet the performance standards.

    o Operations HSE Case: This describes management of the severity 5 or high level hazards to ensure that they are tolerable and ALARP, bow-tie diagrams showing the hazards and the barriers to the hazards, a list of HSE critical tasks, references to operational management systems and a statement of fitness. This acts as confirmation that the HSE Case Owner (Director) is satisfied that the arrangements are in place for the facility to operate safely.

    3.1 Asset/Facility HSE Cases at different ORP phases

    The opportunity realisation process (ORP) is split into 5 phases punctuated by Decision Gates (Dg1-5) and Value Assurance Reviews (VAR1-5). Once the need for an HSE Case has been identified, the type of HSE Case and when it should be compiled needs to be identified as per Figure 3-1.

    The Identify & Assess; Select; Define; Execute and Operate phases are discussed in the following sections.


    Figure 3-1: 5 stages and applicable HSE Cases

    3.1.1 Identify and Assess

    This phase initiates opportunities and demonstrates the feasibility of those opportunities. Ideas are generated and aligned with business principles and strategies and potential values established so a decision to fund and staff further development of these ideas can be made.

    This phase also asks the question as to whether the project has looked sufficiently at the risks, different development options, realisations and all possible outcomes. Is there at least one solution that would work in most, perhaps all, of the realisations? The project must understand what it is going to be taking into the Select phase.

    HSE input at this stage is at a high level and includes a preliminary HAZID, HSE-SD Plan and input to the Risk Register.

    3.1.2 Select

    This stage must select the best concept solution for delivering value from the opportunity and make it clear why one choice was the preferred option.

    HSE input into the select phase has potentially the greatest impact. The option selected to take forward into the define phase must be ALARP. An ALARP demonstration must be provided in the CSR (see section 14).

    3.1.3 Define

    The selected concept must be defined technically (scope, cost, schedule) or commercially (JVA, JOA, country entry) for final investment decision (FID). Note that the timing of a technical FID may not coincide with a commercial FID.

    HSE activities and deliverables at the define stage include a Design HSE Case and other HEMP Studies.

    3.1.4 Execute

    The project is to be delivered as a facility consistent with the forecast scope, cost, schedule and proven performance and has to be accepted by the Owner of operations (usually the Relevant Director) for use.


    During the execute phase the Design HSE Case is refined. The Operations HSE Case is developed prior to handover to operations. Further HEMP studies are carried out to support the ALARP Demonstration.

    3.1.5 Operate

    The project is operating as expected and is maximising returns to Shareholders and protecting the License to Operate. The Owner of operations (usually the relevant Director) has accepted responsibility for continued safe operations.

    The Operations HSE Case will contain the ALARP demonstrations for the Operate phase. This is built and maintained throughout the operate phase (see section 16).

    3.2 Roles and Responsibilities for the HSE Case

    Delivery Team Leaders (DTL): DTLs are responsible for ensuring that the HSE Cases are developed and maintained for their assets and meet the requirements of this specification.

    Project Managers: Project Managers are responsible for ensuring that the Concept Select Report and Design HSE Cases are developed and meet the requirements of this specification.

    Contract Holders: For Air Operations, Road Transport and Drilling & Hoist Rigs, it is the Contract Holders that are responsible for ensuring that their Contractors develop and maintain HSE Cases that meet the requirements of this specification.

    3.2.1 Sign Off Dates

    Sign off dates for the CSR/HSE Cases shall be as follows:

    o The Concept Select Report Case shall be signed off prior to VAR3.

    o The Design HSE Case shall be signed off prior to VAR4.

    o The Design HSE Case during detailed design phase shall be signed off when completed and prior to the PSUA.

    o The Operations HSE Case shall be signed off prior to start up.

    3.3 Roles and Responsibilities within the HSE Case

    There are three main roles for developing, implementing and maintaining an HSE Case; the HSE Case Owner, HSE Case Custodian and the HSE Case Administrator. These roles for each type of HSE Case are shown in Table 3-1 and cover new projects and modifications to existing facilities.

    Table 3-1: Roles and responsibilities within an HSE Case

    HSE Case Owner

    HSE Input to Concept Select Report (CSR): Project Manager

    o Identifies the requirement for a HSE Section in the CSR in accordance with this specification

    o Appoints HSE resource

    o Approves the Concept Select Report

    Design HSE Case: Project Manager

    o Identifies the requirement for an HSE Case in accordance with this specification

    o Appoints HSE Case Custodian and assigns responsibilities

    o Approves outcome of ALARP multi-disciplinary reviews

    o Develops a Statement of Fitness for the Asset

    o Approves the Design HSE Case

    Operations HSE Case: Asset Director

    o Identifies the requirement for an HSE Case in accordance with this specification

    o Initiates Operations Case and assigns responsibilities

    o Develops a Statement of Fitness for the Asset

    o Approves outcome of HEMP studies

    o Approves the Operations HSE Case

    o Assigns HSE Critical Element ownership to the appropriate Technical Authority/HSE Adviser

    o Ensures ongoing compliance with this specification

    o Conducts periodic Operations HSE Case reviews

    o Ensures facility is operated according to the Operations HSE Case

    HSE Case Custodian

    HSE Input to Concept Select Report (CSR): Project HSE Lead

    o Manages HEMP studies, ensures risk tolerability and suitable and robust ALARP demonstrations are made

    o Prepares HSE content of the CSR and checks DCAF content all signed off

    o Coordinates the development of the HSE Input to the CSR.

    Design HSE Case: Lead Technical Safety Engineer

    o Identifies HEMP studies to assess the hazards and risk associated with the project

    o Develops risk reduction strategies, identifies safety critical elements (SCE) and associated Performance Standards in conjunction with SCE Technical Authorities (TA)

    o Facilitates that suitable and robust ALARP demonstrations are made.

    o Reviews and approves all action items raised for correct detail, action party and target date

    o Compiles/co-ordinates the HSE Case

    Operations HSE Case: Delivery Team Leader

    o Ensures the HSE Cases are developed and maintained for their assets in accordance with latest requirements.

    o Ensures participation in development and awareness and proper use of the HSE Case by the organisation

    o Validates HEMP studies and technical accuracy of the contents of the HSE Case

    o Co-ordinates review of HSE critical tasks listings and associated Performance Standards

    o Ensures that revisions and updates are prepared when necessary, adequately controlled and distributed

    o Reviews facility specific emergency response plans

    o Reviews and approves all action items raised for correct detail, action party and target date

  • 8/12/2019 163404540 SP 2062 HSE Specification Specifications for HSE Cases

    15/84

    Petroleum Development Oman LLC

    Revision: 1.0Effective: Mar-11

    Page 15 SP-2062 Specification for HSE Cases Printed 04/08/14

    The controlled version of this CMF Document resides online in Livelink. Printed copies are UNCONTROLLED.

    HSE Input to ConceptSelect Report (CSR)

    Design HSE Case Operations HSE Case

    HSECaseAdministrator

    N/A N/ADirectorate Technical SafetyEngineer

    Compiles/co-ordinatesthe HSE Case andsubsequent reviews andupdates

    Supports the HSE CaseCustodian


    3.4 Workforce Involvement

    The HSE Case shall demonstrate that the workforce have been part of the development and review of the HSE Case. Workforce in this context is the front line operations and maintenance staff that are directly involved in the day-to-day running of the facilities.

    The purpose of this requirement is to ensure that front line operations and maintenance staff:

    o have knowledge of the Major Accident Hazards that have been identified for the facility where they work

    o are aware of the controls and barriers in place to manage these MAHs (SCEs, Performance Standards, HSE Critical Tasks, MOPOs)

    o have knowledge of how these controls are managed (MIE, FSR, assurance reviews)

    For Design HSE Cases, workforce involvement can be demonstrated by ensuring that relevant staff representatives have been involved in the design. This may be done by ensuring they participate directly in the design activities (HAZIDs, HAZOPs, HEMP studies) and by participating in project assurance reviews such as Design Reviews, peer reviews and project Audits.

    Operations HSE Cases shall be communicated to the operations and maintenance teams on site. The focus shall be on what the case means to them and what impact it is likely to have. In addition, representatives from current operational, engineering, and maintenance teams and workforce representatives (where applicable) shall be included in the regular reviews as described in Section 13. This engagement may be demonstrated by ensuring that the HSE case is reviewed regularly by operations and maintenance staff, which can be achieved through:

    o job descriptions and staff performance contracts

    o dedicated communications initiatives

    o staff onboarding

    o committees or working groups (e.g. AIPSALT).

    For both types of HSE Cases, the details of how workforce involvement has been achieved shall be described in the HSE Case or in the documentation of the periodic review of the HSE Case.

    3.5 Deliverables

    Design and Operations HSE Cases are classified as Essential Records according to CP-102 Documents & Records Management and shall be maintained on Livelink by the HSE Case Administrator.

    Design and Operations HSE Cases are mandatory deliverables for new projects and existing assets, as described by the Discipline Control and Assurance Framework (DCAF) section in SP-2061 Technical Authority System [Ref.7].

    3.6 Performance Monitoring

    Routine performance monitoring of HSE Cases shall include:

    o Assurance of Design HSE Cases at VARs

    o Review of Operations HSE Cases during Pre-Start up Audits


    o AI-PSM Assurance of Operations HSE Cases

    o Monitoring of Operations HSE Case KPIs

    3.6.1 Review and Improvement (HSE Cases)

    Once the Concept Select Report is signed off, it is not anticipated that any revisions will be required as further project work will be covered in the Design HSE Case.

    The Design HSE Case may need to go through several revisions during the Define and Execute phases depending on the nature of the design of the new project.

    The Operations HSE Case shall be reviewed and updated at a maximum interval of 5 years unless any of the following circumstances occur:

    o As part of a Material Change to the Facility, operation or surrounding environment that may have a potential impact on the risk profile

    o When it cannot be verified that the performance of safety critical elements (SCEs) meets the performance standards and/or when mitigation measures have been employed for extended periods to compensate for this shortfall

    o Prior to any material changes to the organisational arrangements or personnel levels

    o Following a major incident involving the Facility or operation, or from lateral learning from other major incidents applicable to the Facility or operation

    o Enhancements in knowledge or technology that change the basic assumptions on which the risk tolerability and ALARP demonstrations are based

    o If there is a change to any of the signatory parties for the HSE Case, i.e. HSE Case Owner (Director), HSE Case Custodian (Delivery Team Leader) or HSE Case Administrator (Technical Safety Engineer)

    3.6.2 Material Change

    A material change is any change that significantly affects the basis for the original ALARP demonstration in the HSE Case. In practice this usually includes changes that have the potential to affect the major accident hazards or their controls, either directly or indirectly.

    Examples of direct effects are:

    o significant modifications or repairs to the plant or equipment, either as single large modifications or multiple smaller modifications,

    o an increase in hydrocarbon inventory,

    o new technology, processes or operational complexity,

    o new types of combined operations, or new activities in connection with an installation,

    o new operational risk controls.

    Examples of indirect effects are:

    o new ownership or operatorship, introducing a change in the management system,

    o a major change of contractor, and

    o extension of the use of the installation or its components beyond the original design life.


    4 ASSET INTEGRITY - PROCESS SAFETY MANAGEMENT

    Assuring the safety of people, assets, the environment and reputation is a core value and providing assurance that major process safety risks are being managed is a critical aspect of PDO corporate governance. Asset Integrity Process Safety Management (AI-PSM) describes the way in which PDO assets are managed so that the process risk is as low as reasonably practicable (ALARP).

    There are two Process Safety implementation mechanisms within PDO:

    1. The Process Safety Manual of the Shell Group HSSE Control Framework [Ref.6]

    2. AI-PSM as developed by Centre for Chemical Process Safety Guidelines for Risk Based Process Safety (CCPS RBPS) [Ref.9].

    4.1 Process Safety Manual, HSSE Control Framework, Section

    The HSSE & SP Control Framework replaces the mandatory requirements in EP2005 series, and includes mandatory Standards, Manuals, Specifications and Glossary terms, and non-mandatory Assurance Protocols and Guides.

    The Process Safety Manual of the HSSE & SP CF comprises four elements:

    1. Asset Integrity Process Safety Management Application Manual

    2. Design and Engineering Manual 1 (DEM1)

    3. Design and Engineering Manual 2 (DEM2)

    4. Override of Safeguarding Systems.

    A full description of each element can be obtained in The HSSE & SP Control Framework [Ref.6].

    Compliance with the detailed requirements of the Process Safety Manual is demonstrated by signing a Statement of Fitness (SoF). The Statement of Fitness is shown in section 12 and testifies that the hazards have been appropriately managed in accordance with HEMP and that a suitable and robust ALARP demonstration has been made.

    The Statement of Fitness is a requirement of the AI-PSM Application Manual and a signed SoF shall be included in Design and in Operations HSE Cases, respectively.

    For operational assets the SoF shall be signed by Asset Directors, and for new projects by the Project Manager before handover to operations.

    4.2 Centre for Chemical Process Safety Guidelines for Risk Based Process Safety (CCPS RBPS)

    The CCPS RBPS AI-PSM process is an assurance process containing 20 elements¹ that describe minimum expected standards and stipulate the requirements for a range of process related activities ranging from organisational culture, workforce involvement, risk management, HEMP and audit through to design.

    The assurance process includes routine checking, self-assessments and audits, as well as independent 3rd party verification that the AI-PSM system and practices are consistent with industry best practice and are controlling process risk to ALARP.

    The assurance process also identifies opportunities for improving the management and control of process risk and therefore, is a key driver for continuous improvement.

    ¹ A description of the 20 AI-PSM elements is provided in Appendix 12.


    HEMP is an integral element of the AI-PSM process and the HSE Case and provides a clear link between the two processes. Both the AI-PSM and HSE Case processes aim to identify, control and reduce risk levels to ALARP.

    4.3 Process Safety in Projects

    AI-PS requirements in projects, from project identification through to execution, are described in GU-648 Guide for Applying Process Safety in Projects [Ref.4].

    This guideline extracts all the relevant information from the existing ORP documentation that is necessary to meet the AI-PS requirements at handover. It also provides further clarity with regards to the assurance processes which underpin the project team's ability to demonstrate that AI-PS requirements are met at the end of every project phase.

    The main objective of this guideline is to explain the key AI-PS objectives and deliverables throughout the project phases that demonstrate the facility is fit for the safe introduction of process fluids and that systems, processes and procedures are in place so that AI-PS can be safeguarded in the subsequent operate phase.

    This will allow PDO to make the statement that "Our Asset is Safe and we know it" after each project phase.

    4.4 Critical Drawings

    Critical drawings are those drawings which are required to be maintained in order to support the implementation of critical tasks. Critical drawings are required to ensure that the risks from MAHs are ALARP.

    A list of critical drawings shall be made for each facility. All critical drawings shall be stored in an easily accessible database to reflect the current design and status of the asset (as-built status).

    This will ensure that all personnel have access to reliable and up to date information to allow accurate planning of work operations and activities, management of change and investigative activities (when an incident has occurred).

    Critical drawings include, but are not limited to:

    o PFS

    o PEFS

    o Cause and Effect matrix

    o Hazardous area classification

    o Area Layout

    o Site plan (sub-field layout)

    o Key plan and Plot plan

    o Escape routes

    o Safety equipment layout

    o Critical valve list (including locked open and locked closed valves)

    o Fire and Gas layouts.


    5 HEMP

    The hazards and effects management (HEMP) process identifies and assesses HSE hazards, implements control and recovery measures and maintains a documented demonstration that major HSE risks have been reduced to a level that is as low as reasonably practicable (ALARP).

    HEMP shall be applied to all activities over which PDO has operational control and shall cover the entire lifecycle of the asset or operation; from concept through to decommissioning and disposal. Work undertaken by a Contractor and under the Contractor's own management system shall have a requirement for an equivalent HEMP approach expressly stated in the contract.

    HEMP is fundamental to all analysis and assessment elements of the formal HSE activities, and is at the heart of the HSE management system used in PDO. The HEMP process comprises four basic steps:

    o Systematic identification of hazards, threats, unwanted events and their effects

    o Assessment of the risks against screening criteria, taking into account the likelihood of unwanted events and the potential severity of the consequences in terms of effects to people, assets, the environment and reputation of PDO

    o Implementation of suitable risk reduction measures to control or mitigate the hazard and its effects

    o Planning for recovery in the event of a loss of control leading to an unacceptable effect.

    The main objective of HEMP activities is to demonstrate that hazards (and associated risks) have been identified and where the hazard cannot be eliminated the risks are controlled to a level that is tolerable and as low as reasonably practicable (ALARP). The HEMP model is characterised by Figure 5-1.

    Figure 5-1: HEMP Model

    HEMP studies shall be performed by staff who are knowledgeable about the facility and operations and who are competent in the HEMP techniques necessary. The studies shall be planned and implemented in a timely manner to enable the results to be incorporated without incurring avoidable rework and costs. The studies should be documented such that key information and decisions made are transparent and available for future reference.

    Recommendations arising from HEMP studies shall be recorded in an appropriate action tracking system.

    [Figure 5-1 labels: Identify, Assess, Control, Recover; Risks Tolerability & ALARP; Document]


    5.1 Hazards and Effects Register

    Hazards and their effects on people, the environment, the assets and the reputation of PDO shall be systematically identified and listed for the full lifecycle of the asset and operations.

    The hazards are identified in a Hazard Identification (HAZID) meeting, and the outcome of this meeting is used to develop the Hazards and Effects Register.

    PDO use a checklist of potential hazards to populate the Hazards and Effects Register. It is recommended that a multi-disciplinary team facilitated by an experienced person go through the list of hazards and identify those relevant to the specific facility/asset/operation under consideration. Ideally the team should be made up of Management, Operations, HSE, Maintenance and Engineering Disciplines (Concept, Detailed Design as appropriate) personnel.

    The PDO Risk Assessment Matrix in Figure 2-1 shall be used to assess the hazards and their severity and frequency of occurrence. The experience of the team will be used to brainstorm hazards known to have been realised from previous experience, or to consider whether a hazard is credible and could occur within PDO operations. This is a subjective process and care must be taken not to over-complicate the process by thinking of multiple events, double jeopardy events or highly unlikely events.

    Examples of credible scenarios could include major leak from oil storage tank at MAF, leak at a Booster station on the main oil line, leak from offtake tanker hose, loss of containment from on-plot processing facilities, loss of containment of H2S (affecting both onsite personnel and the general public). Consequences from such incidents usually cover injury/fatalities, fires/explosions, environmental impact, loss of facility and negative impacts on reputation.

    For low and medium risk hazards, the controls for the hazards, i.e. permit to work, job safety assessment, operating procedures, competence assessments, tool box talks, etc., are discussed and then added to the Hazards and Effects Register.

    Hazards that have been assessed as being a severity 5 or high risk on the risk assessment matrix are then modelled further using bow-tie methodology as described in the next section.

    See Appendix 3 for the full checklist of potential hazards, and an example of a Hazard and Effects Register is provided in Appendix 4.


    6 BOW-TIES

    The Hazards and Effects Register documents that all hazards associated with the facility, and the control and mitigation measures for them, have been identified. Hazards that have been assessed as being a severity 5 or high risk on the risk assessment matrix (Figure 2-1) are then modelled further using bow-tie methodology.

    The Bow-Tie is a model that represents how a Hazard can be released, escalate, and how it is controlled. It contains the elements required to effectively manage the Hazard such that the risks are tolerable and ALARP. Bow-Ties can also be used to support risk management of non-HSE processes.

    For each severity 5 or high level hazard, the bow-tie methodology allows for:

    1. Identification of the hazard release, escalation and consequence scenarios

    2. Identification of controls, e.g. barriers and escalation factor controls required to manage the hazards

    3. Categorisation of controls into Inherent Safety, Safety Critical Element (hardware) or Critical activity (procedures, processes, operator action)

    4. A clear visual representation to enable the ALARP review to be undertaken

    5. An aid in the incident review process if such a major incident has occurred.

    The bow-tie is a model that represents how a hazard can be released, escalate and how it is controlled. Bow-Tie XP is the PDO preferred software tool.

    Figure 6-1: Generic bow-tie model


    Table 6-1: HEMP definitions and Bow-tie terminology

    ALARP: As Low As Reasonably Practicable (Risk) means that having reviewed all practical alternatives for Major Accident Hazard elimination, Threat Controls and Recovery Measures, further reduction in risk would involve disproportionate cost or resources for the risk reduction achieved.

    Barrier: Barriers prevent or reduce the probability of each Threat (left hand side of the bow-tie), limit the extent of, or provide immediate recovery from the Consequences (right hand side of the bow-tie). Barriers may be hardware, such as safety systems (e.g. F&G, ESD, etc.) or management systems and procedures.

    Consequence: Consequences in the bow-tie are a direct result of the Top Event occurring. Indirect consequences, if applicable, shall be modelled in a separate bow-tie. Can include potential consequences that have not been heard of in the industry.

    Escalation Factor: Factors that defeat, or reduce the effectiveness of a Barrier.

    Escalation Factor Control: Measures put into place to prevent or mitigate the effects of Escalation Factors.

    Hazard: Any situation with the potential for harm to people, environment, asset or reputation e.g. hydrocarbons under pressure, dropped load.

    HSE Critical Task: An HSE Critical Task develops, implements or maintains the effectiveness and integrity of a Barrier or Escalation Control Factor in Bow-Ties for Severity 5 or High Risk Hazards.

    HSE Critical Position: HSE Critical Positions are those that execute HSE Critical Tasks.

    Major Accident Hazards (MAH): Hazards that are classed as High Risk (Red) or severity 5 on the PDO Risk Assessment Matrix. This means any situation with the potential for major consequences (harm) to people, environment, asset and reputation if released.

    Recovery Measure: Any measure put in place to manage Consequences and assist recovery from a Top Event.

    Risk: The likelihood of a Top Event combined with the severity of the Consequences (The risk is from the Hazard to people, environment, asset and reputation).

    Threat: Any action or mechanism that could bring about the unplanned release of a hazard.

    Threat Control: Any measure put in place to prevent a Threat being successful.

    Tolerable Risk: Tolerable Risks are those that have been reduced to a level where they comply with the applicable laws and regulations, standards, strategic objectives and other agreed Tolerability Criteria.

    Top Event: The first thing that happens when a hazard is released. Individual bow-ties shall have a single Top Event.

    The role of a barrier on the bow-tie diagrams is to prevent (Left hand side of BT) or limit (Right hand side of BT) the consequence of a major incident. Barriers may be:


    1. Design (inherent) features, e.g. separation distances, reduction of process pressures, minimisation of leak sources, etc. (depicted blue on the bow-tie).

    2. Safety Critical Elements (hardware and logic software), e.g. Process Containment Systems, Pressure Relief Valves, ESD, Fire and Gas Detection, Escape & Evacuation Systems, Breathing Protection, etc. (depicted green on the bow-tie)

    3. Operational Safety Processes, e.g. valve lock out/tag out, breaking containment procedures, permit to work, etc. (depicted yellow on the bow-tie)

    4. Operational Intervention Tasks, e.g. Plant Monitoring, Alarm Response, Shutdown, etc. (depicted yellow on the bow-tie)

    Barriers shall be:

    1. Effective in preventing the Top Event or Consequence

    2. Able to prevent a specific Threat from releasing the Hazard

    3. Verifiable: how shall the effectiveness of the barrier be confirmed?

    4. Independent of other barriers in the same Threat line, e.g. no common mode failure.

    Hardware Barriers for Severity 5 or High Risk Hazards (HSE) shall be classified as HSE Critical Elements. Selection of these Barriers shall be in accordance with EP2009-9009 SCE Management Manual [Ref.10] and is further described in Section 7.

    Common barriers or escalation factor controls that appear frequently, e.g. those to do with Operator/Human Error, should be modelled using a separate bow-tie to manage the single Threat of Operator/Human Error.

    See Section 10, ALARP demonstration, for further information.


    7 SAFETY CRITICAL ELEMENTS

    A Safety Critical Element (SCE) is any item of hardware, system or logic software the failure of which could cause a Major Accident Hazard (MAH) or whose purpose is to prevent or mitigate the effects of a MAH. SCE groups are categorised according to Shell EP2009-9009 Safety Critical Element Management Manual [Ref. 10]. These groups or barriers (see section 7.1) contain the definitions of those items that may be classed as safety critical on any given facility.

    Safety Critical Elements shall be selected from these groups during the bow-tie development process. The bow-tie diagrams show the SCEs as barriers to the MAH. A deliverable of the Bow-Tie development process is a list of SCEs applicable to the facility. This list shall be further developed as part of a SCE identification process that defines the safety critical components of each SCE barrier.

    The role of a barrier on the bow-tie diagrams is to prevent or limit the consequence of a major incident. Barriers may be:

    1. Design (inherent) features, e.g. separation distances, reduction of process pressures, minimisation of leak sources, etc.

    2. Safety Critical Elements (hardware and logic software), e.g. Process Containment Systems, Pressure Relief Valves, ESD, Fire and Gas Detection, Escape & Evacuation Systems, Breathing Protection, etc.

    3. Operational Safety Processes, e.g. valve lock out/tag out, breaking containment procedures, permit to work, etc.

    4. Operational Intervention Tasks, e.g. Plant Monitoring, Alarm Response, Shutdown, etc.

    The SCE management manual [Ref. 10] describes the activities and processes for managing the critical hardware barriers (SCEs) that appear in the MAH bow-ties.

    7.1 SCE (Hardware) Barriers

    Each SCE is grouped under one of 8 hazard management barriers, as depicted in the Swiss Cheese Model (Figure 7-1). The hazard management barriers are as follows:

    o Structural Integrity

    o Process Containment

    o Ignition Control

    o Detection Systems

    o Protection Systems

    o Shutdown Systems

    o Emergency Response

    o Life Saving Equipment

    Each SCE belongs to one hazard management barrier. Generally, the Structural Integrity, Process Containment and Ignition Control SCEs, together with some aspects of the PSD/ESD system, reside on the left hand-side of the bow-tie top event. Failure of any of these barriers could cause or significantly contribute to a MAH. The remaining SCEs normally reside on the right hand-side of the bow-tie top event. These SCEs are provided to control or mitigate the effects of a MAH after it has occurred.


    Figure 7-1: SCE Hardware Barriers and SCE Groups

    The hardware barriers in Figure 7-1 are depicted with a number of small holes that represent an integrity failure either in design or operating performance. On their own, these failures may not be significant but, if the holes line up, there may be no effective barriers in place between safe operations and escalating consequences, leading to a major incident.

    For example, a loss of containment in a sweet gas facility would not normally be expected to cause fatalities unless it is ignited. An integrity failure in the process containment system combined with a failure in the ignition control system could cause an ignited event, i.e. a fire or explosion. If there are no personnel in the area then this in itself would not cause fatalities. However, if there are integrity failures in the fire and gas detection system then the event may not be detected and the process system not isolated and the event may have the potential to escalate to adjacent inventories. This would also be the case if an ESD Valve or Blowdown Valve failed to operate on demand. Finally, if adequate assembly points and EER systems such as emergency telecoms are not provided or are not suitable, then personnel may not be evacuated quickly enough and the process release would have the potential to cause fatalities. The example shows that a number of what on their own would sometimes be considered as minor failures have combined to produce a Major Accident causing fatalities.


    Figure 7-1 shows the importance of maintaining, monitoring and ensuring the integrity status of all hardware barriers, so that what might be considered to be relatively small faults in individual barriers do not combine together in an unforeseen manner that compromises the ability of the barriers to prevent or control a major incident.

    Note that it is not necessary for all barriers to fail to lead to a major incident. For example, failure of a single barrier such as process containment on a high sour facility may lead directly to a major incident.

    Each SCE is attached to a relevant discipline, which is designated as the owner of the associated Performance Standard.

    7.2 SCE Selection

    SCEs should be colour coded green on the Bow-tie and the specific SCE category denoted beneath the barrier that appears in the Bow-tie.

    The process for selection of SCEs starts with a review of the generic list of SCEs provided in the SCE Management Manual [Ref. 10] to identify those SCEs that are applicable to the facilities, for each of the identified Major Hazards. The list of selected SCEs shall be reviewed and agreed by the relevant discipline engineers during the define phase.

    Figure 7-2 depicts the process for the selection of SCEs.

    The HSE Case shall contain a list of the SCEs identified in the bow-tie diagrams as per the table provided in Appendix 5.

    The HSE Case shall contain a table showing each SCE against the MAH bow-ties where they appear as hardware barriers, and an example is shown for the SCE group Process Containment in Appendix 6.

    [Figure 7-2 flowchart, text recovered from the figure: starting from the Generic List of SCEs (EP9009-2009), each element is screened through Yes/No decision boxes reading "Is the purpose of this element to prevent a …", "Could failure of this element cause a MAH?", "Could failure of this element contribute substantially to a …" and "Is the purpose of this element to limit the effects …". The outcomes are "This item is a Safety Critical Element." and "This item is not a Safety Critical …".]

    Figure 7-2: Selection Process for Safety Critical Elements

    7.3 Performance Standards

    A Performance Standard is a statement, which can be expressed in qualitative or quantitative terms, of the functional performance required of a SCE, and which is used as the basis for managing the risk from the Major Hazards. Defining and ensuring compliance with suitable Performance Standards provides assurance that the SCE is and will remain a barrier to the identified MAH.

    Generally, the SCEs and Performance Standards follow a one-to-one relationship where each SCE has its own Performance Standard.

    Performance Standards are used as the basis for design and technical (operational) integrity verification and are expressed in terms of functionality, availability, reliability, survivability and dependencies/interactions with other SCEs.

    Functionality

    Functionality is an expression used to define what the system or equipment is required to achieve in order to ensure design integrity.

    Reliability and Availability

    Reliability is defined as the required probability that the system or equipment will operate on demand, when required.

    Availability is defined as the extent to which the system or equipment is required in order to retain its functional integrity.

    Survivability

    Survivability defines the external loading events such as fires, explosions or extreme weather, associated with the various MAHs, against which the system or equipment is required to retain its functional integrity.

    Dependencies and Interactions

    This is used to identify other systems or equipment that are critical to the functionality of the primary system or equipment. By identifying these dependencies and interactions it is ensured that all interfaces have been covered.

    There are two types of Performance Standards:

    Design Performance Standards. Design Performance Standards must be developed during the Define phase. They shall provide a list of key functional criteria with which the SCE must comply during the design. In practice the content of the performance standards will be largely taken from the design and engineering standards that apply to the item or SCE. However, other information may be taken from the basis for design, the design philosophies, or the results of workshops and HEMP Studies such as HAZID/HAZOP, Design Review, Layout Reviews, Fire & Explosion Analysis, QRA, IPF, SAFOP, etc.

    The Design Performance Standards will mature further during the execute phase and will check that the SCEs have been constructed as designed. The existing QA/QC procedures and practices should be used to support the Design Performance Standards. The design must take into account operational demands so that suitability can be ensured into the operate phase.

    The Design Performance Standards will evolve into Operate phase Performance Standards at the end of the execute phase before handover.

    Operations Performance Standards. The Operate phase Performance Standards for SCEs should evolve from the Design Performance Standards. These Performance Standards are formatted to comply with the requirements of SAP-PM and SAP-QM in terms of minimum assurance tasks, assurance measures, assurance value and units of measure for the correct allocation to the appropriate level in the asset hierarchy.

    Examples of the two types of Performance Standard are provided in Appendix 7 and Appendix 8, respectively.

    7.3.1 Performance Standard Approval

    Each performance standard is allocated an owner. The owner is responsible for ensuring that the content of the performance standard is appropriate and achievable. The performance standard owner is normally the CFDH for the items covered by the SCE. However, the CFDH may delegate the review and approval of their performance standards to the relevant TA2.

    8 HSE CRITICAL TASKS

    An HSE Critical Task is one that is in place to develop, implement or maintain the effectiveness and integrity of a Barrier, Escalation Factor Control or Recovery Measure Control in the MAH bow-ties.

    HSE Critical Positions are those that execute HSE critical tasks.

    The minimum information required for an HSE critical task shall be:

    The description and purpose of the HSE critical task required

    The person (position and reference indicator) responsible for performing each task

    Reference to supporting documentation, e.g. work instructions, SAP, procedure, etc.

    The method and criteria to verify that the task is performed as required to maintain barrier effectiveness.

    HSE critical tasks should be developed to the level of the party responsible for ensuring that tasks are completed on time and to the required standard, e.g. Managers, Supervisors and Specialists, i.e. the position responsible for ensuring that the task is done and not the person who is actually undertaking the work.

    Bow-tie XP software enables the HSE critical tasks to be linked to the relevant barriers.

    Inspections and preventative maintenance activities for hardware SCEs are implemented via the Maintenance Management System, i.e. SAP. The task information is contained within the task description in SAP for all SCE barriers and is NOT listed as an HSE critical task, and is considered part of the hardware barrier itself. This applies, for example, to maintenance and calibration of a gas detector.

    Implementation tables shall be developed for each HSE Critical Position. The implementation tables describe each HSE Critical Task, its supporting business controls and the business records required to verify that the task is being adequately executed. The implementation tables also provide a link to relevant barriers (HSE Critical Activities) and hazards on the Bow-Tie diagrams.

    See Appendix 9 for an example extract from an Implementation table. Communication of HSE Critical tasks to affected people in affected positions is the responsibility of the HSE Case Custodian.

    9 MATRIX OF PERMITTED OPERATIONS (MOPO)

    A matrix of permitted operations (MOPO) is an information tool to assist Supervisors and Line Managers during the planning and coordination of operations and activities by providing useful information on:

    The operation or activity operating envelope and safe operating limits.

    Action(s) to take if/when certain situations arise that could compromise safe operations.

    The MOPO is a set of matrices that maps operational activities against foreseeable situations that, if or when they arise, could compromise safe operating limits. These situations are identified from:

    The Threats and Escalation Factors identified as part of the Bow-tie assessments for severity 5 and high risk hazards.

    An assessment of other operations and activities that could contribute to the escalation of an incident, e.g. continuing with hot work when fire pumps (a safety critical element (SCE)) are unavailable.

    Circumstances that could compromise safe operations are grouped into three categories:

    Simultaneous operations (SIMOPs), where large work parties under different management structures carry out work which results in hazards that may impact the other, e.g. removal or overhaul of equipment and/or production and/or construction and/or drilling in the same area (MOPO entitled SIMOPs MOPO)

    External influences, e.g. extreme weather, visibility, security issues (MOPO entitled Adverse Weather MOPO)

    Inactive safeguards, i.e. SCE unavailability or impairment, e.g. ESD systems, firefighting systems (MOPO entitled SCE Impairment MOPO).

    The MOPOs shall identify and differentiate between stop (red) conditions, i.e. operation NOT permitted, and proceed with caution (amber) conditions, i.e. continue following appropriate risk assessment and provide additional controls where necessary. All other activities in the MOPO that do not require further assessment or controls are denoted safe to proceed (green).

    For developing a new MOPO or reviewing and updating an existing MOPO, refer to Appendix 10.

    9.1 Using the MOPO

    Copies of the MOPO shall be readily available in a suitable format (poster size, laminated, etc.) and displayed in the control room and other operational and job planning/coordination areas.

    The MOPO shall be referred to during both routine work planning and coordination and in responding to unforeseen conditions.

    9.2 Deviations from the MOPO

    In the event of a situation arising where the preferred option is contrary to that given in the MOPO, this shall be assessed and approved by the Delivery Team Leader and relevant discipline authority as defined in DCAF. In the event of a SCE being impacted, relevant discipline authorities shall also be consulted using the FSR process.

    10 ALARP DEMONSTRATION

    10.1 ALARP Definition

    ALARP (As Low As Reasonably Practicable) allows a proportional level of effort to be put into risk reduction once the initial level of risk has been assessed for a particular operation or process. The ALARP principle is used to determine whether risks are broadly acceptable, tolerable or intolerable via comparison against company risk criteria.

    The use of the ALARP principle requires judgement to determine whether or not risk levels are as low as reasonably practicable. ALARP can be demonstrated when the sacrifice (cost, time, effort) required to reduce the risk any further would be disproportionate to the risk reduction potentially achieved (the benefit). The term sacrifice relates to the time, effort and/or cost of the complete implementation and future maintenance and operation of the particular risk reduction measure in question. Benefit relates to the level of risk reduction offered by a risk reduction measure. Reasonably practicable is the balance between the sacrifice and benefit of implementing the risk reduction measure, or suite of measures.

    ALARP justification also requires demonstration that all risk reduction measures assessed as reasonably practicable have been implemented. The use of "reasonably practicable" applies a goal-setting approach to risk reduction rather than a prescriptive one. This is a standard approach for all high risk industries including the oil and gas industry.

    ALARP demonstration can be based on a comparison of the suite of barriers and control measures that are in place, versus those expected to be seen in equivalent assets or industries. This represents good practice and can be identified as standards for controlling risk that have been judged and recognised as satisfying a particular set of laws or regulations. In the absence of a developed regulatory system, company standards, corporate global standards, best engineering practice and engineering judgement may be used as a basis for comparison.

    For ALARP to be demonstrated, all hazards and risks must have been identified as far as practicable and assessed against the PDO Risk Assessment Matrix (RAM) (Figure 2-1) and as described in Section 5. This provides a prioritised listing of hazards. As a minimum, all Major Accident Hazards (High Risk and Severity 5 hazards) shall be subjected to Bow-Tie analysis as described in Section 6. This is a qualitative approach to demonstrating ALARP using the engineering, process, Process Safety and HSE knowledge and experience of the selected workshop group.

    In addition to this approach, ALARP demonstration can employ a combination of qualitative and quantitative techniques dependent on the novelty, complexity and type of process or project under assessment. The HSE Cases are assessed in line with the Framework for risk related decision support in PDO as shown in Figure 2-1, and the level of risk assessment performed is proportional to the level of risk associated with the process or project.

    Refer also to GU-648 Guide for Applying Process Safety in Projects [Ref. 4] and CP-117 Project Engineering Code of Practice [Ref. 6] for further description of ALARP requirements.

    10.2 How to Undertake an ALARP Assessment

    10.2.1 Principles of Hazard Management

    The hazard management hierarchy as shown in Figure 10-1 is used to manage HSE risks and shall be referenced when demonstrating ALARP.

    Nevertheless, all hazard management controls should be considered at each stage of the development.

    Figure 10-1: Hazard Management Hierarchy

    The strategy selected for managing a hazard will differ depending on the project phase, and this principle shall form part of the evaluation when making ALARP demonstrations.

    As the opportunity for influencing the facility design is greatest during early design phases, the focus shall be on elimination or substitution of the hazards. This typically applies to Identify & Assess and Select phases of the ORP process.

    As the project matures into Define and Execute, there is less opportunity to apply elimination or substitution and hence the predominant hazard management controls consist of isolation/separation and engineering solutions that can be put in place.

    Once a facility becomes operational, the hazard management will largely focus on the organizational and procedural controls. PPE is generally regarded as the last principle of hazard management and therefore also the least effective.

    10.2.2 Good Engineering Practice

    In most situations, deciding whether HSE risks have been reduced to ALARP involves a comparison between the control measures a project is proposing and the measures PDO would normally expect to see in such circumstances, i.e. the requirements of relevant good practice captured in Company specifications and procedures listed in GU-611.

    [Figure 10-1 content, recovered from the figure. The hierarchy runs from MOST EFFECTIVE to LEAST EFFECTIVE:]

    Eliminate: Eliminate the hazard

    Substitute: Use processes or methods with lower risk impact

    Isolation / Separation: Segregate hazards and/or targets

    Engineered Safeguards: PREVENTION (design to prevent an unwanted event); RECOVERY (design to mitigate harmful consequences)

    Organisational Controls: Training, Competency, Communication

    Procedural Controls: Operating procedures, Work instructions, Permits, Maintenance regimes, Emergency Response procedures

    Personal Protective Equipment: Protect the person

    [The figure also carries the annotation "Not assessed in quantitative terms".]

    The scope for eliminating hazards and threats and reducing the scale of consequences is greatest at the beginning of the project and progressively reduces as the project develops. In part this is because the cost and difficulty of delivering a given risk reduction solution increases as the project develops. ALARP demonstrations must be robust for each of the HSE Cases as per Figure 3-1.

    CP-122 Health, Safety and Environment Mgmt System CoP describes application of the AI-PSM process from CCPS RBPS within PDO to demonstrate compliance to good engineering practice and to ensure that risk levels are ALARP. This is done by demonstrating compliance against the 20 Process Elements shown in Appendix 12.

    10.2.3 Good Engineering Principles

    Company specifications and engineering standards should be followed unless there is sound justification, and consideration should then be given to whether there is any more that can be done to reduce the risk. If there is more that can be done, these further measures need to be assessed by comparing the risk reduction with the cost and effort involved in further reducing it.

    Simply following standards does not in itself demonstrate ALARP, particularly for more complex or novel projects, where additional considerations shall be made.

    10.2.4 HEMP Studies

    HEMP studies undertaken during the select, define, execute and/or operate phases of the development are used to assess risk levels and identify any further risk reduction measures.

    Applicable HEMP studies for each project phase are defined in DCAF.

    10.2.5 ALARP Review

    In assessing the risks associated with the Design or Operations HSE Case hazards, a qualitative review of the Bow-ties shall be undertaken. The review shall be led by an experienced facilitator and the review team shall be comprised of experienced staff from the following areas of expertise:

    o Engineering

    o Process

    o HSE

    o Maintenance

    o Operations

    o Management

    o Asset stakeholders.

    Each of the threat lines in the bow-ties shall be reviewed in turn and the discussion should cover questions such as:

    o Does industry best practice state what should be done or make any recommendations?

    o Can a benchmark exercise be undertaken against other operators and similar controls implemented?

    o Where are the gaps/shortfalls and what action needs to be taken to address these gaps/shortfalls? See Section 11.2.

    o Is there sufficient quantity and quality of barriers?

    o Is there anything else that can be done to further reduce the risk?

    Both barrier effectiveness and the number of barriers contribute to the overall effectiveness of control, although in general, the effectiveness of individual barriers is more critical.

    The number, independence and reliability of the control and recovery measures shall be commensurate with the risk.

    By approaching the bow-tie review in this systematic fashion, the barriers can be challenged in terms of completeness and adequacy and gaps identified and addressed so that the review team is satisfied that the risks are reduced to ALARP.

    The HSE Case process enables an ALARP argument to be formulated although, in isolation, a complete ALARP argument cannot be made. The claims made against the numbers, quality, performance and location of the barriers must also be verified. This verification of the safeguards (both hardware and procedural controls) is performed via AI-PSM audit and the TR-MIE and TI-HBV processes. These processes substantiate the claims made within the Bow-Ties and MOPO in terms of barrier integrity and performance.

    10.3 Assessment of Complex Decisions

    Demonstrating ALARP shall involve consideration of fundamentally different options to provide assurance that the Company gets the best value for money over the lifetime of the facility. The assessment of fundamentally different options normally takes place in the identify, assess and select phases.

    Assessment of complex decisions requires consideration of all the hard and soft issues related to a range of options and should reflect a decision taken at the right level in the organisation with full knowledge of all the options and their associated risks and costs.

    The following structure is recommended for documenting ALARP demonstration for complex project decisions:

    1. IDENTIFY

    a. Problem Definition

    b. HSE Issues and Potential Risk

    c. HSE Standard & Tolerability Criteria

    2. ASSESS

    a. Options Considered

    b. Basis for Selection and Uncertainties

    c. Justification for Chosen Option

    3. CONTROL & EVALUATION

    a. Residual HSE Risks

    b. Recommendation for Next Project Phase

    c. Requirements for the Operations HSE Plan/Case

    The ALARP demonstration for such decisions shall be signed by the person developing the demonstration as well as relevant discipline Technical Authorities.

    11 OPERATE PHASE CONTINUOUS IMPROVEMENT

    11.1 Drivers for Improvement

    Key Performance Indicators (KPIs) have been established for the AI-PSM programme within PDO. AI-PSM KPIs consist of:

    o A set of KPIs defined by Operational and Functional Leadership, collected on a uniform basis at all assets (Corporate KPIs).

    o Any additional asset-specific KP