steps for implementing a safety case regime final

Upload: donho2

Post on 14-Oct-2015

DESCRIPTION

Lessons on implementing the safety case regime

TRANSCRIPT

  • Steps for implementing a Safety Case Regime

    Final

    Prepared for the

    US Chemical Safety and Hazard Investigation Board

    John Clegg, Inaugural CEO of the Australian National Offshore Petroleum Safety Authority

    Graham Dalzell, Internationally recognized specialist in offshore fire and explosion hazards, risk management, and design safety

    17 January 2014

    CONTENTS

    Introduction

    Background

    The case for change

    The characteristics of an effective and efficient duty of care health and safety regime incorporating a safety case

    Some impediments to changing from a prescriptive to a duty of care regime

    Steps for implementing a duty of care regime incorporating a safety case/report

    Justification for implementing a duty of care regime incorporating a safety case/report

    Annex A: Principles of permissioning

    Annex B: Hazard and risk understanding and responsibilities

    Annex C: Risk based decision making framework

    Introduction

    The purpose of this paper is to set out the step-by-step process for implementing a safety case regime. The paper provides an explicit explanation for how such a regime was developed and implemented in both the UK and Australia. It provides detailed information concerning the actual transition steps taken by both countries, including but not limited to strategies used by the regulator/government to achieve industry compliance with the new regime's requirements, as well as how decisions were made concerning staff and resource requirements for regime implementation and successful full operation.

    Background

    Health and safety law is characterised by prescription, duty of care, or, more usually, a combination of both. Regimes generally are moving towards requirements incorporating a duty of care in which the duty holder has to produce a safety document which is submitted to the regulator. If the regulator is required to make an acceptance decision, this becomes a permissioning regime.

    Prescription

    Health and safety law is based traditionally on mainly prescriptive requirements. The government, in consultation with the industry, drafts the detailed safety requirements; the duty holder installs plant, systems and processes as directed by the law; and the regulator checks compliance with the law through inspection. Although prescription has its strengths, it also has potentially serious weaknesses:

    Regulations are often drafted to deal directly with issues resulting from individual incidents and hence tend to prescribe detailed, mainly technical, solutions to address specific failings. They generally do not deal comprehensively or holistically with all matters, especially management issues, for example failing to allocate responsibilities in a meaningful way through the company.

    Regulations quickly become out of date as technology and management systems develop and improve. Consequently a hotch-potch of dated regulations can proliferate.

    Regulation is frequently supported by detailed technical guidance, sometimes produced by the regulator, which the duty holder and regulator frequently interpret and apply as though it were the law, resulting in even more prescription.

    The duty holder may install prescribed protection systems without necessarily fully understanding the hazards and risks at the facility and the benefit or otherwise of the systems.

    The regulator may apply a check list approach to inspection without in-depth questioning of the duty holder's understanding of his overall management of health and safety on the facility.

    The regulator may not have the competencies or the time to properly understand the intent, impact and limitations of the regulations or the manner in which the duty holder complies with those regulations.

    Compliance solely with prescriptive regulation can instil an unwarranted feeling of comfort and security in stakeholders.

    Duty of Care

    In a duty of care regime the Government sets the goals in legislation and regulation, the duty holder responds by setting out how he intends to meet those goals to ensure effective management of the safe operation of the facility, and the regulator provides informed challenge to the duty holder's claims.

    The Government through legislation and regulation:

    Sets the health and safety goals for the duty holder to meet.

    Establishes an independent and competent regulator.

    Puts in place the funding arrangements for the regulator.

    The duty holder undertakes the following steps:

    Undertakes a systematic analysis of the hazards and risks and puts in place management and hardware systems to eliminate, minimise, prevent, control and mitigate the hazards and risks so that the risks are reduced to as low as reasonably practicable.

    Puts in place appropriate emergency response procedures.

    Uses appropriate and proportionate hazard and risk analysis, standards and guidance to inform the process.

    Involves the workforce in a meaningful way in the process.

    Documents the process; this document is sometimes known as a safety case or safety report.

    The role of the regulator is to:

    Challenge the claims made by the duty holder, both management and hardware, in the document through assessment

    Verify effectiveness of implementation through inspection and audit of the facility and through investigation.

    Have the necessary independence, authority and competence to challenge, inspect, audit and enforce

    Challenge means an intelligent and thorough questioning of the claims made in the safety case in order to establish the veracity of the arguments. This dialogue makes the Duty Holder justify the approach he has taken and helps the regulator understand the basis of the case for safety. If done properly, it establishes a professional respect between regulator, Duty Holder and workforce. Furthermore, the information gleaned through this ongoing process provides a sound basis for future inspection of the facilities. It follows that for the challenge and ensuing dialogue to be effective, the regulator needs skills in process safety, management systems and influencing which are way above those needed in regulating a prescriptive regime. Importantly, it will quickly establish the ownership of the document, i.e. how much the Duty Holder has subcontracted the preparation of the various elements of the safety case and how much the workforce has been involved. By adopting this regulatory approach the whole industry will quickly realize that the regulator is competent, is taking the safety case seriously, and will be using the safety case in the future to hold them to account. This, coupled with strong regulatory levers, e.g. non-acceptance or withdrawal of a safety case, will quickly improve standards within the industry. In Australia it took about 18 months of quite robust activity to reach this stage. The Government, in particular Ministers, and the governance board need to be aware of and support this approach as they are likely to receive significant lobbying from the industry!

    This regime places major obligations on both the duty holder and the regulator.

    Combination of Duty of Care and Prescription:

    It was thought the introduction of duty of care regimes would replace detailed prescriptive requirements with goals to be obtained, thus promoting continuous improvement. However, the reality is they are often introduced in addition to existing prescription resulting in overly extensive, complex, and sometimes overlapping law.

    Reviews of this hybrid form of legislation usually recommend some stripping out of this detail. This need to prescribe good practice can then be dealt with by moving much of the prescription out of regulation and into standards, codes and guidance that can then be referenced in the safety document. Once referenced it is a legal requirement for the duty holder to comply. Some prescription such as occupational health exposures/limits may well need to remain in regulation.

    These combined or hybrid frameworks are common and can be tailored to suit the culture of the Government and the industry.

    Some Persuasive Incident History

    There was a landmark ruling regarding health and safety in the UK in 1974. In order to address the failings of prescription and in response to the poor health and safety record in the UK industry, Lord Robens reviewed the overall health and safety regime. This resulted in the introduction of the Health and Safety at Work Act 1974 and the formation of the Health and Safety Executive and Commission. In particular, Robens identified:

    Apathy to the scale of the problem and the rate of change in technology and society and

    Too much reliance on State regulation and too little personal responsibility. He stated there was simply too much law and went on to assert that apathy will not be cured so long as people are encouraged to think that health and safety at work can be cured by an ever expanding body of legal regulations enforced by an ever expanding body of Inspectors.

    Lord Robens was very clear that regulatory law needed to be concerned with influencing attitudes and creating a framework for action by industry itself.

    The 1974 Act replaced a disjointed, non-comprehensive, multiplicity of regulations and standards with a visionary goal setting approach to regulation which has stood the test of time. The key principles of the Act are:

    The need to recognise the pace of change in technology, in business and in society. To do away with rigid, specific old fashioned prescriptive solutions.

    And to replace it with a broader more generic goal setting, duty of care, approach based on the overriding principle that those who create the risk are best placed to manage it.

    This systematic approach helps ensure:

    A reduction in numbers of people being harmed by work

    A major reduction in cost to business and society of these losses and incidents and

    A significant potential improvement in motivation and productivity

    Apart from the human suffering resulting from accidents at work, the financial cost and loss of reputation to business can be significant. In the UK costs are around 2 to 3 billion pounds a year.

    The fundamental significance of the duty of care regime with its emphasis on goal setting, including process and safety management systems, often incorporating the requirement for a safety case, is such that over the years it has been adopted by many countries, sometimes as the result of major accidents. Some accidents and regime improvements worthy of note are:

    1976: highly toxic chemical release at Seveso in Italy following a runaway chemical reaction. Hundreds of people were affected; thousands of animals died and tens of thousands had to be slaughtered. In 1982 the first EU Directive, followed by a second, so-called Seveso II Directive, introduced a duty of care regime at thousands of major hazard chemical sites across Europe.

    1988: an explosion and fire at the Piper Alpha offshore petroleum installation in the UK sector of the North Sea killed 167 workers and resulted in total loss of the facility. Safety case regime introduced offshore, regulatory prescription was done away with and the health and safety regulator was moved from the Dept. of Energy to the Health and Safety Executive and considerably strengthened, both in competence and numbers.

    1994: gas release during gas freeing operations on the BHP Griffin Venture Floating Production, Storage and Offloading (FPSO) facility. Review (1996) by Tony Barrell ex OSD HSE. Part 1 of the review looked at BHPP's safety management arrangements including the preparation and current status of the safety case. Part 2 looked at the interaction between the regulators and between themselves and operators and the capacity of all parties to implement their roles. It also examined the adequacy of the regulatory provisions relating to safety administration recognising the transitional stage of the legislative framework (move to a safety case regime).

    1998: explosion at a natural gas plant at the Esso facility at Longford, Victoria, Australia killed 2 workers, injured 8 and severely affected gas supplies to the state for 2 weeks. A Royal Commission was called and Victoria introduced the Major Hazard Facilities Regulations requiring a safety case regime at sites containing major chemical hazards; the competence and strength of the regulator were also improved.

    1999: The Australian Government commissioned a review of the offshore petroleum safety case regime which was administered by the States on behalf of the Government. The review, undertaken by the Norwegian regulator, suggested a simplification and strengthening of the regime and, importantly, the establishment of a single statutory authority (National Offshore Petroleum Safety Authority, NOPSA) to regulate all the offshore petroleum industry. The regulator was set up on best practice principles. This followed the review by Tony Barrell mentioned above.

    2005: poor safety performance in the mining industry caused the Western Australian government to seek independent advice on best practice safety regulation for the mining industry in that State. Amongst other things the report suggested a safety case regime be adopted.

    In Australia, as a result of continuing high accident rates, the Conference of the Chief Inspectors of Mines produced a National Mine Safety Framework Implementation Plan. The plan specified that the key features of mining legislation must be based on a duty of care incorporating safety management systems.

    2005: The BP Texas City refinery experienced a catastrophic process accident. It was one of the most serious US workplace disasters of the past 2 decades, resulting in 15 deaths and more than 170 injuries. BP were fined $50 million and set aside a $700 million compensation fund. A subsequent report by James Baker called on BP to give process safety the same priority as BP had historically given to personal safety and environmental performance. The panel made 10 recommendations for improving BP's process safety leadership, systems, expertise and oversight of process safety performance. The US Chemical Safety Board commented that the report is an opportunity for review and reform on a worldwide scale. It has also commented that corporate leadership at the highest level is accountable for the safety operation of facilities that use chemicals, and the safety culture is created at the top, when it fails there it fails workers far down the line.

    The Case for Change

    Reviews of health and safety legislation, generally following a major hazard accident, often identify that:

    There is too much legislation, boundaries are unclear, there is overlap in legislation and application is inconsistent.

    Industry operates in a compliance culture where there is minimal involvement of the workforce and there is little incentive to move beyond regulation to seek continuous improvement.

    Regulators lack regulatory skills, capacity, and consistency and do not have a clear view of their role.

    Government does not have sufficient resources, technical expertise, credibility or authority to drive the necessary changes.

    The move to a goal setting duty of care regime provides the opportunity to address these and other related issues.

    It is worth noting that concerns are often raised that in moving to such a regime all prescription is lost. However, this need not be the case. As previously explained, the prescription that resides in regulations may be moved to national and international standards, codes and guidance and company standards. These can then be called up in the safety case. Once it is referenced in the safety case it must be complied with. This improves the flexibility and longevity of the legislation; technical standards can also be updated more quickly than regulation to reflect technical developments. Furthermore, national and international standards will generally reflect worldwide learning and best practice.

    The safety case regime becomes more effective and robust if there is a requirement for the duty holder to submit the case to the regulator for assessment and an acceptance decision. The roles and responsibilities of the various players are outlined in Annex A.

    The role of the industry

    There are some views that a safety case is very resource intensive to prepare and maintain and is a sledge hammer to crack a nut. However, a safety case must be fit for purpose. A large, complex business may therefore require a large, complex safety case but a small business with limited hazards and risks will require only a relatively small document.

    The very important aspect, often over-looked, is that the safety case regime is not just about producing a document. It is in fact a process required by law in which the duty holder has to fully understand his business and the key elements in its safe operation. In doing so he must involve the workforce to ensure the safety case reflects reality. The safety case is a way of documenting this understanding and assuring himself and his workforce that he has done all he reasonably can do and continue to do to ensure the safety of his operation. It is also a very effective communication tool for engaging all stakeholders from Government and regulator through to the public.

    Fully understanding the various and interlinked elements of hazard and risk, the effectiveness of prevention, detection, control, mitigation and evacuation and escape systems, the maintenance and management of the systems, and the role of people within these systems and processes can be challenging (Annex B). Understanding and demonstrating safety at complex plant will involve numerous discipline engineers and the use of sophisticated and rigorous techniques. The duty holder must understand the risk levels, the underlying risk drivers, risk patterns, hazards, hazard characteristics and the way in which they are all managed. However at simple plant little more than understanding and documenting existing arrangements may suffice.

    The duty holder must demonstrate the risks are reduced to as low as reasonably practicable (ALARP) by following a rigorous process of hazard identification and risk minimisation using an appropriate mix of decision making tools.

    Having identified the hazards and risks the process should follow a hierarchy of:

    Elimination, minimisation, prevention, detection, control, mitigation and emergency response.

    The design of each of those elements should, in preferred order, be based on:

    Passive, active, operational and finally external systems

    Each system should have clearly stated, meaningful and measurable performance standards

    In deciding the mix of these elements, certain decision making tools can be used. These are in ascending order of risk and uncertainty:

    Codes and standards, good practice, engineering judgement, qualitative risk assessment, quantitative risk assessment (QRA), company values, and societal values (Annex C).

    The role of the regulator

    If there is a requirement to submit the safety case to the regulator then the regulator will, through assessment, provide a degree of assurance that the content of the safety case complies with the requirements of the law. The regulator will then use the safety case to inform later inspection, audit and enforcement.

    In order to undertake these tasks the regulator needs skills far in excess of those required under prescriptive regimes. It cannot be over-emphasised that sound regulatory oversight is required to ensure companies are effective in implementing duty of care regimes. A regulator that is weak, under resourced, incompetent and captured, and doesn't have and use a full range of sanctions, will seriously undermine the regime.

    Provided there is a requirement for the regulator to accept or reject a safety case submission then it becomes a form of licensing (permissioning). Once the submission is accepted, the duty holder is required by law to comply with all aspects of the safety case, throughout the lifecycle of the facility, including hazard identification, risk assessment and risk control, and the means for ensuring the adequacy of the design, construction, installation, operation, maintenance, modification and decommissioning of the facility. Through its safety management system it also deals with occupational health and safety as well as major accident events.

    In order to undertake this assurance work the regulator must be independent, competent and well financed. The regulator must be able to make judgements regarding the leadership and management capability of the company, the systems and procedures, the plant and process, and the competence and training of the workforce. The inspectors must have well developed auditing skills, must understand the law and be able and willing to influence at all levels of the company, including taking enforcement action as necessary. The regulator itself must have systems and procedures in place to ensure high standards and consistency. Importantly, to be a good influencer, the regulator must have the respect of the industry and the workforce. It is therefore essential that the inspector has good interpersonal, management and engineering skills, preferably obtained in a related industry. This role of the regulator in applying checks and balances is why, after major accidents, the spotlight always falls on the regulator to ensure it has been applying the necessary skills and resources in an effective manner.

    Experience has shown that to implement a modern goal setting duty of care health and safety regime the Government, regulator, industry and workforce must be fully committed and remain committed to the process.

    The characteristics of an effective and efficient duty of care health and safety regime incorporating a safety case

    If the safety case regime is to be a meaningful exercise, it is vital that it reflects the experience, knowledge and opinions of all those affected by the operation including Government, regulator and industry.

    Some of the main elements of an effective and efficient duty of care regime incorporating a safety case are:

    Government:

    The Government actively maintains and supports the process by proposing new or updated laws and standards, providing information and advice, and making adequate arrangements for the enforcement of health and safety in relation to specific work activities. In particular:

    Encourages cross party and Tripartite agreement

    Resources and maintains the policy section, reviewing, updating and revoking legislation and regulation in a timely manner

    Oversees the good governance of the regulator including the board

    Receives and comments on the strategic and annual plans of the regulator and its board

    Receives and comments on the annual reports of the regulator and its board

    Arranges for periodic independent reviews of the performance of the regulator

    Attends the annual review the regulator conducts with duty holders

    Attends annual industry health and safety conferences

    The Regulator

    The regulator influences the industry to commit to and fully implement the requirements of the safety case regime, using the complete range of legislated powers. In doing so, the regulator can promote the use of structured risk and hazard management or he can undermine it. The open communication and discussion of dangers, hazards and risks must not be inadvertently suppressed by regulation or the fear of litigation. The enforcing authorities have a range of tools at their disposal in seeking to secure compliance with the law and to ensure a proportionate response to criminal offences. Inspectors may offer operators information and advice, both face to face and in writing. This may include warning operators that in the opinion of the inspector, they are failing to comply with the law. Where appropriate, inspectors may also serve improvement and prohibition notices, make non acceptance decisions on safety cases, withdraw safety cases/approvals, vary licence conditions or exemptions, and issue simple cautions. Withdrawal of a safety case or issue of a prohibition notice stops work in order to prevent serious personal injury. Information on these activities is made publicly available. Another powerful tool is the collection and dissemination of industry performance data, enabling comparisons between installations and companies, and providing trend analysis and targeting of resources. The regulator may also initiate or take part in research in order to fill information gaps. In discharging these responsibilities the regulator is:

    Independent, competent in managerial, technical and regulatory matters, adequately staffed, and well funded.

    Open, honest, transparent, and accessible

    Proportionate in response to any risks to health and safety or seriousness of any breach of the law

    Targeted on those whose activities give rise to the most serious risks and that action is focused on the duty holders who are responsible for the risk and who are best placed to control it whether employers, manufacturers, suppliers or others

    Consistent in his approach to all duty holders and to the management of hazards and risks

    Transparent in his dealings with stakeholders, explaining his actions, the implications, and the actions to take to seek compliance. Distinguishing between statutory requirements and advice, or guidance about what is desirable but not compulsory

    Accountable to the public for their actions, having policies and standards against which they can be judged, and an effective and easily accessible mechanism for dealing with comments and handling complaints

    The Industry

    The industry provides the necessary leadership, resources and encouragement to ensure a company culture conducive to good health and safety performance in which the safety management system can function effectively. In particular recognising:

    The understanding of hazards; cause, severity, and consequence, is the most powerful means of reducing risk. Engineers and corporate organisations have an underlying ethos which delivers this knowledge, links it to management systems, and regards it as essential for the safe design and operation of any facility.

    Risk assessments distil and deliver appropriate information to each part and level of an organisation; from delivering the overall risk and underlying risk drivers to the directors; to delivering specific performance requirements for procedures and plant to the individual at the workplace. This is used to define responsibilities at every level

    Risk assessments are not a one-off specialist activity. They are owned by those responsible for the risks, undertaken in conjunction with those faced with them and are a living process which is at the forefront of daily and strategic activity

    Everyone responsible for risk and hazard is able to apply a structured approach to risk assessment without reference to specialised techniques such as QRA. These are there to support the development of a complete picture but do not determine the content or how it is painted

    The safety case is developed and owned by the employer in conjunction with the workforce, is accessible to all and is used on a daily basis for the safe operation of the plant

    The recording of all relevant accident, dangerous occurrence and precursor events to monitor and report health and safety performance. This information is used to produce targeted improvement programmes.

    Meaningful health and safety performance and improvement programmes are included in company annual reports

    Any incentive programmes properly recognise health and safety risk and encourage open reporting, including the reporting of bad news

    Has an open and constructive relationship with the regulator, valuing independent assessment, audit and inspection

    Some impediments when changing from a prescriptive regime to a duty of care

    Failure to initiate the process:

    Major stakeholders not committed to the process, unconvinced of the need, suspicious, defensive, vested interests

    Lack of understanding that the safety case regime is a process to be undertaken by the duty holder and the workforce to improve understanding of the hazards, risks and their controls, and to put in place measures for continuous improvement, rather than just a document

    Lack of resourcing by Government and industry

    Lack of the necessary legislative timetable

    Failure to implement the regime successfully:

    The safety case is treated as a necessary evil and is simply used to get a tick in the box from the regulator

    The safety case is used to document the existing safety management systems, plant and processes without using the exercise as an opportunity to review, understand and improve them.

    Documented safety management system does not reflect reality

    Poor identification of hazards and risks

    Poor links between hazards, risks and controls

    Poor understanding of the performance of control systems

    Use of the process to justify existing controls rather than to seek opportunity to improve

    The workforce are not involved in the process

    Undue reliance is placed on cost benefit analysis (CBA) and quantitative risk assessment (QRA)

    The safety case is an unwieldy document containing excessive technical detail and risk analysis

    The safety case process is under-resourced

    Much of the safety case preparation is farmed out to contractors so the duty holder and workforce do not learn from the process and do not own the result

    The document is inaccessible so just lives on the shelf

    The safety case is not required to be submitted to the regulator for assessment and acceptance so goes unchallenged. This also devalues the process

    If the regulator is not required to assess the safety case and make an acceptance decision then he does not learn from the process and loses a potentially highly valuable tool for inspection and enforcement

    The regulator does not use the safety case to inform inspection and audit

    No or limited requirement for the reporting of accidents, dangerous occurrences and precursors resulting in lack of comprehensive performance data. This has serious implications when comparing performance between installations and companies and for putting in place improvement programmes and targeting resources.

    The regulator is under-resourced, technically challenged, poorly trained, has inadequate legal levers, has poor systems and procedures, is inconsistent, captured.

    Steps for implementing a duty of care health and safety regime incorporating a safety case/report

    The regime should be implemented having regard to the regulatory principles and frameworks (Annex D) which represent best practice. The underlying principles are:

    The legislation and regulation should be slim and fit for purpose, not simply superimposed on existing prescriptive regulation.

    Regulation should be effective, efficient and well funded.

    Industry should move away from a culture of compliance with detailed prescriptive regulation to one of involving the workforce in understanding the hazards and risks so everyone throughout the company understands and discharges their individual responsibilities for safe operation.

    The strategies adopted for implementing the safety case regime for offshore petroleum operations in the UK and Australia differed markedly due mainly to the different structure and maturity of the legislative and regulatory regimes in the two countries.

    UK

    Following the Seveso chemical accident in Italy and the subsequent directives from Europe, the UK implemented the safety case regime for onshore major hazard industries. A few years later, following the Piper Alpha tragedy, the UK implemented a similar regime offshore. There was such huge shock and concern that such an accident could occur that the Government and industry accepted all 106 recommendations of the Lord Cullen review without opposition.

    The regulator was removed from the Dept. of Energy, where it was seen to be compromised by the licensing and revenue collection activities of the Department, and placed in the Health and Safety Executive which is the primary UK independent health and safety regulator. About 60 staff including managers, inspectors and administrators were transferred. Over the years the regulator was expected to grow to about 400 staff but this never happened, probably peaking at about 240. The initial funding was considered inadequate and the HSE managed to negotiate a better package from the Government of about 35m pounds. A number of high quality managers, inspectors and administrators were transferred from HSE into the new Offshore Safety Division (OSD) to speed the set up, including establishing systems and procedures, recruiting inspectors, running training programmes and drafting legislation, regulations and guidance.

    A new policy team was established in OSD. The team put in place programmes to work with OSD technical specialists and inspectors to draft the new suite of goal setting legislation and regulations, to revoke the majority of the existing prescriptive legislation, and to negotiate the changes with the industry and the unions. Negotiations had to take place separately as the unions were not happy working jointly with the industry. The industry was represented by its trade associations, mainly the United Kingdom Offshore Operators Association (UKOOA) now known as Oil and Gas UK.

    In the early days the industry was unsure as to how it should go about organising itself to deliver an improved health and safety culture, in particular how to prepare a safety case. The regulator was almost equally unsure how to go about assessing safety cases. Particular concerns related to the use of QRA, the structure and content of the safety management system (SMS), how to engage the workforce in a meaningful way, the role of consultants and the roles and skills of management, supervisors and workforce. To address some of these concerns the industry and the regulator spent considerable resources preparing guidance, both internal and external, sometimes in collaboration, and running seminars and training courses. To some extent this guidance was used by the industry in preparing safety cases and the regulator in assessing safety cases so common standards could be used; this helped considerably. In addition a significant multi-million pound research programme was initiated to better understand the initiation and development of fires and explosions in confined spaces such as offshore modules, the information being used to improve existing guidance.

    Another problem was how to make a judgement as to the appropriate detail in the safety case. Too much detail and the document became huge, unmanageable, inaccessible and by its very nature, useless! If it was too slim then it was also useless. The skill was including sufficient detail in summaries of elements such as the SMS, hazard and risk assessments, and emergency plans supported by appropriate use of references. Initial safety cases were generally too big, and later on they were too slim!

    A major factor in ensuring proper implementation was the requirement on the duty holder to submit the safety case to the regulator for assessment and an acceptance decision. Without an accepted safety case the duty holder could not operate his installation. This placed legal obligations on the regulator, as well as the duty holder. The assessment of the safety case was undertaken by the regulator as a desk-top exercise. This enabled assessment to be undertaken in a meaningful and timely fashion. It was validated post acceptance during inspection.

    However, it was quickly realised it was not possible to undertake a complete and thorough assessment of all aspects of the safety case to meet the required timescales so a sampling process was put in place. On receipt of the safety case a lead inspector was appointed, usually the inspector for the installation in question. The inspector read through the complete safety case checking the contents met the regulatory requirements. Using his knowledge of the installation, the culture of the duty holder and the process the duty holder went through in preparing the safety case, he decided the areas in which to examine the case in detail (a top down slice) and appointed specialist inspectors from within OSD to undertake those assessments. On the rare occasions the necessary expertise was not available then external consultants were employed. Areas needing improvement or clarification were raised with the duty holder and resolved prior to acceptance.

    Having accepted the safety case the lead inspector would assemble a small technical team to carry out topic based inspections of the installation. The purpose of these inspections was to validate the claims made in the safety case and resolve any outstanding issues. Of primary importance was assessing on the installation the involvement of the management, supervisors and workforce in the safety case preparation, their views on how the process had been carried out, the value of the process, the accessibility of the safety case and how they used it in their daily operations. The safety case was also the primary reference when investigating incidents and complaints.

    The proactive role of the regulator in assessment and inspection ensured the safety case content met the requirements of the regulation, gave reassurance that the duty holder and the workforce followed a sound process in assessing and managing the risks and the regulator undertook a meaningful assessment on which he was able to make a decision. In other words the value of the safety case regime, if properly followed by the industry and the regulator, lies in the process followed by both parties as much as in the document itself.

    Australia

    Much of the information, including details on the approach to and preparation and implementation of a modern duty of care, safety case regime, should be available from the Australian Commonwealth Government (Department of Resources, Energy and Transport, RET, Canberra) and the National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA, Perth).

    Useful information is given in the following references, which are public documents. Copies of the papers are attached.

    Creating a New Offshore Petroleum Safety Regulator, presentation to IADC, APPEA Conference 25 March 03, Peter Wilkinson, Department of Industry, Tourism and Resources, Australia

    National Offshore Petroleum Safety Authority, Transitional Plan, Chris Papadopolous, Chair, Offshore Safety Steering Committee

    Offshore petroleum production is mainly concentrated in the States of Western Australia and Victoria and in the Northern Territory. Those operations located in State waters were originally under State jurisdiction, whilst operations in Commonwealth waters, generally beyond 3 nautical miles, are covered by Commonwealth jurisdiction but were controlled by the adjacent State authorities on behalf of the Commonwealth.

    The safety case regime was introduced in 1992 based on Lord Cullen's recommendations following consideration by a national committee of regulators, industry and unions. Consultation was held with the UK HSE, UKOOA, IADC and the Norwegian Petroleum Directorate (NPD). A National Safety Case Working Group, comprising all interested parties, including contractors, was set up to facilitate the essential process of consultation with industry and unions. The task of the group was to prepare assessment and auditing criteria, and to replace existing prescriptive legislation with goal setting regulations and guidelines.

    A key element of the guidelines was to enable duty holders to demonstrate the adequacy of their SMS and safety systems rather than just to describe them. This was to be achieved by identifying, understanding, and documenting the links between hazards, risks, prevention, detection, control, mitigation and emergency response. Also key was the role played by individuals in the process and its application. By driving risks to ALARP, all stakeholders could see a considerable value add. As more inspectors/assessors were recruited, the need for clear guidelines, quality training and a system of accreditation became paramount. The need for existing regulators to move beyond prescription and embrace goal setting was a challenge.

    The move to goal setting legislation was seen as an opportunity for entrepreneurial engineering to improve safety standards in parallel with the economic advantages of smarter design and operating practices. Regarding the workforce, it was believed the safety case regime offered them the opportunity of greater involvement in risk management, thus encouraging confidence in the safety management principles relevant to their working environment. Experience showed that the discipline of following the safety case approach identified a range of problems that hadn't previously been identified.

    However, the Government remained concerned about the quality of offshore petroleum safety regulation and was committed to reviewing the success or otherwise of introducing safety cases. There were independent international reviews in 1996 and 2000, the latter being overseen by a steering committee consisting of representatives from the Commonwealth Government, the States/Northern Territory, industry and the workforce to help ensure its independence and continued focus. They concluded the Australian legal and administrative framework, and the day to day application of this framework for regulation of health, safety and environment in the offshore petroleum industry is complicated and insufficient to ensure appropriate, effective and efficient regulation of the offshore petroleum industry. Much would require improvement for the regime to deliver world-class safety practice.

    In particular they found that:

    There are too many acts and regulations, their boundaries are unclear, there are overlaps and application is inconsistent; different sets of laws apply for each State/Northern Territory;

    The State/Northern Territory safety regulators lacked regulatory skills, capacity and consistency and did not have a clear view of their role;

    The Commonwealth Government did not have sufficient resources, technical expertise, credibility and authority to drive the required changes.

    They recommended:

    The current framework of laws is revised, and;

    The regulatory system is restructured by establishing a national petroleum regulatory authority to oversee safety regulation in Commonwealth offshore waters.

    A policy/implementation section was set up to initiate the necessary changes. The State regulators were opposed to the change as they would be losing jurisdiction and regulation but the industry and the workforce were convinced of the need. In particular the workforce/unions wanted a single, independent and strong regulator. It soon became clear the team needed high quality assistance from people with technical and regulatory skills obtained from operating in an existing safety case regime. Two offshore specialists with UK safety case experience were recruited. Also the administrators were of high quality with good understanding of government processes and excellent personal skills. This enabled the team to negotiate successfully from a position of strength. The auspices of the Ministerial Council on Mineral and Petroleum Resources (MCMPR), on which all Australian Governments are represented, were used to negotiate with the States/NT. They endorsed a set of principles for regulation of safety of petroleum activities in Commonwealth and State/NT waters. These were in summary:

    An enhanced and continuing improvement of safety outcomes is a priority for all stakeholders

    A consistent national approach to safety regulation in all waters is essential for cost effective delivery of safety outcomes

    The safety case approach is the most appropriate form of regulation to deliver world class safety by delivering appropriate behaviour in the industry

    Efficient and effective safety regulation requires

    A clear and enforceable legislative framework

    Competent and experienced personnel

    Structure and governance of the regulator demonstrating independence, transparency, openness and cost efficiency

    Independent approach in implementing legislative responsibilities and in dealings with industry and agreed performance criteria

    Industry and workforce to be empowered to identify and report potential hazards and to ensure appropriate control measures are implemented

    Streamlining and coordination of approval processes in safety, titles, environment and resource management to ensure no undue delay to project development

    To put this into effect the MCMPR endorsed the work of the Offshore Safety Steering Committee and issued a Communiqué directing that a transitional plan be implemented. The purpose of the plan was to outline the processes and principles agreed to implement the new regulator. The detail is given in the reference above and is attached, so will not be repeated here. It contains much useful information. The MCMPR issued a Statement of Expectations setting out their vision for the new regime and the contribution expected from the regulator. The regulator responded with a Statement of Intent explaining how they would implement the requirements. These are on the NOPSEMA web site so are not reproduced here. Some salient points worth noting in setting up the regulator are:

    The CEO should have considerable knowledge and understanding of offshore safety case regimes, have a good reputation within the industry and be able to provide the leadership, technical and administrative management, and mentoring necessary

    The CEO should be the first appointee so that he/she can direct the build of the organisation

    Staff should be recruited against detailed job descriptions and should cover the full range of technical, management and regulatory requirements

    Pay rates and terms and conditions should be sufficient to attract high calibre staff

    A competency framework reflecting the required knowledge, skills, and experience required to undertake the full range of regulatory functions should be constructed to a recognised standard

    Appropriate training programmes need to be put in place

    Staff should be used to build the administrative and regulatory systems and processes which should be to a recognised standard such as ISO 9001

    An enterprise document records management system (EDRMS) which records all significant transactions from telephone calls to regulatory decisions will be needed

    An enforcement management model which provides for a structured decision making process when making enforcement decisions should ensure fairness, transparency and consistency

    An electronic dedicated safety case assessment procedure which captures the detail of the process to be followed and records the background to the decision making process will be needed. This helps ensure good quality, consistent and transparent assessment and provides a data base of information which is used for future validation/topic facility inspections. Importantly it also provides a comprehensive record of the process which can be used in the event of an appeal against an assessment decision

    An accident and dangerous occurrence data base will be needed to store knowledge and data to provide reference information and the capacity to analyse trends

    An emergency reporting and response process to ensure all significant events are properly logged and dealt with

    A balanced scorecard will need to be constructed to record the business risks, their controls and the people charged with managing those risks

    To assist in the smooth running of the organisation a suite of Memoranda of Understanding with other organisations will be required. These will clarify legislation, roles and responsibilities, and identify any gaps or overlaps between the organisations. I recall NOPSA had about 25 MoUs!

    Resourcing

    It is difficult to estimate the resources required for the regulator as it depends on the style and culture of the regulator and the time to be spent on the major functions of assessment, inspection, audit, investigation, enforcement, preparing guidance and providing advice. It will also vary depending on the maturity of the organisation, as initially there will be high training and process build loads. As a rough guide:

    Safety case assessment: may take on average 30 days/case, involving the lead inspector, technical specialists and administrators. It will typically account for about 30% of total inspector time and 10% of administrators' time

    Inspection: each manned facility will be inspected at least twice per year, more if there are significant issues. Each inspection will take about 2 to 3 days planning, including discussions with the duty holder, 3 days offshore, and 3 days writing up the inspection and feeding back to the duty holder. It will involve the lead inspector and one or two technical specialists depending on the topics to be covered. There will also be administrative support. (30% inspector time, 1% administration)

    Investigation: this includes the investigation of incidents and complaints (7% inspector time, 5% administration)

    Other regulatory, including enforcement: this includes specific advice to duty holders, the issuing of improvement and prohibition notices (16% inspector time, 25% administration)

    Advice and liaison: providing advice to the industry generally, running seminars for the industry and attending conferences etc (3% inspector time, 2% administrator)

    Well integrity work (2% inspector time, 4% administrator)

    Maintaining the legislative framework: providing advice to the policy section on the effectiveness and otherwise of the legislation and contributing to improvements. (2% inspector time, 2% administrator)

    Overall:

    Regulatory activity will take about 79% of inspector time and 23% of administrator

    Administration will take about 12% of inspector time and 71% of administrator

    Development and maintenance work will take about 9% of inspector time and 6% of administrator.

    Funding: NOPSA set up costs were paid for by the Commonwealth Government; my recollection is that this amounted to about A$8m. Thereafter, the NOPSA running costs were paid for by a levy on the offshore petroleum industry. The levy is broadly based on activity e.g. number and size of facilities/pipelines and is paid quarterly in arrears for those facilities with a safety case in force. Importantly the money is paid directly to NOPSA so reinforcing the independence, transparency and accountability of the regulator; it also ensures there is no bleed of the money into Government funds! This industry levy pays for the full running costs of NOPSA; there is no Government appropriation. The Duty Holder has only a few weeks to pay the bill after which high penalty interest charges are incurred; this tends to focus the mind of the Duty Holder! This funding arrangement is far superior to the fee basis operated in the UK where the regulator retrospectively charges for safety case assessment activities but loads the charge to pay for all its other activities, including admin. The money goes directly to the Government rather than to the regulator. It is not unknown for some Duty Holders who have submitted poor safety cases and hence incurred high assessment costs due to the considerable regulator time taken to get the Duty Holder to improve the safety case to challenge the cost, to argue against paying the bill and to seriously delay payment. This results in significant bad feeling between parties at a difficult time. Even when there are no disputes the industry can take months or even years to pay its bills!

    Justification for implementing a duty of care regime incorporating a safety case/report

    There is a two pronged approach to justifying the use of the safety case regime; firstly the principle of adopting such an approach, and secondly putting in place measures incorporating key performance indicators which, coupled with periodic independent reviews of the effectiveness of the regime, should demonstrate the worth of the system over time.

    The principle

    This has its roots in the Lord Robens review of health and safety in the UK and the obligations a goal setting regime puts on the Government, regulator and industry which are summarized on page 2 of this report. The soundness of this approach has been reaffirmed in numerous reviews of major accidents and in academic papers over the years and reinforced by its adoption in a number of countries. Furthermore the safety case is used by some of the more enlightened Duty Holders in countries which do not legislate for such an approach. These Duty Holders have seen the economic advantages and enhanced reputation that the use of the safety case regime can bring, allowing, as it does, the use of fast moving technology and modern management strategies to deliver good outcomes. Some Duty Holders use an accepted safety case as a world-wide marketing tool for their mobile facilities. An approach to some of these Duty Holders such as BHPP and Shell would bring a balanced view of the pros and cons of the safety case regime, including views on what constitutes an effective regulator.

    The KPI/independent review approach

    The ultimate goal of the safety case regime is to provide the tools for the industry to significantly improve its health and safety culture and for the regulator to be effective in working with the industry to ensure a culture of continuous improvement that drives risks to ALARP. In NOPSA (now NOPSEMA) the following graduated approach was adopted:

    A view of the health and safety performance of individual companies and of the industry as a whole is obtained by collecting data from 5 main areas. These are, in ascending order of usefulness:

    Lagging indicators: death, injury, fires and explosions, hydrocarbon releases, well kicks, collisions, unscheduled activation of the emergency response plan and damage to safety critical equipment

    Leading indicators from regulatory activities such as promotion, advice, safety case assessment, inspection, audit and investigation

    Leading and lagging indicators from the regulator's national programs such as facility integrity, lifting operations and emergency response

    Trade associations collecting and sharing best practice among members. Trade associations, in conjunction with the regulator, running regular workshops on hot topics and on what is and what is not working, running annual health and safety conferences and annual meetings of health and safety reps.

    Leading indicators obtained from annual safety culture surveys carried out across the industry. This is one of the more powerful indicators as it is directly measuring the desired outcome. Some companies carry out their own internal culture surveys. In 2012 NOPSEMA initiated a safety culture national programme. The majority of Duty Holders participated in a survey to identify the prevalence of safety improvement initiatives such as:

    Safety leadership development

    Personal and process safety training

    Use of perception surveys to measure safety culture

    Implementation of safety culture improvement initiatives

    Prior to leaving NOPSA it was my intention to initiate a programme with the industry, via its trade associations and the unions, to review and adopt a single cultural survey tool and implement it across the industry on an annual basis. It would require each Duty Holder to report on the outcomes in its annual report. This would have become an extremely powerful benchmarking tool.

    Some of the main issues we experienced relate to:

    Poor reporting of lagging and leading indicators

    Wrong classification of incidents, lack of useful benchmarking data

    Lack of meaningful reporting by facility management and workforce to senior management/director.

    Poor reporting of meaningful health and safety data and lack of detail of improvement programmes in company annual reports

    All the above data and information can be used by the industry and the regulator to benchmark the offshore industry against other industries and also company against company. NOPSEMA produces fairly comprehensive annual reports trending the health and safety performance of the Australian offshore petroleum industry. These reports are on their website. The data understandably shows variations year by year but some indicators show there has been a general improvement since 2004 when the new regime of improved regulation and single regulator was implemented. Lagging indicators are a poor indicator of overall health and safety performance but in Australia they seem to show the offshore petroleum industry is better than the onshore industry but worse than some other countries as measured by the International Oil and Gas Producers Association (OGP) index.

    There is a legislated requirement for the Minister to initiate a 3 yearly independent review of the effectiveness of NOPSEMA. This involves comprehensive information collection from all major stakeholders including the board, government policy section, industry and workforce. Two reviews have been undertaken, one quite recently; these are available on the NOPSEMA website (be aware they are large files and can take a long while to download). They include the good and bad aspects of the regime and its implementation but overall provide a fairly compelling case for the regime, particularly in terms of flexibility and capacity to cope with significant change.

    ANNEX A

    PRINCIPLES OF PERMISSIONING

    Duty Holder

    Demonstration

    Initial integrity

    Control of production

    Maintenance of integrity

    Management of change

    Emergency response

    Cessation of operations

    Control of Operations

    Identify hazards

    Assess risks

    Select controls and performance standards

    Apply ALARP test

    Trade Associations and Unions

    Influence

    Provide input to legislation and guidance

    Prepare industry guidance

    Regulator

    Assessment

    Assess validity of demonstration: includes factual information, demonstrations are sufficient, complies with legislation and regulations

    Inspection

    Verify safety case reflects reality, is available on site, and is in every-day use

    Verify safety management system is in place, robust and effective

    Verify competence of staff

    Verify controls are in place and operated properly

    Challenge adequacy of SMS, controls, competencies and staffing levels

    Investigate failures of SMS and controls

    Enforce as required

    Operational Policy

    Prepare policy on permissioning consistent with legislation and regulation

    Implement policy via procedures and guidance

    Provide feedback to Government policy section on the adequacy of legislation and regulation and assist in review

    ANNEX B

    HAZARD AND RISK UNDERSTANDING AND RESPONSIBILITIES

    LEVEL

    TYPICAL INDIVIDUALS

    HAZARD AND RISK MANAGEMENT KNOWLEDGE (these are not specific to the individuals listed in the preceding column)

    TYPICAL RESPONSIBILITIES (these are not specific to the individuals and knowledge in the preceding columns)

    LEVEL 1 Senior Management

    Typical individuals:

    Board Directors

    Engineering Directors

    Project Directors

    HSE Governance Board

    Hazard and risk management knowledge:

    o Overall corporate risk levels both individual and societal

    o Comparative risk with similar and other industries

    o Spread of risk by the type of business and location

    o Change of risk patterns as the business develops

    o Underlying risk drivers such as the age of the facilities, geographical and political influences, business change

    o Public perception of risks relating to the company business

    o Risk from future growth options

    Typical responsibilities:

    To set the overall standards for tolerable risk and the investment levels to reduce that risk

    To manage the company in the knowledge of the risks

    To set overall company targets which can realistically be achieved

    To decide if specific businesses or facilities have intolerable risks which cannot practically be reduced and to close them down

    To provide the resources and infrastructure to support the business units in their management of risk

    To manage the future risk exposure of the company

    LEVEL 2 Local Management

    Typical individuals:

    Business unit managers

    Operations Project managers

    Departmental managers e.g. contracts, procurement, engineering, integrity management, HSE

    Hazard and risk management knowledge:

    o Business and facility risk levels

    o Spread of risk by facility

    o Spread of risk by hazard or activity

    o Spread of risk by types of personnel

    o Risks from future development options

    o Critical areas of ignorance and uncertainty

    o Overall and specific dependence upon business processes such as integrity management, competence and emergency response

    o Dependence on others; major contractors, corporate support,

    Typical responsibilities:

    To manage the operations in the knowledge of the hazards and risks

    To determine and implement the risk management strategy for each facility and major hazard

    To set the priorities and determine the extent of risk reduction required to meet corporate standards

    To shut down plants or limit activities if the operational risks exceed tolerable levels

    To select safer concepts where the risks can be effectively managed within corporate limits

    To optimise inherent safety and put in place effective hazard management on new designs

    To provide local business processes and infrastructure to ensure competent people and plant integrity

    To provide sufficient resources for operations and support services

    LEVEL 3 Supervisors and Technical Authorities

    Typical individuals:

    Offshore platform managers

    Plant managers and supervisors

    Discipline engineers

    Internal contract managers

    External contract managers

    Hazard and risk management knowledge:

    o Hazards on the facility and the relative risks

    o Overall characteristics of each of the major accident hazards; primary causes, severity, immediate consequences, potential and timing for escalation

    o Hazard management strategy and the critical measures to prevent, detect, control, mitigate and evacuate

    o The processes and people that ensure these measures are effective

    Typical responsibilities:

    To operate the plant within clearly defined safe limits

    To manage the hazards in line with the selected strategy and prioritise work in recognition of their relative risks

    To control hazardous activities which may cause or exacerbate major accident hazards

    To ensure that the critical measures are suitable and effective through setting and meeting performance standards

    LEVEL 4 Individual

    Typical individuals:

    Designers and draughtsmen

    Plant duty holders

    Maintenance technicians

    Contractors

    Hazard and risk management knowledge:

    o To understand the hazards associated with their work

    o To know which procedures and plant are critical

    o To know the performance standards and limitations of critical plant

    Typical responsibilities:

    To comply with critical operating procedures

    To maintain and work within their competence

    To design the plant to meet the performance standards for its working life

    To maintain the plant to the performance standards

    ANNEX C RISK BASED DECISION MAKING FRAMEWORK

    (Based on the UKOOA Model)

    [Figure: decision making framework diagram. Axis labels: "INCREASING RISK AND UNCERTAINTY" and "RELATIVE USE OF DECISION MAKING TOOLS". Bands: A, B, C. Decision making tools shown: Codes and Standards, Good Practice, Engineering Judgement, Qualitative Risk Assessment, Quantitative Risk Assessment, Company Values, Societal Values.]
