Formal Safety Assessments (FSAs) were identified in the Cullen Report (written following the Piper Alpha event) as an essential part of a Safety Case. This page discusses the organization and contents of a typical FSA.
The International Maritime Organization (IMO) identifies the following five stages as being part of an FSA.
- Identification of hazards (a list of all relevant accident scenarios with potential causes and outcomes);
- Assessment of risks (evaluation of risk factors);
- Identification of control options (devising regulatory measures to control and reduce the identified risks);
- Cost benefit assessment (determining cost effectiveness of each risk control option); and
- Recommendations for decision-making (information about the hazards, their associated risks and the cost effectiveness of alternative risk control options is provided).
As with everything else to do with safety cases, the nature and content of an FSA will vary according to local conditions and requirements; the management of safety is non-prescriptive and performance-based. The information here is a framework for developing an actual FSA that meets the specific needs of a facility or project. Guidance is also provided in IEC/ISO 31010: Risk Management – Risk Assessment Techniques.
Elements of an FSA
An FSA is a demonstration that, so far as is reasonably practicable, the risks to personnel have been minimized. It should:
Structure of an FSA
An FSA will be structured to meet the needs of the facility being analyzed. An example is provided in Table 1.
- Project HSE Plan
- Safety in Design Philosophy
- Assumptions Register
- Hazards Register
- Hazard Identification
- Layout Hazard Review
- Major Accident Events/Safety Critical Elements
- Fire and Explosion Analysis
- Gas and Smoke Dispersion Analysis
- Non-hydrocarbon Analysis
- Emergency escape, evacuation and rescue analysis
- Emergency Systems Survivability Analysis (ESSA)
- Temporary Refuge Analysis
- Environmental analysis
- Quantitative risk assessment
- Noise Analysis
- Material Handling
- Health Risk Assessment
- Human Factors Engineering
A summary discussion of each of the above topics is provided below. Links to more detailed pages are provided where appropriate.
1. Project HSE Plan
A safety case is concerned primarily with the safety of the facility once it has been built and is in operation. However, the project itself has its own set of hazards, particularly during the fabrication and construction stages (which may have their own safety case). Therefore a Health, Safety and Environmental (HSE) plan for the project itself should be prepared and incorporated into the FSA.
The Project HSE plan will cover health issues such as the treatment of minor injuries and precautions to be taken when traveling overseas.
The plan will also show how safety on the project is to be managed. In the front-end phases of the project the focus will be on issues such as safe driving, the development of safety moments with which to start meetings, and a schedule for project safety meetings.
As already noted, safety during the construction phase of the project is a major concern and will often have its own safety case.
General environmental issues, such as not disposing of items overboard, will be included in the Project HSE Plan. The environmental plans and impact statements to do with the facility itself once it is in operation are usually prepared by specialist consulting groups or consultants.
2. Safety in Design Philosophy
The Safety in Design (SID) Philosophy has three primary purposes. First, it should show how the different elements of the FSA (Table 1), and of the safety case in general, link to one another.
Second, it should show how overall risk is assessed and controlled, as discussed in the Risk Management in the Process Industries page.
Finally the SID Philosophy should describe any special safety or management goals that the project may have. The management for one company, for example, made it a condition that the concept of Inherent Safety was to be integrated into all the work done on the project. The Safety in Design Philosophy showed how this goal was to be achieved.
3. Assumptions Register
The project plan should include an Assumptions Register. A convenient place to locate this register is in the Safety in Design Philosophy. The register contains a list of the assumptions used to develop the Formal Safety Assessment. (An alternative approach is to put the assumptions for each topic into the deliverable for that topic.)
The justification for each assumption should be provided. Generally, the justification will come from one of three sources:
- A public report such as Offshore Hydrocarbon Release Statistics and Analysis, 2002 (HSE 2003), which provides information on leak and ignition frequencies;
- An industry database such as the Offshore Reliability Data Handbook (OREDA 2009) or The Update of Loss of Containment Data for Offshore Pipelines (Energy Institute 2003); and
- The company's own internal sources of information and statistics.
Deck Type
The results of blast and gas dispersion analyses vary significantly depending on whether the deck is plate or grating. Therefore the assumptions made as to the type of deck used in each part of the platform need to be made explicit.
Numbers of Personnel and their Locations
The Assumptions Register should specify how many people are on the platform, and where they are most likely to be located. An estimate as to peak manning loads, say during drilling, should also be provided.
Leak Sizes
The assumptions made as to the size of leaks from flanges, fittings, piping, instruments and vessels need to be documented.
Leak Frequencies
An estimate of the frequency with which leaks of each size can occur is required. Leak frequency generally falls as hole size increases: small leaks are far more frequent than large ones, but the large ones dominate the consequences.
Transportation
An important part of the safety case is estimating the frequency and consequence of accidents involving helicopters, work boats and other forms of transportation. The types of transportation to be used, and the number of journeys made, have to be estimated.
Ship Collisions
Assumptions to do with ship collisions (including pleasure boats that may be present) should be written down. Factors to consider include the speeds at which collisions may occur, and whether collisions occur while vessels are maneuvering or drifting.
Lifting Operations
Assumptions to do with lifting operations need to be spelled out as a basis for the Material Handling study. Issues to be itemized include:
- The types of lifting devices (monorails, platform cranes and chain hoists);
- Areas for potential dropped objects (including subsea); and
- Loading and unloading supply boats.
Guidance should be provided as to the percentage of drops that occur over the deck, over the side (into the sea), and into a work boat.
Rescue and Recovery Operations
Assumptions as to the effectiveness of emergency response and rescue operations need to be spelled out.
Meteorological Conditions
The Assumptions Register should contain meteorological information covering both normal and extreme weather conditions. The information should include:
- Mean wind speed;
- Stability class;
- Mean air temperature; and
- Mean humidity.
Structural Failure Time
Assumptions have to be made regarding the time it takes for steel structures to fail when they are exposed to fire. An example is provided in Table 2.
Table 2. Representative Structural Failure Times
4. Hazards Register
During the course of a project the facility design will be subject to a series of hazards analyses of various types. It is important that all identified hazards be captured in a single database so that they can be managed and controlled, and not overlooked.
The hazards register (sometimes called the risk register) is used to store information about all identified hazards. Although most of the items in the register will come from hazards analyses, some of the hazard information may come from other sources, such as incident investigations or lessons learned from other facilities.
Table 3 is an example of a Hazards Register. It is managed and updated by a single person, often the same person who scribes the hazards analysis meetings.
The rows to do with hazard identification are discussed below.
Finding Number and Date
Each identified risk item is given its own number — often corresponding to a finding from a hazards analysis or from a Management of Change review.
Hazard Description
The identified hazard is described in this row. A perennial complaint about hazards analysis reports is that they are too cryptic and provide insufficient background. It is therefore important to give as much detail as possible here: people who read and use the register months or even years later will have no knowledge of the discussion that led to the finding.
Source
The register should record how and where the hazard was identified. Typically this is a hazards analysis, but the information may come from other sources such as incident investigations or employee observations.
Consequence(s) / Likelihood / Risk
The hazards analysis team spells out the consequence and likelihood of each finding, from which its risk ranking follows. The same need for detail applies here as for the hazard description: the reasoning behind the ranking should be recorded, not just the result.
Follow-up
The follow-up section of the register describes how the identified hazard was handled and when the associated recommendation was completed. On a large project one person must be assigned the task of making sure that all findings are closed out properly before the new facility is started up. In addition to managing the register itself, the person in charge of follow-up is generally given the broader responsibility of filing all of the hazards analysis reports. Questions that have to be answered in this context include:
- How are the hazards analysis records to be managed?
- How are the recommendations and action items to be managed?
- How are the recommendations to be communicated?
- What media are to be used for storing the hazards analysis records?
- How and when are they to be purged?
- Who has access to the hazards analysis records?
- Who can modify the hazards analysis records?
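The register and its record-management questions above can be made concrete in code. The following is an added example for this page, not the page's own Table 3: a small register that enforces a named set of editors (who can modify the records), rejects cryptic descriptions, tracks close-out before start-up, and keeps a hash-chained change log so that any later edit or deletion of a record is detectable. The field names, the 4x4 ranking matrix and the sample findings are assumptions constructed for illustration.

```python
"""Hazards register with close-out tracking and a tamper-evident change log.

Added illustration, not the page's own register. Field names, the ranking
matrix, the editor list and the sample findings are assumptions.
"""
from dataclasses import dataclass, asdict
from typing import Optional
import hashlib
import json

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "catastrophic": 4}
MIN_DESCRIPTION_WORDS = 12          # guard against the "too cryptic" complaint
RANK_ORDER = {"low": 0, "medium": 1, "high": 2}


def risk_rank(likelihood: str, consequence: str) -> str:
    """Assumed 4x4 matrix: score = likelihood x consequence."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    return "high" if score >= 9 else "medium" if score >= 4 else "low"


@dataclass
class Finding:
    number: str             # e.g. "HAZOP-017", from the study that raised it
    date_raised: str        # ISO date
    description: str        # full context, readable years later
    source: str             # HAZOP, incident investigation, employee observation, ...
    consequence: str
    likelihood: str
    recommendation: str
    owner: str
    closed_on: Optional[str] = None

    @property
    def risk(self) -> str:
        return risk_rank(self.likelihood, self.consequence)


class HazardsRegister:
    """Single authoritative store for all findings; only named editors may change it."""

    def __init__(self, editors):
        self._findings: dict = {}
        self._editors = set(editors)
        self._log: list = []              # (json entry, sha256 chained over the previous hash)
        self._prev_hash = "0" * 64

    def _record(self, actor: str, event: str, payload: dict) -> None:
        entry = json.dumps({"prev": self._prev_hash, "actor": actor,
                            "event": event, "payload": payload}, sort_keys=True)
        digest = hashlib.sha256(entry.encode()).hexdigest()
        self._log.append((entry, digest))
        self._prev_hash = digest

    def _authorise(self, actor: str) -> None:
        if actor not in self._editors:
            raise PermissionError(f"{actor} may read the register but not modify it")

    def add(self, actor: str, finding: Finding) -> None:
        self._authorise(actor)
        if finding.number in self._findings:
            raise ValueError(f"duplicate finding number {finding.number}")
        if len(finding.description.split()) < MIN_DESCRIPTION_WORDS:
            raise ValueError(f"{finding.number}: description too cryptic for later readers")
        self._findings[finding.number] = finding
        self._record(actor, "add", asdict(finding))

    def close(self, actor: str, number: str, closed_on: str, evidence: str) -> None:
        self._authorise(actor)
        finding = self._findings[number]
        if finding.closed_on is not None:
            raise ValueError(f"{number} already closed on {finding.closed_on}")
        finding.closed_on = closed_on
        self._record(actor, "close", {"number": number, "closed_on": closed_on, "evidence": evidence})

    def open_findings(self) -> list:
        """Open findings, highest risk first."""
        return sorted((f for f in self._findings.values() if f.closed_on is None),
                      key=lambda f: (-RANK_ORDER[f.risk], f.number))

    def ready_for_startup(self) -> bool:
        """Every finding must be closed out before the facility is started up."""
        return not self.open_findings()

    def verify_log(self) -> bool:
        """Recompute the hash chain; an edited or removed entry breaks it."""
        prev = "0" * 64
        for entry, digest in self._log:
            if json.loads(entry)["prev"] != prev or hashlib.sha256(entry.encode()).hexdigest() != digest:
                return False
            prev = digest
        return prev == self._prev_hash


def example_register() -> HazardsRegister:
    """Constructed sample data: two findings, one already closed out."""
    reg = HazardsRegister(editors={"register keeper"})
    reg.add("register keeper", Finding(
        "HAZOP-017", "2011-03-02",
        "Loss of containment at the test separator outlet flange during depressurisation, "
        "because the blowdown valve can be opened while the manual isolation is still shut.",
        "HAZOP node 4", "major", "possible",
        "Interlock the blowdown valve with the isolation valve position", "process lead"))
    reg.add("register keeper", Finding(
        "LAY-003", "2011-04-11",
        "The supply boat approach path crosses the riser face of the jacket, so a drifting "
        "vessel could strike the export riser guard tubes below the splash zone.",
        "Layout hazard review", "catastrophic", "unlikely",
        "Relocate the laydown area to the north face", "marine lead"))
    reg.close("register keeper", "LAY-003", "2011-09-30", "Revised layout drawing approved")
    return reg
```

The change log is deliberately append-only and hash-chained rather than relying on file permissions alone: it answers the "who can modify the records" and "how are they purged" questions with evidence rather than policy, since any alteration of an earlier entry invalidates every later digest.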
5. Hazard Identification
The identification of hazards is fundamental to any risk management program. This topic is discussed extensively elsewhere. For an FSA the following methods are particularly pertinent:
6. Layout Hazard Review
Guidance to do with layout, and its relationship to Inherent Safety, is provided by the United Kingdom Offshore Operators Association. Some of the layout items to consider include the following:
- Avoiding the simultaneous conduct of different hazardous operations;
- Physical separation of major components containing hydrocarbons (e.g., risers, wells and separators);
- Location of the temporary refuge and quarters remote from major hydrocarbon inventories, in particular wellheads and risers;
- Reduction of congestion in process areas;
- Siting of high-pressure gas and Liquefied Petroleum Gas (LPG) inventories in well-ventilated areas and away from other large inventories; and
- Location of risers where supply boat impacts are avoided.
7. Major Accident Events / Safety Critical Elements
Major Accident Events
A major accident event (MAE) is one that has a high consequence. Large fires, explosions and toxic gas releases fall into this category. An important part of the FSA is to identify these MAEs and to ensure that they are properly controlled.
Safety Critical Elements
The term “safety critical element (SCE)” is sometimes used during the preparation of a safety case. The term refers to a part of an installation or facility whose failure could contribute substantially to a major accident, or whose purpose is to prevent, or limit the effect of, such an accident.
Given that SCEs are so important to the safety of offshore facilities, it is important that everything to do with them is properly documented, and that the documentation is kept up to date.
Depending on what the SCE is, documentation will generally include:
- Design information;
- Certificates covering items such as materials of construction, testing and certificates of fitness; and
- Demonstration of compliance with regulations, codes and standards.
8. Fire and Explosion Analysis
This topic is discussed in another web page at this site.
9. Gas and Smoke Dispersion Analysis
An analysis of the smoke plume that can come from a fire is important (most of the deaths on the Piper Alpha platform were of men in the quarters who were overcome by smoke).
In general, the higher the wind speed the more quickly the plume disperses, because the air is more turbulent; atmospheric stability matters as well, since a stable atmosphere suppresses the vertical mixing that dilutes the plume. Stability is divided into six classes, A (very unstable) through F (stable) (Pasquill 1961), shown in Table 4.
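The effect of wind speed and stability class can be seen with a simple Gaussian plume model. The code below is an added example for this page, not from the page or from Pasquill (1961): the sigma_y and sigma_z fits are the Briggs open-country formulas as the editor recalls them from Hanna, Briggs and Hosker (1982) and should be checked against a reference before any numbers are relied on; the release rate, heights and distances are constructed. It goes slightly beyond the text in also showing that, for an elevated release, the most unstable class can give the worst ground-level concentration close to the source while the stable class is worst far downwind.

```python
"""Gaussian plume estimate of ground-level concentration downwind of a release.

Added example; sigma fits are the Briggs rural formulas as recalled by the editor
(assumption, verify before use), nominally valid for 100 m <= x <= 10 km.
"""
import math

# Pasquill classes A (very unstable) .. F (stable): (sigma_y(x), sigma_z(x)) in metres.
SIGMA = {
    "A": (lambda x: 0.22 * x / math.sqrt(1 + 0.0001 * x), lambda x: 0.20 * x),
    "B": (lambda x: 0.16 * x / math.sqrt(1 + 0.0001 * x), lambda x: 0.12 * x),
    "C": (lambda x: 0.11 * x / math.sqrt(1 + 0.0001 * x), lambda x: 0.08 * x / math.sqrt(1 + 0.0002 * x)),
    "D": (lambda x: 0.08 * x / math.sqrt(1 + 0.0001 * x), lambda x: 0.06 * x / math.sqrt(1 + 0.0015 * x)),
    "E": (lambda x: 0.06 * x / math.sqrt(1 + 0.0001 * x), lambda x: 0.03 * x / (1 + 0.0003 * x)),
    "F": (lambda x: 0.04 * x / math.sqrt(1 + 0.0001 * x), lambda x: 0.016 * x / (1 + 0.0003 * x)),
}


def ground_level_concentration(q, u, x, y, h, stability):
    """C(x, y, 0) in kg/m3 for a continuous release q [kg/s], wind speed u [m/s],
    downwind x [m], crosswind y [m], release height h [m]; total ground reflection
    (the factor 2 folds the usual 2*pi into pi)."""
    if x <= 0 or u <= 0:
        raise ValueError("x and u must be positive")
    sy, sz = (f(x) for f in SIGMA[stability])
    return (q / (math.pi * u * sy * sz)
            * math.exp(-y * y / (2 * sy * sy))
            * math.exp(-h * h / (2 * sz * sz)))


def worst_case_class(q, u, x, h):
    """Stability class giving the highest centreline ground-level concentration at x."""
    return max(SIGMA, key=lambda k: ground_level_concentration(q, u, x, 0.0, h, k))


def distance_to_threshold(q, u, h, stability, c_limit, x_max=10_000.0, step=10.0):
    """Farthest downwind distance [m] at which the centreline concentration still
    exceeds c_limit (0.0 if it never does). Scanned rather than solved because an
    elevated plume peaks at ground some way downwind, so the region is not monotonic."""
    farthest, x = 0.0, 100.0
    while x <= x_max:
        if ground_level_concentration(q, u, x, 0.0, h, stability) >= c_limit:
            farthest = x
        x += step
    return farthest


if __name__ == "__main__":
    # Constructed case: 1 kg/s at deck level, 5 m/s wind, 500 m downwind.
    for k in SIGMA:
        print(k, f"{ground_level_concentration(1.0, 5.0, 500.0, 0.0, 0.0, k):.2e} kg/m3")
    print("worst class at 100 m for a 20 m high release:", worst_case_class(1.0, 5.0, 100.0, 20.0))
    print("worst class at 5 km for a 20 m high release:", worst_case_class(1.0, 5.0, 5000.0, 20.0))
```

Doubling the wind speed halves the concentration at every distance in this model, which is the page's point about turbulence; moving from class A to class F at the same distance raises the ground-level concentration by more than an order of magnitude because the plume stays narrow and low.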
10. Non-Hydrocarbon Analysis
11. Emergency Evacuation, Escape and Rescue Analysis
This topic is discussed in another web page at this site.
12. Emergency Systems Survivability Analysis
13. Temporary Refuge
14. Environmental Analysis
15. Quantitative Risk Assessment (QRA)
Because the perception of risk is ultimately subjective, it is not possible to define dispassionately what level of risk is acceptable and what is not. If a facility operates for long enough it is, statistically speaking, certain to experience an accident. Yet real-world targets are needed to implement a safety case, so a value for "acceptable safety" has to be set.
The ALARP page discusses this troublesome topic.
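The IMO chain listed at the top of the page (hazards, risk, control options, cost-benefit, recommendation) and the acceptability question raised here can be carried through numerically. The block below is an added example, not the page's own method or data: hole-size leak frequencies (falling with size, as the Assumptions Register section notes), ignition probabilities, consequences, persons on board, option costs and reduction factors are all constructed; the GCAF ratio (cost per fatality averted) is the one used in the IMO FSA guidelines; the 1e-3 / 1e-6 per year individual-risk band is the UK HSE worker criterion; the value of preventing a fatality and the disproportion factor are assumed.

```python
"""Toy QRA following the IMO FSA stages: leak frequencies by hole size ->
potential loss of life -> individual risk against an ALARP band ->
cost-effectiveness of risk control options.

Added example. All numbers are constructed for illustration; a real study
takes them from the Assumptions Register and the project's risk criteria.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float      # releases per installation-year in this hole-size class
    p_ignition: float     # conditional probability that the release ignites
    fatalities: float     # expected fatalities given ignition


@dataclass(frozen=True)
class ControlOption:
    name: str
    annual_cost: float            # annualised cost, currency units per year
    frequency_reduction: dict     # scenario name -> fraction of its frequency removed


# Constructed base case: frequency falls with hole size, consequence rises.
BASE_CASE = (
    Scenario("small leak (<10 mm)", 1.0, 0.02, 0.05),
    Scenario("medium leak (10-50 mm)", 0.2, 0.05, 0.5),
    Scenario("large leak (>50 mm)", 0.02, 0.20, 5.0),
)
PERSONS_ON_BOARD = 60
INTOLERABLE_IRPA = 1e-3             # UK HSE worker criterion, per year
BROADLY_ACCEPTABLE_IRPA = 1e-6
VALUE_OF_PREVENTING_FATALITY = 2.0e6   # assumed
DISPROPORTION_FACTOR = 3.0             # assumed; higher for higher hazard

OPTIONS = (
    ControlOption("riser weld inspection programme", 50_000, {"large leak (>50 mm)": 0.6}),
    ControlOption("replace threaded fittings with welded pipework", 400_000,
                  {"medium leak (10-50 mm)": 0.2, "large leak (>50 mm)": 0.2}),
    ControlOption("flange management campaign", 20_000,
                  {"small leak (<10 mm)": 0.5, "medium leak (10-50 mm)": 0.3}),
)


def potential_loss_of_life(scenarios):
    """PLL: expected fatalities per year summed over the event tree."""
    return sum(s.frequency * s.p_ignition * s.fatalities for s in scenarios)


def individual_risk(scenarios, persons_on_board=PERSONS_ON_BOARD):
    """IRPA, assuming fatalities are spread evenly over everyone on board (a simplification)."""
    return potential_loss_of_life(scenarios) / persons_on_board


def tolerability(irpa):
    if irpa >= INTOLERABLE_IRPA:
        return "intolerable"
    if irpa <= BROADLY_ACCEPTABLE_IRPA:
        return "broadly acceptable"
    return "ALARP region: reduce further unless the cost is grossly disproportionate"


def apply_option(scenarios, option):
    return tuple(Scenario(s.name, s.frequency * (1.0 - option.frequency_reduction.get(s.name, 0.0)),
                          s.p_ignition, s.fatalities) for s in scenarios)


def gross_cost_of_averting_fatality(scenarios, option):
    """GCAF = annual cost / annual reduction in PLL (IMO FSA cost-benefit measure)."""
    delta_pll = potential_loss_of_life(scenarios) - potential_loss_of_life(apply_option(scenarios, option))
    return math.inf if delta_pll <= 0 else option.annual_cost / delta_pll


def rank_options(scenarios, options):
    """Cheapest risk reduction first; recommended while GCAF is within the disproportion limit."""
    limit = VALUE_OF_PREVENTING_FATALITY * DISPROPORTION_FACTOR
    ranked = sorted((gross_cost_of_averting_fatality(scenarios, o), o.name) for o in options)
    return [(name, gcaf, gcaf <= limit) for gcaf, name in ranked]


if __name__ == "__main__":
    irpa = individual_risk(BASE_CASE)
    print(f"PLL {potential_loss_of_life(BASE_CASE):.4f}/yr, IRPA {irpa:.2e}/yr: {tolerability(irpa)}")
    for name, gcaf, ok in rank_options(BASE_CASE, OPTIONS):
        print(f"{name:48s} GCAF {gcaf:10.3e}  {'recommend' if ok else 'not cost-effective'}")
```

With these constructed numbers the installation sits in the ALARP region, and only the cheapest option aimed at the large-leak class is within the disproportion limit; the two broader options reduce risk but at a cost per fatality averted far above it. That is the kind of comparison the fifth IMO stage hands to the decision-makers, and the subjectivity the section above describes lives entirely in the criteria constants, not in the arithmetic.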