Part 2 2016


safety management system in oil and gas


The development of formal safety management systems for offshore oil and gas facilities can be said to have started with the Piper Alpha catastrophe that occurred in 1988.

Offshore platforms had had safety programs before that time, usually built around Safety Cases.

But Piper Alpha ushered in a new and much more thorough approach to system safety.

Following the accident, an investigation was conducted by a committee headed by the Scottish High Court judge, Lord Cullen.

The committee’s report was highly critical of the safety programs that had been in place in the North Sea facilities prior to the accident.

In response to the Cullen report, the offshore industry took two different tracks:

1. Some companies, e.g. those operating in the North Sea, continued with the safety case approach, but radically improved the thoroughness and quality of the technical analyses and put in place more stringent measures to ensure that the recommended measures were implemented.

2. Some companies, e.g. those in the United States (principally the Gulf of Mexico), under the American Petroleum Institute (API), developed Recommended Practice 75 (RP 75), which recommended that offshore facilities develop a Safety and Environmental Management Program (SEMP).

Reasons for not using safety cases in the United States include the following:

1. The Gulf of Mexico has between 5000 and 6000 platforms—many of them small and in shallow water. It is simply not economically feasible to write a safety case for each platform.

It is possible to do generic FMEAs and HAZOPs for several facilities since the process equipment and instrumentation are very similar to one another for these platforms.

2. The multiple small platforms are generally very similar to one another. Therefore it makes more sense to develop universal standards (typically written and published by the API) than to conduct a formal analysis for each platform.

3. The use of API standards and related documents has proven to be successful. The Deepwater Horizon incident was the first major release in U.S. waters since the Santa Barbara blowout of 1969, thus indicating that SEMP-based systems have been effective.

4. The preparation of safety cases is time-consuming and involves a large amount of paperwork. It is not clear if this administrative effort truly improves safety.

5. When all platforms are designed and operated to the same standards it is relatively easy to audit them. The auditor simply has to look up the appropriate code or rule in order to determine compliance. Such is not the case with a safety case system, where each platform has its own unique program against which it has to be evaluated.

A Safety Management System (SMS) is a sustainable, formal, structured, enterprise-wide safety program that comprehensively manages the safety risk of products and the systems that produce them.

There are three drivers for adopting a safety management system for a business: ethical, legal and financial.

There is an implied moral obligation placed on an employer to ensure that work activities and the place of work are safe.

There are legislative requirements defined in just about every jurisdiction on how this is to be achieved, and there is a substantial body of research which shows that effective safety management (which is the reduction of risk in the workplace) can reduce the financial exposure of an organisation by reducing direct and indirect costs associated with accidents and incidents.

To address these three important elements, an effective SMS should:

Define how the organisation is set up to manage risk.

Identify workplace risk and implement suitable controls.

Implement effective communications across all levels of the organisation.

Implement a process to identify and correct non-conformities.

Implement a continual improvement process.

A safety management system can be created to fit any business type and/or industry sector.

All Safety Management Systems (SMSs) share fundamental features, regardless of technology or location. Some of these features are:

Safe limits

Nonprescriptive

Risk-based

Involvement and thoroughness

Holistic

SAFE LIMITS

The safe limits for each process variable must be defined quantitatively. For example, the safe temperature range for operating a compressor may be 125 to 150 °C.

If the actual temperature deviates outside of that range, then that operation is, by definition, out of control and potentially unsafe; and action must be taken to bring the temperature back into the correct range.

The fact that the process has deviated outside the safe range does not mean that an emergency situation exists—there may be plenty of time to take action.

They must, though, do something because the facility must always be operated within its safe limits.

Once the safe range has been defined, management must determine how to operate their facility so that it stays within that range.

In the case of the compressor temperature example, instrument set points must be adjusted and operators trained so as to achieve the 125 to 150 °C range.

All the people involved in running or maintaining the unit must know how to identify an out-of-control situation,

what its consequences might be, and

how they should respond to it.

If it is management’s intention to operate outside the prescribed range then the Management of Change program should be implemented in order to ensure that the new conditions are safe, that new limits have been set, or that new safeguards have been installed.

When a facility is new, the safe limits are defined by its designers.

As operating experience is accumulated, new safe limit values will be implemented, often through use of the hazards analysis and Management of Change processes.

There are some safe limits that may have no meaningful value. For example, if a pressure vessel is designed for full vacuum operation then that vessel has no safe lower limit for pressure.

The concept of safe limits can be extended to include operating and emergency limits, as illustrated in the figure, which shows values for a process variable such as pressure, temperature, level, or flow rate.

If operating conditions are allowed to move outside the operating limits, but within the safe limits, then the facility is said to be in “trouble”, i.e., there are no safety issues to worry about, but the system is operating inefficiently.

Troubleshooting efforts to bring the value back into the operating range will save money.

Much of management’s attention will be directed toward troubleshooting because addressing difficulties in this area will often lead to a significant improvement in profitability for relatively little expenditure. Examples of “trouble” include:

Excessive energy consumption;

Product quality problems;

Unusually high use of spare parts; and

Low production rates

The operating limit values are often not clearly thought out.

As the system moves away from optimum operation it will start to exhibit symptoms of unusual operation, which will eventually lead into the troubleshooting range.

The next range is defined by the safe limit values.

If the parameter is allowed to exceed 275 or go below 210, the system is in an unsafe condition and action must be taken to bring that value back into the safe range.

The final set of values is the emergency limits.

If the process parameter goes beyond one of these limits then an emergency situation has been created.

Immediate action is required; generally the safety instrumentation and safety equipment (such as pressure relief valves) will be activated.

The upper emergency limit is 310; there is no lower emergency limit.
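
The three nested bands described above can be expressed as a small classifier; this is an added example, not part of the original slides. The safe limits (210 and 275) and the upper emergency limit (310) are the values given in the text; the operating limits of 230 and 250, the class and function names, and the sample readings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Band:
    """A lower/upper limit pair. None means the limit has no meaningful value."""
    low: Optional[float]
    high: Optional[float]

    def contains(self, value: float) -> bool:
        above_low = self.low is None or value >= self.low
        below_high = self.high is None or value <= self.high
        return above_low and below_high

    def encloses(self, inner: "Band") -> bool:
        """True if `inner` lies entirely within this band."""
        low_ok = self.low is None or (inner.low is not None and inner.low >= self.low)
        high_ok = self.high is None or (inner.high is not None and inner.high <= self.high)
        return low_ok and high_ok


@dataclass(frozen=True)
class Limits:
    operating: Band
    safe: Band
    emergency: Band

    def __post_init__(self) -> None:
        # The bands must nest: operating inside safe, safe inside emergency.
        if not self.safe.encloses(self.operating):
            raise ValueError("operating limits must lie inside the safe limits")
        if not self.emergency.encloses(self.safe):
            raise ValueError("safe limits must lie inside the emergency limits")

    def classify(self, value: float) -> str:
        """Check the widest band first so the most severe state wins."""
        if not self.emergency.contains(value):
            return "emergency"   # immediate action, safety systems activate
        if not self.safe.contains(value):
            return "unsafe"      # out of control, must be brought back in range
        if not self.operating.contains(value):
            return "trouble"     # no safety issue, but inefficient operation
        return "normal"


def transitions(limits: Limits, readings: List[float]) -> List[Tuple[int, float, str]]:
    """Return (index, value, state) each time the state changes."""
    events = []
    previous = None
    for i, value in enumerate(readings):
        state = limits.classify(value)
        if state != previous:
            events.append((i, value, state))
            previous = state
    return events


EXAMPLE_LIMITS = Limits(
    operating=Band(230.0, 250.0),   # assumed; the text gives no operating limits
    safe=Band(210.0, 275.0),        # from the text
    emergency=Band(None, 310.0),    # from the text: no lower emergency limit
)

# Constructed readings for illustration only.
READINGS = [240, 252, 268, 280, 305, 312, 290, 245, 205]

if __name__ == "__main__":
    for index, value, state in transitions(EXAMPLE_LIMITS, READINGS):
        print(f"reading {index}: {value} -> {state}")
```

Because there is no lower emergency limit, a reading below 210 is classified as unsafe however low it goes, and never as an emergency.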

The relationship between operating, safety, and emergency limits is shown in the table.

The fourth column in the table describes the actions taken if the emergency gets out of hand and emergency response teams have to be mobilized.

The elements of an SMS have strong interactions with one another.

It is not possible to meet the requirements of one of the elements without considering its effect on the others.

The interconnectedness of the elements can be illustrated by considering the development of an Emergency Response Plan, in which the following sequence of actions, involving seven of the elements of SEMS, may occur:

The writing of the Emergency Response Plan (element 10) requires a knowledge of which hazards have to be addressed.

Consequently, a Hazards Analysis (element 2) is required to identify the hazards.

In order to be able to carry out the hazards analysis, information from sources such as Piping and Instrument Diagrams (P&IDs) and Material Safety Data Sheets (MSDS) is needed. Much of this information is included in the Knowledge Management program (element 1).

Once the Emergency Response Plan has been developed, it will be necessary to Train everyone in its use (element 4).

The Emergency Response Plan has to be Audited on a regular basis (element 11).

During the training process, those being trained will come up with ideas that will improve the quality of the Emergency Response Plan. This is Workforce Involvement (general).

After going through the Management of Change step (element 8), these ideas can be used to upgrade the emergency manual.

When considered in isolation, many of the elements appear to be the “most important”.

For example, Workforce Involvement is the “most important” because if the employees do not participate, the process safety program will not function properly.

But Management of Change could be considered the “most important” because the root cause of all incidents is uncontrolled change.

On the other hand, all of the elements require a solid base of up-to-date, comprehensive information.

Therefore Knowledge Management is the “most important”. But then it could be argued that Incident Investigation and Root Cause Analysis is what really matters because incidents reveal what is really going on in the organization.

The real point, of course, is that they are all important and necessary, and that they all rely on one another to be effective.

A Safety Management System is not something that is created and then handed down by management to their employees and contract workers.

It is a program that involves everyone: designers, operators, maintenance technicians, managers, and senior executives.

The key word is involvement, which is much more than just communication.

All managers, employees, and contract workers are responsible for the successful implementation of the program.

Management, who must provide determined and committed leadership, must organize and lead the initial effort, but the employees must be fully involved in its implementation and improvement because they are the people who know the most about how a process really operates, and they are the ones who have to implement recommendations and changes.

Specialist groups such as staff organizations and consultants can provide help in specific areas, but process safety is fundamentally a line responsibility.

The implementation of an SMS also requires thoroughness.

For example, a company may have a good training program, but one person may have missed part of it because he or she was on vacation.

Management will have to make sure that this person is trained and that his or her personnel files are updated appropriately.

Both involvement and thoroughness require that those in charge show not only management skills, but that they are also good leaders.

The first step in the development of an SMS is to describe the facility for which the study and analysis is being conducted.

Items to be considered include:

The physical location of the facility;

Its function (production, drilling, or pipeline transportation);

The organization that owns the facility which is responsible for its safe operation;

The role of contractors and their relationship with the owner/operator;

The connections (both physical and organizational) that the facility has with other facilities;

The management of contractors and the way in which their safety programs are integrated with that of the owner/operator; and

The regulatory regime in which the facility operates.

Technical information provides the foundation for most of the analyses and studies that comprise a Safety Management System.

The information includes P&IDs, Layout Diagrams, and Drilling Plans.

Once the facility description is complete and technical information has been gathered, the next step in the development of an SMS is to conduct a risk assessment.

Such an assessment consists of five steps:

1. Identify the hazards;

2. Evaluate the consequences (safety, environmental, and economic) of those hazards should they materialize;

3. Estimate the predicted frequency of the hazards;

4. Determine the effectiveness of the system safeguards; and

5. Assess the overall level of risk.

Management has to decide if the calculated level of risk is acceptable, and, if it is not, what actions need to be taken to reduce it.

Some Safety Management Systems—in particular many Safety Cases—are built around the concept of a numerical value for an ALARP (As Low as Reasonably Practicable) value.

If the risk lies above or below the predetermined ALARP value then corrective actions must be taken.

The next step in the development of an SMS is to report on the results of the work that has been conducted up to that point.

All management systems must include an audit process.

The audit results are used as the basis for the next SMS iteration.

The development and implementation of a Safety Management System never ends.

Risk can never be low enough; improvements can always be made.

Therefore, once the six steps have been implemented, management will start the whole process over again—usually at the risk-analysis and planning steps—in order to achieve ever-higher levels of safety and economic performance.

For facilities that are still in the design stage, the actions taken, particularly during the Risk Assessment step, will change for each iteration.

For example, early evaluations of risk will use a HAZID (Hazard Identification) technique; later on, as detailed engineering information becomes available, the more comprehensive HAZOP (Hazard and Operability Study) method will be used.

The true benefits of an effective Safety Management System have to do with saving human life and protecting the environment.

The basic idea is that if a facility operates with integrity, i.e., it operates in the way that it was meant to operate, then all the facets of the operation will improve correspondingly.

Conversely, a failure in one area will lead to deterioration in the others.

Therefore the actions taken to improve safety will improve profitability.

The costs associated with a major event can be enormous.

After the Macondo blowout, BP immediately created a $20 billion contingency fund; later estimates suggest that the final cost to BP could exceed $40 billion—an almost incomprehensible amount of money.

The losses in the billions are enough to bankrupt all but the largest companies, so it is not a simple risk-reward evaluation, such as whether or not a person should take extra insurance when renting a car.

DEVELOPMENT AND APPRAISAL OF CONTROL MEASURES

Hazard Identification and Risk Assessment will provide information on what is to be controlled by the SMS.

This information coupled with the company safety policy should lead to the development of appropriate control measures.

Key elements in this process would be the use of acceptance criteria and cost benefit analysis to demonstrate compliance with the ALARP principle.

Other valid inputs would include engineering judgement and safety reviews.

The areas where control measures are applied can be broken down into a number of ‘typical’ groupings.

Areas Requiring Control

Disaster Plans

Disaster plans deal with foreseeable disaster scenarios and should incorporate such things as individual responsibilities and lines of communication/command.

Plans should be subject to regular testing by simulation or exercise including external agencies who would be likely to be involved, e.g. coastguard.

Local Emergency Plans

Prompt, effective, emergency response can go far to reduce injuries and the extent of plant damage.

There is insufficient time during an emergency to decide who is in charge, allocate duties, train personnel or decide who to contact for help and advice.

These requirements need to be identified beforehand, and suitable systems and procedures developed and tested, which address the following:

who is in command during emergencies and those with specific duties

personnel should be clear of their duties and be trained if necessary

guidance for dealing with the consequences of foreseeable events on an installation or associated installation

Other needs are:

provision of assembly areas, and method of evacuation

an emergency control centre

up to date information of emergency services from within or external to the organisation

exercises to test systems

procedures for implementing changes in the light of the review of the exercise or drill

Operating Procedures

The risk assessment can reveal critical areas where control is necessary and where human activities and actions are directly or indirectly involved.

Task Analysis will help in the development of appropriate and safe operating procedures and ensure that they are in place.

Procedures allow for methodical execution of tasks under normal, abnormal and emergency conditions.

The development of procedures should consider:

emphasis on safety–critical tasks

a method of ensuring compliance with procedures

provision for use of procedures in training

Maintenance

Maintenance is essential to protect plant operators and the plant itself.

Clear and specific guidance is required which must address:

routine maintenance requirements

safety–critical maintenance tasks

keeping of accurate maintenance records

statutory maintenance requirements

monitoring routine maintenance completion targets

permit for work requirements

permit for work procedures

specialised safe systems of work

the safe handover of plant

method for ensuring that work is carried out in accordance with all procedural requirements

Training

Another key area which needs to be carefully addressed by the SMS is training.

History has shown failure in this area to be a major contributor to accidents, incidents and loss.

Training should provide the knowledge and skills necessary for each person in the organisation to carry out their duties effectively and safely.

Training Characteristics

All training should have the following characteristics:

Analysis of the particular job:- The job should be analysed correctly to determine the appropriate needs.

Specification of knowledge and skills:- The job or task should be studied carefully to determine the knowledge and skills required.

Determination of the training objectives and development of measures of job proficiency:- What the training programme sets out to do and development of a standard or measure of proficiency to measure against are required.

Construction of the training programme:- Construct a programme which includes instructions, practice material, achievement testing.

Evaluation of the training programme:- Mechanisms are required to ensure that training achieves the objectives. The programme also needs to be periodically reviewed to ensure it meets the current requirements of the job (i.e. it evolves and does not remain static).

Some types of training are:-

Safety training

Management training

Skill training

On the job training

Refresher courses

An area of Management training often overlooked is that which applies to the management of safety.

This training should be directed towards the development of skills necessary for the:

review and development of the SMS and safety management policy

management of policy implementation

organisation and control of safety related activities

application of control measures at the workplace

The training of employees must be undertaken in order to ensure that they can carry out their duties proficiently and competently and in accordance with safety standards.

Design Procedures

“Design as part of the strategy for prevention must start from the principle that the operator, user or potential victim is an equal partner in the design of the task, equipment and procedures. Safety precautions must become an accepted part of the whole strategy, rather than something to be bolted on later.”

Inadequately engineered schemes can be identified as an underlying cause of accidents, and it is therefore essential that a systematic and consistent approach to all new designs is taken. Such an approach might encompass:

specification of risk assessment techniques

specification of design criteria to ensure hazards are maintained ALARP

control of design changes

specification of standard codes

application of quality assurance techniques

need for design review and approval

verify design through appropriate control of construction, commissioning and testing

Modification Procedures

The modification of plant, if improperly executed, can significantly increase the risk of accidents occurring. Procedural control of these activities is required.

Factors which should be taken into account in the development of such control are:

identify who is responsible for undertaking a project.

carry out risk assessment at the proposal stage of all activities to determine the safety implications associated with the execution of the change, and with its effects on other plant and operations once implemented.

have approval by an appropriate authority for all identified stages of a project.

ensure that amendments to documentation, procedures and training are addressed.

control handover of modified plant.

ensure that operational information is kept up to date.

Calculations of how much accidents cost in lost time, workers’ compensation, insurance costs, lost product, schedule slip, lawsuits, inefficient use of resources, downtime. - Being unsafe is terrible for the company image and bottom line. Loss of market share is one of the biggest factors.

Use your safety calculations to lower insurance costs. Show them to your insurance carrier, along with all the documentation that indicates how safety has been institutionalized. - Fewer injuries mean lower workers’ compensation costs and lower medical costs.

Bring the company lawyer in to explain how a better safety record and a systematic approach to safety will protect the company from employee, community, and governmental lawsuits. - Accidents and near misses slow down the production schedule. And time is money.