difficult decision will have to be taken, but that is why the safety management system requires involvement throughout the corporate structure. A manager, or above, will be approached about determining how the cost effectiveness of the mitigation fits into the overall company philosophy.

Feedback from risk analysis to design

There is an unhelpful belief by some that a safety case is a required bolt-on to a design, and that it has to be produced to keep the regulator happy and ideally should be produced by filling in the blanks in a sample form. This not only upsets the regulators; it results in a document that has no value to either design or operations. If the safety case process is started early enough, the risk analyses will find problems that are easy to resolve early, but complex to resolve later. They will also point the way to better approaches to the design by incorporating safety systems into the functionality of the design rather than trying to bolt on safety systems that impede the operations of the facility. Early communications between operations, safety, and process design engineers will ensure that safety is integrated rather than appended, thereby making everybody's job both easier and safer. This is particularly true when human factors engineers are involved in these early studies. Equipment layout can be improved to make the system inherently safer, rather than having to later correct safety deficiencies.

There is another, and possibly more insidious, danger in carrying out the safety case work once the design has been frozen. Instead of the risk studies driving the design, the design drives the risk studies, and there is an incentive to prove the design safe rather than to find out where there are safety deficiencies. Neither companies nor their employees intentionally rig the results, but when a risk study shows that the design is (euphemistically) less than ideal, there will be a strong incentive to look the other way and move on. Only the most egregious failings will be mitigated because people will talk their way into seeing what is not very safe as being acceptable. Alternatively, they will try to correct design errors through operational procedures. Procedures are important, but it is far better to make a safe design that is difficult to operate unsafely, rather than a system that is dangerous to operate if done so incorrectly. Procedures should be the last item on the list of safety enhancements, after design, automation, instrumentation, alarms, and so forth. They are valuable, but are easily avoided, particularly when they are onerous.

Comprehensive but readable

Being asked to develop a safety case can be a daunting prospect, but in reality, it is not that difficult. There are documents to help you get started, to decide what to include, and to learn how to do the work. Not only is there the IADC document, but regulators also give considerable guidance on what they want to see, and in some cases how they are going to audit the documents. Still, it is no small task. It takes a lot of effort from a considerable number of people. The biggest failing of safety cases is that, if they have been developed by people only interested in completing the task, they can become static tomes that inhabit bookshelf space. This type of safety case serves little purpose, and possibly, even worse, can give a false sense of security by promoting a "we have a safety case so we must be safe" mentality. A safety case must be a living document that helps operational personnel safely complete their job. This requires a document that is detailed, but readable; not an easy job, as it will tend to be voluminous and off-putting. And if it gets out of date, or if certain aspects are continually not being followed, then it needs to be reassessed to see if there is a better way to perform the relevant tasks that is as safe, but less likely to be ignored.

Given that a rig crew is unlikely to joyfully read a safety case, the contents need to be used as examples for safety meetings. While these are still unlikely to inspire people to read the document, they will communicate the message, and will require a few people to continually reference the documents to fill their safety meetings. Through this continual referencing, areas requiring updating will be identified. A safety case should strive to be as comprehensive as Robert's Rules of Order with the readability of Gone with the Wind.

John Stiff is a senior consultant with ABSG Consulting Inc. Donald Nordin is director of offshore risk and integrity for ABSG Consulting Inc.

Deeper Dive

For more information on the methodologies covered in this article, check out the following resources. The subject of risk tolerability is covered at length in the book Guidelines for Developing Quantitative Safety Risk Criteria, published in 2009 by John Wiley & Sons. The U.K. Health and Safety Executive site, www.hse.gov.uk, offers guidance on what regulators want to see, and how some documents are audited. And the November/December 2011 issue of the Journal of System Safety featured a relevant article entitled "The Use of Safety Cases in Certification and Regulation," by Nancy Leveson.

www.sname.org/sname/mt October 2013