Formal Safety Assessments (FSA)

Formal Safety Assessments (FSA) - or Technical Safety Assessments - were identified in the Cullen Report (written following the Piper Alpha event) as being an essential part of a Safety Case. This page discusses the organization and contents of a typical FSA.

The International Maritime Organization (IMO) identifies the following five stages as being part of an FSA.

Identification of hazards (a list of all relevant accident scenarios with potential causes and outcomes);
Assessment of risks (evaluation of risk factors);
Identification of control options (devising regulatory measures to control and reduce the identified risks);
Cost benefit assessment (determining cost effectiveness of each risk control option); and
Recommendations for decision-making (information about the hazards, their associated risks and the cost effectiveness of alternative risk control options is provided).

The above list is not unique. All risk management programs are structured in a similar manner. And many of the activities, particularly the identification of hazards, would normally be considered as being as more to do with Process Safety Management. Indeed, formal safety assessments are generally mostly concerned with the more technical aspects of safety management. It is these technical elements that are discussed at this page.

As with everything else to do with safety cases, the nature and content of an FSA will vary according to local conditions and requirements. The management of safety is both non-prescriptive and performance-based. The information provided here provides a framework for the development of an actual FSA that meets the specific needs of a facility or project. Guidance is also provided in ISO 31010: Risk Management - Risk Assessment Techniques.

An FSA is a demonstration that, so far as is reasonably practicable, the risks to personnel have been minimized. It should:

Provide reasoned arguments and judgments about the risk acceptance criteria including the rationale for their acceptance, references used and details of the risk acceptance studies conducted into potential major accident events that may occur during the life of the facility.
Demonstrate that the operator has identified the nature, likelihood and consequence of potential major accident events that may occur at the facility;
State the associated risks of fatality with respect to employees at the facility, and that the likelihood of these events and/or consequences has been minimized over the life of the facility.
Demonstrate that all reasonably practicable steps have been taken to ensure the safety of employees in the event of an emergency and during transit to a place of safety. It should demonstrate in particular that the integrity of the temporary refuge, escape and evacuation routes is maintained in the case of a major accident event, and that all reasonably practicable steps have been taken to ensure the safety of employees in the event of an emergency and during transit to a place of safety (this requirement includes embarkation points and the use of escape craft for offshore facilities). Both qualitative and quantitative methods of analysis can be applied to the assessment of risk.
Identify all hazards having the potential to cause a major accident event.
It should provide a detailed and systematic assessment of the risk associated with each of those hazards, including the likelihood and consequences of each potential major accident event.
It should identify the technical and other control measures that are necessary to reduce that risk to a level that is as low as reasonably practicable.
Show that performance standards have been established.
Show that performance is measured against set performance standards within inspection, maintenance and safety management systems.
That there is periodic review of the process by which performance standards are established and maintained, including checks that the right things are being measured.

Elements of an FSA

An FSA will be structured to meet the needs of the facility being analyzed. An example is provided in Table 1.

Table 1
Elements of a Formal Safety Assessment

Project HSE Plan
Safety in Design Philosophy
Assumptions Register
Hazards Register
Hazard Identification
Layout Hazard Review
Major Accident Events/Safety Critical Elements
Fire and Explosion Analysis
Gas and Smoke Dispersion Analysis
Non-hydrocarbon Analysis
Emergency escape, evacuation and rescue analysis
Emergency Systems Survivability Analysis (ESSA)
Temporary Refuge Analysis
Environmental analysis
Quantitative risk assessment
ALARP
Noise Analysis
Material Handling
Health Risk Assessment
Human Factors Engineering

A summary discussion of each of the above topics is provided below. Links to more detailed pages are provided where appropriate.

1. Project HSE Plan

A safety case is concerned primarily with the safety of the facility once it has been built and is in operation. However, the project itself has its own set of hazards, particularly during the fabrication and construction stages (which may have their own safety case). Therefore a Health, Safety and Environmental (HSE) plan for the project itself should be prepared and incorporated into the FSA.

Health

The Project HSE plan will cover health issues such as the treatment of minor injuries and precautions to be taken when traveling overseas.

Safety

The plan will also show how safety on the project is to be managed. In the front end phases of the project the focus will be on issues such as safe driving, the development of safety moments with which to start meetings and a schedule for project safety meetings.

As already noted, safety during the construction phase of the project is a major concern and will often have its own safety case.

Environment

General environmental issues, such as not disposing of items overboard, will be included in the Project HSE Plan. The environmental plans and impact statements to do with the facility itself once it is in operation are usually prepared by specialist consulting groups or consultants.

2. Safety in Design Philosophy

The Safety in Design (SID) Philosophy has three primary purposes. First, it should how the different elements of the FSA (Table 1), and of the safety case in general, link to one another.

Second, it should show how overall risk is assessed and controlled.

Finally the SID Philosophy should describe any special safety or management goals that the project may have. The management for one company, for example, made it a condition that the concept of Inherent Safety was to be integrated into all the work done on the project. The Safety in Design Philosophy showed how this goal was to be achieved.

3. Assumptions Register

The project plan should include an Assumptions Register. A convenient place to locate this register is in the Safety in Design Philosophy. This register will contain a list of the assumptions used to develop the Formal Safety Assessment. (An alternative approach would be to put the assumptions for each topic into the deliverable for that topic.

The justification for the assumptions made should be provided. Generally, the justification will come from one of three sources.

A public report such as the Offshore Hydrocarbon Release Statistics and Analysis, 2002 (HSE 2003) that provides information on leak and ignition frequencies.
An industry data base such as the Offshore Reliability Data Handbook (OREDA 2009) or The Update of Loss of Containment Data for Offshore Pipelines (Energy Institute 2003).
The company’s own internal sources of information and statistics.

Some of the assumption topics are listed below.

Deck Type

The results of blast and gas dispersion analyses vary significantly depending on whether the deck is plate or grate. Therefore the assumptions made as to the type of deck to be used in various parts of the platform need to be made explicit.

Numbers of Personnel and their Locations

The Assumptions Register should specify how many people are on the platform, and where they are most likely to be located. An estimate as to peak manning loads, say during drilling, should also be provided.

Leak Size

The assumptions made as to the size of leaks from flanges, fittings, piping, instruments and vessels need to be documented.

Leak Frequencies

An estimate as to the frequency with which leaks can occur is required. The frequency value will generally vary inversely with hole size.

Transportation Logistics

An important part of the safety case is estimating the frequency and consequence of accidents involving helicopters, work boats and other forms of transportation. The types of transportation to be used, and the number of journeys made has to be estimated.

Assumptions to do with ship collisions (including pleasure boats that may be present) should be written down. Factors to consider include the speeds at which collisions may occur, and whether collisions occur while boats are maneuvering or drifting.

Lifting Operations

Assumptions to do with lifting operations need to be spelled out as a basis for the Material Handling study. Issues to be itemized include:

The types of lifting devices (monorails, platform cranes and chain hoists);
Areas for potential dropped objects (including subsea); and
Loading and unloading supply boats.

Guidance should be provided as to the percentage of drops that occur over the deck, over the side (into the sea), and into a work boat.

Rescue and Recovery Operations

Assumptions as to the effectiveness of emergency response and rescue operations need to be spelled out.

MetOcean Data

The Assumptions Register should contain meteorological information, covering both normal and extreme weather conditions. The information should include:

Mean wind speed;
Stability class;
Mean air temperature; and
Mean humidity.

Structural Failure Time

Assumptions have to be made regarding the time it takes for steel structures to fail when they are exposed to fire. An example is provided in Table 2.

Table 2
Representative Structural Failure Times

	Failure Time (minutes)
	Jet Fire	Pool Fire
H-60 rated firewall	10	60
J-15 Rated Firewall	15	-
Steel Beam	5	10
Steel Plate	5	10
Pipe / Riser / Process Vessel	5	10
Riser SSIV	7	10
Jacket Leg	15	30

4. Hazards Register

During the course of a project the facility design will be subject to a series of hazards analyses of various types. It is important that all identified hazards be captured in a single data base so that they can be managed, controlled and not overlooked.

The hazards register (sometimes called the risk register) is used to store information about all identified hazards. Although most of the items in the register will come from hazards analyses, some of the hazard information may come from other sources, such as incident investigations or lessons learned from other facilities.

Table 3 is an example of a Hazards Register. It will be managed and updated by a single person — often the same person as scribes the hazards analysis meetings.

Table 3
Sample Hazards Register

Finding		Notes
Finding Number
Date of Finding
Full Description of the Hazard
Source
Consequences
Safety
Environmental
Health
Economic
Likelihood
Risk Rank
Follow-Up
Assigned to
Company
Department
Recommendation
Status
Resolution
Date Approved
Approved by

The rows to do with hazard identification are discussed below.

Finding Number and Date

Each identified risk item is given its own number — often corresponding to a finding from a hazards analysis or from a Management of Change review.

Hazard

The identified hazard is described in this row. A perennial complaint to do with hazards analysis reports is that they are too cryptic, and that insufficient background material is provided. Therefore It is important to provide as much detail at this point — people who read and use the register months or even years later will not have any knowledge of the discussion that led up to the creation of the finding.

Source

The register should contain information as to how and where the hazard was identified. Typically this will be a hazards analysis, but the information may come from other sources such as incident investigations or employee observations.

Consequence(s) / Likelihood / Risk

The hazards analysis team spells out the hazard, consequence and likelihood for each finding. A perennial complaint to do with hazards analysis reports is that they are too cryptic, and that insufficient background material is provided. Therefore It is important to provide as much detail at this point — people who read and use the risk register months or even years later will not have any knowledge of the discussion that led up to the creation of the finding.

Follow-Up

The follow-up section of the risk register describes how the identified hazard was handled, and when the associated recommendation was completed. On a large project it is necessary to have one person who is assigned the task of making sure that all findings are closed out properly before the new facility is started up. In addition to managing the register itself, the person in charge of follow-up generally is assigned the broader responsibility of filing all of the hazards analysis reports. Questions that have to be answered in this context include:

How are the hazards analysis records to be managed?
How are the recommendations and action items to be managed?
How are the recommendations to be communicated?
What media are to be used for storing the hazards analysis records?
How and when are they to be purged?
Who has access to the hazards analysis records?
Who can modify the hazards analysis records?

5. Hazard Identification

The identification of hazards is fundamental to any risk management program. This topic is discussed extensively elsewhere on this web site. For an FSA the following methods are particularly pertinent:

Bow-Tie Analysis;
HAZOP; and
Failure Modes and Effects Analysis (FMEA).

6. Layout Hazard Review

Guidance to do with layout, and its relationship to Inherent Safety, is provided by the United Kingdom Offshore Operators Association. Some of the layout items to consider include the following:

Avoid conducting different hazardous operations at the same time;
Physical separation of major components containing hydrocarbons (e.g., risers, wells and separators);
Location of the temporary quarters remotely from major hydrocarbon inventories, in particular wellheads and risers;
Reduction of congestion in process areas;
Siting of high pressure gas and Liquefied Petroleum Gas (LPG) inventories in well ventilated areas and away from large inventories;
Location of risers to avoid supply boat impacts.

7. Major Accident Events / Safety Critical Elements

Major Accident Events

A major accident event (MAE) is one that has a high consequence. Large fires, explosions and toxic gas releases fall into this category. An important part of the FSA is to identify these MAEs and to ensure that they are properly controlled.

Safety Critical Elements

The term “safety critical element (SCE)” is sometimes used during the preparation of a safety case. The term refers to a part of an installation or facility whose failure could contribute substantially to a major accident, or whose purpose is to prevent, or limit the effect of, such an accident.

Documentation

Given that SCEs are so important to the safety of offshore facilities, it is important that everything to do with them is properly documented, and that the documentation is kept up to date.

Depending on what the SCE is, documentation will generally include:

Design information;
Specifications;
Certificates covering items such as materials of construction, testing and certificates of fitness; and
Demonstration of compliance with regulations, codes and standards.

8. Fire and Explosion Analysis

This topic is discussed in another web page at this site.

9. Gas and Smoke Dispersion Analysis

Gas Dispersion

This topic is discussed in another web page at this site.

Smoke Dispersion

An analysis of the smoke plume that can come from a fire is important (most of the deaths on the Piper Alpha platform were of men in the quarters who were overcome by smoke).

Stability Class

In general, the higher the wind speed the more quickly the plume disperses because the air is more turbulent. Atmospheric stability is divided into the six classes (Pasquill 1961) shown in Table 4.

Table 4
Air Stability Classes

Class	Description
A	Very unstable
B	Unstable
C	Slightly unstable
D	Neutral
E	Slightly stable
F	Stable

10. Non-Hydrocarbon Analysis

This topic is discussed in another web page at this site.

11. Emergency Evacuation, Escape and Rescue Analysis

This topic is discussed in another web page at this site.

12. Emergency Systems Survivability Analysis

13. Temporary Refuge

14. Environmental Analysis

15. Quantitative Risk Assessment (QRA)

16. As Low as Reasonably Practicable Risk ¾ ALARP

Given that risk is basically subjective it is not possible to dispassionately define what level of risk is acceptable and what is not. After all, if a facility operates for long enough, it is certain ¾ statistically speaking ¾ that it will experience an accident. Yet, given that real-world targets are needed for implementing safety cases, a value for “acceptable safety” is needed.

The ALARP page discusses this troublesome topic.

17. Noise Analysis

This topic is discussed in another web page at this site.

18. Material Handling

This topic is discussed in another web page at this site.

19. Health Risk Assessment

This topic is discussed in another web page at this site.

20. Human Factors Engineering

Human reliability analysis would normally be analyzed as part of the facility's Reliability, Availability and Maintainability (RAM) program.