163404540 sp 2062 hse specification specifications for hse cases
8/12/2019 163404540 SP 2062 HSE Specification Specifications for HSE Cases
Petroleum Development Oman LLC
Revision: 1.0 Effective: Mar-11
Page 1 SP-2062 Specification for HSE Cases Printed 04/08/14
The controlled version of this CMF Document resides online in Livelink. Printed copies are UNCONTROLLED.
Petroleum Development Oman L.L.C.
Document Title: Specification for HSE Cases
Document ID SP-2062
Document Type Specification
Security Unrestricted
Discipline Technical Safety Engineering
Owner MSE/4 Head of Technical Safety Engineering
Issue Date 31 March 2011
Version 1.0
Keywords:
This document is the property of Petroleum Development Oman, LLC. Neither the whole nor any part of this document may be disclosed to others or reproduced, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, reprographic recording or otherwise) without prior written consent of the owner.
i Document Authorisation
TABLE OF CONTENTS
i Document Authorisation
ii Revision History
iii Related Business Processes
iv Related Corporate Management Frame Work (CMF) Documents
1 Introduction
1.1 Purpose
1.2 General Definitions
1.3 Review and Improvement (SP 2062)
1.4 Deviation from Standard
2 WHEN ARE HSE CASES REQUIRED?
3 WHAT TYPES OF HSE CASES ARE THERE?
3.1 Asset/Facility HSE Cases at different ORP phases
3.1.1 Identify and Assess
3.1.2 Select
3.1.3 Define
3.1.4 Execute
3.1.5 Operate
3.2 Roles and Responsibilities for the HSE Case
3.2.1 Sign Off Dates
3.3 Roles and Responsibilities within the HSE Case
3.4 Workforce Involvement
3.5 Deliverables
3.6 Performance Monitoring
3.6.1 Review and Improvement (HSE Cases)
3.6.2 Material Change
4 ASSET INTEGRITY - PROCESS SAFETY MANAGEMENT
4.1 Process Safety Manual, HSSE Control Framework, Section
4.2 Centre for Chemical Process Safety Guidelines for Risk Based Process Safety (CCPS RBPS)
4.3 Process Safety in Projects
4.4 Critical Drawings
5 HEMP
5.1 Hazards and Effects Register
6 BOW-TIES
7 SAFETY CRITICAL ELEMENTS
7.1 SCE (Hardware) Barriers
7.2 SCE Selection
7.3 Performance Standards
7.3.1 Performance Standard Approval
8 HSE CRITICAL TASKS
9 MATRIX OF PERMITTED OPERATIONS (MOPO)
9.1 Using the MOPO
9.2 Deviations from the MOPO
10 ALARP demonstration
10.1 ALARP Definition
10.2 How to Undertake an ALARP Assessment
10.2.1 Principles of Hazard Management
10.2.2 Good Engineering Practice
10.2.3 Good Engineering Principles
10.2.4 HEMP Studies
10.2.5 ALARP Review
10.3 Assessment of Complex Decisions
11 OPERATE PHASE CONTINUOUS IMPROVEMENT
11.1 Drivers for Improvement
11.2 Remedial Actions
11.2.1 Qualitative Analysis of RAP Items
11.2.2 Interpreting the RAP
12 STATEMENT OF FITNESS
13 MANAGEMENT OF CHANGE
14 CONCEPT SELECTION REPORT
14.1 DCAF Deliverables for Identify, Assess and Select Phases
15 DESIGN HSE CASE REQUIREMENTS
15.1 Basic Requirements
15.2 Format
15.2.1 Contents
15.2.2 Part 1 Introduction
15.2.3 Part 2 CSR ALARP demonstration Summary
15.2.4 Part 3 Design Basis & Facility Description
15.2.5 Part 4 Hazards & Effects Management Process
15.2.6 Part 5 Improvement (Action Plan)
15.3 DCAF Deliverables for Define and Execute phases
16 OPERATIONS HSE CASE REQUIREMENTS
16.1 Basic Requirements
16.2 Format
16.2.1 Contents
16.2.2 Part 1 Introduction
16.2.3 Part 2 Facility Description
16.2.4 Part 3 People, HSE Critical Tasks
16.2.5 Part 4 Hazard and Effects Management
16.2.6 Part 5 Improvement (Action Plan)
16.3 DCAF Deliverables for Execute and Operate Phases
Appendix 1 Glossary of Definitions, Terms and Abbreviations
Appendix 2 Related Business Control Documents and References
Appendix 3 Hazard Inventory Checklist
Appendix 4 Example Hazard and Effects Register
Appendix 5 Safety Critical Elements Categories
Appendix 6 Example Safety Critical Elements Register
Appendix 7 Example Design Performance Standard
Appendix 8 Example Operations Performance Standard (EP 2009-9009, Ref. 10)
Appendix 9 Example of Implementation Table
Appendix 10 MOPO
Appendix 11 Operations HSE Case Change Approval
Appendix 12 CCPS RBPS Process Safety Elements
1 Introduction
An HSE Case provides a documented demonstration that risk reduction philosophies and measures have been developed and implemented at each phase of the Opportunity Realisation Process (ORP) to ensure that the risks are tolerable and as low as reasonably practicable (ALARP) through the systematic application of the Hazards and Effects Management Process (HEMP) as set out in the PDO HSE Management System (HSE-MS).
This document should be read in conjunction with the guideline Applying Process Safety in Projects GU-648 [4].
1.1 Purpose
The purpose of this specification is to establish minimum requirements for the content of HSE Cases and it shall be used for the development of HSE Input to Concept Select Reports, Design HSE Cases and Operations HSE Cases.
This specification SHALL [PS] be used for demonstration of the following requirements of the Process Safety Manual in the Shell HSSE & SP Control Framework [Ref. 7]:
o Identify and document Hazards with RAM red and yellow 5A and 5B Process Safety Risks for existing and new Assets (Requirement 1).
o Develop a Statement of Fitness for the Assets (Requirement 7).
o Review the Process Safety Risks to the Asset at least annually, in line with 8 Management Review (of the HSSE & SP Management System) (Requirement 20).
This specification contains information on the contents of each type of HSE Case and gives guidance and examples of information to be contained in specific sections.
1.2 General Definitions
The capitalised term "SHALL [PS]" indicates a process safety requirement.
The lower case word "shall" indicates a requirement.
The word "should" indicates a recommendation.
1.3 Review and Improvement (SP 2062)
Responsibility for the upkeep of this Specification shall be with the CFDH Technical Safety Engineering (Owner of this Specification). Changes to this document shall only be authorised and approved by the Owner.
Any user of this document who encounters a mistake or confusing entry is requested to immediately notify the Document Custodian using the form provided in CP 122 Health, Safety and Environment Management System [Ref. 1].
This document shall be reviewed as necessary by the Owner, but not less than every two years.
1.4 Deviation from Standard
Deviation to this Specification shall follow the requirements of PR-1247 Project Change Control & Standards Variance Procedure, Version 1 31/8/1999.
2 WHEN ARE HSE CASES REQUIRED?
HSE Cases are mandatory for all PDO operated (owned, leased or contracted) projects/operations containing hazards rated severity five or high risk on the PDO risk assessment matrix (RAM) as per Figure 2-1 [Ref. 1]. Hazards that fall into this category are referred to as Major Accident Hazards (MAH), and are typically identified during the HAZID conducted at the start of concept phase of a project.
However, for smaller, less complex projects or modifications to an existing asset where an Operations HSE Case already exists, it may be suitable to undertake a design review in place of a Design HSE Case and then update the existing Operations HSE Case.
For projects that fall into Category C as per Figure 2-2 overleaf, both qualitative (bow-tie analysis) and quantitative analysis (QRA) are required to determine the level of risk and to demonstrate that risks are reduced to tolerable and ALARP, thus a Design and Operations HSE Case must be compiled.
Guidance and confirmation shall be sought from MSE/4 on an individual project basis.
Figure 2-1: PDO Risk Assessment Matrix
Figure 2-2 shows the industry guidelines for a framework for risk related decision support by Oil and Gas UK in 1997 (formerly the UK Offshore Operations Association, UKOOA).
Once a new project has been assessed against the risk assessment matrix in Figure 2-1 and found to contain level 5 or high risk hazards, it shall be categorised as per the chart in Figure 2-2.
PDO Risk Assessment Matrix (Figure 2-1)

Increasing likelihood:

| A | B | C | D | E |
|---|---|---|---|---|
| Never heard of in the Industry | Heard of in the Industry | Has happened in PDO or more than 1>yr in the Industry | Has happened at the Asset or more than 1>yr in PDO | Has happened more than 1>yr at the Asset |

Consequences:

| Severity | People | Asset | Environment | Reputation |
|---|---|---|---|---|
| 0 | No injury or health effect | No damage | No effect | No impact |
| 1 | Slight injury or health effect | Slight damage | Slight effect | Slight impact |
| 2 | Minor injury or health effect | Minor damage | Minor effect | Minor impact |
| 3 | Major injury or health effect | Moderate damage | Moderate effect | Moderate impact |
| 4 | PTD or up to 3 fatalities | Major damage | Major effect | Major impact |
| 5 | More than 3 fatalities | Massive damage | Massive effect | Massive impact |
Figure 2-2: Framework for risk related decision support in PDO
To use the Framework, first relate the decision being considered to the decision context characteristics on the right hand side of the Framework. Establish a horizontal line across the Framework at the point that best fits the nature of the decision. The segments of this horizontal line define the relative weight that should be given to the different decision making approaches in the ALARP determination. The descriptors on the left hand side of the diagram describe the type and extent of consultation that is needed for the selected decision context and type.
Type B and C decisions shall be taken at higher levels within an organisation than Type A decisions.
Type A decisions are those involving well-understood hazards and proven solutions. The lessons learned from past years have been incorporated into authoritative Good Practice. Reference to the relevant Good Practice, supported by expert judgment, is sufficient to define the barriers needed to reduce the risks to both tolerable and ALARP.
Type B decisions are those involving less well-understood hazards. Good Practice has to be supplemented by more detailed analytical methods such as quantified risk assessment (QRA) particularly to address the uncertainties of novel aspects of design. However, risk-based analysis cannot be the only approach, as illustrated by the fact that it forms no more than 40% of a horizontal line through the Type B band.
Type C decisions are those involving hazards that may create societal concerns. The more technological factors in the ALARP determination need to be conditioned, or viewed in the context of how the situation will be seen by stakeholders.
The A, B, C groupings are not intended to split the framework into three discrete sections, but should be used to indicate a continuum of decision context types from a strongly Type A (technology based) at one extreme to a strongly Type C (judgment based) at the other extreme. A range of decision-making approaches will contribute, especially to Type B and C decisions. The background to the Framework is described in [4].
3 WHAT TYPES OF HSE CASES ARE THERE?
PDO activities and operated facilities fall into different categories and the different types of HSE Cases used to cover these are listed below:
o Asset/facility: hydrocarbon gathering/production facilities organised into delivery teams or hydrocarbon transporting infrastructure and storage facilities. The majority of PDO HSE Cases fall into this category and the content shall meet the requirements of this HSE Case Specification
o Contractor drilling rigs and hoists; the content shall meet the requirements of International Association of Drilling Contractors (IADC) [Ref. 4] and this HSE Case Specification
o Air Operations; the content shall meet the requirements of EP 2005-0263 Air Transportation Standard and this HSE Case Specification
o Land Transport; the content shall meet the requirements of EP 2005-0261 Road Transportation Standard and this HSE Case Specification
Air transport operations, road transport operations and marine operations with severity 5 or high level hazards (as defined by the RAM in Figure 2-1) that are PDO operated (owned, leased or contracted) shall have an Operations HSE Case.
The nature of Transport and Drilling Rig HSE Cases is that they are developed to describe the hazards and set out controls associated with the respective operation or activity. These cases are reviewed and updated as they develop, but rarely is there a requirement to develop a new HSE Case for these activities.
Asset/Facility HSE Cases differ in that new design projects or production stations may require that a new HSE Case is developed in accordance with this specification.
Asset/Facility HSE Cases are further separated into the following types of HSE Cases:
o Concept Select Report: This demonstrates that there has been a systematic application of HEMP during the Identify, Assess and Select phases, that the HSE risks associated with each development option have been identified and assessed, the lowest risk option has been chosen or that the cost/effort required to adopt the lowest risk concept is grossly disproportionate to the benefit.
o Design HSE Case: This demonstrates that there has been a further systematic application of HEMP during the Define and Execute phases, demonstrates that the severity 5 or high level hazards identified are both tolerable and ALARP and that all safety critical elements (with associated performance standards) have been identified and meet the performance standards.
o Operations HSE Case: This describes management of the severity 5 or high level hazards to ensure that they are tolerable and ALARP, bow-tie diagrams showing the hazards and the barriers to the hazards, a list of HSE critical tasks, references to operational management systems and a statement of fitness. This acts as confirmation that the HSE Case Owner (Director) is satisfied that the arrangements are in place for the facility to operate safely.
3.1 Asset/Facility HSE Cases at different ORP phases
The opportunity realisation process (ORP) is split into 5 phases punctuated by Decision Gates (Dg1-5) and Value Assurance Reviews (VAR1-5). Once the need for an HSE Case has been identified, the type of HSE Case and when it should be compiled needs to be identified as per Figure 3-1.
The Identify & Assess; Select; Define; Execute and Operate phases are discussed in the following sections.
Figure 3-1: 5 stages and applicable HSE Cases
3.1.1 Identify and Assess
This phase initiates opportunities and demonstrates the feasibility of those opportunities. Ideas are generated and aligned with business principles and strategies and potential values established so a decision to fund and staff further development of these ideas can be made.
This phase also asks the question as to whether the project has looked sufficiently at the risks, different development options, realisations and all possible outcomes. Is there at least one solution that would work in most, perhaps all, of the realisations? The project must understand what it is going to be taking into the Select phase.
HSE input at this stage is at a high level and includes a preliminary HAZID, HSE-SD Plan and input to the Risk Register.
3.1.2 Select
This stage must select the best concept solution for delivering value from the opportunity and make it clear why one choice was the preferred option.
HSE input into the select phase has potentially the greatest impact. The option selected to take forward into the define phase must be ALARP. An ALARP demonstration must be provided in the CSR (see section 14).
3.1.3 Define
The selected concept must be defined technically (scope, cost, schedule) or commercially (JVA, JOA, country entry) for final investment decision (FID). Note that the timing of a technical FID may not coincide with a commercial FID.
HSE activities and deliverables at the define stage include a Design HSE Case and other HEMP Studies.
3.1.4 Execute
The project is to be delivered as a facility consistent with the forecast scope, cost, schedule and proven performance and has to be accepted by the Owner of operations (usually the Relevant Director) for use.
During the execute phase the Design HSE Case is refined. The Operations HSE Case is developed prior to handover to operations. Further HEMP studies are carried out to support the ALARP Demonstration.
3.1.5 Operate
The project is operating as expected and is maximising returns to Shareholders and protecting the License to Operate. The Owner of operations (usually the relevant Director) has accepted responsibility for continued safe operations.
The Operations HSE Case will contain the ALARP demonstrations for the Operate phase. This is built and maintained throughout the operate phase (see section 16).
3.2 Roles and Responsibilities for the HSE Case
Delivery Team Leaders (DTL): DTLs are responsible for ensuring that the HSE Cases are developed and maintained for their assets and meet the requirements of this specification.
Project Managers: Project Managers are responsible for ensuring that the Concept Select Report and Design HSE Cases are developed and meet the requirements of this specification.
Contract Holders: For Air Operations, Road Transport and Drilling & Hoist Rigs, it is the Contract Holders that are responsible for ensuring that their Contractors develop and maintain HSE Cases that meet the requirements of this specification.
3.2.1 Sign Off Dates
Sign off dates for the CSR/HSE Cases shall be as follows:
o The Concept Select Report Case shall be signed off prior to VAR3.
o The Design HSE Case shall be signed off prior to VAR4.
o The Design HSE Case during detailed design phase shall be signed off when completed and prior to the PSUA.
o The Operations HSE Case shall be signed off prior to start up.
3.3 Roles and Responsibilities within the HSE Case
There are three main roles for developing, implementing and maintaining an HSE Case; the HSE Case Owner, HSE Case Custodian and the HSE Case Administrator. These roles for each type of HSE Case are shown in Table 3-1 and cover new projects and modifications to existing facilities.
Table 3-1: Roles and responsibilities within an HSE Case
HSE Input to ConceptSelect Report (CSR)
Design HSE Case Operations HSE Case
HSECaseOwner
Project Manager
Identifies therequirement for a HSESection in the CSR inaccordance with thisspecification
Appoints HSE resource
Project Manager
Identifies therequirement for an HSECase in accordance withthis specification
Appoints HSE CaseCustodian and assignsresponsibilities
Asset Director
Identifies therequirement for an HSECase in accordance withthis specification
Initiates OperationsCase and assignsresponsibilities
-
8/12/2019 163404540 SP 2062 HSE Specification Specifications for HSE Cases
14/84
Petroleum Development Oman LLC
Revision: 1.0Effective: Mar-11
Page 14 SP-2062 Specification for HSE Cases Printed 04/08/14
The controlled version of this CMF Document resides online in Livelink. Printed copies are UNCONTROLLED.
HSE Input to ConceptSelect Report (CSR)
Design HSE Case Operations HSE Case
Approves the ConceptSelect Report
Approves outcome ofALARP multi-disciplinary
reviews Develops a Statement of
Fitness for the Asset Approves the Design
HSE Case
Develops a Statement ofFitness for the Asset
Approves outcome ofHEMP studies
Approves the OperationsHSE CaseAssigns HSECritical Elementownership to theappropriate Technical
Authority/HSE Adviser; Ensures ongoing
compliance with thisspecification
Conducts periodicOperations HSE Case
reviews Ensures facility is
operated according tothe Operations HSECase
HSECaseCustodian
Project HSE Lead
Manages HEMP studies,ensures risk tolerabilityand suitable and robust
ALARP demonstrations
are made Prepares HSE content of
the CSR and checksDCAF content all signedoff
Coordinates thedevelopment of the HSEInput to the CSR.
Lead Technical SafetyEngineer
Identifies HEMP studiesto assess the hazardsand risk associated with
the project Develops risk reduction
strategies, identifiessafety critical elements(SCE) and associatedPerformance Satandardsin conjunction with SCETechnical Authorities(TA)
Facilitates that suitableand robust ALARPdemonstrations aremade.
Reviews and approvesall action items raised forcorrect detail, actionparty and target date
Compiles/co-ordinatesthe HSE Case
Delivery Team Leader
Ensures the HSE Casesare developed andmaintained for theirassets in accordance
with latest requirements. Ensures participation in
development andawareness and properuse of the HSE Case bythe organisation
Validates HEMP studiesand technical accuracyof the contents of theHSE Case
Co-ordinates review ofHSE critical tasks listingsand associated
Performance Standards Ensures that revisions
and updates areprepared whennecessary, adequatelycontrolled and distributed
Reviews facility specificemergency responseplans
Reviews and approvesall action items raised forcorrect detail, actionparty and target date
HSE Case Administrator
HSE Input to Concept Select Report (CSR): N/A
Design HSE Case: N/A
Operations HSE Case: Directorate Technical Safety Engineer
o Compiles/co-ordinates the HSE Case and subsequent reviews and updates
o Supports the HSE Case Custodian
3.4 Workforce Involvement
The HSE Case shall demonstrate that the workforce have been part of the development and review of the HSE Case. Workforce in this context is the front line operations and maintenance staff that are directly involved in the day-to-day running of the facilities.
The purpose of this requirement is to ensure that front line operations and maintenance staff:
have knowledge of the Major Accident Hazards that have been identified for the facility where they work
are aware of the controls and barriers in place to manage these MAHs (SCEs, Performance Standards, HSE Critical Tasks, MOPOs)
have knowledge of how these controls are managed (MIE, FSR, assurance reviews)
For Design HSE Cases, workforce involvement can be demonstrated by ensuring that relevant staff representatives have been involved in the design. This may be done by ensuring they participate directly in the design activities (HAZIDs, HAZOPs, HEMP studies) and by participating in project assurance reviews such as Design Reviews, peer reviews and project Audits.
Operations HSE Cases shall be communicated to the operations and maintenance teams on site. The focus shall be on what the case means to them and what impact it is likely to have. In addition, representatives from current operational, engineering, and maintenance teams and workforce representatives (where applicable) shall be included in the regular reviews as described in Section 13. This engagement may be demonstrated by ensuring that the HSE case is reviewed regularly by operations and maintenance staff, which can be achieved through:
job descriptions and staff performance contracts
dedicated communications initiatives
staff onboarding
committees or working groups (e.g. AIPSALT).
For both types of HSE Cases, the details of how workforce involvement has been achieved shall be described in the HSE Case or in the documentation of the periodic review of the HSE Case.
3.5 Deliverables
Design and Operations HSE Cases are classified as Essential Records according to CP-102 Documents & Records Management and shall be maintained on Livelink by the HSE Case Administrator.
Design and Operations HSE Cases are mandatory deliverables for new projects and existing assets, as described by the Discipline Control and Assurance Framework (DCAF) section in SP-2061 Technical Authority System [Ref.7].
3.6 Performance Monitoring
Routine performance monitoring of HSE Cases shall include:
o Assurance of Design HSE Cases at VARs
o Review of Operations HSE Cases during Pre-Start up Audits
o AI-PSM Assurance of Operations HSE Cases
o Monitoring of Operations HSE Case KPIs
3.6.1 Review and Improvement (HSE Cases)
Once the Concept Select Report is signed off, it is not anticipated that any revisions will be required as further project work will be covered in the Design HSE Case.
The Design HSE Case may need to go through several revisions during the Define and Execute phases depending on the nature of the design of the new project.
The Operations HSE Case shall be reviewed and updated at a maximum interval of 5 years unless any of the following circumstances occur:
o As part of a Material Change to the Facility, operation or surrounding environment that may have a potential impact on the risk profile
o When it cannot be verified that the performance of safety critical elements (SCEs) meet the performance standards and/or when mitigation measures have been employed for extended periods to compensate for this shortfall
o Prior to any material changes to the organisational arrangements or personnel levels
o Following a major incident involving the Facility or operation, or from lateral learning from other major incidents applicable to the Facility or operation
o Enhancements in knowledge or technology that change the basic assumptions on which the risk tolerability and ALARP demonstrations are based
o If there is a change to any of the signatory parties for the HSE Case, i.e. HSE Case Owner (Director), HSE Case Custodian (Delivery Team Leader) or HSE Case Administrator (Technical Safety Engineer)
3.6.2 Material Change
A material change is any change that significantly affects the basis for the original ALARP demonstration in the HSE Case. In practice this usually includes changes that have the potential to affect the major accident hazards or their controls, either directly or indirectly.
Examples of direct effects are:
o significant modifications or repairs to the plant or equipment, either as single large modifications or multiple smaller modifications,
o an increase in hydrocarbon inventory,
o new technology, processes or operational complexity,
o new types of combined operations, or new activities in connection with an installation,
o new operational risk controls.
Examples of indirect effects are:
o new ownership or operatorship, introducing a change in the management system,
o a major change of contractor, and
o extension of the use of the installation or its components beyond the original design life.
4 ASSET INTEGRITY - PROCESS SAFETY MANAGEMENT
Assuring the safety of people, assets, the environment and reputation is a core value and providing assurance that major process safety risks are being managed is a critical aspect of PDO corporate governance. Asset Integrity - Process Safety Management (AI-PSM) describes the way in which PDO assets are managed so that the process risk is as low as reasonably practicable (ALARP).
There are two Process Safety implementation mechanisms within PDO:
1. The Process Safety Manual of the Shell Group HSSE Control Framework [Ref.6]
2. AI-PSM as developed by Centre for Chemical Process Safety Guidelines for Risk Based Process Safety (CCPS RBPS) [Ref.9].
4.1 Process Safety Manual, HSSE Control Framework, Section
The HSSE & SP Control Framework replaces the mandatory requirements in EP2005 series, and includes mandatory Standards, Manuals, Specifications and Glossary terms, and non-mandatory Assurance Protocols and Guides.
The Process Safety Manual of the HSSE & SP CF comprises four elements:
1. Asset Integrity - Process Safety Management Application Manual
2. Design and Engineering Manual 1 (DEM1)
3. Design and Engineering Manual 2 (DEM2)
4. Override of Safeguarding Systems.
A full description of each element can be obtained in The HSSE & SP Control Framework [Ref.6].
Compliance with the detailed requirements of the Process Safety Manual is demonstrated by signing a Statement of Fitness (SoF). The Statement of Fitness is shown in section 12 and testifies that the hazards have been appropriately managed in accordance with HEMP and that a suitable and robust ALARP demonstration has been made.
The Statement of Fitness is a requirement of the AI-PSM Application Manual and a signed SoF shall be included in Design and in Operations HSE Cases, respectively.
For operational assets the SoF shall be signed by Asset Directors, and for new projects by the Project Manager before handover to operations.
4.2 Centre for Chemical Process Safety Guidelines for Risk Based Process Safety (CCPS RBPS)
The CCPS RBPS AI-PSM process is an assurance process containing 20 elements¹ that describe minimum expected standards and stipulate the requirements for a range of process related activities ranging from organisational culture, workforce involvement, risk management, HEMP and audit through to design.
The assurance process includes routine checking, self-assessments and audits, as well as independent 3rd party verification that the AI-PSM system and practices are consistent with industry best practice and are controlling process risk to ALARP.
The assurance process also identifies opportunities for improving the management and control of process risk and therefore is a key driver for continuous improvement.
¹ A description of the 20 AI-PSM elements is provided in Appendix 12.
HEMP is an integral element of the AI-PSM process and the HSE Case and provides a clear link between the two processes. Both the AI-PSM and HSE Case processes aim to identify, control and reduce risk levels to ALARP.
4.3 Process Safety in Projects
AI-PS requirements in projects, from project identification through to execution, are described in GU-648 Guide for Applying Process Safety in Projects [Ref.4].
This guideline extracts all the relevant information from the existing ORP documentation that is necessary to meet the AI-PS requirements at handover. It also provides further clarity with regards to the assurance processes which underpin the project team's ability to demonstrate that AI-PS requirements are met at the end of every project phase.
The main objective of this guideline is to explain the key AI-PS objectives and deliverables throughout the project phases that demonstrate the facility is fit for the safe introduction of process fluids and that systems, processes and procedures are in place so that AI-PS can be safeguarded in the subsequent operate phase.
This will allow PDO to make the statement that "Our Asset is Safe and we know it" after each project phase.
4.4 Critical Drawings
Critical drawings are those drawings which are required to be maintained in order to support the implementation of critical tasks. Critical drawings are required to ensure that the risks from MAHs are ALARP.
A list of critical drawings shall be made for each facility. All critical drawings shall be stored in an easily accessible database to reflect the current design and status of the asset (as-built status).
This will ensure that all personnel have access to reliable and up to date information to allow accurate planning of work operations and activities, management of change and investigative activities (when an incident has occurred).
Critical drawings include, but are not limited to:
o PFS
o PEFS
o Cause and Effect matrix
o Hazardous area classification
o Area Layout
o Site plan (sub-field layout)
o Key plan and Plot plan
o Escape routes
o Safety equipment layout
o Critical valve list (including locked open and locked closed valves)
o Fire and Gas layouts.
5 HEMP
The hazards and effects management (HEMP) process identifies and assesses HSE hazards, implements control and recovery measures and maintains a documented demonstration that major HSE risks have been reduced to a level that is as low as reasonably practicable (ALARP).
HEMP shall be applied to all activities over which PDO has operational control and shall cover the entire lifecycle of the asset or operation, from concept through to decommissioning and disposal. Work undertaken by a Contractor and under the Contractor's own management system shall have a requirement for an equivalent HEMP approach expressly stated in the contract.
HEMP is fundamental to all analysis and assessment elements of the formal HSE activities, and is at the heart of the HSE management system used in PDO. The HEMP process comprises four basic steps:
Systematic identification of hazards, threats, unwanted events and their effects
Assessment of the risks against screening criteria, taking into account the likelihood of unwanted events and the potential severity of the consequences in terms of effects to people, assets, the environment and reputation of PDO
Implementation of suitable risk reduction measures to control or mitigate the hazard and its effects
Planning for recovery in the event of a loss of control leading to an unacceptable effect.
The main objective of HEMP activities is to demonstrate that hazards (and associated risks) have been identified and where the hazard cannot be eliminated the risks are controlled to a level that is tolerable and as low as reasonably practicable (ALARP). The HEMP model is characterised by Figure 5-1.
Figure 5-1: HEMP Model
[Figure labels: Identify, Assess, Control, Recover; Risks Tolerability & ALARP; Document]
HEMP studies shall be performed by staff who are knowledgeable about the facility and operations and who are competent in the HEMP techniques necessary. The studies shall be planned and implemented in a timely manner to enable the results to be incorporated without incurring avoidable rework and costs. The studies should be documented such that key information and decisions made are transparent and available for future reference.
Recommendations arising from HEMP studies shall be recorded in an appropriate action tracking system.
5.1 Hazards and Effects Register
Hazards and their effects on people, the environment, the assets and the reputation of PDO shall be systematically identified and listed for the full lifecycle of the asset and operations.
The hazards are identified in a Hazard Identification (HAZID) meeting, and the outcome of this meeting is used to develop the Hazards and Effects Register.
PDO use a checklist of potential hazards to populate the Hazards and Effects Register. It is recommended that a multi-disciplinary team facilitated by an experienced person go through the list of hazards and identify those relevant to the specific facility/asset/operation under consideration. Ideally the team should be made up of Management, Operations, HSE, Maintenance and Engineering Disciplines (Concept, Detailed Design as appropriate) personnel.
The PDO Risk Assessment Matrix in Figure 2-1 shall be used to assess the hazards and their severity and frequency of occurrence. The experience of the team will be used to brainstorm hazards known to have been realised from previous experience, or to consider whether a hazard is credible and could occur within PDO operations. This is a subjective process and care must be taken not to over-complicate the process by thinking of multiple events, double jeopardy events or highly unlikely events.
Examples of credible scenarios could include a major leak from an oil storage tank at MAF, a leak at a Booster station on the main oil line, a leak from an offtake tanker hose, loss of containment from on-plot processing facilities, and loss of containment of H2S (affecting both onsite personnel and the general public). Consequences from such incidents usually cover injury/fatalities, fires/explosions, environmental impact, loss of facility and negative impacts on reputation.
For low and medium risk hazards, the controls for the hazards, i.e. permit to work, job safety assessment, operating procedures, competence assessments, tool box talks, etc., are discussed and then added to the Hazards and Effects Register.
Hazards that have been assessed as being a severity 5 or high risk on the risk assessment matrix are then modelled further using bow-tie methodology as described in the next section.
See Appendix 3 for the full checklist of potential hazards, and an example of a Hazard and Effects Register is provided in Appendix 4.
6 BOW-TIES
The Hazards and Effects Register documents that all hazards associated with the facility, and their control and mitigation measures, have been identified. Hazards that have been assessed as being a severity 5 or high risk on the risk assessment matrix (Figure 2-1) are then modelled further using bow-tie methodology.
The Bow-Tie is a model that represents how a Hazard can be released, escalate, and how it is controlled. It contains the elements required to effectively manage the Hazard such that the risks are tolerable and ALARP. Bow-Ties can also be used to support risk management of non-HSE processes.
For each severity 5 or high level hazard, the bow-tie methodology allows for:
1. Identification of the hazard release, escalation and consequence scenarios
2. Identification of controls, e.g. barriers and escalation factor controls required to manage the hazards
3. Categorisation of controls into Inherent Safety, Safety Critical Element (hardware) or Critical activity (procedures, processes, operator action)
4. A clear visual representation to enable the ALARP review to be undertaken
5. An aid in the incident review process if such a major incident has occurred.
The bow-tie is a model that represents how a hazard can be released, escalate and how it is controlled. Bow-Tie XP is the PDO preferred software tool.
Figure 6-1: Generic bow-tie model
Table 6-1: HEMP definitions and Bow-tie terminology
ALARP: As Low As Reasonably Practicable (Risk) means that having reviewed all practical alternatives for Major Accident Hazard elimination, Threat Controls and Recovery Measures, further reduction in risk would involve disproportionate cost or resources for the risk reduction achieved.
Barrier: Barriers prevent or reduce the probability of each Threat (left hand side of the bow-tie), limit the extent of, or provide immediate recovery from the Consequences (right hand side of the bow-tie). Barriers may be hardware, such as safety systems (e.g. F&G, ESD, etc.) or management systems and procedures.
Consequence: Consequences in the bow-tie are a direct result of the Top Event occurring. Indirect consequences, if applicable, shall be modelled in a separate bow-tie. Can include potential consequences that have not been heard of in the industry.
Escalation Factor: Factors that defeat, or reduce the effectiveness of, a Barrier.
Escalation Factor Control: Measures put into place to prevent or mitigate the effects of Escalation Factors.
Hazard: Any situation with the potential for harm to people, environment, asset or reputation, e.g. hydrocarbons under pressure, dropped load.
HSE Critical Task: An HSE Critical Task develops, implements or maintains the effectiveness and integrity of a Barrier or Escalation Control Factor in Bow-Ties for Severity 5 or High Risk Hazards. HSE Critical Positions are those that execute HSE Critical Tasks.
HSE Critical Position: HSE Critical Positions are those that execute HSE Critical Tasks.
Major Accident Hazards (MAH): Hazards that are classed as High Risk (Red) or severity 5 on the PDO Risk Assessment Matrix. This means any situation with the potential for major consequences (harm) to people, environment, asset and reputation if released.
Recovery Measure: Any measure put in place to manage Consequences and assist recovery from a Top Event.
Risk: The likelihood of a Top Event combined with the severity of the Consequences (the risk is from the Hazard to people, environment, asset and reputation).
Threat: Any action or mechanism that could bring about the unplanned release of a hazard.
Threat Control: Any measure put in place to prevent a Threat being successful.
Tolerable Risk: Tolerable Risks are those that have been reduced to a level where they comply with the applicable laws and regulations, standards, strategic objectives and other agreed Tolerability Criteria.
Top Event: The first thing that happens when a hazard is released. Individual bow-ties shall have a single Top Event.
The role of a barrier on the bow-tie diagrams is to prevent (left hand side of BT) or limit (right hand side of BT) the consequence of a major incident. Barriers may be:
1. Design (inherent) features, e.g. separation distances, reduction of process pressures, minimisation of leak sources, etc. (depicted blue on the bow-tie).
2. Safety Critical Elements (hardware and logic software), e.g. Process Containment Systems, Pressure Relief Valves, ESD, Fire and Gas Detection, Escape & Evacuation Systems, Breathing Protection, etc. (depicted green on the bow-tie)
3. Operational Safety Processes, e.g. valve lock out/tag out, breaking containment procedures, permit to work, etc. (depicted yellow on the bow-tie)
4. Operational Intervention Tasks, e.g. Plant Monitoring, Alarm Response, Shutdown, etc. (depicted yellow on the bow-tie)
Barriers shall be:
1. Effective in preventing the Top Event or Consequence
2. Able to prevent a specific Threat from releasing the Hazard
3. Verifiable - how shall the effectiveness of the barrier be confirmed?
4. Independent of other barriers in the same Threat line, e.g. no common mode failure.
Hardware Barriers for Severity 5 or High Risk Hazards (HSE) shall be classified as HSE Critical Elements. Selection of these Barriers shall be in accordance with EP2009-9009 SCE Management Manual [Ref.10] and is further described in Section 7.
Common barriers or escalation factor controls that appear frequently, e.g. those to do with Operator/Human Error, should be modelled using a separate bow-tie to manage the single Threat of Operator/Human Error.
See Section 10 ALARP demonstration for further information.
7 SAFETY CRITICAL ELEMENTS
A Safety Critical Element (SCE) is any item of hardware, system or logic software the failure of which could cause a Major Accident Hazard (MAH) or whose purpose is to prevent or mitigate the effects of a MAH. SCE groups are categorised according to Shell EP2009-9009 Safety Critical Element Management Manual [Ref. 10]. These groups or barriers (see section 7.1) contain the definitions of those items that may be classed as safety critical on any given facility.
Safety Critical Elements shall be selected from these groups during the bow-tie development process. The bow-tie diagrams show the SCEs as barriers to the MAH. A deliverable of the Bow-Tie development process is a list of SCEs applicable to the facility. This list shall be further developed as part of a SCE identification process that defines the safety critical components of each SCE barrier.
The role of a barrier on the bow-tie diagrams is to prevent or limit the consequence of a major incident. Barriers may be:
1. Design (inherent) features, e.g. separation distances, reduction of process pressures, minimisation of leak sources, etc.
2. Safety Critical Elements (hardware and logic software), e.g. Process Containment Systems, Pressure Relief Valves, ESD, Fire and Gas Detection, Escape & Evacuation Systems, Breathing Protection, etc.
3. Operational Safety Processes, e.g. valve lock out/tag out, breaking containment procedures, permit to work, etc.
4. Operational Intervention Tasks, e.g. Plant Monitoring, Alarm Response, Shutdown, etc.
The SCE management manual [Ref. 10] describes the activities and processes for managing the critical hardware barriers (SCEs) that appear in the MAH bow-ties.
7.1 SCE (Hardware) Barriers
Each SCE is grouped under one of 8 hazard management barriers, as depicted in the Swiss Cheese Model (Figure 7-1). The hazard management barriers are as follows:
Structural Integrity
Process Containment
Ignition Control
Detection Systems
Protection Systems
Shutdown Systems
Emergency Response
Life Saving Equipment
Each SCE belongs to one hazard management barrier. Generally, the Structural Integrity, Process Containment and Ignition Control SCEs, together with some aspects of the PSD/ESD system, reside on the left hand-side of the bow-tie top event. Failure of any of these barriers could cause or significantly contribute to a MAH. The remaining SCEs normally reside on the right hand-side of the bow-tie top event. These SCEs are provided to control or mitigate the effects of a MAH after it has occurred.
Figure 7-1: SCE Hardware Barriers and SCE Groups
The hardware barriers in Figure 7-1 are depicted with a number of small holes that represent an integrity failure either in design or operating performance. On their own, these failures may not be significant but, if the holes line up, there may be no effective barriers in place between safe operations and escalating consequences, leading to a major incident.
For example, a loss of containment in a sweet gas facility would not normally be expected to cause fatalities unless it is ignited. An integrity failure in the process containment system combined with a failure in the ignition control system could cause an ignited event, i.e. a fire or explosion. If there are no personnel in the area then this in itself would not cause fatalities. However, if there are integrity failures in the fire and gas detection system then the event may not be detected and the process system not isolated and the event may have the potential to escalate to adjacent inventories. This would also be the case if an ESD Valve or Blowdown Valve failed to operate on demand. Finally, if adequate assembly points and EER systems such as emergency telecoms are not provided or are not suitable, then personnel may not be evacuated quickly enough and the process release would have the potential to cause fatalities. The example shows that a number of what on their own would sometimes be considered minor failures have combined to produce a Major Accident causing fatalities.
Figure 7-1 shows the importance of maintaining, monitoring and ensuring the integrity status of all hardware barriers, so that what might be considered to be relatively small faults in individual barriers do not combine together in an unforeseen manner that compromises the ability of the barriers to prevent or control a major incident.
Note that it is not necessary for all barriers to fail to lead to a major incident. For example, failure of a single barrier such as process containment on a high sour facility may lead directly to a major incident.
Each SCE is attached to a relevant discipline who are designated as the owner of the associated Performance Standard.
7.2 SCE Selection
SCEs should be colour coded green on the Bow-tie and the specific SCE category denoted beneath the barrier that appears in the Bow-tie.
The process for selection of SCEs starts with a review of the generic list of SCEs provided in the SCE Management Manual [Ref.10] to identify those SCEs that are applicable to the facilities, for each of the identified Major Hazards. The list of selected SCEs shall be reviewed and agreed by the relevant discipline engineers during the define phase.
Figure 7-2 depicts the process for the selection of SCEs.
The HSE Case shall contain a list of the SCEs identified in the bow-tie diagrams as per the table provided in Appendix 5.
The HSE Case shall contain a table showing each SCE against the MAH bow-ties where they appear as hardware barriers, and an example is shown for the SCE group Process Containment in Appendix 6.
[Flowchart. Input: Generic List of SCEs (EP9009-2009). Yes/No decision boxes (text partly lost in extraction): "Could failure of this element cause a MAH?"; "Could failure of this element contribute substantially to a ..."; "Is the purpose of this element to prevent a ..."; "Is the purpose of this element to limit the effects ...". Outcomes: "This item is a Safety Critical Element." / "This item is not a Safety Critical ..."]
Figure 7-2: Selection Process for Safety Critical Elements
7.3 Performance Standards
A Performance Standard is a statement, which can be expressed in qualitative or quantitative terms, of the functional performance required of a SCE, and which is used as the basis for managing the risk from the Major Hazards. Defining and ensuring compliance with suitable Performance Standards provides assurance that the SCE is and will remain a barrier to the identified MAH.
Generally, the SCEs and Performance Standards follow a one-to-one relationship where each SCE has its own Performance Standard.
Performance Standards are used as the basis for design and technical (operational) integrity verification and are expressed in terms of functionality, availability, reliability, survivability and dependencies/interactions with other SCEs.
Functionality
Functionality is an expression used to define what the system or equipment is required to achieve in order to ensure design integrity.
Reliability and Availability
Reliability is defined as the required probability that the system or equipment will operate on demand, when required.
Availability is defined as the extent to which the system or equipment is required in order to retain its functional integrity.
Survivability
Survivability defines the external loading events such as fires, explosions or extreme weather, associated with the various MAHs against which the system or equipment is required to retain its functional integrity.
Dependencies and Interactions
This is used to identify other systems or equipment that are critical to the functionality of the primary system or equipment. By identifying these dependencies and interactions it is ensured that all interfaces have been covered.
There are two types of Performance standards;
Design Performance Standards. Design Performance Standards must be developedduring the Define phase. They shall provide a list of key functional criteria to whichthe SCE must comply with during the design. In practice the content of the
performance standards will be largely taken from the design and engineeringstandards that apply to the item or SCE. However, other information may be takenfrom the basis for design, the design philosophies, or the results of workshops andHEMP Studies such as HAZID/HAZOP, Design Review, Layout Reviews, Fire &Explosion Analysis, QRA, IPF, SAFOP, etc.
The Design Performance Standards will mature further during the execute phase andwill check that the SCEs have been constructed as designed. The existing QA/QCprocedures and practices should be used to support the Design PerformanceStandards. The design must take into account operational demands so thatsuitability can be ensured into the operate phase.
The Design Performance Standards will evolve into Operate phase PerformanceStandards at the end of the execute phase before handover.
o Operations Performance Standards. The Operate phase Performance Standards for SCEs should evolve from the Design Performance Standards. These Performance Standards are formatted to comply with the requirements of SAP-PM and SAP-QM in terms of minimum assurance tasks, assurance measures, assurance value and units of measure for the correct allocation to the appropriate level in the asset hierarchy.
Examples of the two types of Performance Standard are provided in Appendix 7 and Appendix 8, respectively.
7.3.1 Performance Standard Approval
Each performance standard is allocated an owner. The owner is responsible for ensuring that the content of the performance standard is appropriate and achievable. The performance standard owner is normally the CFDH for the items covered by the SCE. However, the CFDH may delegate the review and approval of their performance standards to the relevant TA2.
8 HSE CRITICAL TASKS
An HSE Critical Task is one that is in place to develop, implement or maintain the effectiveness and integrity of a Barrier, Escalation Factor Control or Recovery Measure Control in the MAH bow-ties.
HSE Critical Positions are those that execute HSE critical tasks.
The minimum information required for an HSE critical task shall be:
o The description and purpose of the HSE critical task required
o The person (position and reference indicator) responsible for performing each task
o Reference to supporting documentation, e.g. work instructions, SAP, procedure, etc.
o The method and criteria to verify that the task is performed as required to maintain barrier effectiveness.
HSE critical tasks should be developed to the level of the party responsible for ensuring that tasks are completed on time and to the required standard, e.g. Managers, Supervisors and Specialists, i.e. the position responsible for ensuring that the task is done and not the person who is actually undertaking the work.
Bow-tie XP software enables the HSE critical tasks to be linked to the relevant barriers.
Inspections and preventative maintenance activities for hardware SCEs are implemented via the Maintenance Management System, i.e. SAP. The task information is contained within the task description in SAP for all SCE barriers and is NOT listed as an HSE critical task, and is considered part of the hardware barrier itself. This applies, for example, to maintenance and calibration of a gas detector.
Implementation tables shall be developed for each HSE Critical Position. The implementation tables describe each HSE Critical Task, its supporting business controls and the business records required to verify that the task is being adequately executed. The implementation tables also provide a link to relevant barriers (HSE Critical Activities) and hazards on the Bow-Tie diagrams.
See Appendix 9 for an example extract from an Implementation table. Communication of HSE Critical tasks to affected people in affected positions is the responsibility of the HSE Case Custodian.
9 MATRIX OF PERMITTED OPERATIONS (MOPO)
A matrix of permitted operations (MOPO) is an information tool to assist Supervisors and Line Managers during the planning and coordination of operations and activities by providing useful information on:
o The operation or activity operating envelope and safe operating limits.
o Action(s) to take if/when certain situations arise that could compromise safe operations.
The MOPO is a set of matrices that maps operational activities against foreseeable situations that, if or when they arise, could compromise safe operating limits. These situations are identified from:
o The Threats and Escalation Factors identified as part of the Bow-tie assessments for severity 5 and high risk hazards.
o An assessment of other operations and activities that could contribute to the escalation of an incident, e.g. continuing with hot work when fire pumps (a safety critical element (SCE)) are unavailable.
Circumstances that could compromise safe operations are grouped into three categories:
o Simultaneous operations (SIMOPs), where large work parties under different management structures carry out work which results in hazards that may impact the other, e.g. removal or overhaul of equipment and/or production and/or construction and/or drilling in the same area (MOPO entitled "SIMOPs MOPO")
o External influences, e.g. extreme weather, visibility, security issues (MOPO entitled "Adverse Weather MOPO")
o Inactive safeguards, i.e. SCE unavailability or impairment, e.g. ESD systems, firefighting systems (MOPO entitled "SEC Impairment MOPO").
The MOPOs shall identify and differentiate between "stop" (red) conditions, i.e. operation NOT permitted, and "proceed with caution" (amber) conditions, i.e. continue following appropriate risk assessment and provide additional controls where necessary. All other activities in the MOPO that do not require further assessment or controls are denoted "safe to proceed" (green).
For developing a new MOPO or reviewing and updating an existing MOPO, refer to Appendix 10.
9.1 Using the MOPO
Copies of the MOPO shall be readily available in a suitable format (poster size, laminated, etc.) and displayed in the control room and other operational and job planning/coordination areas.
The MOPO shall be referred to during both routine work planning and coordination and in responding to unforeseen conditions.
9.2 Deviations from the MOPO
In the event of a situation arising where the preferred option is contrary to that given in the MOPO, this shall be assessed and approved by the Delivery Team Leader and relevant discipline authority as defined in DCAF. In the event of a SCE being impacted, relevant discipline authorities shall also be consulted using the FSR process.
10 ALARP demonstration
10.1 ALARP Definition
ALARP (As Low As Reasonably Practicable) allows a proportional level of effort to be put into risk reduction once the initial level of risk has been assessed for a particular operation or process. The ALARP principle is used to determine whether risks are broadly acceptable, tolerable or intolerable via comparison against company risk criteria.
The use of the ALARP principle requires judgement to determine whether or not risk levels are as low as reasonably practicable. ALARP can be demonstrated when the sacrifice (cost, time, effort) required to reduce the risk any further would be disproportionate to the risk reduction potentially achieved (the benefit). The term "sacrifice" relates to the time, effort and/or cost of the complete implementation and future maintenance and operation of the particular risk reduction measure in question. "Benefit" relates to the level of risk reduction offered by a risk reduction measure. "Reasonably practicable" is the balance between the sacrifice and benefit of implementing the risk reduction measure, or suite of measures.
ALARP justification also requires demonstration that all risk reduction measures assessed as reasonably practicable have been implemented. The use of "reasonably practicable" uses a goal setting approach to risk reduction rather than a prescriptive one. This is a standard approach for all high risk industries including the oil and gas industry.
ALARP demonstration can be based on a comparison of the suite of barriers and control measures that are in place, versus those expected to be seen in equivalent assets or industries. This represents good practice and can be identified as standards for controlling risk that have been judged and recognised as satisfying a particular set of laws or regulations. In the absence of a developed regulatory system, company standards, corporate global standards, best engineering practice and engineering judgement may be used as a basis for comparison.
For ALARP to be demonstrated, all hazards and risks must have been identified as far as practicable and assessed against the PDO Risk Assessment Matrix (RAM) (Figure 2-1) and as described in Section 5. This provides a prioritised listing of hazards. As a minimum, all Major Accident Hazards (High Risk and Severity 5 hazards) shall be subjected to Bow-Tie analysis as described in Section 6. This is a qualitative approach to demonstrating ALARP using the engineering, process, Process Safety and HSE knowledge and experience of the selected workshop group.
In addition to this approach, ALARP demonstration can employ a combination of qualitative and quantitative techniques dependent on the novelty, complexity and type of process or project under assessment. The HSE Cases are assessed in line with the Framework for risk related decision support in PDO as shown in Figure 2-1, and the level of risk assessment performed is proportional to the level of risk associated with the process or project.
Refer also to GU-648 Guide for Applying Process Safety in Projects [Ref. 4] and CP-117 Project Engineering Code of Practice [Ref. 6] for further description of ALARP requirements.
10.2 How to Undertake an ALARP Assessment
10.2.1 Principles of Hazard Management
The hazard management hierarchy as shown in Figure 10-1 is used to manage HSE risks and shall be referenced when demonstrating ALARP.
Nevertheless, all hazard management controls should be considered at each stage of the development.
Figure 10-1: Hazard Management Hierarchy
The strategy selected for managing a hazard will differ depending on the project phase, and this principle shall form part of the evaluation when making ALARP demonstrations.
As the opportunity for influencing the facility design is greatest during early design phases, the focus shall be on elimination or substitution of the hazards. This typically applies to Identify & Assess and Select phases of the ORP process.
As the project matures into Define and Execute, there is less opportunity to apply elimination or substitution and hence the predominant hazard management controls consist of isolation/separation and engineering solutions that can be put in place.
Once a facility becomes operational, the hazard management will largely focus on the organizational and procedural controls. PPE is generally regarded as the last principle of hazard management and therefore also the least effective.
10.2.2 Good Engineering Practice
In most situations, deciding whether HSE risks have been reduced to ALARP involves a comparison between the control measures a project is proposing and the measures PDO would normally expect to see in such circumstances, i.e. the requirements of relevant good practice captured in Company specifications and procedures listed in GU-611.
Figure 10-1 content (hazard management hierarchy, ordered from MOST EFFECTIVE to LEAST EFFECTIVE; the figure also carries the annotation "Not assessed in quantitative terms"):
o Eliminate: Eliminate the hazard
o Substitute: Use processes or methods with lower risk impact
o Isolation / Separation: Segregate hazards and/or targets
o Engineered Safeguards: PREVENTION (Design to prevent an unwanted event); RECOVERY (Design to mitigate harmful consequences)
o Organisational Controls: Training, Competency, Communication
o Procedural Controls: Operating procedures, Work instructions, Permits, Maintenance regimes, Emergency Response procedures
o Personal Protective Equipment: Protect the person
The scope for eliminating hazards and threats and reducing the scale of consequences is greatest at the beginning of the project and progressively reduces as the project develops. In part this is because the cost and difficulty of delivering a given risk reduction solution increases as the project develops. ALARP demonstrations must be robust for each of the HSE Cases as per Figure 3-1.
CP-122 Health, Safety and Environment Mgmt System CoP describes application of the AI-PSM process from CCPS RBPS within PDO to demonstrate compliance to good engineering practice and to ensure that risk levels are ALARP. This is made via demonstrating compliance against the 20 Process Elements shown in Appendix 12.
10.2.3 Good Engineering Principles
Company specifications and engineering standards should be followed unless there is sound justification, and then consideration given to whether there is any more that can be done to reduce the risk. If there is more that can be done, these further measures need to be assessed by comparing the risk reduction with the cost and effort involved in further reducing it.
Simply following standards does not in itself demonstrate ALARP, particularly for more complex or novel projects, where additional considerations shall be made.
10.2.4 HEMP Studies
HEMP studies undertaken during the select, define, execute and/or operate phases of the development are used to assess risk levels and identify any further risk reduction measures.
Applicable HEMP studies for each project phase are defined in DCAF.
10.2.5 ALARP Review
In assessing the risks associated with the Design or Operations HSE Case hazards, a qualitative review of the Bow-ties shall be undertaken. The review shall be led by an experienced facilitator and the review team shall be comprised of experienced staff from the following areas of expertise:
o Engineering
o Process
o HSE
o Maintenance
o Operations
o Management
o Asset stakeholders.
Each of the threat lines in the bow-ties shall be reviewed in turn and the discussion should cover questions such as:
o Does industry best practice state what should be done or make any recommendations?
o Can a benchmark exercise be undertaken against other operators and similar controls implemented?
o Where are the gaps/shortfalls and what action needs to be taken to address these gaps/shortfalls? See Section 11.2.
o Is there sufficient quantity and quality of barriers?
o Is there anything else that can be done to further reduce the risk?
Both barrier effectiveness and the number of barriers contribute to the overall effectiveness of control, although in general, the effectiveness of individual barriers is more critical.
The number, independence and reliability of the control and recovery measures shall be commensurate with the risk.
By approaching the bow-tie review in this systematic fashion, the barriers can be challenged in terms of completeness and adequacy and gaps identified and addressed so that the review team is satisfied that the risks are reduced to ALARP.
The HSE Case process enables an ALARP argument to be formulated although in isolation, a complete ALARP argument cannot be made. The claims made against the numbers, quality, performance and location of the barriers must also be verified. This verification of the safeguards (both hardware and procedural controls) is performed via AI-PSM audit and the TR-MIE and TI-HBV processes. These processes substantiate the claims made within the Bow-Ties and MOPO in terms of barrier integrity and performance.
10.3 Assessment of Complex Decisions
Demonstrating ALARP shall involve consideration of fundamentally different options to provide assurance that the Company gets the best value for money over the lifetime of the facility. The assessment of fundamentally different options normally takes place in the identify, assess and select phases.
Assessment of complex decisions requires consideration of all the hard and soft issues related to a range of options and should reflect a decision taken at the right level in the organisation with full knowledge of all the options and their associated risks and costs.
The following structure is recommended for documenting ALARP demonstration for complex project decisions:
1. IDENTIFY
a. Problem Definition
b. HSE Issues and Potential Risk
c. HSE Standard & Tolerability Criteria
2. ASSESS
a. Options Considered
b. Basis for Selection and Uncertainties
c. Justification for Chosen Option
3. CONTROL & EVALUATION
a. Residual HSE Risks
b. Recommendation for Next Project Phase
c. Requirements for the Operations HSE Plan/Case
The ALARP demonstration for such decisions shall be signed by the person developing the demonstration as well as relevant discipline Technical Authorities.
11 OPERATE PHASE CONTINUOUS IMPROVEMENT
11.1 Drivers for Improvement
Key Performance Indicators (KPIs) have been established for the AI-PSM programme within PDO. AI-PSM KPIs consist of:
o A set of KPIs defined by Operational and Functional Leadership, collected on a uniform basis at all assets (Corporate KPIs).
o Any additional asset-specific KP