4 Overall Approaches: Prescriptive and Safety Case Regimes

4.1 Origins of Safety Case Regimes

On July 6, 1988, the Piper Alpha platform, located in the United Kingdom sector of the North Sea, exploded and burned, resulting in the deaths of 165 of the 226 personnel on board, and £1.7 billion worth of property damage. At the time, the platform's production accounted for approximately 10% of North Sea output. The structure was almost completely destroyed within a few hours and the direct cause was a lack of containment of flammable hydrocarbon vapors.

Prior to the Piper Alpha tragedy, offshore process safety was regulated by prescriptive regimes, wherein a series of regulations specified exactly what was required to meet a country's safety expectations. This approach, still used in some countries (e.g., Nigeria and China), is unpopular with many operators due to its inflexible nature. Operators, however, do see at least one overall benefit in the approach—the perceived retention by governments of accident liability when operators comply with all the specific requirements of the prescribed regulations.

A downside of prescriptive regulation occurs when operators install equipment they consider unnecessary or inappropriate for the sole purpose of complying with regulatory requirements and obtaining a classification certificate, permit to operate, or similar. Doing so can mean missing opportunities to apply best industry practice and/or installing the latest and best safety equipment and systems.

Following the Piper Alpha disaster, a public inquiry, chaired by Lord Cullen, was initiated by the United Kingdom government. In addition to his original mandate to investigate the event's causes, Lord Cullen offered 106 recommendations to prevent reoccurrences. In view of its failure to prevent the disaster, the previous prescriptive regulatory approach was rejected in favor of a safety case regime for offshore oil and gas installations.

Lord Cullen's recommendation to adopt a safety case/goal setting regime was accepted in the United Kingdom and has gradually been utilized to different degrees and with different formats in other locations. Under these regimes, the operator is completely responsible for any and all accidents and is required to establish a safety case to ensure that the risk to personnel due to MAEs is ALARP.

The ALARP principle is a key element of the safety case approach and was based on a judgment by Lord Justice Asquith in the United Kingdom in 1949 and subsequently confirmed by the Australian high court. It is interpreted in the industry as meaning that the cost, in terms of either time or money, to further reduce an identified level of risk is disproportionate to the risk reduction potentially achieved.

The goal setting/safety case approach is popular in that it provides flexibility in how the zero accident goal is achieved, but the duty holders have realized there is nowhere to hide—by definition any accident is a failure in the safety case's suitability.

In some countries retaining primarily prescriptive regulatory approaches, for example, the United States and Canada, some form of safety case, or at least the basic elements of one, is often one of the prescriptive requirements.

4.2 Safety Case Development

The format for safety cases is similar globally, but differences in emphasis exist between countries and operators. In the United Kingdom, for example, the template requires the inclusion of the following main sections:

• Introduction.

• Description of safety systems.

• Safety management system.

• Management of major hazards.

• Justification for continued operation (including following repairs, modifications, or unexpected events).

Examples of the steps, elements, and terminology used to develop and execute a safety case are as follows:

• Safety reviews: These consider the overall safety of an installation and usually comprise multiday workshop style meetings attended by qualified and knowledgeable safety representatives of the owner and any of its contractors familiar with the facility's safety arrangements.

• Hazard and operability studies (HAZOPs): These are formal, facilitated, documented systematic workshops intended to identify and classify the facility's hazards and their causes. They are most effective when representatives from many departments and disciplines are included.

• Hazard identification studies (HAZIDs): Similar to HAZOP studies, these are formal documented workshops intended to systematically identify all credible hazards in a facility or plant. They benefit from multidiscipline participation, including, for example, the responsible design engineer, project manager, installation manager, maintenance engineer, and several project engineers. The HAZID output is usually a list of hazards which can be used, for example, in quantitative or qualitative risk assessments (QRAs).

• Development and population of a hazard/safety risk register: This is usually the output from safety reviews, HAZOPs and HAZIDs. Experienced facilitators are often employed to ensure that sufficient rigor is applied to the process and all hazards have been evaluated.

• Quantitative/qualitative risk assessment studies (QRAs): The purpose of these activities is to assess the risk, comprised of both probability of occurrence and consequence, of each identified event.
Quantitative approaches involve calculating risk by multiplying together the assigned numerical values of probability of occurrence and consequence. The process has drawn criticism from some industry participants who questioned the accuracy and suitability of applying numbers to some risk elements, for example, the value of a human life. Conclusions based on the result of multiplying what are sometimes very small numbers together to produce an even smaller number were also considered by some to be somewhat unconvincing and difficult to accept.
Qualitative approaches have become more popular, wherein probability of occurrence is subjectively evaluated along a range, for example, from “remote” to “certain,” and consequences are categorized from “negligible” to “catastrophic.” Plotting both results along orthogonal axes then leads to an overall risk assessment, with conclusions potentially including actions such as “tolerate,” “monitor controls,” and “stop all production until corrective action is effectively implemented.” An example of this system is shown in Fig. 4.

• Generation of a list of potential MAEs: These are project specific and can include natural events. Most often they are defined as an event having the potential to cause multiple fatalities. In some cases, however, the definition is expanded to include, for example, environmental damage, asset damage, and even corporate reputational damage. It is noteworthy that in many cases events having the potential to result in only a single fatality are excluded from safety case analyses. These would then include the events which, statistically, produce the most offshore injuries and fatalities—slips, trips, and falls.

• “Bow-tie” analysis and workshop: The title originates from the shape of a pictorial description of the work (see Fig. 5): The MAE is at the center of the “tie,” with threats and consequences forming the opposite sides. The SCE form barriers on either side of the MAE, with those on the threat side representing steps taken to ensure that the threats do not cause a MAE, and those on the consequence side representing the effective performance of SCEs meant to mitigate the effects of MAEs.

One of the outputs of the bow-tie analysis is a list of SCEs. There are two types:

• Structure, plant, equipment, system, or other elements, the failure of which could lead to a MAE. Examples would be pressure vessels, main structure, process piping, and electrical cabling.

• Equipment or systems whose purpose is to prevent or limit the consequences of a MAE. Examples of this type of SCE would be gas detection equipment, deluge systems, fire pumps, life boats, and temporary refuges.

Care needs to be taken to include both types of SCEs in safety case discussions and considerations, and not only the second type, which are traditionally considered to comprise a project's safety equipment.

• Establishment of PSs, which, if complied with, ensure SCE effectiveness: Each SCE has an associated specific PS or series of PSs. In theory, if the PS is complied with, the SCE is effective in doing its part to prevent the occurrence or mitigate the effects of a MAE. Examples of PSs might be:

– Firewater pumps to provide a given flow rate.

– Main structure to withstand the effects of a hurricane of a given strength for a given time period.

– Temporary refuge to provide safe cover for personnel for a given time period following the most intense credible identified fire or explosion.

– Cables supplying power to emergency equipment to remain operational for a given time period following initiation of the most intense identified fire.

– Hull structure to meet all requirements of a recognized classification society's applicable rules.

• PS requirements are of five types: functionality, availability, reliability, survivability, and interdependencies, often referred to by the acronym “FARSI.” These terms are defined as follows:

– Functionality: The specific functions required to be performed by the SCE—for example, hydrocarbon carrying piping should withstand, without loss of containment, all static and dynamic loads applied by internal fluid motion and external supports.

– Availability: The ability of the SCE to perform its function under the specific expected conditions—for example, systems should not be adversely affected by electromagnetic interference generated by other proximate equipment.

– Reliability: The probability that the equipment will operate without failure under the expected conditions. In some cases, the probability is defined in project-specific programs such as QRA or a defined safety integrity level (SIL). In others, the probability of failure is defined in external codes and standards.

– Survivability: The ability of the SCE to operate for as long as is required following an event—for example, a temporary refuge is required to provide protection for occupants for as long as is required to safely evacuate all persons on board under the most extreme fire and/or explosion event. Similarly, passive fire protection (PFP) would be required to prevent any collapse of the structure which would jeopardize evacuation for as long as it would take to safely evacuate all personnel under the most extreme fire and/or explosion event.

– Interdependencies: Any other systems upon which an SCE depends to perform properly—for example, process emergency shutdown (ESD) valves require that the cabling carrying signals to them operate properly under the expected conditions, and that the control logic governing their use has been correctly developed and coded within the ESD system. Additionally, an ESD system typically requires interfaces with other SCE systems such as ignition prevention, fire and gas detection and signaling, and emergency power.

• It is usually a regulatory requirement that compliance with the PSs is verified. This needs to be done by the builders and operators as a normal part of project due diligence. There is also usually a regulatory requirement to have an independent third party assess the arrangements and confirm PS compliance. This role is usually performed by one of the classification societies.

5.1 SCEs, the Failure of Which Could Lead to a MAE

• Main structure supporting process equipment: The structures (e.g., beams supporting decks, decks themselves, and pipe supports) supporting process equipment need to be sufficiently robust to allow the equipment to operate under normal operating conditions. Failure to do so could lead to, for example, piping or pressure vessel failure, subsequent release of hydrocarbon, and, upon ignition, an explosion or fire resulting in multiple fatalities and/or other serious events.

• Pressure vessels, heat exchangers, fired heaters: This equipment needs to be designed and constructed properly, thereby preventing either sudden catastrophic explosive failures or process leaks. The former would likely lead to serious fires and/or explosions, the latter, in combination with a source of ignition, could likewise lead to serious explosions and/or fires.

• Storage tanks: Leaks in storage tanks, in combination with a source of ignition, can quickly lead to serious fires and explosions. If under pressure, undetected fabrication or design flaws in tanks can lead to more sudden explosions.

• Piping systems: Failures in piping systems, whether induced by design or fabrication flaws, can lead to MAEs either through sudden explosions or the production of standing hydrocarbons, which provide a fuel source for fires/explosions. Pipe supporting arrangements are critical in the prevention of piping systems induced MAEs. For floating offshore installations, forces induced by the movement of the carried fluids combined with those related to vessel movement all need to be considered in pipe support design and installation.

6 Some Examples of Regulatory Regimes

6.1 Overview

The process whereby chemical process safety is regulated varies from country to country. Some, for example, Nigeria and China, operate primarily prescriptive regimes, wherein detailed safety requirements are specified in regulations. Others, for example, the United Kingdom and Australia, regulate process safety within safety case regimes. For the latter, the operator generates and is responsible for all aspects of a safety case, wherein a series of SCEs and PSs are defined. Theoretically, if the PSs are complied with, a level of safety ALARP is achievable. Other countries, for example, Canada, the United States, Norway, and Denmark, operate hybrid regimes wherein many of the elements present in safety cases are embedded within prescriptive regulations.

Key elements and philosophies of the regimes in Canada, the United States, the United Kingdom, Australia, Denmark, Norway, Nigeria, and China are described in this section. Because of differences in the various regimes’ structures and the style of information available in the literature describing each, the descriptions are not completely consistent in their presentation. Emphasis has been placed on any distinctive aspects of the countries’ contributions to process safety regulation, for example, the UK's influence on all the other regimes resulting from its formal adoption of a safety case approach, and Australia's definition of Validation as an activity to be kept separate and distinct from all other aspects of facility regulation.

Table 2 summarizes each country's primary methods of regulation and their overarching acts and main regulations.

6.3 The United States: Code of Federal Regulations

Crowl and Louvar (2002) describe the United States government process for generating and enacting laws and regulations, as summarized below.

6.6 Denmark Offshore

Energy supply administration in Denmark is the responsibility of the Danish Energy Agency (DEA), which is part of the Ministry of Energy, Utilities, and Climate (Ens.dk (2016)). The Minister grants licenses to produce oil and gas when all legislation has been complied with. The overarching legislation is the Danish Subsoil Act together with its accompanying executive orders, guidelines, etc. Safety of offshore installations is regulated by the Offshore Safety Act (Act). The regime can be considered to be primarily prescriptive, in that the requirements of the Act must be complied with. However, many of the Act's requirements are similar to those defined within operator-generated safety cases utilized in other regimes. This section describes the Danish offshore safety regime only.

6.7 Norway

Safety in the Norwegian petroleum industry is regulated by the Petroleum Safety Authority (PSA) (psa.no, 2016). The PSA proposes to take a confident leadership role in improving safety, stating on its website, “The past 2 years have been characterized by serious incidents and safety challenges. This trend will be reversed in 2017—with us as the driving force and industry as implementer.”

Similar to the transformation in the UK after the Piper Alpha incident, a philosophical change has taken place within the Norwegian regulatory regime, whereby the responsibility for safety has migrated from the regulator to the duty holder. This is emphasized by the characterization above of industry owners as “implementers.”

6.8 Nigeria

Process safety regulation and compliance in Nigeria are primarily prescriptive and managed by the Ministry of Petroleum and its regulatory arm, the Department of Petroleum Resources. Areas of interest include any locations where petroleum is processed, stored, or sold, including producing wells, production platforms, and flow stations, crude oil export terminals, refineries, storage depots, pump stations, and pipelines.

Some safety-related activities of the government agencies include but are not limited to:

• Supervising operations being carried out under licenses and leases in the country.

• Monitoring flaring operations.

• Ensuring that health and safety regulations conform with international best oilfield practice.

6.9 China

Process safety in China is regulated within a prescriptive regime. The primary safety-related laws and regulations include:

• Safety Production Law.

• Offshore Oil Safety Production Regulations.

• Detailed Rules on Offshore Oil Safety Management.

• Provisional Regulations on the Supervision and Administration of Oil and Gas Pipelines Safety.

• Safety Rules for Coalbed Methane Surface Mining (for trial implementation).

• Health, Safety, and Environment Management System for Oil and Gas Industries.

Key state-owned oil company internal documents are also considered to be applicable to the wider industry, for example, China National Petroleum Corporation's (CNPC) Guidelines on Health, Safety and Environmental Management System for Oil and Gas Drilling, and China National Offshore Oil Corporation's (CNOOC) Requirements for Offshore Oil Operations Safety Training.

Operators are required to provide formal documentation to local governmental agencies prior to conducting hydrocarbon operations. The authorities review and approve the documentation and in some cases conduct a site visit. Some elements of the submissions include the following:

• Appropriate storage and management of life-saving and fire-fighting equipment and hazardous items.

• Appropriate maintenance of stand-by vessels and helicopters.

• Appropriate safety training of all personnel.

• Antihydrogen sulfide safeguarding measures.

• Establishment of an accident/emergency contingency plan.

• Establishment of an effective reporting program.

• The rights of workers to stop work and evacuate in the event of an emergency.

• The duty of workers to report any safety hazards to management.

• Suitable training and appropriate certification of management personnel, including full-time process safety managers.

• Documented confirmation that pipelines have been constructed, checked, and accepted in accordance with national standards.

6.10 Approach Where Safety Cases or Prescriptive Regulations Are Not Required by Legislation

In some cases, particularly regions where offshore oil and gas development is relatively new, prescriptive regulations or the development of a safety case and the associated requirement to comply with PSs are not mandated by legislation.

In most of these cases, however, as part of their due diligence process, multinational owners/operators nevertheless decide to establish safety cases and have them verified by an independent competent body, usually one of the classification societies. Compliance with industry best practice safety standards has come to be accepted as a matter of good business practice, particularly in light of the financial, reputational, environmental, and moral consequences of MAEs.

Duty holders usually choose the safety case process with which they are most familiar, often the one required by the country where the duty holder's headquarters is situated. In addition to safety case requirements, duty holders routinely request their contractors to comply with company-specific standards and practices, as well as any applicable requirements of the chosen classification society's rules. Achieving compliance with these three sets of requirements needs careful management by the duty holders, EPIC contractors, and the classification society, throughout the design, build, and operate phases. This is particularly true with respect to equipment package procurement.

6.11 Comparison of a Safety Result Indicator (TRIF) by Countries Considered

It is tempting to evaluate the approaches used in different countries by comparing the country-specific safety results achieved. There are many sources of statistics available in the literature and electronic media. For example, The International Association of Oil and Gas Producers (IOGP) generates an annual report showing accident statistics divided by many categories—by region and country, accident category, activity being undertaken, and time (International Association of Oil & Producers, 2015). The 2012–2014 average TRIR* in the eight countries considered in this section, as reported in the IOGP's 2015 report are shown in Fig. 7.

The reasons for the comparatively high TRIR value in Denmark and low values in Nigeria and China are unknown. However, despite differences in regulatory approaches, the TRIR results from five countries (Canada, the United States, the United Kingdom, Australia, and Norway) with similar levels of oil and gas experience are fairly consistent, ranging from 2.6 to 3.1. This might indicate that the differences in approaches in process safety regulation may not be as important as having some form of reasonably well defined and enacted form of regulation, regardless of, for example, whether the safety case is considered the primary tool for regulation, or its requirement is embedded in a defined prescriptive regulation.

*TRIR: The number of recordable injuries (fatalities+lost work day cases+restricted work day cases+medical treatment cases) per million hours worked.

7.1 Piper Alpha: Offshore Oil and Gas Production Platform Explosion and Fire in the UK North Sea, 1988

The Piper Alpha platform exploded and burned in the North Sea on July 6, 1988 (Wikipedia, Piper Alpha, 2016), resulting in the deaths of 167 personnel and causing property damage of £1.7 billion. The platform, originally designed and constructed for oil only operation but subsequently modified to add gas production, accounted for about 10% of North Sea production. At the time, the accident was the worst ever offshore oil disaster, both in terms of lost lives and property damage.

The direct cause of the accident was overpressure in one of the two parallel condensate pumps, which could not be withstood by an improperly fitted temporary blind flange. The first pump, originally called upon, failed. The second, subsequently called upon, had its pressure safety valve removed and replaced by the loosely fitted blind flange by an earlier shift as part of partially completed routine maintenance. Gas then leaked out of the pump/flange and was ignited, causing an explosion which blew through a firewall designed to withstand fire, but not explosions. Some other issues associated with the accident were as follows, together with suggestions of how a rigorous regulatory program might have averted the disaster.

• Ineffective PTW process. A PTW covering the status of the pump undergoing maintenance was in place. It was generated by day shift personnel and stated that the pump was not ready and should not be switched on under any circumstances. Unfortunately, the situation was not discussed directly with the incoming night shift foreman. Instead, the permit, which could not subsequently be found, was simply left in the control center.
PTW systems and procedures are key elements of safety cases and are also mandated by other regulatory requirements. PTW procedures are usually required to be part of the formal documentation submitted for review and approval to the regulator, classification society, and/or CA. Procedures generally require sign-off at all stages of the work, including handover from one group or shift to the next. The argument could be made that had the night shift foreman been required to formally sign-off all active work permits in place during his upcoming shift, the disaster may have been averted.
Communication is also a key element of the safety case process. Usually a communications plan is required, which would include, for example, short tool-box style meetings between personnel ending and beginning their shifts. It is quite possible that had such a meeting taken place, the condition of the pump undergoing maintenance would have been known to the night shift staff.

• Unacceptable design. A contributory factor in the disaster was the inability of the firewall to withstand an explosion. In fact one panel from the firewall was violently dislodged and caused a rupture in another pipe and subsequently another fire. Design review and approval of all safety-related structures and equipment are primary elements of all regulatory programs, both prescriptive and those relying on safety cases. It is quite likely that the unsuitability of the firewall for the facility's current configuration would have been picked up by the design appraisal process.

• Notification of changes to the facility. Regulatory programs require operators to advise the regulator, classification society, and/or CA when any significant changes are made to the facility. The Piper Alpha platform was originally intended to produce oil only, but was reconfigured to add gas production. This would certainly constitute a significant change.
One of the significant changes associated with this would have been the upgrade of the firewall to a blast wall. Had there been a rigorous process in place to review all aspects of the changes it is quite possible that the effect of this contributory factor could have been minimized or eliminated altogether.
A second and more fundamental result of the change from oil only to oil and gas production was the breaking of the basic safety concept that the most dangerous operations should be kept as far away as possible from personnel areas. The change resulted, for example, in gas compression equipment being located next to the control room. This change was also considered to be a contributory factor in the disaster.

• Ineffective interfield communications and levels of authority. The fire would have burned out more quickly except that oil from two adjacent platforms, Tartan and Claymore, continued to feed it. The managers of the adjacent platforms either believed they had no authority to stop production, or they were directly instructed by their superiors to continue production.
Regulatory programs and safety cases have requirements for clearly defined, submitted, and approved communications plans, level of authority matrices and similar. It is quite likely that such plans would provide for communications protocols in emergency situations and give offshore installations managers the complete authority to take any appropriate steps they considered necessary to safeguard life and property in the event of an incident. This would have been an obvious mitigative step in dealing with the disaster.

7.2 Texas City Hydrocarbon Refinery Explosion, 2005

A refinery in Texas City, United States exploded on March 23, 2005 (Wikipedia, Texas City, 2016), resulting in the deaths of 15 workers and injuries to 170 others. The direct cause was the ignition of a flammable hydrocarbon vapor cloud, which was released from an overfilled and overheated pressure vessel. Secondary and root causes of the accident are listed below, together with some suggestions of how a rigorously enacted regulatory process may have eliminated the causes and prevented the disaster.

• Heavier than air hydrocarbon vapors coming into contact with an ignition source (suspected to have been a running vehicle's engine).
Prevention of unintentional escapes to the external environment of hydrocarbon vapors is a key regulatory objective at several project/facility stages. The design approval process ensures that pressure vessels are sufficiently robust to withstand all applied forces for the life of the facility. Suitable corrosion allowances are required to be included, which specifically need to be approved by the authorities and/or classification society/CA. The effective and appropriate construction of vessels should be confirmed during mandatory new-construction surveys. The ongoing fitness for purpose of hydrocarbon containing equipment is to be confirmed during annual (or more frequent) poststartup surveys.
A major component of modern safety cases is the identification and management of sources of ignition. Operators are required to execute systematic hazard identification exercises (HAZIDs and HAZOPs), usually in a workshop format with government representatives and the classification society present, in order to identify and manage all potential sources of ignition. It is possible that such a session would have led to the prohibition of vehicles in proximity to any hydrocarbon containing vessels having the possibility of leaking gaseous mixtures.

• Engagement of the overpressure protection system following overfilling and overheating of a production vessel.
Regulatory regimes require that effective overpressure protection systems be designed, constructed, and installed according to industry recognized codes and standards. This includes the requirement that any release of hydrocarbons be only to a “safe” area, thereby minimizing the risk of ignition. In the present case, the protection system was effective in that it operated to relieve pressure from the vessel, but ineffective in terms of the location of gas release.

• Numerous technical and organizational failings at the refinery and within BP. Regulatory regimes, in combination with mandatory QA requirements, require that effective management systems be enacted. It is likely that the overarching system requirements required would address at least some of the organizational failings.

• Poor maintenance for several years (the refinery was built in 1934). All current regulatory regimes require that detailed maintenance plans be submitted and approved by the authorities, including the verifier/classification society/CA. Furthermore, annual inspections are required following startup of facilities, and these annual inspections always require a review of adherence to the maintenance program.

Postincident reviews of the conditions at the plant revealed the following situations, which, although they did not directly cause this accident, may have caused one having equal or even greater consequences.

• Broken alarms. Current regulatory regimes require that the design, installation, and subsequent effective operation of alarm equipment and systems is according to industry accepted codes and standards. Testing of alarm equipment and systems is a prime activity during annual (or more frequent) surveys. Such testing, done with sufficient rigor, will ensure that alarms remain in good operational efficiency throughout the operational life of the facility.

• Thinned pipe. This is addressed by regulatory regimes at both the design and operational phases of a facility's life cycle. At the design stage, a corrosion allowance for all equipment is included which should prevent dangerous pipe thinning. The annual survey acts as a backup to detect and manage corrosion before it gets to dangerous levels.

• Chunks of concrete falling. This is addressed by regulations covering the design, construction, and operational phases of the facility's life cycle. Concrete and any other main structural elements (e.g., steel for floating vessels or fixed offshore platforms) are required to be designed to effectively withstand (including agreed factors of safety) the effects of environmental and any other applied forces for the operational lifetime of the facility. The effective and code-compliant construction of the structure is required to be surveyed during new-construction surveys. Annual surveys confirm that the structure remains fit for purpose and that any unacceptable degradation is corrected.

• Bolts dropping 60 feet. This is addressed in both the design and ongoing survey stages of regulatory approval. At the design stage, a dropped object study is a common requirement, which addresses the types of objects that could fall, the consequences of potential events, and measures taken to prevent objects from falling. Other common design requirements include, for example, kick boards, which prevent tools or other items from being accidentally kicked over the side of a deck to one below. At the annual survey, the ongoing fitness for purpose of the dropped object prevention measures are evaluated, as well as the observance of any areas which may have been missed at the design phase.

• Staff being overcome with fumes. Modern regulatory regimes require the implementation of an effective and rigorous notifications process. This would require, for example, the authorities (governmental, classification society, and CA) to be formally advised within specified time periods of any safety-related event, which would certainly include the observed presence of gas fumes at a facility. The reporting time and level of detail required to be submitted are dependent upon the seriousness of the event.

• Five managers in 6 years. Regulatory regimes require effective management systems, covering both safety and quality. It is likely that having so many managers over a short period of time would trigger questions, comments, or noncompliances within the regulatory process.

7.3 Bhopal: Toxic Gas Release From the Union Carbide Insecticide Production Facility, 1984

The Bhopal (India) disaster (Crowl & Louvar, 2002) occurred on December 3, 1984, when more than half a million people were exposed to 42 tons of toxic methyl isocyanate gas released from a Union Carbide pesticide plant. Thousands died immediately, and many more were trampled in the ensuing panic. More than 18,000 people are estimated to have died from the immediate, short-term, and long-term effects of the event. Cost cutting in response to poor selling of the plant's end product, Carbaryl, and the associated reduction in maintenance frequencies, was proposed as the fundamental root cause of the accident. It is noteworthy that at the time of the disaster, there was no production underway since there was a surplus of Carbaryl on the market.

The events leading to the incident have been proposed as follows:

• Unintentional water ingress into a pressure vessel during routine cleaning of adjoining pipe. This hypothesized initiating cause was later challenged, when in 1985 the scenario was tested in the presence of official investigators and demonstrated to be invalid. The plant owners proposed the alternative scenario of sabotage by a disgruntled worker who may have intentionally introduced water into the tank.

• A chemical reaction resulting from the presence of water, leading to a build-up of carbon monoxide. The rate and volume of the reaction were exacerbated by the rusty condition of the vessel.

• A resulting increase in internal temperature and pressure to a level higher than the vessel was designed to withstand.

• A resulting opening of pressure relief valves and release of gas to the environment for a period of approximately 2 h.

A 1985 report on the disaster suggested several causal factors, as below. It can be reasonably suggested that the effective and rigorous application of some of the basic fundamental safety case and management system requirements mandated by most regulatory regimes could have prevented the tragedy. The specific regulatory elements which may have eliminated each causal factor are described below.

• Failure to use, where possible, less dangerous chemicals than the ones actually used. One of the basic principles of risk management is to replace, where possible, a hazardous substance with a less dangerous one. The choice of chemical used may have been challenged as part of hazard analysis exercises, “what if” workshops, and similar, which are part of current safety case generation activities.

• Storage of chemicals in larger than necessary tanks. This would likely have been challenged within the design appraisal function at the early stages of plant design, possibly front end engineering and design (FEED), when overall configuration is considered. Regulatory or third party verifier review of the facility's safety case is another activity which may have discovered this problem.

• Possible piping and vessel corrosion. At the design stage, submission and approval of design plans, including a suitable corrosion allowance, are a requirement of most current regulatory regimes. Furthermore, the plans and procedures for routine maintenance, which would have included checking for excessive corrosion, are required to be submitted for review and approval to the authorities and classification society/CA. The problem would also have been apparent and likely found during mandatory annual third party surveys of the facility and the operator's routine maintenance activities.

• Poor maintenance after the plant stopped production. See the above related to submission of maintenance plans and annual surveys. More fundamentally, however, the mandatory safety cases in most of today's regulatory regimes require a “cradle to grave” philosophy, wherein the operator needs to demonstrate safety at all project phases, including design, fabrication, procurement, installation, life extension, and decommissioning. The philosophy would require that appropriate, albeit probably reduced, maintenance was conducted even during periods of shutdown.

• Failure of safety systems. This is a general causal factor, but current safety case regimes require a facility wide rigorous and systematic approach which looks at all safety critical systems.

• Plant design modifications in response to economic pressures. One of the key requirements of all regulatory regimes is that the operator must advise the regulator, classification society, and/or CA when significant modifications affecting safety are made. In this case, weaknesses or errors associated with the modifications may well have been discovered and prevented, thereby averting the tragedy.

7.4 Flixborough, England: Explosion of the Nypro Limited Nylon Component Fabrication Facility, 1974

The Flixborough factory of Nypro Limited exploded in June 1974, completely destroying the facility, killing 28 people and injuring 36 others (Crowl & Louvar, 2002). The plant produced caprolactam, a material used in the production of nylon. The accident was believed to have been caused when inadequately supported and overflexing 20 inch feed stock, which was used to replace existing cracked and leaking 28 inch feed stock, ruptured under internal pressure. Thirty tons of cyclohexane were released, and the resulting vapor cloud was subsequently ignited by an unknown source. Several of the root causes mentioned below could reasonably be expected to have been prevented by an effective and rigorously enacted regulatory regime.

• Lack of a safety review following the replacement of the piping. Regulatory regimes require any significant repairs or modifications to be subjected to an effective internal safety review, including approval and sign-off by duly authorized personnel, some of whom are independent from the production and commercial departments of the company. Furthermore, the appointed classification society/verifier/CA/is required to be made aware of the details and approve the repair/modification. In this case, no safety review was conducted. A safety review and/or involvement of the third party agency may have discovered any safety weaknesses in the proposed modifications at the drawing stage and prevented them from becoming part of the physical changes, which may then have averted the disaster.

• Documentation of repairs and qualifications and background of supervisory and technical personnel. Regulatory regimes require repairs and modifications to be formally documented, approved, and signed off by experienced and qualified technical personnel. In the present case, the technical proposal was found to have been sketched on the machine shop floor using chalk.

• Inadequacy of design. Subsequent reviews of the accident showed that the design details of the repair were unacceptable. Design appraisal is a significant component of modern regulatory regimes. Approval is required both prestartup and before the physical implementation of any significant changes or repairs. An effective regulatory program would have required the submission of the repair details to the classification society/CA/verifier, and any deficiencies against either industry codes, standards, or good practice, may well have been discovered and rectified, thereby preventing the disaster.

• Excessive inventories (330,000 gallons of cyclohexane, 66,000 gallons of naptha, 11,000 gallons of toluene, 26,400 gallons of benzene, and 450 gallons of gasoline). The excessive inventories contributed to the duration and general destructiveness of the postexplosion fires, which burned for 10 days. Modern regulatory regimes require workshop-based exercises such as hazard identification (HAZID) and hazard and operability (HAZOP) studies. Potential consequences of all credible accident scenarios are considered, which contribute to the determination to each hazard's risk. It is probable that during the analysis of potential explosion consequences during HAZID/HAZOP/risk assessment exercises, the inventory level would have been challenged, and quite possible that alternatives would have been considered and evaluated.

7.5 Pasadena, Texas, Explosion of a High Density Polyethylene Plant, 1989

A high density polyethylene plant in Pasadena, Texas, exploded on October 23, 1989, resulting in 23 deaths, 314 injuries, and $715 million in property damage (Crowl & Louvar, 2002). The direct cause of the disaster was the ignition of an accidentally released 85,000 pound gas cloud comprised of ethylene, isobutene, hexane, and hydrogen. The subsequent accident investigation revealed that standard operating procedures had not been followed during routine maintenance procedures on some process valves. Some of the secondary and root causes are as below, together with suggestions of how an effective regulatory program may have prevented the disaster.

• Failure to follow maintenance procedures: Modern regulatory regimes require that procedures and other documentation describing maintenance plans and programs are reviewed and approved by the regulator, classification society, CA, and/or verifier prior to startup. Furthermore, the effective implementation of the approved maintenance procedures is the subject of regular (usually annual) inspections and surveys. It is probable that any weaknesses in the maintenance plan documentation would have been discovered in the initial review, and that any implementation nonconformances would have been discovered and rectified during the annual survey process. Either of these activities may have prevented the problems in compliance with documented maintenance procedures which contributed to the disaster.

• Failure to conduct ongoing routine process safety hazard analyses, resulting in the ongoing existence of serious safety deficiencies. The planning and execution of hazard analyses are key components of management systems required by current safety case/goal setting regimes. The ongoing inclusion of such activities may have identified safety concerns and prevented the disaster.

• Unacceptable design of process valves (not designed to fail to a “safe” condition). Modern regulatory regimes all include requirements for design appraisal. A main design principle is that, upon loss of power or other unexpected event, equipment fails to a safe position. An example is fuel supply line valves which fail to a closed position in the event of loss of power, so that a continuous fuel supply in an emergency (fire) situation is prevented. A rigorous design appraisal, which would include not just the valves themselves but the system in which they were installed, may well have picked up and corrected this deficiency.

• Absence of a permitting system covering plant activities. A PTW system is a key element of safety management systems required under all regimes, particularly those based on safety case philosophies. The permitting system generally requires sign-off by many levels of management as well as all participants in the activity. The requirement for sign-off generally ensures that all disciplines assume their appropriate share of the responsibility that a particular activity is conducted in both a safe and technically correct fashion.

• Absence of a combustible gas detection and alarm system. Modern regulatory regimes demand the presence of such systems, and their proper design, construction, and operation are all checked. The overall design appraisal function would have noted its absence, or it would have been picked up during the mandatory safety risk assessment, hazard identification, or hazard and operability workshops. In the unlikely event that these functions failed to identify the absence of this key safety element, final prestartup surveys would almost certainly capture and rectify the omission.

• Proximity of high occupancy structures to hazardous operations. Current regulatory regimes encourage and in many cases mandate that a third party verifier become involved in plant design very early in the design process. The classification society, CA, or independent verification body is usually engaged at the FEED phase, when overall design aspects such as module and/or building occupancy and location are considered. This would have been the opportunity to identify and rectify a dangerous overall design flaw such as this.

• Inadequate building separation. Under a rigorously implemented regulatory regime, this type of problem would likely have been identified and corrected during the interaction between the designer and the third party agency during FEED review activities.

• Crowded process equipment. As in the previous root cause, this type of issue can be discovered at the FEED project stage, either by the designer or by the third party checking process mandated by the regulator.

7.6 ARCO Chemical Plant Explosion, Channelview, Texas, USA, 1990

A 900,000 gallon process wastewater tank at the ARCO chemical plant in Channelview, Texas, exploded on July 5, 1990, killing 17 people and causing $100 million in damage (Ness, 2016). The direct cause of the explosion was the development, during routine maintenance, of an explosive atmosphere in the tank, which was ignited when the plant was restarted. There were several secondary and root causes of the incident, which are listed below together with suggestions of how an effective regulatory regime might have averted the disaster.

• No MOC review was conducted. The technical root causes will be discussed below, but from an overarching management perspective, regulatory regimes require documented, and effectively implemented fundamental programs and procedures, such as MOC, to be in place. These programs require a series of formal steps to be taken by the appropriate group of duly certified and qualified management representatives, including those representing operations, design, and safety. The steps would include, for example, a review of the design of the equipment installed to ensure safety during normal operations and the suitability of steps taken to ensure ongoing safety during maintenance activities, when some of the main systems may be turned off. All management representatives are required to sign the resulting MOC report, which ensures that all are aware of the responsibility they are assuming. There is a reasonable chance that a rigorous MOC process would have averted this accident.

• No prestartup safety review was conducted. Modern regulatory regimes require safety reviews to be conducted at appropriate times. The most obvious of these is prior to the original startup of a facility, but legislation also requires that safety reviews be undertaken whenever significant changes are made, as well as following periods of shut down and/or maintenance. Such a safety review would most likely have identified and prevented the technical causes of the incident described below, thereby averting the accident.

• The wastewater tank was not considered to be part of the operating facility. Historical reviews of accident causation sometimes describe misjudgments about the degree to which apparently harmless equipment and processes can affect overall facility safety. Compared to the hydrocarbon containing tanks and equipment at the large and complicated chemical process facility, safety issues associated with the wastewater tank were not given the same consideration, with tragic consequences. A rigorous safety review, which would have taken an overview of facility wide safety considerations, may well have detected this misconception and ensured that the appropriate safety measures were taken.

• Nitrogen purge was significantly reduced during maintenance. The effectiveness of a nitrogen purge system, which was designed to maintain an inert condition in the tank, had been significantly reduced during the maintenance activity. Safety was expected to be maintained through the installation of a temporary oxygen analyzer (see below). It is not unusual for systems ensuring ongoing safety during regular operations to be turned off or reduced during maintenance activities, when less chemical is circulating through pipes. However, a safety review or MOC session might be expected to consider the consequences of reduced or eliminated safety systems and take the appropriate steps, thereby eliminating this accident root cause.

• A temporary gas analyzer was located incorrectly during the maintenance activity. The analyzer should theoretically have detected the dangerous build-up of gases. However, the analyzer was installed between roof beams in the headspace of the tank, which was effectively a stagnant dead zone, and therefore the dangerous condition was not detected. Unfortunately, this type of error, which can be well understood by most, is very common in historical accident accounts. There is no guarantee that safety reviews will pick up every safety concern, but their rigorous and systematic performance certainly increases the likelihood of accident prevention.

7.7 Summary of Accident Causation

A summary of the causes of the major accidents described in this section is shown in Table 3. Many, perhaps all, of the direct and secondary/root causes of the accidents could have been eliminated had an effective regulatory regime been rigorously implemented.

8 Classification Societies: An Introduction and Their Role in Process Safety

8.1 Introduction

Classification societies originated when insurance companies wished to assign appropriate premiums to goods being transported on ships about which they knew little or nothing. The first society surveyors were retired ships’ captains and first mates to whom the insurance companies assigned the task of rating ships against an agreed series of categories, resulting in a “classification” of the ship. From those beginnings hundreds of years ago, class society activities have expanded to other industries, particularly the offshore oil and gas sector. Today's role in the energy sector is not philosophically dissimilar from that first assignment, except that now facilities are evaluated against the requirements of safety cases or prescriptive regulations.

Some details of four prominent classification societies are as follows:

• Lloyd's Register (LR). LR was founded in 1760 at Edward Lloyds’ coffee house in London, England (lr.org (2016)). Its corporate headquarters continue to be in London, but it has created centers of technical excellence in Southampton, UK, and Singapore. The world's oldest classification society is a “global engineering, technical, and business services organization.” LR's more than 9000 employees operate in 78 countries across three regions: the Americas, Europe/Middle East/Africa, and Asia.
LR's areas of business are marine, oil and gas, low carbon power, QA, industrial manufacturing, utilities and buildings, rules and regulations, and research and innovation.
LR's mission statement is “We secure, for the benefit of the community, high technical standards of design, manufacture, construction, maintenance, operation, and performance for the purpose of enhancing the safety of life and property at sea, on land, and in the air … because life matters. We advance public education including within the transportation industries and any other engineering and technological disciplines.”
LR's historical strength in the oil and gas sector has been in the fixed offshore platform market and it has recently become involved in new-concept energy megaprojects in Kazakhstan and Australia.

• Det Norske Veritas-Germanischer Lloyd (DNV-GL, formed by the merger of DNV and GL). DNV was founded in 1864 and is headquartered in Oslo, Norway (Dnvgl.com, 2016). Germanischer Lloyd was founded in 1867 and was headquartered in Hamburg, Germany. The two organizations were considering joining forces from as early as 1868, but the combined organization finally became operational in September 2013. The combined group comprises about 15,000 employees operating in more than 100 countries.
DNV-GL is organized functionally into the maritime, oil and gas, business assurance, energy, software, technology and innovation, and rules and standards sectors. It provides its clients with classification, technical assurance, software, and independent expert advisory services.
DNV-GL’s strength has been in the research, innovation, and rule development areas, although it competes effectively with the other societies in all traditional market areas.

• American Bureau of Shipping (ABS). ABS was founded in 1862, and is headquartered in Houston, Texas, United States (Abs-group.com, 2016). It operates in the marine, offshore, oil, gas and chemical, power, and government sectors across three geographical regions—the Americas, Europe/Middle East/Africa, and Asia Pacific.
ABS offers risk management services to industries that “power, fuel, and regulate our world.” Its mission is “to be a leading global provider of technical services that better enables our clients to operate safely, reliably, efficiently, and in compliance with applicable regulations and standards.”
ABS has traditionally dominated the drilling rig classification and certification market and also participates in various other energy activities.

• Bureau Veritas (BV). BV was founded in 1828 in Antwerp, Belgium (Bureauveritas.co.uk, 2016). BV is structured along eight global businesses: marine, industry, inspection/in-service verification, health, safety and environment, construction, certification, consumer product services, and government services/international trade. Its 66,000 employees operate from 1400 offices and laboratories, geographically divided into four regions: the Americas, Europe, Middle East/Africa/Eastern Europe, and Asia/Pacific.
BV's mission is “To deliver economic value to customers through quality, health, safety, environment and social responsibility management of their assets, projects, products and systems, resulting in licenses to operate, risk reduction and performance improvement.”
BV has traditionally offered inspection services to all types of projects in many different disciplines. This strategy ensures a presence on a variety of energy projects, including ones where it is not the primary verifying agency.

8.2 General Role

Classification societies execute different roles within the overall initiative of maintaining and improving process safety. In some cases, specialist technical expertise is provided within a consultancy/subject matter expert role. More commonly, however, class societies act either in a third party verification capacity on behalf of flag administrations and/or national petroleum boards, or as second party inspection organizations on behalf of operators having no legal requirement to have a third party evaluation of their safety arrangements.

When acting as a second or third party verifier, the society evaluates a facility's safety arrangements from both the design and construction perspectives, with the objective of issuing certification attesting that the arrangements meet the requirements of the mandatory codes and standards and provide a level of safety which is ALARP.

The basic class society scope of work required to achieve the foregoing objective is as follows:

• For design appraisal, to identify the required drawings from a client generated master document register (MDR), review them against the agreed codes and standards (usually listed in the safety case/PS documentation), and issue comments and request changes until it can be confirmed that the design meets the requirements of the codes and standards.

• For construction, to attend at construction facilities to confirm that:

– The materials and construction practices comply with the agreed codes and standards.

– The finished product is in compliance with the requirements of the design appraisal process and the codes and standards.

Modern economics has driven multinational oil companies to favor megaprojects, with an associated requirement for the classification societies to provide much more detail and structure in their service offerings than previously. Where shipyards’ assessments of the situation with the class society was at one time expressed simply by questions such as “is the Class man happy?,” today's requirements are much more demanding. LR has adopted a structured project management approach to megaprojects, which includes:

• Internal and external review boards which oversee project teams’ performance.

• Extensive project-dedicated organizations, including discipline specialists who remain on the project from FEED to abandonment. The organizations provide management, technical, commercial, and administrative functions.

• The specification of quality, documentation, and other project management requirements at all project phases from FEED to abandonment.

• Quality programs structured to cover each project component at all levels, from overarching quality and execution plans to detailed work instructions for site surveyors and design appraisal specialists.

LR's approach to megaproject classification, certification, and verification is described in the next sections (Attwood, Bates, & Price, 2013).

8.3 LR Project Management Framework

All projects, but especially large ones, benefit from a documented project management framework supported by robust tools and processes and with clear control points. Fundamental processes, for example, project risk management, are continuously applicable throughout all project stages.

The benefits, both to the specific project and the wider internal organization, of using a standard framework are:

• Consistent and repeatable approach to delivery of all projects within an organization.

• Increased likelihood of successfully achieving objectives.

• Continuous improvement of processes and tools.

• A scalable approach that can be adopted to both large and small projects.

• A common understanding of project roles, responsibilities, and terminology.

• Reduced risk from the loss/transfer of critical project staff from an in-progress project.

• Ability of management to quickly digest project reports, which will be in a consistent format across the project portfolio, and focus on principal issues.

The main aspects of a standard defined process are shown in Fig. 8. The processes, controls, and project management deliverables within the execution stage of a project lifecycle are highlighted. Each stage has inputs from the previous stage and expected outputs to be delivered to the next.

Some of the principles covered by the project framework are as follows. A rigorous implementation of the process will produce significant project benefits.

• A systematic approach to risk management is essential to successful project delivery. Risk identification, formal documentation in a project risk log, and subsequent management is an activity for all project team members. The review board also becomes involved in any intolerable or otherwise problematic risks.

• Early engagement. Most industry participants agree that the sooner the class society becomes involved in a project, the better. The purpose is to facilitate the documentation of a fully understood scope, broken down sufficiently to form detailed execution plans that have been agreed by the project team and client at an early stage.

• Maintaining open, regular, and accurate channels of communication with all levels of project stakeholders is vital to ensuring the smooth flow of instructions and sufficient warning of risks and changes to enable early assessment and appropriate management.

8.4 LR Approach to Megaproject Organization

A typical organizational chart for a large project is shown in Fig. 9. There are three main groups having the following roles:

• Project team—responsible for the effective execution of the project.

• Governance group (includes senior representatives up to the senior vice president/director level)—internal governance, guidance, support, and corporate accountability.

• Client group—external governance, provision of information, and access to sites and vendors’ works to allow the class society to execute its function.

A key governance element is regular project review board meetings, the objectives of which are:

• To give the project manager an opportunity to seek support from senior management.

• To give senior management an opportunity to assess project performance and plans.

• To give all internal stakeholders an opportunity to share ideas, ask questions, and assign and accept actions related to project activities.

• To share financial and technical project status and thereby enable informed decisions.

Some noteworthy points with respect to the organization are:

• The lead discipline engineers remain with the project throughout its lifecycle. The dotted lines between them and the site teams indicate that in addition to their design appraisal responsibilities they also provide support to the surveyors whenever necessary.

• The specialist team includes representatives for all critical disciplines, including a process, plant, and machinery (PPM) expert, whose responsibility specifically includes chemical process safety.

• Equipment package management can be very complicated on megaprojects, with in some cases more than 1500 individual certificates required. A separate project management group is required and is shown on the organizational chart.

8.5 LR Megaproject QA Program

The classification/verification process involves a series of activities described in quality documents such as project management execution plans, classification plans, survey work instructions, and similar. These documents have become more critical to the process as the geographical spread of megaproject activities widens and consistency expectations increase.

A typical map of quality documents for a megaproject is shown in Fig. 10. Some noteworthy points are as follows:

• The requirements extend from the very general corporate and local nonproject-specific requirements near the top of the diagram (e.g., corporate human resources procedures) to very project-specific instructions for site surveying and design appraisal near the bottom.

• Looking horizontally, the range of facility components is observable. For a megaproject, different modules are often designed and constructed by different EPIC contractors, resulting in separate contracts with the classification society. This provides challenges for the overall project managers and directors.

• In Australia, the regulator requires that Validation be kept independent from all other classification society activities. This concept is indicated by the lines surrounding Validation processes in the lower right corner of the diagram.

• Equipment package management is often the most complicated element of the megaproject classification process. Therefore separate dedicated execution and quality plans and procedures are required, as shown.