SP-2062 - HSE Specification Specifications For HSE Cases

Revision: 1.
0
Petroleum Development Oman LLC Effective: Mar-11
Petroleum Development Oman

L.L.C.
Document Title: Specification for HSE

Cases
Document ID SP-2062
Document Type Specification
Security Unrestricted
Discipline Technical Safety Engineering
Owner MSE/4 Head of Technical Safety Engineering
Issue Date 31 March 2011
Version 1.0
Keywords: This document is the property of Petroleum Development Oman, LLC.

Neither the whole nor any part of this document may be disclosed to others or
reproduced, stored in a retrieval system, or transmitted in any form by any
means (electronic, mechanical, reprographic recording or otherwise) without prior
written consent of the owner.
Page 1 SP-2062 Specification for HSE Cases Printed 27/03/11

The controlled version of this CMF Document resides online in Livelink. Printed copies are UNCONTROLLED.
Revision: 1.0
This page was intentionally left blank

Revision: 1.0
i Document Authorisation

Revision: 1.0
ii Revision History
The following is a brief summary of the 4 most recent revisions to this document. Details of all
revisions prior to these are held on file by the issuing department.
Version Date Author Scope / Remarks

No.
Draft 22/02/2011 Karen McConnachie New document

Revision: 1.0
iii Related Business Processes

Code Business Process (EPBM 4.0)

Revision: 1.0
iv Related Corporate Management Frame Work (CMF)

Documents
The related CMF Documents can be retrieved from the Corporate Business Control
Documentation Register CMF.

Revision: 1.0
TABLE OF CONTENTS
i Document Authorisation........................................................................................................ 3
ii Revision History.................................................................................................................... 4
iii Related Business Processes................................................................................................. 4
iv Related Corporate Management Frame Work (CMF) Documents........................................4
1 Introduction........................................................................................................................... 8
1.1 Purpose........................................................................................................................... 8
1.2 General Definitions.......................................................................................................... 8
1.3 Review and Improvement (SP 2062)...............................................................................8
1.4 Deviation from Standard.................................................................................................. 8
2 WHEN ARE HSE CASES REQUIRED?................................................................................9
3 WHAT TYPES OF HSE CASES ARE THERE?...................................................................11
3.1 Asset/Facility HSE Cases at different ORP phases.......................................................11
3.1.1 Identify and Assess......................................................................................12
3.1.2 Select........................................................................................................... 12
3.1.3 Define........................................................................................................... 12
3.1.4 Execute........................................................................................................ 12
3.1.5 Operate........................................................................................................ 13
3.2 Roles and Responsibilities for the HSE Case................................................................13
3.2.1 Sign Off Dates.............................................................................................. 13
3.3 Roles and Responsibilities within the HSE Case...........................................................13
3.4 Workforce Involvement.................................................................................................. 16
3.5 Deliverables................................................................................................................... 16
3.6 Performance Monitoring................................................................................................ 16
3.6.1 Review and Improvement (HSE Cases).......................................................17
3.6.2 Material Change........................................................................................... 17
4 ASSET INTEGRITY - PROCESS SAFETY MANAGEMENT..............................................18
4.1 Process Safety Manual, HSSE Control Framework, Section.........................................18
4.2 Centre for Chemical Process Safety Guidelines for Risk Based Process Safety (CCPS
RBPS)..................................................................................................................................... 18
4.3 Process Safety in Projects............................................................................................. 19
4.4 Critical Drawings............................................................................................................ 19
5 HEMP.................................................................................................................................. 20
5.1 Hazards and Effects Register........................................................................................ 21
6 BOW-TIES.......................................................................................................................... 22
7 SAFETY CRITICAL ELEMENTS......................................................................................... 25
7.1 SCE (Hardware) Barriers............................................................................................... 25
7.2 SCE Selection............................................................................................................... 27
7.3 Performance Standards................................................................................................. 28
7.3.1 Performance Standard Approval..................................................................29
Revision: 1.0
8 HSE CRITICAL TASKS....................................................................................................... 30

9 MATRIX OF PERMITTED OPERATIONS (MOPO).............................................................31
9.1 Using the MOPO........................................................................................................... 31
9.2 Deviations from the MOPO............................................................................................ 31
10 ALARP demonstration................................................................................................... 32
10.1 ALARP Definition......................................................................................... 32
10.2 How to Undertake an ALARP Assessment...................................................33
10.2.1 Principles of Hazard Management...............................................................33
10.2.2 Good Engineering Practice..........................................................................33
10.2.3 Good Engineering Principles........................................................................34
10.2.4 HEMP Studies.............................................................................................. 34
10.2.5 ALARP Review............................................................................................. 34
10.3 Assessment of Complex Decisions..............................................................35
11 OPERATE PHASE CONTINUOUS IMPROVEMENT....................................................36
11.1 Drivers for Improvement...............................................................................36
11.2 Remedial Actions......................................................................................... 36
11.2.1 Qualitative Analysis of RAP Items................................................................37
11.2.2 Interpreting the RAP.....................................................................................38
12 STATEMENT OF FITNESS........................................................................................... 39
13 MANAGEMENT OF CHANGE.......................................................................................41
14 CONCEPT SELECTION REPORT................................................................................43
14.1 DCAF Deliverables for Identify, Assess and Select Phases.........................44
15 DESIGN HSE CASE REQUIREMENTS........................................................................45
15.1 Basic Requirements.....................................................................................45
15.2 Format.......................................................................................................... 45
15.2.1 Contents....................................................................................................... 45
15.2.2 Part 1 Introduction........................................................................................ 45
15.2.3 Part 2 CSR ALARP demonstration Summary..............................................46
15.2.4 Part 3 Design Basis & Facility Description...................................................46
15.2.5 Part 4 Hazards & Effects Management Process..........................................46
15.2.6 Part 5 Improvement (Action Plan)................................................................47
15.3 DCAF Deliverables for Define and Execute phases.....................................47
16 OPERATIONS HSE CASE REQUIREMENTS..............................................................49
16.1 Basic Requirements.....................................................................................49
16.2 Format.......................................................................................................... 49
16.2.1 Contents....................................................................................................... 49
16.2.2 Part 1 Introduction........................................................................................ 50
16.2.3 Part 2 Facility Description............................................................................50
16.2.4 Part 3 People, HSE Critical Tasks................................................................50
16.2.5 Part 4 Hazard and Effects Management......................................................50
Revision: 1.0
16.2.6 Part 5 Improvement (Action Plan)................................................................51

16.3 DCAF Deliverables for Execute and Operate Phases..................................51
Appendix 1 Glossary of Definitions, Terms and Abbreviations........................................53
Appendix 2 Related Business Control Documents and References...............................55
Appendix 3 Hazard Inventory Checklist..........................................................................56
Appendix 4 Example Hazard and Effects Register.........................................................63
Appendix 5 Safety Critical Elements Categories.............................................................64
Appendix 6 Example Safety Critical Elements Register..................................................65
Appendix 7 Example Design Performance Standard......................................................66
Appendix 8 Example Operations Performance Standard (EP 2009-9009, Ref. 10)........69
Appendix 9 Example of Implementation Table................................................................70
Appendix 10 MOPO.......................................................................................................... 72
Appendix 11 Operations HSE Case Change Approval.....................................................78
Appendix 12 CCPS RBPS Process Safety Elements.......................................................83

Revision: 1.0
1 Introduction
An HSE Case provides a documented demonstration that risk reduction philosophies and
measures have been developed and implemented at each phase of the Opportunity
Realisation Process (ORP) to ensure that the risks are tolerable and as low as reasonably
practicable (ALARP) through the systematic application of the Hazards and Effects
Management Process (HEMP) as set out in the PDO HSE Management System (HSE-
MS).
This document should be read in conjunction with the guideline Applying Process Safety in
Projects GU-648 [4].

Revision: 1.0
1.1 Purpose
This purpose of this specification is to establish minimum requirements for the content of
HSE Cases and it shall be used for the development of HSE Input to Concept Select
Reports, Design HSE Cases and Operations HSE Cases.
This specification SHALL [PS] be used for demonstration of the following requirements of
the Process Safety Manual in the Shell HSSE & SP Control Framework [Ref. 7]:
Identify and document Hazards with RAM red and yellow 5A and 5B Process
Safety Risks for existing and new Assets (Requirement 1).
Develop a Statement of Fitness for the Assets (Requirement 7)
Review the Process Safety Risks to the Asset at least annually, in line with 8
Management Review (of the HSSE & SP Management System) (Requirement
20).
This specification contains information on the contents of each type of HSE Case and
gives guidance and examples of information to be contained in specific sections.

Revision: 1.0
1.2 General Definitions

The capitalised term SHALL [PS] indicates a process safety requirement.
The lower case word shall indicates a requirement.
The word should indicates a recommendation.

Revision: 1.0
1.3 Review and Improvement (SP 2062)

Responsibility for the upkeep of this Specification shall be with the CFDH Technical
Safety Engineering (Owner of this Specification). Changes to this document shall only be
authorised and approved by the Owner.
Any user of this document who encounters a mistake or confusing entry is requested to
immediately notify the Document Custodian using the form provided in CP 122 Health,
Safety and Environment Management System [Ref. 1].
This document shall be reviewed as necessary by the Owner, but not less than every two
years.

Revision: 1.0
1.4 Deviation from Standard

Deviation to this Specification shall follow the requirements of PR-1247 Project Change
Control & Standards Variance Procedure, Version 1 31/8/1999.

Revision: 1.0
2 WHEN ARE HSE CASES REQUIRED?

HSE Cases are mandatory for all PDO operated (owned, leased or contracted)
projects/operations containing hazards rated severity five or high risk on the PDO risk
assessment matrix (RAM) as per Figure 2-1 [Ref. 1]. Hazards to that fall into this category
are referred to as Major Accident Hazards (MAH), and are typically identified during the
HAZID conducted at the start of concept phase of a project.
However, for smaller, less complex projects or modifications to an existing asset where an
Operations HSE Case already exists, it may be suitable to undertake a design review in
place of a Design HSE Case and then update the existing Operations HSE Case.
For projects that fall into Category C as per Figure 2-2 overleaf, both qualitative (bow-tie
analysis) and quantitative analysis (QRA) are required to determine the level of risk and to
demonstrate that risks are reduced to tolerable and ALARP, thus a Design and Operations
HSE Case must be compiled.
Guidance and confirmation shall be sought from MSE/4 on an individual project basis.
Consequences Increasing likelihood

A B C D E
Never Heard of in Has Has Has
Environment
Reputation
Severity
heard of in the Industry happened happened happened

People
Asset
the Industry in PDO or at the more than

more than Asset or 1>yr at the
1>yr in the more than Asset
Industry 1>yr in
PDO
No injury or No No
0 health effect No damage effect impact
Slight injury
Slight Slight Slight
1 or health
damage effect impact
effect
Minor injury
Minor
2 or health
damage
Minor effect Minor impact
effect
Major injury
Moderate Moderate Moderate
3 or health
damage effect impact
effect
PTD or up to Major
4 3 fatalities damage
Major effect major impact
More than 3 massive massive Massive

5 fatalities damage effect impact
Figure 2- 1: PDO Risk Assessment Matrix

Figure 2-2 shows the industry guidelines for a framework for risk related decision support by
Oil and Gas UK in 1997 (formerly the UK Offshore Operations Association, UKOOA).
Once a new project has been assessed against the risk assessment matrix in Figure 2-1
and found to contain level 5 or high risk hazards, it shall be categorised as per the chart in
Figure 2-2.

Revision: 1.0
Figure 2-2: Framework for risk related decision support in PDO
To use the Framework, first relate the decision being considered to the decision context
characteristics on the right hand side of the Framework. Establish a horizontal line across
the Framework at the point that best fits the nature of the decision. The segments of this
horizontal line define the relative weight that should be given to the different decision
making approaches in the ALARP determination. The descriptors on the lefthand side of the
diagram describe the type and extent of consultation that is needed for the selected
decision context and type.
Type B and C decisions shall be taken at higher levels within an organisation than Type A
decisions.
Type A decisions are those involving well-understood hazards and proven solutions. The
lessons learned from past years have been incorporated into authoritative Good Practice.
Reference to the relevant Good Practice, supported by expert judgment, is sufficient to
define the barriers needed to reduce the risks to both tolerable and ALARP.
Type B decisions are those involving less well-understood hazards. Good Practice has to
be supplemented by more detailed analytical methods such as quantified risk assessment
(QRA) particularly to address the uncertainties of novel aspects of design. However, risk-
based analysis cannot be the only approach, as illustrated by the fact that it forms no more
than 40% of a horizontal line through the Type B band.
Type C decisions are those involving hazards that may create societal concerns. The more
technological factors in the ALARP determination need to be conditioned, or viewed in the
context of how the situation will be seen by stakeholders.
The A, B, C groupings are not intended to split the framework into three discrete sections,
but should be used to indicate a continuum of decision context types from a strongly Type A
(technology based) at one extreme to a strongly Type C (judgment based) at the other
extreme. A range of decision-making approaches will contribute, especially to Type B and C
decisions. The background to the Framework is described in [4].

Revision: 1.0
3 WHAT TYPES OF HSE CASES ARE THERE?

PDO activities and operated facilities fall into different categories and the different types of
HSE Cases used to cover these are listed below:
o Asset/facility: hydrocarbon gathering/production facilities organised into delivery
teams or hydrocarbon transporting infrastructure and storage facilities. The majority of
PDO HSE Cases fall into this category and the content shall meet the requirements of
this HSE Case Specification
o Contractor drilling rigs and hoists; the content shall meet the requirements of
International Association of Drilling Contractors (IADC) [Ref. 4] and this HSE Case
Specification
o Air Operations; the content shall meet the requirements of EP 2005-0263 Air
Transportation Standard and this HSE Case Specification
o Land Transport; the content shall meet the requirements of EP 2005-0261 Road
Transportation Standard and this HSE Case Specification
Air transport operations, road transport operations and marine operations with severity 5 or
high level hazards (as defined by the RAM in Figure 2-1) that are PDO operated (owned,
leased or contracted) shall have an Operations HSE Case.
The nature of Transport and Drilling Rig HSE Cases is that they are developed to describe
the hazards and set out controls associated with the respective operation or activity. These
cases are reviewed and updated as they develop, but rarely is there a requirement to
develop a new HSE Case for these activities.
Asset/Facility HSE Cases differ in that new design projects or production stations may
require that a new HSE Case is developed in accordance with this specification.
Asset/Facility HSE Cases are further separated into the following types of HSE Cases:
o Concept Select Report: This demonstrates that there has been a systematic
application of HEMP during the Identify, Assess and Select phases, that the HSE risks
associated with each development option have been identified and assessed, the
lowest risk option has been chosen or that the cost/effort required to adopt the lowest
risk concept is grossly disproportionate to the benefit.
o Design HSE Case: This demonstrates that there has been a further systematic
application of HEMP during the Define and Execute phases, demonstrates that the
severity 5 or high level hazards identified are both tolerable and ALARP and that all
safety critical elements (with associated performance standards) have been identified
and meet the performance standards.
o Operations HSE Case: This describes management of the severity 5 or high level
hazards to ensure that they are tolerable and ALARP, bow-tie diagrams showing the
hazards and the barriers to the hazards, a list of HSE critical tasks, references to
operational management systems and a statement of fitness. This acts as
confirmation that the HSE Case Owner (Director) is satisfied that the arrangements
are in place for the facility to operate safely.

Revision: 1.0
3.1 Asset/Facility HSE Cases at different ORP phases

The opportunity realisation process (ORP) is split into 5 phases punctuated by Decision
Gates (Dg1-5) and Value Assurance Reviews (VAR1-5). Once the need for an HSE Case
has been identified, the type of HSE Case and when it should be compiled needs to be
identified as per Figure 3-3.
The Identify & Assess; Select; Define; Execute and Operate phases are discussed in the
following sections.
Figure 3-3: 5 stages and applicable HSE Cases
3.1.1 Identify and Assess

This phase initiates opportunities and demonstrates the feasibility of those
opportunities. Ideas are generated and aligned with business principles and
strategies and potential values established so a decision to fund and staff further
development of these ideas can be made.
This phase also asks the question as to whether the project has looked sufficiently at
the risks, different development options, realisations and all possible outcomes. Is
there at least one solution that would work in most, perhaps all, of the realisations?
The project must understand what it is going to be taking into the Select phase.
HSE input at this stage is at a high level and includes a preliminary HAZID, HSE-SD
Plan and input to the Risk Register.
3.1.2 Select
This stage must select the best concept solution for delivering value from the
opportunity and make it clear why one choice was the preferred option.
HSE input into the select phase has potentially the greatest impact. The option
selected to take forward into the define phase must be ALARP. An ALARP
demonstration must be provided in the CSR (see section 14).

Revision: 1.0
3.1.3 Define
The selected concept must be defined technically (scope, cost, schedule) or
commercially (JVA, JOA, country entry) for final investment decision (FID). Note that
the timing of a technical FID may not coincide with a commercial FID.
HSE activities and deliverable at the define stage include a Design HSE Case and
other HEMP Studies.
3.1.4 Execute
The project is to be delivered as a facility consistent with the forecast scope, cost,
schedule and proven performance and has to be accepted by the Owner of
operations (usually the Relevant Director) for use.
During the execute phase the Design HSE Case is refined. The Operations HSE
Case is developed prior to handover to operations. Further HEMP studies are
carried out to support the ALARP Demonstration.
3.1.5 Operate
The project is operating as per expected and is maximising returns to Shareholders
and protecting the License to Operate. The Owner of operations (usually the
relevant Director) has accepted responsibility for continued safe operations.
The Operations HSE Case will contain the ALARP demonstrations for the Operate
phase. This is built and maintained throughout the operate phase, (see section 16).

Revision: 1.0
3.2 Roles and Responsibilities for the HSE Case

Delivery Team Leaders (DTL): DTLs are responsible for ensuring that the HSE Cases
are developed and maintained for their assets and meet the requirements of this
specification.
Project Managers: Project Managers are responsible for ensuring that the Concept
Select Report and Design HSE Cases are developed and meet the requirements of this
specification.
Contract Holders: For Air Operations, Road Transport and Drilling & Hoist Rigs, it is the
Contract Holders that are responsible for ensuring that their Contractors develop and
maintain HSE Cases that meet the requirements of this specification.
3.2.1 Sign Off Dates

Sign off dates for the CSR/HSE Cases shall be as follows:
o The Concept Select Report Case shall be signed off prior to VAR3.
o The Design HSE Case shall be signed off prior to VAR4.
o The Design HSE Case during detailed design phase shall be signed off when
completed and prior to the PSUA.
o The Operations HSE Case shall be signed off prior to start up.

Revision: 1.0
3.3 Roles and Responsibilities within the HSE Case

There are three main roles for developing, implementing and maintaining an HSE Case; the
HSE Case Owner, HSE Case Custodian and the HSE Case Administrator. These roles for
each type of HSE Case are shown in Table 3-1 and cover new projects and modifications to
existing facilities.
Table 3-1: Roles and responsibilities within an HSE Case
HSE Input to Concept Design HSE Case Operations HSE Case

Select Report (CSR)
HSE Project Manager Project Manager Asset Director

Case
Owner
Identifies the Identifies the Identifies the
requirement for a HSE requirement for an HSE requirement for an HSE
Section in the CSR in Case in accordance with Case in accordance with
accordance with this this specification this specification
specification Appoints HSE Case Initiates Operations
Appoints HSE resource Custodian and assigns Case and assigns
Approves the Concept responsibilities responsibilities
Select Report Approves outcome of Develops a Statement of
ALARP multi-disciplinary Fitness for the Asset
reviews Approves outcome of
Develops a Statement of HEMP studies
Fitness for the Asset Approves the Operations
Approves the Design HSE CaseAssigns HSE
HSE Case Critical Element
ownership to the
appropriate Technical
Authority/HSE Adviser;
Ensures ongoing
compliance with this
specification
Conducts periodic
Operations HSE Case
reviews
Ensures facility is
operated according to
the Operations HSE
Case

Revision: 1.0
HSE Input to Concept Design HSE Case Operations HSE Case

Select Report (CSR)
HSE Project HSE Lead Lead Technical Safety Delivery Team Leader
Case Engineer
Custodi
an Manages HEMP studies, Ensures the HSE Cases
ensures risk tolerability Identifies HEMP studies are developed and
and suitable and robust to assess the hazards maintained for their
ALARP demonstrations and risk associated with assets in accordance
are made the project with latest requirements.
Prepares HSE content of Develops risk reduction Ensures participation in
the CSR and checks strategies, identifies development and
DCAF content all signed safety critical elements awareness and proper
off (SCE) and associated use of the HSE Case by
Coordinates the Performance Satandards the organisation
development of the HSE in conjunction with SCE Validates HEMP studies
Input to the CSR. Technical Authorities and technical accuracy
(TA) of the contents of the
Facilitates that suitable HSE Case
and robust ALARP Co-ordinates review of
demonstrations are HSE critical tasks listings
made. and associated
Reviews and approves Performance Standards
all action items raised for Ensures that revisions
correct detail, action and updates are
party and target date prepared when
Compiles/co-ordinates necessary, adequately
the HSE Case controlled and
distributed
Reviews facility specific
emergency response
plans
Reviews and approves
all action items raised for
correct detail, action
party and target date
N/A N/A
HSE Directorate Technical Safety
Case Engineer
Adminis
Compiles/co-ordinates
trator
the HSE Case and
subsequent reviews and
updates
Supports the HSE Case
Custodian

Revision: 1.0
3.4 Workforce Involvement

The HSE Case shall demonstrate that the workforce have been part of the development
and review of the HSE Case. Workforce in this context is the front line operations and
maintenance staff that are directly involved in the day-to-day running of the facilities.
The purpose of this requirement is to ensure that front line operations and maintenance
staff:
have knowledge of the Major Accident Hazards that have been identified for the
facility where they work
are aware of the controls and barriers in place to manage these MAHs (SCEs,
performance Standards, HSE Critical Tasks, MOPOs)
have knowledge of how these controls are managed (MIE, FSR, assurance
reviews)
For Design HSE Cases, workforce involvement can be demonstrated by ensuring that
relevant staff representatives have been involved in the design. This may be done by
ensuring they participate directly in the design activities (HAZIDs, HAZOPs, HEMP
studies) and by participating in project assurance reviews such as Design Reviews, peer
reviews and project Audits.
Operations HSE Cases shall be communicated to the operations and maintenance teams
on site. The focus shall be on what the case means to them and what impact is it likely to
have. In addition, representatives from current operational, engineering, and
maintenance teams and workforce representatives (where applicable) shall be included in
the regular reviews as described in Section 13. This engagement may be demonstrated
by ensuring that the HSE case is reviewed regularly by operations and maintenance staff,
which can be achieved through
job descriptions and staff performance contracts
dedicated communications initiatives
staff onboarding
committees or working groups (e.g. AIPSALT).
For both types of HSE Cases, the details of how workforce involvement has been
achieved shall be described in the HSE Case or in the documentation of the periodic
review of the HSE Case.

Revision: 1.0
3.5 Deliverables
Design and Operations HSE Cases are classified as Essential Records according to CP-
102 Documents & Records Management and shall be maintained on Livelink by the
HSE Case Administrator.
Design and Operations HSE Cases are mandatory deliverables for new projects and
existing assets, as described by the Discipline Control and Assurance Framework (DCAF)
section in SP-2061 Technical Authority System [Ref. 7].

Revision: 1.0
3.6 Performance Monitoring

Routine performance monitoring of HSE Cases shall include:
o Assurance of Design HSE Cases at VARs
o Review of Operations HSE Cases during Pre-Start up Audits
o AI-PSM Assurance of Operations HSE Cases
o Monitoring of Operations HSE Case KPIs
3.6.1 Review and Improvement (HSE Cases)

Once the Concept Select Report is signed off, it is not anticipated that any revisions
will be required as further project work will be covered in the Design HSE Case.
The Design HSE Case may need to go through several revisions during the Define
and Execute phases depending on the nature of the design of the new project.
The Operations HSE Case shall be reviewed and updated at a maximum interval of
5 years unless any of the following circumstances occur:
o As part of a Material Change to the Facility, operation or surrounding environment
that may have a potential impact on the risk profile
o When it cannot be verified that the performance of safety critical elements (SCEs)
meet the performance standards and/or when mitigation measures have been
employed for extended periods to compensate for this shortfall
o Prior to any material changes to the organisational arrangements or personnel
levels
o Following a major incident involving the Facility or operation, or from lateral
learning from other major incidents applicable to the Facility or operation
o Enhancements in knowledge or technology that change the basic assumptions on
which the risk tolerability and ALARP demonstrations are based
o If there is a change to any of the signatory parties for the HSE Case, i.e. HSE
Case Owner (Director), HSE Case Custodian (Delivery Team Leader) or HSE
Case Administrator (Technical Safety Engineer)
3.6.2 Material Change

A material change is any change that significantly affects the basis for original the
ALARP demonstration in the HSE Case. In practice this usually includes changes
that have the potential to affect the major accident hazards or their controls, either
directly or indirectly.
Examples of direct effects are:
o Significant modifications or repairs to the plant or equipment, either as
single large modifications or multiple smaller modifications.
o an increase in hydrocarbon inventory,
o new technology, processes or operational complexity,
o new types of combined operations, or new activities in connection with an
installation,
o new operational risk controls.
Examples of indirect effects are:
o new ownership or operatorship, introducing a change in the management
system,
o a major change of contractor, and

Revision: 1.0
o extension of the use of the installation or its components beyond the

original design life.

Revision: 1.0
4 ASSET INTEGRITY - PROCESS SAFETY MANAGEMENT

Assuring the safety of people, assets, the environment and reputation is a core value and
providing assurance that major process safety risks are being managed is a critical aspect
of PDO corporate governance. Asset Integrity Process Safety Management (AI-PSM)
describes the way in which PDO assets are managed so that the process risk is as low as
reasonably practicable (ALARP).
There are two Process Safety implementation mechanisms within PDO:
1. The Process Safety Manual of the Shell Group HSSE Control Framework [Ref. 6]
2. AI-PSM as developed by Centre for Chemical Process Safety Guidelines for Risk
Based Process Safety (CCPS RBPS) [Ref. 9].

Revision: 1.0
4.1 Process Safety Manual, HSSE Control Framework, Section

The HSSE & SP Control Framework replaces the mandatory requirements in EP2005
series, and includes mandatory Standards, Manuals, Specifications and Glossary terms,
and non-mandatory Assurance Protocols and Guides.
The Process Safety Manual of the HSSE & SP CF comprises four elements:
1. Asset Integrity Process Safety Management Application Manual
2. Design and Engineering Manual 1 (DEM1)
3. Design and Engineering Manual 2 (DEM2)
4. Override of Safeguarding Systems.
A full description of each element can be obtained in The HSSE & SP Control Framework
[Ref. 6]
Compliance to the detailed requirements of the Process Safety Manual is demonstrated
by signing a Statement of Fitness (SoF). The Statement of Fitness is shown in section 12
and testifies that the hazards have been appropriately managed in accordance with
HEMP and that a suitable and robust ALARP demonstration has been made.
The Statement of Fitness is a requirement of the AI-PSM Application Manual and a
signed SoF shall be included in Design and in Operations HSE Cases, respectively.
For operational assets the SoF shall be signed by Asset Directors, and for new projects
by the Project Manager before handover to operations.

Revision: 1.0
4.2 Centre for Chemical Process Safety Guidelines for Risk

Based Process Safety (CCPS RBPS)
The CCPS RBPS AI-PSM process is an assurance process containing 20 elements 1that
describe minimum expected standards and stipulates the requirements for a range of
process related activities ranging from organisational culture, workforce involvement, risk
management, HEMP and audit through to design.
The assurance process includes routine checking, self-assessments and audits, as well
as independent 3rd party verification that the AI-PSM system and practices are consistent
with industry best practice and are controlling process risk to ALARP.
The assurance process also identifies opportunities for improving the management and
control of process risk and therefore, is a key driver for continuous improvement.
HEMP is an integral element of the AI-PSM process and the HSE Case and provides a
clear link between the two processes. Both the AI-PSM and HSE Case processes aim to
identify, control and reduce risk levels to ALARP.
1 A description of the 20 AI-PSM elements is provided in Appendix 418.

Revision: 1.0
4.3 Process Safety in Projects

AI-PS requirements in projects, from project identification through to execution, is
described in GU-648 Guide for Applying Process Safety in Projects [Ref. 4].
This guideline extracts all the relevant information from the existing ORP documentation
that is necessary to meet the AI-PS requirements at handover. It also provides further
clarity with regards to the assurance processes which underpin the project teams ability
to demonstrate that AI-PS requirements are met at the end of every project phase.
The main objective of this guideline is to explain the key AI-PS objectives and
deliverables throughout the project phases that demonstrate the facility is fit for the safe
introduction of process fluids and that systems, processes and procedures are in place so
that AI-PS can be safeguarded in the subsequent operate phase.
This will allow PDO to make the statement that Our Asset is Safe and we know it after
each project phase.

Revision: 1.0
4.4 Critical Drawings

Critical drawings are those drawings which are required to be maintained in order to
support the implementation of critical tasks. Critical drawings are required to ensure that
the risks from MAHs are ALARP.
A list of critical drawings shall be made for each facility. All critical drawings shall be
stored in an easily accessible database to reflect the current design and status of the
asset (as-built status).
This will ensure that all personnel have access to reliable and up to date information to
allow accurate planning of work operations and activities, management of change and
investigative activities (when an incident has occurred).
Critical drawings include, but are not limited to:
o PFS
o PEFS
o Cause and Effect matrix
o Hazardous area classification
o Area Layout
o Site plan (sub-field layout)
o Key plan and Plot plan
o Escape routes
o Safety equipment layout
o Critical valve list (including locked open and locked closed valves)
o Fire and Gas layouts.

Revision: 1.0
5 HEMP
The hazards and effects management (HEMP) process identifies and asses HSE hazards,
implements control and recovery measures and maintains a documented demonstration
that major HSE risks have been reduced to a level that is as low as reasonably practicable
(ALARP).
HEMP shall be applied to all activities over which PDO has operational control and shall
cover the entire lifecycle of the asset or operation; from concept through to
decommissioning and disposal. Work undertaken by a Contractor and under the
Contractors own management system shall have a requirement for an equivalent HEMP
approach expressly stated in the contract.
HEMP is fundamental to all analysis and assessment elements of the formal HSE activities,
and is at the heart of the HSE management system used in PDO. The HEMP process
comprises four basic steps:
Systematic identification of hazards, threats, unwanted events and their effects
Assessment of the risks against screening criteria, taking into account the
likelihood of unwanted events and the potential severity of the consequences in
terms of effects to people, assets, the environment and reputation of PDO
Implementation of suitable risk reduction measures to control or mitigate the
hazard and its effects
Planning for recovery in the event of a loss of control leading to an unacceptable
effect.
The main objective of HEMP activities is to demonstrate that hazards (and associated risks)
have been identified and where the hazard cannot be eliminated the risks are controlled to a
level that is tolerable and as low as reasonably practicable (ALARP). The HEMP model is
characterised by Figure 5-4.
RISKS TOLERABILITY & ALARP
Identify Assess Control Recover
DOCUMENT
Figure 5- 4: HEMP Model

HEMP studies shall be performed by staff who are knowledgeable about the facility and
operations and who are competent in the HEMP techniques necessary. The studies shall
be planned and implemented in a timely manner to enable the results to be incorporated
without incurring avoidable rework and costs. The studies should be documented such that
key information and decisions made are transparent and available for future reference.
Recommendations arising from HEMP studies shall be recorded in an appropriate action
tracking system.

Revision: 1.0
5.1 Hazards and Effects Register

Hazards and their effects on people, the environment, the assets and the reputation of
PDO shall be systematically identified and listed for the full lifecycle of the asset and
operations.
The hazards are identified in a Hazard Identification (HAZID) meeting, and the outcome
of this meeting is used to develop the Hazards and Effects Register.
PDO use a checklist of potential hazards to populate the Hazards and Effects Register. It
is recommended that a multi-disciplinary team facilitated by an experienced person go
through the list of hazards and identify those relevant to the specific facility/asset/
operation under consideration. Ideally the team should be made up of Management,
Operations, HSE, Maintenance and Engineering Disciplines (Concept, Detailed Design as
appropriate) personnel.
The PDO Risk Assessment Matrix in Figure 2-1 shall be used to assess the hazards and
their severity and frequency of occurrence. The experience of the team will be used to
brainstorm hazards known to have been realised from previous experience or thinking
whether it is a credible hazard that could occur within PDO operations. This is a
subjective process and care must be taken not to over-complicate the process by thinking
of multiple events, double jeopardy events or highly unlikely events.
Examples of credible scenarios could include major leak from oil storage tank at MAF,
leak at a Booster station on the main oil line, leak from offtake tanker hose, loss of
containment from on-plot processing facilities, loss of containment of H2S (affecting both
onsite personnel and the general public). Consequences from such incidents usually
cover injury/fatalities, fires/explosions, environmental impact, loss of facility and negative
impacts on reputation.
For low and medium risk hazards, the controls for the hazards, i.e. permit to work, job
safety assessment, operating procedures, competence assessments, tool box talks, etc.,
are discussed and then added to the Hazards and Effects Register.
Hazards that have been assessed as being a severity 5 or high risk on the risk
assessment matrix are then modelled further using bow-tie methodology as described in
next section.
See Appendix 3 for the full checklist of potential hazards, and an example of a Hazard
and Effects Register is provided in Appendix 4.

Revision: 1.0
6 BOW-TIES
The Hazards and Effects Register documents that all hazards associated with the facility
and that control and mitigation measures have been identified. Hazards that have been
assessed as being a severity 5 or high risk on the risk assessment matrix (Figure 2-1) are
then modelled further using bow-tie methodology.
The Bow-Tie is a model that represents how a Hazard can be released, escalate, and how it
is controlled. It contains the elements required to effectively manage the Hazard such that
the risks are tolerable and ALARP. Bow-Ties can also be used to support risk management
of non-HSE processes.
For each severity 5 or high level hazard, the bow-tie methodology allows for:
1. Identification of the hazard release, escalation and consequence scenarios
2. Identification of controls, e.g. barriers and escalation factor controls required to
manage the hazards
3. Categorisation of controls into Inherent Safety, Safety Critical Element (hardware)
or Critical activity (procedures, processes, operator action)
4. A clear visual representation to enable the ALARP review to be undertaken
5. An aid in the incident review process if occurrence of such a major incident has
occurred.
The bow-tie is a model that represents how a hazard can be released, escalate and how it
is controlled. Bow-Tie XP is the PDO preferred software tool
Figure 6-5: Generic bow-tie model

Revision: 1.0
Table 6- 2: HEMP definitions and Bow-tie terminology
ALARP As Low As Reasonably Practicable (Risk) means that having

reviewed all practical alternatives for Major Accident Hazard
elimination, Threat Controls and Recovery Measures, further
reduction in risk would involve disproportionate cost or resources
for the risk reduction achieved.
Barrier Barriers prevent or reduce the probability of each Threat (left
hand side of the bow-tie), limit the extent of, of provide
immediate recovery from the Consequences (right hand side of
the bow-tie). Barriers may be hardware, such as safety systems
(e.g. F&G ESD, etc) or management systems and procedures.
Consequence Consequences in the bow-tie are a direct result of the Top Event
occurring. Indirect consequences, if applicable shall be modelled
in a separate bow-tie, Can include potential consequences that
have not been heard of in the industry.
Escalation Factors that defeat, or reduce the effectiveness of a Barrier
Factor
Escalation Measures put into place to prevent or mitigate the effects of
Factor Control Escalation Factors.
Hazard Any situation with the potential for harm to people, environment,
asset or reputation e.g. hydrocarbons under pressure, dropped
load.
HSE Critical An HSE Critical Task develops, implements or maintains the
Task effectiveness and integrity of a Barrier or Escalation Control
Factor in Bow-Ties for Severity 5 or High Risk Hazards. HSE
Critical Positions are those that execute HSE Critical Tasks
HSE Critical HSE Critical Positions are those that execute HSE Critical Tasks
Position
Major Accident Hazards that are classed as High Risk (Red) or severity 5 on the
Hazards (MAH) PDO Risk Assessment Matrix. This means any situation with the
potential for major consequences (harm) to people, environment,
asset and reputation if released.
Recovery Any measure put in place to manage Consequences and assist
Measure recovery from a Top Event.
Risk The likelihood of a Top Event combined with the severity of the
Consequences (The risk is from the Hazard to people,
environment, asset and reputation).
Threat Any action or mechanism that could bring about the unplanned
release of a hazard.
Threat Control Any measure put in place to prevent a Threat being successful.
Tolerable Risk Tolerable Risks are those that have been reduced to a level
where they comply with the applicable laws and regulations,
standards, strategic objectives and other agreed Tolerability
Criteria.
Top Event The first thing that happens when a hazard is released.
Individual bow-ties shall have a single Top Event.
The role of a barrier on the bow-tie diagrams is to prevent (Left hand side of BT) or limit
(Right hand side of BT) the consequence of a major incident. Barriers may be:

Revision: 1.0
1. Design (inherent) features, e.g. separation distances, reduction of process pressures,

minimisation of leak sources, etc. (depicted blue on the bow-tie).
2. Safety Critical Elements (hardware and logic software), e.g. Process Containment
Systems, Pressure Relief Valves, ESD, Fire and Gas Detection, Escape & Evacuation
Systems, Breathing Protection, etc. (depicted green on the bow-tie)
3. Operational Safety Processes, e.g. valve lock out/tag out, breaking containment
procedures, permit to work, etc. (depicted yellow on the bow-tie)
4. Operational Intervention Tasks, e.g. Plant Monitoring, Alarm Response, Shutdown, etc.
(depicted yellow on the bow-tie)
Barriers shall be:

1. Effective in preventing the Top Event or Consequence
2. Able to prevent a specific Threat from releasing the Hazard
3. Verifiable how shall the effectiveness of the barrier be confirmed?
4. Independent of other barriers in the same Threat line, e.g. no common mode failure.
Hardware Barriers for Severity 5 or High Risk Hazards (HSE) shall be classified as HSE
Critical Elements. Selection of these Barriers shall be in accordance with EP2009-9009
SCE Management Manual [Ref. 10]and is further described in Section 7.
Common barriers or escalation factor controls that appear frequently, e.g. such as those to
do with Operator/Human Error, should be modelled using a separate bow-tie to manage the
single Threat of Operator/Human Error.
See Section 10 ALARP demonstration for further information.

Revision: 1.0
7 SAFETY CRITICAL ELEMENTS

A Safety Critical Element (SCE) is any item of hardware, system or logic software the failure
of which could cause a major Accident Hazard (MAH) or whose purpose is to prevent or
mitigate the effects of a MAH. SCEs groups are categorised according to Shell EP2009-
9009 Safety Critical Element Management Manual [Ref. 10]. These groups or barriers
(see section 7.1) contain the definitions of those items that may be classed as safety critical
on any given facility.
Safety Critical Elements shall be selected from these groups during the bow-tie
development process. The bow-tie diagrams show the SCEs as barriers to the MAH. A
deliverable of the Bow-Tie development process is a list of SCEs applicable to the facility.
This list shall be further developed as part of a SCE identification process that defines the
safety critical components of each SCE barrier.
The role of a barrier on the bow-tie diagrams is to prevent or limit the consequence of a
major incident. Barriers may be:
1. Design (inherent) features, e.g. separation distances, reduction of process pressures,
minimisation of leak sources, etc.
2. Safety Critical Elements (hardware and logic software), e.g. Process Containment
Systems, Pressure Relief Valves, ESD, Fire and Gas Detection, Escape & Evacuation
Systems, Breathing Protection, etc.
3. Operational Safety Processes, e.g. valve lock out/tag out, breaking containment
procedures, permit to work, etc.
4. Operational Intervention Tasks, e.g. Plant Monitoring, Alarm Response, Shutdown, etc.
The SCE management manual [Ref. 10] describes the activities and processes for
managing the critical hardware barriers (SCEs) that appear in the MAH bow-ties.

Revision: 1.0
7.1 SCE (Hardware) Barriers

Each SCE is grouped under one of 8 hazard management barriers, as depicted in the
Swiss Cheese Model (Figure 7-6). The hazard management barriers are as follows:
Structural Integrity
Process Containment
Ignition Control
Detection Systems
Protection Systems
Shutdown Systems
Emergency Response
Life Saving Equipment
Each SCE belongs to one hazard management barrier. Generally, the Structural Integrity,
Process Containment and Ignition Control SCEs together with some aspects of the
PSD/ESD system, reside on the left hand-side of the bow-tie top event. Failure of any of
these barriers could cause or significantly contribute to a MAH. The remaining SCEs
normally reside on the left hand-side of the bow-tie top event. These SCEs are provided
to control or mitigate the effects of a MAH after it has occurred.

Revision: 1.0
Figure 7-6: SCE Hardware Barriers and SCE Groups
The hardware barriers in Figure 7-6 are depicted with a number of small holes that
represent an integrity failure either in design or operating performance. On their own,
these failures may not be significant but, if the holes line up, there may be no effective
barriers in place between safe operations and escalating consequences, leading to a
major incident.
For example, a loss of containment in a sweet gas facility would not normally be
expected to cause fatalities unless it is ignited. An integrity failure in the process
containment system combined with a failure in the ignition control system could cause an
ignited event, i.e. a fire or explosion. If there are no personnel in the area then this in
itself would not cause fatalities. However, if there are integrity failures in the fire and gas
detection system then the event may not be detected and the process system not
isolated and the event may have the potential to escalate to adjacent inventories. This
would also be the case if an ESD Valve or Blowdown Valve failed to operate on demand.
Finally, if adequate assembly points and EER systems such as emergency telecoms are
not provided or are not suitable, then personnel may not be evacuated quickly enough
and the process release would have the potential to cause fatalities. The example shows
that a number or what on their own would sometimes be considered as minor failures
have combined to produce a Major Accident causing fatalities.
Figure 7-6 shows the importance of maintaining and monitoring and ensuring the
integrity status of all hardware barriers, so that what might be considered to be relatively
Revision: 1.0
small faults in individual barriers do not combine together in an unforeseen manner that
compromises the ability if the barriers to prevent or control a major incident.
Note that it is not necessary for all barriers to fail to lead to a major incident. For
example, failure of a single barrier such as process containment on a high sour facility
may lead directly to major incident.
Each SCE is attached to a relevant discipline who are designated as the owner of the
associated Performance Standard.

Revision: 1.0
7.2 SCE Selection

SCEs should be colour coded green on the Bow-tie and the specific SCE category
denoted beneath the barrier that appears in the Bow-tie.
The process for selection of SCEs starts with a review of the generic list of
SCEs provided in the SCE Management Manual [Ref. 10] to identify those SCEs
that are applicable to the facilities, for each of the identified Major Hazards.
The list of selected SCEs shall be reviewed and agreed by the relevant
discipline engineers during the define phase.
Figure 7-7 depicts the process for the selection of SCEs.
The HSE Case shall contain a list of the SCEs identified in the bow-tie diagrams as per
the table provided in Appendix 60.
The HSE Case shall contain a table showing each SCE against the MAH bow-ties where
they appear as hardware barriers, and an example is shown for the SCE group Process
Containment in Appendix 174.
GenericListofSCEs
EP90092009
CouldfailureofthiselementcauseaMAH? ThisitemisaSafetyCriticalElement.
No
CouldfailureofthiselementcontributesubstantiallytoaMAH?
No No
IsthepurposeofthiselementtopreventaMAH?
No
No No
IsthepurposeofthiselementtolimittheeffectsaMAH?
ThisitemisnotaSafetyCriticalElement.
No
No
Figure 7-7: Selection Process for Safety Critical Elements

Revision: 1.0
7.3 Performance Standards

A Performance Standard is a statement, which can be expressed in qualitative or
quantitative terms, of the functional performance required of a SCE, and which is used as
the basis for managing the risk from the Major Hazards. Defining and ensuring
compliance with suitable Performance Standards provides assurance that the SCE is and
will remain a barrier to the identified MAH.
Generally, the SCEs and Performance Standards follow a one-to-one relationship where
each SCE has its own Performance Standard.
Performance Standards are used as the basis for design and technical (operational)
integrity verification and are expressed in terms of functionality, availability, reliability,
survivability and dependencies/interactions with other SCEs.
Functionality
Functionality is an expression used to define what the system or equipment is required to
achieve in order to ensure design integrity.
Reliability and Availability
Reliability is defined as the required probability that the system or equipment will operate
on demand, when required.
Availability is defined as the extent to which the system or equipment is required in order
to retain its functional integrity.
Survivability
Survivability defines the external loading events such as fires, explosions or extreme
weather, associated with the various MAHs against which the system or equipment is
required to retain its functional integrity.
Dependencies and Interactions
This is used to identify other systems or equipment that are critical to the functionality of
the primary system or equipment. By identifying these dependencies and interactions it is
ensured that all interfaces have been covered.
There are two types of Performance standards;

Design Performance Standards. Design Performance Standards must be developed
during the Define phase. They shall provide a list of key functional criteria to which
the SCE must comply with during the design. In practice the content of the
performance standards will be largely taken from the design and engineering
standards that apply to the item or SCE. However, other information may be taken
from the basis for design, the design philosophies, or the results of workshops and
HEMP Studies such as HAZID/HAZOP, Design Review, Layout Reviews, Fire &
Explosion Analysis, QRA, IPF, SAFOP, etc.
The Design Performance Standards will mature further during the execute phase and
will check that the SCEs have been constructed as designed. The existing QA/QC
procedures and practices should be used to support the Design Performance
Standards. The design must take into account operational demands so that suitability
can be ensured into the operate phase.
The Design Performance Standards will evolve into Operate phase Performance
Standards at the end of the execute phase before handover.
Operations Performance Standards. The Operate phase Performance Standards for
SCEs should evolve from the Design Performance Standards. These Performance
Standards are formatted to comply with the requirements of SAP-PM and SAP-QM in
terms of minimum assurance tasks, assurance measures, assurance value and units
of measure for the correct allocation to the appropriate level in the asset hierarchy.
Revision: 1.0
Examples of the two types of Performance Standard are provided in Appendix 293 and
Appendix 394, respectively.
7.3.1 Performance Standard Approval

Each performance standard is allocated an owner. The owner is responsible for
ensuring that the content of the performance standard is appropriate and achievable. The
performance standard owner is normally the CFDH for the items covered by the SCE.
However, the CFDH may delegate the review and approval of their performance
standards to the relevant TA2.

Revision: 1.0
8 HSE CRITICAL TASKS

An HSE Critical Tasks is one that is in place to develop, implement or maintain the
effectiveness and integrity of a Barrier, Escalation Factor Control or Recovery Measure
Control in the MAH bow-ties.
An HSE Critical Position are those that execute HSE critical tasks.
The minimum information required for a HSE critical task shall be:
The description and purpose of the HSE critical task required
The person (position and reference indicator) responsible for performing each task
Reference to supporting documentation, e.g. work instructions, SAP, procedure, etc
The method and criteria to verify that the task is performed as required to maintain
barrier effectiveness.
HSE critical tasks should be developed to the level of the party responsible for ensuring that
tasks are completed on time and to the required standard, e.g. Managers, Supervisors and
Specialists the position responsible for ensuring that the task is done and not the person
who is actually undertaking the work.
Bow-tie XP software enables the HSE critical tasks to be linked to the relevant barriers.
Inspections and preventative maintenance activities for hardware SCEs are implemented
via the Maintenance Management System, i.e. SAP. The task information is contained
within the task description in SAP for all SCE barriers and is NOT listed as an HSE critical
task, and is considered part of the hardware barrier itself. This applies to for example
maintenance and calibration of a gas detector.
Implementation tables shall be developed for each HSE Critical Position. The
implementation tables describe each HSE Critical Task, its supporting business controls and
the business records required to verify that the task is being adequately executed. The
implementation tables also provide a link to relevant barriers (HSE Critical Activities) and
hazards on the Bow-Tie diagrams.
See Appendix 397 for an example extract from an Implementation table. Communication of
HSE Critical tasks to affected people in affected position is the responsibility of the HSE
Case Custodian.

Revision: 1.0
9 MATRIX OF PERMITTED OPERATIONS (MOPO)

A matrix of permitted operations (MOPO) is an information tool to assist Supervisors and
Line Managers during the planning and coordination of operations and activities by
providing useful information on:
The operation or activity operating envelope and safe operating limits.
Actions(s) to take if/when certain situations arise that could compromise safe
operations.
The MOPO is a set of matrices that maps operational activities against foreseeable
situations that if or when they arise could compromise safe operating limits these
situations are identified from:
The Threats and Escalation Factors identified as part of the Bow-tie assessments
for severity 5 and high risk hazards.
An assessment of other operations and activities that could contribute to the
escalation of an incident, e.g. continuing with hot work when fire pumps (a safety
critical element (SCE)) are unavailable.
Circumstances that could compromise safe operations are grouped into three categories:
Simultaneous operations (SIMOPs), where large work parties under different
management structures carry out work which results in hazards that may impact the
other. e.g. removal or overhaul of equipment and/or production and/or construction
and/or drilling in the same area (MOPO entitled SIMOPs MOPO)
External influences, e.g. extreme weather, visibility, security issues (MOPO entitled
Adverse Weather MOPO)
Inactive safeguards; i.e. SCE unavailability or impairment, e.g. ESD systems,
firefighting systems (MOPO entitled SEC Impairment MOPO).
The MOPOs shall identify and differentiate between stop (red) conditions, i.e. operation
NOT permitted and what are proceed with caution (amber) conditions, i.e. continue
following appropriate risk assessment and provide additional controls where necessary. All
other activities in the MOPO that do not require further assessment or controls are denoted
safe to proceed (green).
For developing a new MOPO or reviewing and updating an existing MOPO, refer to
Appendix 416.

Revision: 1.0
9.1 Using the MOPO

Copies of the MOPO shall be readily available in a suitable format (poster size,
laminated, etc) and displayed in the control room and other operational and job
planning /coordination areas.
The MOPO shall be referred to during both routine work planning and coordination and in
responding to unforeseen conditions.

Revision: 1.0
9.2 Deviations from the MOPO

In event of a situation arising where the preferred option is contrary to that given in the
MOPO, this shall be assessed and approved by the Delivery Team Leader and relevant
discipline authority as defined in DCAF. In the event of a SCE being impacted, relevant
discipline authorities shall also be consulted using the FSR process.

Revision: 1.0
10 ALARP demonstration

Revision: 1.0
10.1ALARP Definition
ALARP (As Low As Reasonably Practicable) allows a proportional level of effort to be put
into risk reduction once the initial level of risk has been assessed for a particular
operation or process. The ALARP principle is used to determine whether risks are
broadly acceptable, tolerable or intolerable via comparison against company risk criteria.
The use of the ALARP principle requires judgement to determine whether or not risk
levels are as low as reasonably practicable. ALARP can be demonstrated when the
sacrifice (cost, time, effort) required to reduce the risk any further, would be
disproportionate to the risk reduction potentially achieved (the benefit). The term
sacrifice relates to the time, effort and/or cost of the complete implementation and future
maintenance and operation of the particular risk reduction measure in question. Benefit
relates to the level of risk reduction offered by a risk reduction measure. Reasonably
practicable is the balance between the sacrifice and benefit of implementing the risk
reduction measure, or suite of measures.
ALARP justification also requires demonstration that all risk reduction measures
assessed as reasonably practicable have been implemented. The use of reasonably
practicable uses a goal setting approach to risk reduction rather than a prescriptive one.
This is a standard approach for all high risk industries including the oil and gas industry.
ALARP demonstration can be based on a comparison of the suite of barriers and control
measures that are in place, versus those expected to be seen in equivalent assets or
industries. This represents good practice and can be identified as standards for
controlling risk that have been judged and recognised as satisfying a particular set of laws
or regulations. In the absence of a developed regulatory system, company standards,
corporate global standards, best engineering practice and engineering judgement may be
used as a basis for comparison.
For ALARP to be demonstrated, all hazards and risks must have been identified as far as
practicable and assessed against the PDO Risk Assessment Matrix (RAM) (Figure 2-1)
and as described in Section 5. This provides a prioritised listing of hazards. As a
minimum, all Major Accident Hazards (High Risk and Severity 5 hazards) shall be
subjected to Bow-Tie analysis as described in Section 6. This is a qualitative approach to
demonstrating ALARP using the engineering, process, Process Safety and HSE
knowledge and experience of the selected workshop group.
In addition to this approach, ALARP demonstration can employ a combination of
qualitative and quantitative techniques dependent on the novelty, complexity and type of
process or project under assessment. The HSE Cases are assessed in line with the
Framework for risk related decision support in PDO as shown in Figure 2-1 and the level
of risk assessment performed proportional to the level of risk associated with the process
or project.
Refer also to GU-648 Guide for Applying Process Safety in Projects [Ref. 4] and CP-117
Project Engineering Code of Practice [Ref. 6] for further description of ALARP
requirements.

Revision: 1.0
10.2How to Undertake an ALARP Assessment

10.2.1 Principles of Hazard Management
The hazard management hierarchy as shown in Error: Reference source not found is
used to manage HSE risks and shall be referenced when demonstrating ALARP. .
Nevertheless, all hazard management controls should be considered at each stage
of the development.
MOST
EFFECTIVE Eliminate Eliminate
Eliminate sources of f lammable gas release
Eliminate
Substitute
Substitute
Eliminate
Substitute theHouse
Compressor hazard
for open arrangement
Substitute
Separation -
Use processes
Separate or from
c ompressors methods with lower
each other risk impact
Isolate/Separate
Separate c ompressors from rest of plant
Isolation / Separation
Separate gas cloud from ignition sources
Segregate hazards and/or targets

Engineered Safeguards
Engineer
Isolate
PREVENTION Design f or proc ess containment integrity
Engineered
PREVENTION
Safeguards
MITIGATION Gastodetec
Design tion, shutdown,
prevent blowdown
an unwanted
Isolation of ignition sources
event
RECOVERY Design to mitigate harmful consequences
Forced ventilation
Engineer
Organisation Organisational Controls
Organisational Controls
Training, Competency, Communication
Operator training f or Compressor upset conditions
Communication for emergency response
ProceduralNot
Controls -
Procedures
Admin Operating procedures,
assessed in Work instructions, Permits
Procedural Controls -
Maintenance regimes Operating procedures
quantitative
Emergency Response
terms procedures
Emergency response procedures
LEAST PPE
PPE
EFFECTIVE Personal Protective Equipment
Personal Protective Equipment
Protect the person N/ A there is no PPE effec tive against explosion
Figure 10-8: Hazard Management Hierarchy
The strategy selected for managing a hazard will differ depending on the project
phase, and this principle shall form part of the evaluation when making ALARP
demonstrations.
As the opportunity for influencing the facility design is greatest during early design
phases, the focus shall be on elimination or substitution of the hazards. This
typically applies to Identify& Assess and Select phases of the ORP process.
As the project matures into Define and Execute, there is less opportunity to apply
elimination or substitution and hence the predominant hazard management controls
consist of isolation/separation and engineering solutions that can be put in place.
Once a facility becomes operational, the hazard management will largely focus on
the organizational and procedural controls. PPE is generally regarded as the last
principle of hazard management and therefore also the least effective.
10.2.2 Good Engineering Practice

In most situations, deciding whether HSE risks have been reduced to ALARP
involves a comparison between the control measures a project is proposing and the
measures PDO would normally expect to see in such circumstances i.e. the
requirements of relevant good practice captured in Company specifications and
procedures listed in GU-611.
The scope for eliminating hazards and threats and reducing the scale of
consequences is greatest at the beginning of the project and progressively reduces
Revision: 1.0
as the project develops. In part this is because the cost and difficulty of delivering a
given risk reduction solution increases as the project develops. ALARP
demonstrations must be robust for each of the HSE Cases as per Figure 3-3.
CP-122 Health, Safety and Environment Mgmt System CoP describes application
of the AI-PSM process from CCPS RBPS within PDO to demonstrate compliance to
good engineering practice and to ensure that risk levels are ALARP. This is made
via demonstrating compliance against the 20 Process Elements shown in Appendix
418.
10.2.3 Good Engineering Principles

Company specifications and engineering standards should be followed unless there
is sound justification, and then consideration given to whether there is any more that
can be done to reduce the risk. If there is more that can be done, these further
measures need to be assessed by comparing the risk reduction with the cost and
effort involved in further reducing it.
Simply following standards does not in itself demonstrate ALARP, particularly for
more complex or novel projects, where additional considerations shall be made.
10.2.4 HEMP Studies

HEMP studies undertaken during the select, define, execute and/or operate phases
of the development are used to assess risk levels and identify any further risk
reduction measures.
Applicable HEMP studies for each project phase are defined in DCAF.
10.2.5 ALARP Review

In assessing the risks associated with the Design or Operations HSE Case hazards,
a qualitative review of the Bow-ties shall be undertaken. The review shall be led by
an experienced facilitator and the review team shall be comprised of experienced
staff from the following areas of expertise:
o Engineering
o Process
o HSE
o Maintenance
o Operations
o Management
o Asset stakeholders.
Each of the threat lines in the bow-ties shall be reviewed in turn and the discussion
should cover such questions such as:
o Does industry best practice state what should be done or make any
recommendations?
o Can a benchmark exercise be undertaken against other operators and similar
controls implemented?
o Where are the gaps/shortfalls and what action needs to be taken to address these
gaps/shortfalls? See Section 11.2.
o Is there sufficient quantity and quality of barriers?
o Is there anything else that can be done to further reduce the risk?
Both barrier effectiveness and the number of barriers contribute to the overall
effectiveness of control, although in general, the effectiveness of individual barriers is
more critical.
Revision: 1.0
The number, independence and reliability of the control and recovery measures shall
be commensurate with the risk.
By approaching the bow-tie review in this systematic fashion, the barriers can be
challenged in terms of completeness and adequacy and gaps identified and
addressed so that the review team is satisfied that the risks arereduced to ALARP.
The HSE Case process enables an ALARP argument to be formulated although in
isolation, a complete ALARP argument cannot be made. The claims made against
the numbers, quality, performance and location of the barriers must also be verified.
This verification of the safeguards (both hardware and procedural controls) is
performed via AI-PSM audit and the TR-MIE and TI-HBV processes. These
processes substantiate the claims made within the Bow-Ties and MOPO in terms of
barrier integrity and performance.

Revision: 1.0
10.3Assessment of Complex Decisions

Demonstrating ALARP shall involve consideration of fundamentally different options to
provide assurance that the Company gets the best value for money over the lifetime of
the facility. The assessment of fundamentally different options normally takes place in the
identify, assess and select phases.
Assessment of complex decisions requires consideration of all the hard and soft issues
related to a range of options and should reflect a decision taken at the right level in the
organisation with full knowledge of all the options and their associated risks and costs.
The following structure is recommended for documenting ALARP demonstration for
complex project decisions:
1. IDENTIFY
a. Problem Definition
b. HSE Issues and Potential Risk
c. HSE Standard & Tolerability Criteria
2. ASSESS
a. Options Considered
b. Basis for Selection and Uncertainties
c. Justification for Chosen Option
3. CONTROL & EVALUATION
a. Residual HSE Risks
b. Recommendation for Next Project Phase
c. Requirements for the Operations HSE Plan/Case
The ALARP demonstration for such decisions shall be signed by the person developing
the demonstration as well as relevant discipline Technical Authorities.

Revision: 1.0
11 OPERATE PHASE CONTINUOUS IMPROVEMENT

Revision: 1.0
11.1 Drivers for Improvement

Key Performance Indicators (KPIs) have been established for the AI-PSM programme
within PDO. AI-PSM KPIs consist of:
o A set of KPIs defined by Operational and Functional Leadership, collected on a
uniform basis at all assets (Corporate KPIs).
o Any additional asset-specific KPIs targeted at the key risks of that asset.
Typical AI-PSM KPIs include:

o Number of Process Safety incidents reported YTD.
o Number of Process Safety near misses reported YTD.
o Percentage compliance with Level 2/3 audit schedule.
o Number of deviations/non-compliance with PTW discovered during worksite visits (in
the quarter).
o Number of approved waivers, forces and safeguarding overrides in place.
o Safety Critical Element corrective maintenance compliance.
o Safety Critical Element preventive maintenance compliance.
o Number of overdue actions arising from Process Safety studies (HAZOP, OBRA,
FERM, TI-HBV, PSBR, Incident investigations, LEVEL 1/2/3 AI-PSM audits, PSUA).
o Number of SCEs that failed to meet Performance Standard (per quarter).

Revision: 1.0
11.2 Remedial Actions

Action items can be raised during compilation of a new HSE Case or review and update
of an existing HSE Case. These areas for improvement in the systems or controls in
place to manage Major Accident Hazards need to be addressed to ensure that operations
continue to be maintained at ALARP.
All action items raised shall be reviewed and approved by the action party and the HSE
Case Custodian prior to be entered into the HSE Case and the action tracking system
(FIM) for close out. The HSE Case Administrator is responsible for ensuring that actions
are closed out in a timely manner. The HSE Case Custodian has overall responsibility for
ensuring all technical information within the action close out is correct and complete.
Target dates are dictated by the most reasonably practicable timescale within which the
actions can be completed. Items in the remedial action plan (RAP) must be rectified in
accordance with the timescales set out. Where an action is not to be taken because the
cost and resources required to complete the action are not considered reasonably
practicable in view of the benefits gained in risk reduction (ALARP evaluation), this is
stated in the RAP.

Revision: 1.0
11.2.1 Qualitative Analysis of RAP Items

Risk reduction measures, and in particular those warranting the implementation of
additional safeguards, shall be compared against a simplistic cost benefit matrix, as
detailed in the Cost, Benefit, Effort Multiplier in Table 11-3. This results in each of
the potential risk reduction measures being categorised as:
o Do - Implement the option
o Study - Investigate the option further and implement if practicable
o Pass Review category to confirm rating, if still assessed as Pass, record decision
making process and do not invest further effort. Review in future for
practicability.
The decision on whether to take the action shall be dependent on the resulting
score. The multiplication results in a numerical score from 1 (most attractive) to 27
(least attractive).
The result of this iterative process shall be tabulated in the Remedial Action Plan
within the HSE Case.
Table 11- 3: Cost * Benefit * Effort Multiplier
Score 1 2 3
Cost (over 3 <$50K $50-$500k >$500k
years)
Benefit High Medium Low
Effort Quick fix Simple Fix Complex
Solution Matrix Sample Score Assignments

M Range Proposed Action
Cost x H Benefit L Benefit
Benefit 1-4 Do
Effort 1 3
2 6-9 Study
1 1 2 3 12 or greater Pass
2 2 4 6
3 3 6 9
4 4 8 12
6 6 12 18
9 9 18 27

Revision: 1.0
11.2.2 Interpreting the RAP

The remedial actions shall be included in a table as described below so that actions
and targets appear in a consistent format.
Table 11- 4: Example Remedial Action Plan
Bowtie Strategy to
Item Action Measure / Reso Action Targe Comments
Achieve the C B E S
no. ref. Description Indicator urce Owner t Date / Status
Action
1 H- Ensure Develop andDeveloped 1 2 1 2 OSO OSS Q10 Closed
compliance of implement and 9
01.005b 12/09/200
speed limits program to
implement
inside NRPS. reinforce program to 9
H- Speed limits awareness of
reinforce PDO
01.003a within NRPS speed limits
awareness conseque
are currently inside NRPS. of speed nce matrix
H- not complied limits inside implement
with. Implement PDO NRPS.
consequence ed. Drive
01.003d
Conduct drive management PDO for road
to further procedures for consequenc safety
H- (within the
communicate speeding. e
01.005d hazards of managemen 4MW).
speeding Install speed t procedures Various
H-04.002 within NRPS. limits signs (if for seeding campaign
not present). implemented s and
. posters
H-10.016
displaying
Speed limits conseque
installed (if nces for
required). breaking
road rules
(includes
speeding).
Table 11-5: Interpreting the RAP

TITLE SCOPE/COMMENTS
Action No Sequential action number or FIM reference
Bow-Tie Ref Reference number of the Bow-Tie diagram where the action was raised
Action Description Description of action
A qualitative assessment of the cost of implementation, derived using the
C
Qualitative ALARP matrix (Section )
A qualitative assessment of the HSE benefit from implementation, derived using
B
the Qualitative ALARP matrix (Section )
A qualitative assessment of the effort of implementation, derived using the
E
Qualitative ALARP matrix (Section )
S A qualitative score derived using the Qualitative ALARP matrix (Section )
Action Resource The person responsible for carrying out the action
Action Owner The individual who is accountable for the completion of the action.
Date Action Was
The date when the action was raised.
Logged
Date at which the target will be reached and action completed. Timescales can be
revised at the annual review stage of the action plan. If an action is no longer
Target Date
applicable and/or the target cannot be met, clear reasoning and steps to resolve
must be given.
Comments/Risks Opportunities and risks if action is not undertaken.

Revision: 1.0
12 STATEMENT OF FITNESS
A Statement of Fitness is required by CP-117 [Ref. 6] and CP-122 HSE Management
Manual and shall be included in the HSE Case.
A Statement of Fitness shall be developed for the Assets prior to teh pre start up audit for a
project, before starting or commissioning a new Asset or a modification to an existing Asset.
Table 12-6 contains each element of the Statement of Fitness together with a guide to
minimum requirements for demonstrate compliance with each element. Further guidance is
provided in GU-648.
Table 12-6: Statement of Fitness
REQUIREMENT DEMONSTRATION
Process Safety Risks have been HSE Risk studies including HAZOP, HEMP, FERM
identified and documented and are and Bow-Ties have been completed
managed to ALARP ALARP demonstration has been made for the asset
ALARP demonstration includes assessment of
SIMOPS and development of a MOPO
Risk register and Risk Management Plan in place
An Emergency Response Plan addressing each of
the identified Major Accident Hazards has been
developed and is routinely tested
Critical PCAP deliverables
No outstanding unapproved variations to DEM1,
DEM2 or actions from ALARP workshops
Employees or Contractors executing Operator competence assurance plans with HSE

HSE Critical Activities are competent critical roles indentified in job descriptions
and fit to work Personnel in HSE Critical roles are fit to work
TA approval framework is in place (DCAF or similar)
Safety Critical Equipment meets its SCEs have been indentified and documented and
Technical Integrity Requirements included in the HSE Case
Performance Standards have been developed for all
identified SCEs and approved by TAs
PCAP in place & followed
TIV Report (assurance and verification of the SCEs)
finalized all punch listed items closed out
Design and Construction of new All requirements of DEM 1 are met a derogation
Assets and modifications to existing register is maintained where DEPs cannot be
Assets meet design and engineering satisfied
requirements Critical documents and drawings are prepared and
approved.
Well Handover Document completed
Process Safety Basic Requirements All applicable PSBRs are met (DEM2)
are met
Procedures are in place to operate Operations procedures are in place

Safety Critical Elements within its Integrity operating envelopes and Alarm Catalogues
Operational Limits. are completed
The Asset Register, Safety Critical Protection Device (Trip) settings in place, including
Elements (SCEs), SCE related wells
Performance Standards (PSs) Operations Procedures in place
acceptance criteria and Maintenance / Performance Standards and maintenance/
Revision: 1.0
REQUIREMENT DEMONSTRATION
Inspection Routines are identified and inspection routines are current and uploaded to
loaded into the maintenance SAP
management system (SAP). Asset register is current and uploaded to SAP
CMMS and SCE Management system is populated
and available
Corrosion management plans are in place
Well integrity management is in place
FSR is in place
Modifications are complete and have Management of Change (MOC) Process is

been managed via the Management documented
of Change process (PR-1001) Staff in HSE Critical Positions are trained and a log
maintained
MOC procedures are in place and used
A change register is maintained
HSE audit and inspection Level 1, 2 and 3 audits are scheduled and completed
programmes test compliance with the as per the HSE Business Plan
AI-PSM and HSE Case Standards Audit findings are internally communicated to all
levels in the organisation and a RAP developed

Revision: 1.0
13 MANAGEMENT OF CHANGE
All PDO Operations HSE Cases shall be reviewed on an annual basis (by year end) to
ensure that all the following sections of the HSE Case remain true and valid to operations.
It is the responsibility of the Delivery Team Leader as the HSE Case Custodian to ensure
these updates are completed, with support from the HSE Case administrator.
Bow-tie assessment
o Have any new severity 5 or high level risks been identified?
o Are all barriers still valid?
o Have any new barriers been identified?
o Are all barriers correctly categorised (Inherent Safety, SCE, Critical Activity)?
SCE listing
o Is the hardware barrier correctly identified as an SCE?
o Does the barrier have the correct SCE identifier attached?
o Are all the performance standards complete and up to date?
o Has all SCE been entered into the Asset Register?
o Has the task information embedded within the system been added to the HSE
Critical Task information?
HSE Critical Tasks

o Has there been any Directorate/Departmental re-organisation?
o Are all the reference indicators and positions still current?
o Have all personnel signed off to say they are aware of their tasks (annual
requirement) and that their assigned tasks are correct?
Remedial Actions
o Are any of the remedial actions overdue?
o Do any of these open action items compromise safe operations of the plant as
signed in the Statement of Fitness?
Statement of Fitness
o Annual review of the Statement of Fitness to ensure that it is correct and accurately
reflects the status of operations.
o The Statement of Fitness shall be signed off by the HSE Case Custodian after each
review.
Other changes that may trigger a revision to the Operations HSE Case are listed below:
o As part of a Material Change to the Facility, operation or surrounding environment

that may have a potential impact on the risk profile
o When it cannot be verified that the performance of safety critical elements (SCEs)
meet the performance standards and/or when mitigation measures have been
employed for extended periods to compensate for this shortfall
o Prior to any material changes to the organisational arrangements or personnel levels
o Following a major incident involving the Facility or operation, or from lateral learning
Revision: 1.0
from other major incidents applicable to the Facility or operation

o Enhancements in knowledge or technology that change the basic assumptions on
which the risk tolerability and ALARP demonstrations are based
o Updated HEMP study findings/results
o If there is a change to any of the signatory parties for the HSE Case, i.e. HSE Case
Owner (Director), HSE Case Custodian (Delivery Team Leader) or HSE Case
Administrator (Technical Safety Engineer)
All identified changes to the HSE Case, whether as a result of a periodic review or any of
the other criteria listed above shall be assessed by the HSE Custodian, the Technical Safety
Engineer and the HSE Case administrator (where this is not the TSE). Where relevant, the
change should also be assessed by a discipline Technical Authority.
The roles and responsibilities for changes to the HSE Case and how these changes shall
be recorded are further described in Appendix 417.

Revision: 1.0
14 CONCEPT SELECTION REPORT

The Concept Selection report forms the basis for the engineering activities in the Define
phase. It clarifies the context in which the selection decision has been made, the data that
have been used, the alternatives that have been studied, and the values and trade- offs
between alternatives.
The purpose of the HSE content of the Concept Selection report is to:
1. Demonstrate that there has been a systematic application of HEMP during the
Identify & Assess and Select Concept phases of the ORP [18] for each option
being considered;
2. Confirm that the lowest risk option have been actively sought and selected; or
alternatively, demonstrate that the cost/effort required to adopt the lowest risk
concept is grossly disproportionate to the benefit (ALARP).
The HSE content of the Concept Selection report shall include:

o Reference to descriptions of the options being considered;
o A Hazards and Effects Register in accordance with EP Tool Hazards and Effects
Register [14] for each development option considered;
o Summary of the risk profiles associated with each option;
o A summary of the HEMP studies and key assumptions that have been made in the
Hazard identification and risk assessments studies;
o Summaries of the philosophies and measures implemented during this phase to
reduce residual risks to ALARP
o The justification that the selected option shall present the lowest overall risks, or
alternatively, the ALARP demonstration showing that the cost/effort required to adopt
the lowest risk concept is grossly disproportionate to the benefit;
o Any issues that may have an impact on the risk profile and so need to be addressed
during the Define and Execute phases.
o Summary of rejected options with a description of reason for not pursuing the
respective options.
o SIMOPS considerations for Sour projects
Relevant HEMP studies will depend on the nature, size and complexity of the project.
Large and complex projects will typically require a separate ALARP demonstration report to
meet the above requirements.

Revision: 1.0
14.1DCAF Deliverables for Identify, Assess and Select Phases

Individual components of the Concept Select Report are required deliverables under the
Discipline Controls and Assurance Framework (DCAF). The Concept Select Report is
itself a required DCAF deliverable.
The full list of HSE DCAF deliverables for the Select phase which should be produced
and signed off individually by the relevant competent person/Technical Authority is given
below. Ensure DCAF is consulted for latest version of specified deliverables and the
Discipline Authority Manual (TAs):
o ALARP Demonstration Report

o HEMP Findings and Close out Report
o HAZID Report
o Concept Risk Assessment Report (i.e. the Qualitative Risk Assessment (QRA))
o Preliminary Hazard and Effects Register
o Greenhouse Gas (GHG) and Energy Efficiency Report
o Fire and Explosion Assessment
o Sustainable Development Strategy
o Regulatory Compliance and Permitting Plan
o HSSE and SP (Social Policy) Plan
o HSSE and SP Philosophy Document
The Concept Select Report shall contain summaries and/or references to all the above
documents.

Revision: 1.0
15 DESIGN HSE CASE REQUIREMENTS

The Concept Select Report is the starting point for developing the Design HSE Case as it
describes the Identify & Assess and Select phases in detail.
The Design HSE Case focuses on the chosen concept through the Define and Execute
phases and is a DCAF Deliverable. It must be signed off by the project management prior
to VAR4 (for FEED) and prior to the Pre-Start Up Audit for HSE Cases at the end of detailed
design. The final design HSE Case is used as part of the ALARP demonstration in the
Operations HSE Case.

Revision: 1.0
15.1Basic Requirements
The Design HSE Case:
o Is required to demonstrate that there has been a systematic application of HEMP

during the Define and Execute phases and that the risk has been actively and
systematically reduced to ALARP
o shall incorporate any design changes made during the Define and Execute phases
that impact severity 5 or high level hazards and updating the risk tolerability and
ALARP demonstrations
o shall incorporate a full list of safety critical elements (SCEs) with relevant
performance standards (SCEs shall be identified in accordance with EP2009-9009)
o shall be signed off by the Project Manager
o shall be used to develop the Operations HSE Case prior to the pre-start up audit
(PSUA) and subsequent operate phase

Revision: 1.0
15.2Format
The Design HSE Case shall be based on the following structure:
o Contents
o Part 1 Introduction
o Part 2 Concept Select Report Summary
o Part 3 Design Basis & Facilities Description
o Part 4 HEMP and major accident hazard (MAH) assessment (including ALARP
Demonstration, safety critical elements (SCE) and Bow-ties)
o Part 5 Improvement (Remedial Action Plan)
15.2.1 Contents
This part shall contain:
o Document authorisation, identification of the HSE Case Owner, HSE Case
Custodian, and HSE Case Administrator and their responsibilities
o Version control, showing the scope of each revision
o Signed off Statement of Fitness for the Design HSE Case by the HSE Case Owner
(usually the Project Manager).
The Statement of Fitness is signed on the understanding that all remedial actions
outlined in Part 5 of the Design HSE Case are, or will be, closed out effectively by
their action target dates.
15.2.2 Part 1 Introduction

Part 1 shall:
o Describe the scope of the Design HSE Case
o State the relationship with the HSE Management System (HSE-MS) Manual, CP-
122
o Provide a summary of the change control process applied trhough the various
stages of the project.
o Include a project summary
15.2.3 Part 2 CSR ALARP demonstration Summary

Part 2 shall contain a summary of the ALARP demonstration in the Concept Select
Report which describes the process from the Identify & Assess phase to the Select
phase and the selection of the chosen concept. This includes a list of supporting
safety studies undertaken.
15.2.4 Part 3 Design Basis & Facility Description

Part 3 shall contain:
o A detailed description of the chosen concept, including site selection, plant layout,
material selection, etc., including a project overview to show boundaries of the
HSE Case
o A description of all of the safety critical elements and any other safety systems
provided.
o A list of all DEPs, codes, standards and specifications used in the design
o A summary description and reference to, the Operations and HSSE Philosophies,
including manning strategies and philosophies
o A list of identified HSE risks from the Project Risk Register.
Revision: 1.0
o A list of the MAH associated with the facilities

o A Variance Register, or reference to it, providing justification why the engineering
standards or specifications for the project deviate from applicable Design
Engineering practices (DEP)
o A list of all safety critical elements (SCE) - defined as hardware barriers on the
bow-ties (in accordance with EP2009-9009)
15.2.5 Part 4 Hazards & Effects Management Process

o A Hazard and Effects Register containing details of all severity 5 and high risk
hazards and an assessment of each hazard including the key assumptions
(assessed using the PDO risk assessment matrix in Figure 2-1)
o Bow-Tie diagrams for severity 5 and high risk hazards, with barriers categorised as
inherent safety, safety critical element (SCE), procedural control and remedial
action/shortfall
o ALARP Demonstration, to state how the qualitative Bow-Tie assessment has been
reviewed to ensure all applicable measures to reduce risk to tolerable and ALARP
have been assessed and implemented
o Details of utilised HSE Risk Tolerability, Acceptance Criteria, and ALARP
Framework
o Summaries of the philosophies and measures implemented during the Design
phase to reduce residual risks to ALARP
o Summary of HEMP studies undertaken since the Concept Select Report, e.g.
Hazard Identification studies (HAZID), Hazard and Operability studies (HAZOP),
Instrumented Protective Function (IPF), plant layout study, Quantified Risk
Assessment (QRA), Health Risk Assessment (HRA) Human Factors Engineering
(HFE), consequence modelling, EER Assessment, etc.
o A summary of practical risk reduction measures and their implementation unless
demonstrated not reasonably practicable. These may be represented on ALARP
Worksheets.
o Any issues that may have an impact on the risk profile and so need to be
addressed during the Operate phase
See Sections 5, 6 and 10 for more details on undertaking HEMP, Bow- Ties and
ALARP Demonstrations, respectively.
15.2.6 Part 5 Improvement (Action Plan)

Part 5 shall contain an action plan that is SMART (specific, measurable, agreed,
realistic and timely) which lists all the actions to be carried forward to, and dealt with,
in the Operations HSE Case.
All remedial action items arising from review and update of the HSE Case shall be
accepted by the appropriate action parties and approved by the HSE Case
Custodian (Delivery Team Leader).
Following approval, the action items shall then be entered into the PDO action
tracking system to be formally tracked and closed out. At the time of issue of this
Specification, the Fountain Incident Management (FIM) system is used for tracking
actions from HSE Cases.
See Section 11 for more details on continuous improvement.

Revision: 1.0
15.3DCAF Deliverables for Define and Execute phases

Many of the individual components of the Design HSE Case are required deliverables
under the Discipline Controls and Assurance Framework (DCAF) (note that the Design
HSE Case is a required deliverable in itself).
Some deliverables may simply require an update of the DCAF deliverable from I/A and
Select phase. The Design HSE Case shall contain summaries of, and/or references to,
the following HSE DCAF deliverables for the Define and Execute phases:
o ALARP Demonstration Report (Final)
o HEMP Findings and Close out Report (updated)
o HAZID Report (updated)
o Concept Risk Assessment Report (i.e. the Qualitative Risk Assessment (QRA)
updated)
o Hazard and Effects Register (Updated)
o Greenhouse Gas (GHG) and Energy Efficiency Report
o Facilities Layout Rational
o Living Quarters Specification and temporary refuge where applicable, e.g. Sour
projects.
o Performance Standards for Safety Critical Elements
o Impact Assessment Implementation (including Baseline studies)
o Fire and Explosion Assessment (updated)
o Sustainable Development Plan (Updated)
o HSSE and SP (Social Policy) Plan
o HSSE and SP Philosophies Document (updated)
o Environmental Permit
o Health Hazards Exposure Monitoring
o Medical facilities Assessment
o Matrix of Permitted Operations (MOPO) part of the Design HSE Case.
Consult DCAF for latest version of specified deliverables and the Discipline Authority
Manual (TAs)

Revision: 1.0
16 OPERATIONS HSE CASE REQUIREMENTS

The Operations HSE Case focuses on the Operate phase of the project and covers safe
and continuous operation of the facility. It ensures that all procedural (operational,
maintenance and inspection) controls are in place to ensure that the facility remains within
pre-set design limits and specifications (as per the Design HSE Case where relevant).
For new projects, the Design HSE Case will usually be the starting point for developing the
For brownfield projects, the Design HSE Case serves as the starting point for updating the
existing Operations HSE Case.
The Operations HSE Case shall be signed by HSE Case Owner, Custodian and
Administrator prior to the Start-Up of the facility.

Revision: 1.0
16.1Basic Requirements
The Operations HSE Case:
o Is required to demonstrate how severity 5 or high level hazards are managed during
operations to ensure that the risk is tolerable and ALARP
o Shall describe how the relevant management systems (asset integrity, Maintenance
Integrity Execution, competence and permit to work, etc.) implement the
requirements of the PDO HSE-MS and the AI-PSM systems, including management
of medium hazards
o Shall be accepted and signed off by the relevant Director (in the Statement of
Fitness)

Revision: 1.0
16.2Format
The Operations HSE Case shall be based on the following structure:
o Contents (including the Statement of Fitness)
o Part 1 Introduction
o Part 2 Facility Description
o Part 3 People, HSE critical tasks
o Part 4 HEMP and major accident hazard (MAH) assessment (including ALARP
Demonstration, safety critical elements (SCE) and Bow-ties)
o Part 5 Improvement (Action Plan)
16.2.1 Contents
This part shall contain:
o Document authorisation, identification of the HSE Case Owner, HSE Case
Custodian, and HSE Case Administrator and their responsibilities
o Version control, showing the scope of each revision
o Signed off Statement of Fitness of the Operations HSE Case by the HSE Case
Owner (the relevant Director).
The Statement of Fitness is signed on the understanding that all remedial actions
outlined in Part 5 are, or will be, closed out effectively by their action target dates.

Revision: 1.0
16.2.2 Part 1 Introduction

Part 1 shall:
o Describe the scope of the HSE Case
o State the relationship with the HSE Management System (HSE-MS) Manual, CP-
122
o State the purpose of the Operations HSE Case in relation to different users and
where relevant information can be found within the document
o Summarise the change control process to be applied to the HSE Case and the
mandatory review and update requirements.
16.2.3 Part 2 Facility Description

o A detailed description of the facility, including plant layout, material selection, safety
system, process systems, utilities, etc., including a project overview to show
boundaries of the HSE Case
o A description and reference to, the Operations and HSSE Philosophies, including
manning strategies and philosophies
o A list of the MAHs associated with the facilitiesA list of all safety critical elements
(SCE) defined as hardware barriers on the bow-ties (in accordance with EP2009-
9009)
o A list of major changes to the HSE Case since its inception
16.2.4 Part 3 People, HSE Critical Tasks

o Normal operation facility manning levels and listing of key positions
o An organogram showing the organisational structure and highlighting all personnel
within the Operations HSE Case who hold an HSE Critical Position, i.e. they have
HSE critical tasks assigned to them
o Tables arranged by HSE Critical Position identifying for each HSE Critical Task:
Where the HSE Critical Task fits into the Bow-ties e.g., Facilities/
Equipment and Hazards/Barriers
A brief description of the HSE Critical Task and link to the specifications
and procedures, documenting how the HSE Critical Task is implemented
The means by which the HSE Critical Task is assured e.g. PTW forms, FAIR
Reports, etc.
o A summary of the HSE Competency assurance system and links for further
information
16.2.5 Part 4 Hazard and Effects Management

o A Hazards and Effects Register containing all hazards identified for the
facility/operations are to be listed and assessed using the PDO risk assessment
matrix (Figure 2-1). The severity 5 and high risk hazards contain references to the
relevant Bow-Tie diagrams
o Bow-Tie diagrams for severity 5 and high risk hazards, with barriers categorised as
inherent safety, safety critical element (SCE), procedural control and remedial
action/shortfall
o ALARP Demonstration, to state how the qualitative Bow-Tie assessment has been
Revision: 1.0
reviewed to ensure all applicable measures to reduce risks to tolerable and ALARP
levels have been assessed and implemented see Section 10.2.5.
o Summary of HEMP studies undertaken since the Design HSE Case, e.g. Hazard
Identification studies (HAZID), Hazard and Operability studies (HAZOP),
Instrumented Protective Function (IPF), plant layout study, Quantified Risk
Assessment (QRA), SIMOPS QRA, Human Factors Engineering (HFE),
consequence modelling, etc.
o A matrix of permitted operations (MOPO) to define the operating envelope and
safe operating limits for the facility and provide guidance on action required in
event of abnormal situations. Situations mapped shall cover:
Adverse weather conditions
Simultaneous operations (SIMOPs)
Safety critical element (SCE) and critical manpower unavailability
See Appendix 416 for details on MOPO requirements.
16.2.6 Part 5 Improvement (Action Plan)

Part 5 shall contain an action plan that is SMART (specific, measurable, agreed,
realistic and timely) which lists all the actions raised during the development of the
All action items shall be entered into the PDO action tracking system to be formally
tracked and closed out once they have been fully approved by the HSE Case
Custodian. At the time of issue of this Specification, Fountain Incident Management
(FIM) is used for tracking actions from PDO HSE Cases.
Part 5 also contains a brief description of how the Operations HSE Case is
continually improved through the use of annual HSE Plans, HSE Case key
performance indicators (KPIs) and audit and review.
See Section 11 for more details on continuous improvement.

Revision: 1.0
16.3DCAF Deliverables for Execute and Operate Phases

Many of the individual components of the Operations HSE Case are required deliverables
under the Discipline Controls and Assurance Framework (DCAF) (note that the
Operations HSE Case is a required deliverable in itself).
The full list of HSE DCAF deliverables for the later Execute and Operate phases which
should be produced and signed off individually by the relevant competent
person/Technical Authority are:
o ALARP Demonstration (Bow-ties for qualitative ALARP demonstration)
o HEMP Findings and Close out Report (updated)
o HAZID/HAZOP Reports (updated)
o Concept Risk Assessment Report, i.e. the Qualitative Risk Assessment (QRA)
updated
o Hazard and Effects Register (updated)
o Greenhouse Gas (GHG) and Energy Efficiency Plan
o Performance Standards for Safety Critical Elements
o Impact Assessment
o Fire and Explosion Assessment (updated)
o Sustainable Development Plan (Updated)
o HSSE and SP (Social Policy) Plan (updated)
o HSSE and SP Philosophies Document (updated)
o Environmental Permit
o Health Hazards Exposure Monitoring Plan
o Health Risk Assessment report
o Medical facilities Assessment
o Job type Health Risk Assessment
o Emergency Response Plan
o Security Management Plan
Consulted DCAF for latest version of specified deliverables and the Discipline Authority
Manual (TAs)The Operations HSE Case shallcontain summaries and/or references to all
the above documents. The following DCAF documents will be incorporated into the
Operations HSE Case, either within the main body or as an appendix.
o Statement of Fitness (within the Operation HSE Case)
o Matrix of Permitted Operations (MOPO) (within the Operations HSE Case)
o Asset Register (updated) (Appendix)
o Safety Critical Element Register (Appendix)

Revision: 1.0
Appendix 1 Glossary of Definitions, Terms and

Abbreviations
Acronym Definition
AI-PSM Asset Integrity - Process Safety Management
ALARP As low as reasonably practicable
CFDH Corporate Functional Discipline Head
CSR Concept Selection Report
DCAF Discipline Controls and Assurance Framework
DEP Design engineering practise
DG Decision Gate
FEED Front End Engineering and Design
FERM Fire and Explosion Risk Management study
FID Final investment decision
GHG Greenhouse gas
HAZID Hazard Identification
HAZOP Hazard and operability study
HBV Hardware Barrier Verification
HEMP Hazards and Effects Management Process
HFE Human Factors Engineering
HSE Health, Safety and Environmental
HSE-MS Health, Safety and Environmental Management System
HSSE Health, Safety, Security and Environmental
IADC International Association of Drilling Contractors
IPF Instrumented protective function
JOA Joint Operating Agreement
JVA Joint Venture Agreement
KPI Key performance indicator
Major accident hazard - Any situation with the potential for major consequences (harm) to
MAH
people, environment, asset and reputation if released (severity 5 or high risk hazard)
MIE Maintenance Integrity Execution
MOPO Matrix of permitted operations
ORP Opportunity Realisation Process
PEFS Process engineering flow schematics
PSBR Process safety basic requirements
PSUA Pre-start up audit
PTW Permit to Work
QRA Quantitative Risk Assessment
RAM Risk assessment matrix
Recovery measure Any measure put in place to manage consequences and assist recovery from a top event
The likelihood of a Top Event combined with the severity of the Consequences (The risk is
Risk
from the Hazard to people, environment, asset and reputation).
SCE Safety Critical Element
SIEP Shell International Exploration and Production
SMART Specific, measurable, agreed, realistic and time-constrained

Revision: 1.0
Acronym Definition
SP Social policy
TA Technical Authority
Threat Any action or mechanism that could bring about the unplanned release of a hazard
Threat control Any measure put in place to prevent a Threat being successful
Tolerable Risks are those that have been reduced to a level where they comply with the
Tolerable risk applicable laws and regulations, standards, strategic objectives and other agreed
Tolerability Criteria.
Top event The first thing that happens when a hazard is released (also known as first consequence)
TR-HBV Total Reliability - Hardware Barrier Verification
TR-MIE Total Reliability - Maintenance integrity Execution
UKOOA UK Offshore Operators Association
VAR Value Assurance Review

Revision: 1.0
Appendix 2 Related Business Control Documents and

References
1. CP-122 - Health, Safety and Environment Management System CoP, Version 4,

22/04/02
2. Shell Yellow Guide, Risk Assessment Matrix, Issue 3.0, March 2006
3. A Framework for Risk-related Decision Support, UKOOA, 1999
http://www.ukooa.co.uk/
4. GU-648 - Guide for Applying Process Safety in Projects, Rev 1.0, 15th December 2010
5. International Association of Drilling Contractors (IADC) Drilling Contractors, Health,
Safety and Environment Case Guidelines for Land Drilling Contractors, Issue 1.0.1, 27
July 2009. Click Here for latest version of this document.
6. CP-117 - Project Engineering Code of Practice, Rev 4.0, 11 January 2011
7. SP-2061 - Functional Technical Directorates, Technical Authority System, Revision 2.0,
Jun-10
8. Shell Group HSSE & SP Control Framework, Section 03, Process Safety Manual.
http://sww.manuals.shell.com/HSSE/
9. Guidelines for Risk Based Process Safety. Center for Chemical Process Safety, 978-
0-470-16569-0, 2007. http://www.knovel.com/web/portal/browse/display?
_EXT_KNOVEL_DISPLAY_bookid=1794
10. Safety Critical Element Management Manual, Second Edition, EP2009-9009, Feb 2009.
Click Here for all Operational Excellence documentation on Shell Wiki.

Revision: 1.0
Appendix 3 Hazard Inventory Checklist

Ref. No Hazard Name Possible Source
H-01 Hydrocarbons (Unrefined)
H-01.001 Liquid Natural Gases (LNGs) Cryogenic plants, tankers.
Storage tanks, gas wells, gas pipelines, gas separation
H-01.002 Condensate
vessels.
Reservoirs, wells, oil/gas separators, gas processing plants,
H-01.003 Hydrocarbon gas
compressors, gas pipelines.
H-01.004 Coal Mining activities, boiler fuel source.
H-01.005 Crude (oil) Reservoirs, wells, pipelines, pressure vessels, storage tanks.
H-01.006 Hydrocarbons from Shale Mining activities, extracted oil shale deposits.
H-01.007 Oil Sands Tar sands, bituminous sands (clay, sand, water, bitumen).
H-01.008 Other Hydrocarbon source Sub sea gas hydrates.
H-02 Hydrocarbons (Refined)
Liquefied Petroleum Gases Process fractionating equipment, storage tanks, transport
H-02.001
(e.g. Propane) trucks and rail cars.
H-02.002 Gasoline's (Napthas) Vehicle fuelling stations, vehicle maintenance.
Aircraft, portable stoves, portable lanterns, heating
H-02.003 Kerosenes / Jet Fuels
systems, storage tanks.
Gas Oils (Diesel Fuels / Heating
H-02.004 Vehicle fuelling stations, vehicle maintenance.
Oils)
H-02.005 Heavy Fuel Oils Shipping fuel, bunkers, heating systems, storage tanks.
Engines and rotating equipment, hydraulic pistons, hydraulic
H-02.006 Lubricating Oil Base Stocks
reservoirs and pumps.
Heavy fuels, petroleum pitches and resins, rubber and
H-02.007 Aromatic Extracts
plastics, naphtha.
H-02.008 Waxes and Related Products Filter separators, well tubulars, pipelines.
Bitumen's and Bitumen
H-02.009 Road construction.
Derivatives
H-02.010 Petroleum Coke Furnaces, boilers
H-03 Explosives
H-03.001 Detonators Seismic operations, pipeline construction.
Seismic operations, blasting, construction, firework
H-03.002 Commercial Explosive Material
displays.
H-03.003 Shaped Charges Well completion activities, demolition.
Spent munitions, UXB, land mines, depleted uranium
H-03.004 Military Ordnance
rounds, improvised explosive devices.
H-04 Pressure
Welding bottles, laboratory gas, pipe-works, air lines, air
H-04.001 Gas under Pressure
brakes, air guns, diving operations (air tanks).
Water disposal, water floods and injection operations,
H-04.002 Liquid under Pressure strength testing of pipe works, well fracturing and
treatments.
H-04.003 Vacuum Tanks, accumulators.
H-04.004 Hyperbaric Operations Diving operations.

Revision: 1.0

H-04.005 Hypobaric Operations Working at high altitude (generally >2000m).
H-05 Differences in Height
Working on scaffolding, suspended access, ladders,
H-05.001 Personnel at Height >2m platforms, excavations, towers, stacks, roofing, working
overboard, working on monkey board.
Slippery/uneven surfaces, climbing/descending stairs,
H-05.002 Personnel at Height 0m<2m
obstructions, loose grating.
Objects falling while being lifted/handled or working at a
H-05.003 Objects Overhead height over people, equipment or process systems, elevated
work platforms, slung loads, hoists.
H-05.004 Ground / Slope Stability Pipeline trenches, excavations, repairing buried facilities.
H-06 Objects under Induced Stress
Guy and support cables, anchor chains, tow & barge tie-off
H-06.001 Objects under Tension
ropes, slings.
Spring-loaded devices such as relief valves and actuators
H-06.002 Objects under Compression
and hydraulically operated devices.
H-07 Dynamic Situations
Driving to and from locations and camps, transporting
H-07.001 Land Transport (Driving) materials, supplies and products, seismic field operations,
moving drilling rigs and work over rigs.
Boat transport to and from locations and camps,
transporting materials, supplies and products, marine
H-07.002 Water Transport (Boating)
seismic operations, barges moving drilling rigs and work
over rigs, boat collision.
Helicopter and fixed wing travel to and from locations and
H-07.003 Air Transport (Flying)
camps, transporting materials, supplies and products.
Equipment with Moving or Engines, motors, compressors, drill stems, rotary table,
H-07.004
Rotating Parts thrusters on DP ships.
H-07.005 Using Hand Tools Galley, seismic line clearing, grubbing operations.
H-08 Natural Environment
H-08.001 Weather Conditions Winds, temperature extremes, rain, storms.
Physical impact of waves, tides or other sea states, river
H-08.002 Marine / Water Conditions
currents, floods, tsunami.
H-08.003 Tectonic / Land Effects Earthquakes, landslips or other earth movement activity.
H-08.004 Fire Natural wild fire potential, forests, grasslands.
Working in open spaces, close to power lines, close to trees,
H-08.005 Lightning
near seismic spreads.
H-09 Electricity
Power cables, temporary electrical lines, electric motors,
electric switchgear, power generation, welding machines,
H-9.001 Voltage > 50v transformers, overhead power lines, office equipment, and
domestic equipment. Consider AC, DC, current, single and
three phase.
Contact between storage vessels and piping, product
H-9.002 Electrostatic Energy transfer hoses, wiping rags, unearthed equipment, high
velocity gas discharges, offimce carpets, door handles.
H-10 Physical
H-10.001 X rays <10nm (ionising) Medical scanners, inspection.

Revision: 1.0

Ultra Violet Light (UV) -
H-10.002 Wavelength 100 - 400 nm (Non Sunlight, arc welding.
Ionising)
Visible Light - Wavelength 400 -
H-10.003 Arc welding, sunshine, flood lighting, night lights.
780 nm (Non Ionising)
Infra Red (IR) - Wavelength 400
H-10.004 Flares, laser pointers.
- 1400 nm (Non Ionising)
H-10.005 Microwaves (750 - 2500nm) Domestic, industrial catering equipment.
Lasers - Wavelength: 100 - 1000
H-10.006 Instrumentation, surveying, metal cutting.
nm (Non Ionising)
Radio Wave / Microwave
H-10.007 Radiation - Wavelength: 1 mm - Telecoms, mobile phones.
30 km (Non ionising)
Extremely Low Frequency
H-10.008 Magnetic Radiation (ELF) - Transformers, power cables.
Wavelength: > 30 km
Well logging, radiography, densitometers, interface
H-10.009 Alpha, Beta Particles
instruments.
H-10.010 Gamma Rays Well logging, radiography.
H-10.011 Neutron Radiation Nuclear reactors, well logging.
Scales in tubulars, vessels and process plant fluids
(especially in C3 reflux streams), cosmic radiation
Naturally Occurring Ionising
H-10.012 (international air travel), radon gas (granites), mining
Radiation (NORM)
activity oil/gas/coal/mineral sands, phosphates, recycled
scrap steel.
Both impact (acute) and background (chronic), releases
H-10.013 Noise from relief valves, pressure control valves, engine rooms,
compressor rooms, drilling brake, air tools.
Hand / whole body vibration, hand power tools,
H-10.014 Vibration maintenance and construction worker, boating, motion
sickness.
Process piping, storage vessels, tankers, vapour lines,
H-10.015 Cold Temperature Differentials crogenic plants, cold stores / walk in refrigerators, arctic
climates, seas < 10oC.
Near flare, on the monkey board, in open exposed areas,
summer heat, process piping, steam outlets, exhausts,
H-10.016 Hot Temperature Differentials
confined closed spaces, glycol regeneration, steam
generators, hot oil heating systems, regeneration gases.
Climates where sweat evaporation rates are too low to cool
H-10.017 Humidity the human body, personal protective clothing, lack of
moisture (cold dry climates).
H-10.018 Cellulosic Materials Packing materials, wood planks, paper rubbish
Metal scale from vessels in sour service, scale on filters in
H-10.019 Pyrophoric Materials
sour service, iron sponge sweetening units
H-11 Toxic Atmosphere/Medium
Breach of oxygen / nitrogen balance. Confined spaces,
Oxygen concentration in air (in
H-11.001 tanks, nitrogen deluge systems, Oxygen depleting deluge
balance)
systems

Revision: 1.0

Welding/burning operations, blanking systems that are
Toxics in air (CO, H2S, heavy toxic, exhaust pipes, faulty heating devices, poorly vented
H-11.002
metals etc) workshops, condensate vapours, sour gas gantries, fuelling
points, aluminium oxides.
Smoke, soot, diesel fumes, cutting brickwork and concrete,
driving on unpaved roads, carpenter shops, grit blasting,
H-11.003 Particulates in Air / Dusts sand blasting, catalyst (dumping, screening, removal,
drumming), mineral fibres, powdered mud additives,
sulphure recovery plants.
H-11.004 Water Risk of drowning in rivers, creeks, swimming pools.
Note: If required a detailed Level 3 Hazard listing is
H-12 Chemical Substances provided in EP Guideline Explanatory Text to the Hazard
Inventory [2].
H-12.010 Additives
H-12.011 Asbestos all Forms CAS# 1332-21-4, CAS# 12001-28-4.
H-12.012 Brines Hydrocarbon production, well kill fluid, packer fluids.
H-12.013 Butanes Bottled gases.
H-12.014 Degreasers Maintenance shops (halogenated & non-halogenated).
MEG, TEG used for dehydration of natural gases. Used as
H-12.015 Glycols
antifreeze.
H-12.016 Halons Fire fighting equipment, refrigerants
H-12.017 Nickel Catalysts CAS# 7440-02-0.
H-12.018 Paints & Thinners Two-pack paint systems (isocyanates).
Polychlorinated Biphenyls Transformer oils (NB, approx. 50 congeners each with a
H-12.019
(PCBs) separate CAS number.).
H-12.104 Ammonia CAS# 7664-41-7.
H-12.105 Ammonium Bifluoride CAS# 1341-49-7.
H-12.108 Benzene CAS# 71-43-2.
H-12.115 Calcium Bromide CAS# 7789-41-5.
H-12.116 Calcium Chloride CAS# 10043-53-4.
H-12.119 Chlorine CAS# 7782-50-5.
H-12.130 Diisopropanolamine LFG90 Hand cleaning gel. CAS# 110-97-4.
H-12.132 Ethane CAS# 74-84-0.
H-12.133 Ethanol CAS# 64-17-5.
H-12.136 Ethylene CAS# 74-85-1.
H-12.141 Gluteraldehyde Cleaning agent. CAS# 111-30-8
H-12.142 Hexane CAS# 110-54-3 (Chem-SBP containing n-hexane >5%).
H-12.143 Hydrogen CAS# 1333-74-0.
Hydrogen Chloride
H-12.144 CAS# 7647-01-0.
(Hydrochloric Acid)
Hydrogen Fluoride
H-12.145 CAS# 7664-39-3.
(Hydroflouric Acid)
H-12.146 Hydrogen Sulphide CAS# 7783-06-4.
H-12.153 Mercury CAS# 7439-97-6.

Revision: 1.0

H-12.154 Methanol CAS# 67-56-1.
H-12.163 Nitric Acid CAS# 7697-37-2.
H-12.170 Phosphoric Acid CAS# 7664-38-2.
H-12-176 Propane CAS# 74-98-6.
H-12.180 Sodium Hydroxide CAS# 1310-73-2.
H-12.182 Sodium Hypochlorite Disinfecting agent (e.g. bleach), CAS# 7681-52-9.
H-12.183 Sulphur 7704-34-9.
H-12.184 Sulphuric acid CAS# 7664-93-9.
Note: If required a detailed Level 3 Hazard listing is
H-13 Biological provided in EP Guideline Explanatory Text to the Hazard
Inventory [2].
H-13.001 Plants Ivy, deadly nightshade, fungi.
H-13.002 Animals & Reptiles Dogs, cats, wild animals, snakes, rats.
Insects, Spiders, Scorpions,
H-13.003 Arthropods insects, spiders, scorpions, stinging bees.
Bees
Contaminated food, water. Includes WHO A15-A19; A20-28;
H-13.004 Bacteria
A30-49; A50-A64; A65-69; A70-74.
Protozoa, Mycoses and other
Includes WHO Classification A00 to A09; A75-79; B35-49;
H-13.005 Parasitical Diseases (includes
B50-64; B65-83; B85-89; B90-94; B99.
'other')
H-13.006 Virus Contaminated blood, blood products and other body fluids.
H-13.007 Fungal Growths Metal working fluids containing fungal growth.
Choices relating to smoking, alcohol / drug use, diet,
H-13.008 Lifestyle Factors
physical exercise, sexual behaviours.
H-14 Ergonomic
Awkward, difficult or uncomfortable working conditions,
H-14.001 Workspace
inadequate lighting, noise, etc.
Lack of knowledge or unrealistic expectations about the
physical abilities of the workforce (e.g. differences between
H-14.002 Physically Demanding Task
males and females in reach, strength, endurance), medical
unfitness.
Inability of the workforce to detect and comprehend the
feedback (visual and auditory) provided about
H-14.003 Human Machine Interface
machine/equipment identification and status during normal
and abnormal situations, thus leading to human error.
H-15 Psychological
Poor leadership, lack of clarity about organisational
objectives and structure, bureaucratic procedures;
formality of hierarchy, inability to talk openly to manager;
lack of support by colleagues, complex, new or unreliable
Organisation, Systems and
H-15.001 systems e.g. IT, inadequate tools to perform job,
Culture
information overload or under-communication, career
stagnation and uncertainty, under-promotion / over-
promotion, limited opportunities for learning or
development.

Revision: 1.0

Work overload/under load (boredom); lack of control over
work content or process; frequent deadlines; unclear or
conflicting roles and responsibilities; poor work/life
H-15.002 Job Demands
balance; Lack of training; travel requirements; badly
designed shift patterns and rosters; long or unpredictable
hours.
Frequent changes to organization and/or job; tele-working,
virtual teams; outsourcing and globalisation; introduction of
H-15.003 Experience of Change new systems; poor management and communication; not
understanding changing priorities; job insecurity;
expatriation and repatriation.
Poorly understood reward policies; perceived inequity;
mismatch of individual expectations; lack of
H-15.004 Reward and Recognition transparency/communication in assessment and reward
process; poorly managed performance management process;
poor status, pay and conditions.
Discrimination, bullying and harassment; lack of
inclusiveness and isolation; problems working with people
H-15.005 Diversity & Inclusiveness
from different cultures and backgrounds; interpersonal
issues with manager and/or colleagues.
Concern about personal liability resulting from actions;
difficulties in delivering due to legal constraints; fear of
H-15.006 Litigation & Liability prosecution; unpredictability of legal process; length of
legal processes involving the individual e.g. as witness in a
tribunal or court case.
Witnessing or being involved in a serious incident; natural
H-15.007 Critical Incidents at Work
disasters and terrorist attacks; travel fears and incidents.
Physical and mental health issues; substance abuse and
Personal Issues External to recovery; conflicting demands of work and home; domestic
H-15.008
Work issues involving family; lack of social support; care of
dependants; financial issues; housing and travel.
H-16 Security
War, Armed Insurrection, Insurgent Groups against legal
H-16.001 Armed Conflict
governments.
Unprovoked violent attacks against general public,
H-16.002 Terrorism
authorities.
H-16.003 Violent Crime Assault, violence against an individual.
Large scale criminal manipulation of Company operations,
H-16.004 Organised Crime
extortion, kidnap, piracy, Mafia, white collar, cyber hacker.
Pressure Groups, Single Issue Zealots, violet or threatening
H-16.005 Militant Activism
protests against Company, people, assets.
Breakdown of social order, riots, lawlessness, absence of
H-16.006 Civil Unrest
government authority.
Deliberate, targeted espionage and loss of commercially
sensitive information, documents, plans, financials,
H-16.007 Theft of Sensitive Information
telephone conversations, email loss, senior management
itineries.
Note: If required an example of a more detailed Level 3
H-17 Environmental Aspects1 Hazard listing is provided in EP Guideline Explanatory Text
to the Hazard Inventory [2].
Consumption of materials, water, land, raw materials, air,
H-17.001 Resource Use energy, steam, process chemicals, Habitat removal,
ecological degradation.

Revision: 1.0

Produced Water. Regular drainage of liquids including
sewage systems (grey/black water), water outfalls, &
H-17.002 Discharge to Water
overflows to surface waters; seepage of liquids to
groundwater.
Waste disposal including domestic, industrial (inc. Pig trash,
H-17.003 Discharge to Land oil based tank sludges, medical & hazardous chemicals, used
engine oils etc).
Discharge of chemicals to air (deluge systems), venting,
H-17.004 Emissions to Air fugitive emissions, flare stacks, exhaust, dusts, particulates,
smoke (normal and abnormal operations).
H-18 Social Performance
Supply chain management, local purchasing, employment
H-18.001 Procurement Philosophy
and labour.
Revenue transparency and revenue streams, equity, socio-
H-18.002 Revenue Streams
economic changes, corruption.
Land right entitlement, resettlement, loss/change of
H-18.003 Land Take
livelihood.
Change in make up of population, boom-bust, social
Temporary Project (e.g.
H-18.004 services, large workforces, disturbance impacts,
construction)
archaeological sites or artefacts, cultural and sacred sites.
Changes in power relations, community decision-making
structures and skills, high expectations, vulnerable groups,
H-18.005 (Lack of) Engagement
conflict, human rights, perceived health and environmental
impacts.
High prices paid for local commodities, use of local labour
H-18.006 Conflicting Use for Resources and talent, use of local accommodation, transportation, and
infrastructure.
H-99 Emergency response
H-99.000 Emergency Response Response to any emergency

Revision: 1.0
Appendix 4 Example Hazard and Effects Register
Appendix 7 Appendix 10 Appendix 12

Appendix 6 Risk
Acti Top
Appendix Haz
5 Appendix 11 Ranking Appendix 13
v Appendix 8 E
Ha a Appendix 9Controls Consequen Recovery
i Threats v
r ce Measures
t e Appendix
Appendix
Appendix
21 Appendix
22 23 24
d
y nt P E A R
Appendix 26
Appendix 27Appendix 28Appendix 29 Appendix 30 Programme of Appendix 34 Appendix 35 L Appendix
Appendix
36
Appendix
37
Appendix
1. 38Oil 39
spill
H- Crud Loa Integrity equipment inspections: Oil ocalised - C C C contingency
e d Fail Floating Hose daily S environm 2. Pollution control
i ure: Underwater hose- 6 mths pil ental capability
o n hos SBM topsides- daily l impact 3. Radio controlled
i g e, ESD from vessel
Submarine pipeline- 5 yearly
l flan 4. 3 yearly MOSAG
ge, Pipeline pigging -5 yearly oil spill audit
C
u r pipin Appendix 31 Corrosion protection:
n u g. Impressed current Anodes
d d
e e Appendix 32 Replacement:
r Change-out equipment on a time &
a condition basis
p t
r
e t
s h
s e
u
r S
e B
M

Revision: 1.0
Appendix 7 Appendix 10 Appendix 12

Appendix 6 Risk
Acti Top
Appendix Haz
5 Appendix 11 Ranking Appendix 13
v Appendix 8 E
Ha a Appendix 9Controls Consequen Recovery
i Threats v
r ce Measures
t e Appendix
Appendix
Appendix
21 Appendix
22 23 24
d
y nt P E A R
Appendix 40
Appendix 41Appendix 42Appendix 43 Ships Anchors lashed & checked Appendix 44 Appendix 45 L Appendix
Appendix
46
Appendix
47
Appendix
1. 48SBM/
49PL
Anchor Restricted area defined Dama ocalised - C B C redundancy
Han Pipeline route area under ge environm 2. OSR capability
dling observation d ental 3. Continuous diving
Pi impact capability
pe
lin
e
Appendix 50
Appendix 51Appendix 52Appendix 531. Engine use procedure Appendix 54 Appendix 55 L Appendix
Appendix
56
Appendix
57
Appendix
1. 58Spare
59 SBM
Vessel 2. Focsle watchkeeper Dama ocalised - C B C 2. SBM Redundancy
colli 3. Tug assistance available ge environm 3. Critical SBM
sion d ental spares available
with S impact
SB B
M M

Revision: 1.0
Appendix 60 Safety Critical Elements Categories

Appendix 61 Those SCEs in the SCE Management Manual relevant only to
offshore facilities have been omitted.
APPENDIX 62 APPENDIX 64
SCE SCE
C APPENDIX 63 SCE C APPENDIX 65 SCE
O DESCRIPTION O DESCRIPTION
D D
E E
Appendix 66Appendix 67 Found Appendix 68Appendix 69 Firewater
SI001 ation Structures PS00 Pumps
4
Appendix 70Appendix 71 Topsi Appendix 72Appendix 73 Firewater
SI002 des & Surface PS00 Ringmain
Structures 5
Appendix 74Appendix 75 Mech Appendix 76Appendix 77 Passive
SI003 anical Handling PS00 Fire Protection
Equipment 6
Appendix 78Appendix 79 Road Appendix 80Appendix 81 Gaseous
SI005 Vehicles PS00 Fire Protection Systems
7
Appendix 82Appendix 83 Drillin Appendix 84Appendix 85 Fine
SI008 g Systems PS00 Water Spray Systems
8
Appendix 86Appendix 87 Press Appendix 88Appendix 89 Sprinkler
PC00 ure Vessels PS00 Systems
1 9
Appendix 90Appendix 91 Heat Appendix 92Appendix 93 Power
PC00 Exchangers PS01 Management Systems
2 0
Appendix 94Appendix 95 Rotati Appendix 96Appendix 97 Fixed
PC00 ng Equipment PS01 Foam Systems
3 1
Appendix 98Appendix 99 Onsh Appendix 100
Appendix 101 Sand
PC00 ore Tanks PS01 Filters
4 2
Appendix 102
Appendix 103 Piping Appendix 104
Appendix 105 Chemical
PC00 Systems PS01 Injection Systems
5 3
Appendix 106
Appendix 107 Pipeli Appendix 108
Appendix 109 ESD
PC00 nes SD00 Systems
6 1
Appendix 110Appendix 111 Relief Appendix 112Appendix 113 Depressu
PC00 Systems SD00 risation Systems
7 2
Appendix 114Appendix 115 Well Appendix 116Appendix 117 HIPPS
PC00 Containment SD00 Systems
8 3
Appendix 118Appendix 119 Fired Appendix 120
Appendix 121 Operation
PC00 Heaters SD00 al Well Isolation
9 4
Revision: 1.0
APPENDIX 62 APPENDIX 64
SCE SCE
C APPENDIX 63 SCE C APPENDIX 65 SCE
O DESCRIPTION O DESCRIPTION
D D
E E
Appendix 122
Appendix 123 Hazar Appendix 124
Appendix 125 Pipeline
IC001 dous Area Ventilation SD00 Isolation Valves
5
Appendix 126
Appendix 127 Non- Appendix 128
Appendix 129 Process
IC002 Hazardous Area SD00 ESDVs
Ventilation 6
Appendix 130
Appendix 131 Certifi Appendix 132
Appendix 133 Drilling
IC003 ed Electrical SD00 Well Control
Equipment 8
Appendix 134
Appendix 135 Earth Appendix 136
Appendix 137 Utility Air
IC005 Bonding SD00
9
Appendix 138
Appendix 139 Fuel Appendix 140
Appendix 141 Temporar
IC006 Gas Purge Systems ER00 y Refuge/Muster Areas
1
Appendix 142
Appendix 143 Inert Appendix 144
Appendix 145 Escape &
IC007 Gas Blanket Systems ER00 Evacuation Routes
2
Appendix 146
Appendix 147 Miscel Appendix 148
Appendix 149 Emergen
IC008 laneous Ignition ER00 cy/ Escape Lighting
Control Components 3
Appendix 150
Appendix 151 Flare Appendix 152
Appendix 153 Communi
IC009 Tip Ignition Systems ER00 cations Systems
4
Appendix 154
Appendix 155 Fire & Appendix 156
Appendix 157 Uninterru
DS00 Gas Detection ER00 ptible Power Supply
1 Systems 5
Appendix 158
Appendix 159 Securi Appendix 160
Appendix 161 Emergen
DS00 ty Systems ER00 cy Power
2 7
Appendix 162
Appendix 163 Water Appendix 164
Appendix 165 Drain
DS00 in Condensate (gas ER01 Systems
3 dew point) 0
Measurement
Appendix 166
Appendix 167 Delug Appendix 168
Appendix 169 Personal
PS00 e Systems LS00 Survival Equipment (PSE)
1 1 Drain Systems
Appendix 170
Appendix 171 Fire Appendix 172
Appendix 173
PS00 and Explosion -
2 Protection

Revision: 1.0
Appendix 174 Example Safety Critical Elements Register
Appendix 177
Appendix 178
Appendix 179
Appendix 180
Appendix 181
Appendix 182
Appendix 183
Appendix 184
Appendix 185
Appendix 186
Appendix 187
H-01.005d
H-01.003b
H-01.003d
H-01.005b
H-01.003a
H-01.003c
H-01.005a
H-01.005c
H-04.002
H-10.016
H-99.001
APPENDIX 175
APPENDIX 176 S
SCE AFETY
GRO CRITICAL
UP ELEMENT
Appendix 188 Appendix 189 P

AppendixAppendix
190 AppendixAppendix
191 192 193 AppendixAppendix
Appendix 194 195 196 AppendixAppendix
Appendix 197 198 199
Appendix 200
Process C001 Pressure
- - - - - -
Cont Vessels
ainm
ent Appendix 202 P
AppendixAppendix
203 204
Appendix 205
Appendix 206 AppendixAppendix
C002 Heat
- - - - - - - -
Exchangers
Appendix 215 P
AppendixAppendix
216 217
Appendix 218
Appendix 226
C003 Rotating
- - - - - - -
Equipment
Appendix 228 P Appendix 229

Appendix 230
Appendix 231
Appendix 232
Appendix 233
Appendix 238
Appendix 239
C004 Tanks - - - - - - - - - -
Appendix 241 P AppendixAppendix

242 243
Appendix 244
Appendix 252
C005 Piping - - - - - - -
Systems

Revision: 1.0
Appendix 177
Appendix 178
Appendix 179
Appendix 180
Appendix 181
Appendix 182
Appendix 183
Appendix 184
Appendix 185
Appendix 186
Appendix 187
H-01.005d
H-01.003b
H-01.003d
H-01.005b
H-01.003a
H-01.003c
H-01.005a
H-01.005c
H-04.002
H-10.016
H-99.001
APPENDIX 175
APPENDIX 176 S
SCE AFETY
GRO CRITICAL
UP ELEMENT
Appendix 254 P AppendixAppendix

Appendix 258
C006 Pipelines - - - - - - - -
Appendix 267 P
AppendixAppendix
268 269
Appendix 270
Appendix 272 273 AppendixAppendix
274 275 Appendix
276 277
Appendix 278
C007 Relief
- - - - -
System
Appendix 280 P
Appendix 281
Appendix 282
Appendix 287
Appendix 288
Appendix 289
Appendix 290
Appendix 291
C008 Well
- - - - - - - - - -
Containment
Appendix 292

Revision: 1.0
Appendix 293 Example Design Performance Standard

Appendix 294 B Appendix 297 Me
ARRIER Appendix 295 PROCESS CONTAINMENT Appendix 296 Assigned TA chanical
REFERENCE Static
Appendix 298 S
Appendix 299 PC001 Pressure Vessels Appendix 300 Review # Appendix 301
CE GROUP
Appendix 302 S
Appendix 303 To maintain integrity of the pressure envelope Appendix 304 Date Appendix 305
CE GOAL
Appendix 306
Functi
Appendix 307
o Appendix 310 Ve
Functional Appendix 308 Performance criteria Appendix 309 Assurance
n rification
Criteria
N
o.
Appendix 311Appendix 312 Appendix 313 1.1 Pressure Vessel External Inspection Appendix 315 These should be Appendix 323 Re
1 To maintain tasks/activities in a scheduled view flare
the Appendix 314 There shall be no unacceptable flaws in the Pressure Vessel as defined within assurance event specified in a relief and
pressur the Inspection Management Process. Company process/procedure.** blowdown
e * There shall be no unacceptable cracks in the vessel or supports. study and
envelop * There shall be no unacceptable corrosion in the vessel, flanges, bolting and supports Appendix 316 Approved Flare Relief 10% sample
e for * There shall be no unacceptable visible damage (gouges, dents, deformations, arc strikes) and blowdown Study. review of
conditio to vessel or supports. relief device
Appendix 317 Approved/checked
ns calculations for relief devices. calculations,
within specifications
design Appendix 318 Approved specification , vendor data
basis and data sheets. sheets and
supplier
Appendix 319 HAZOP review. quality field
Appendix 320 PCAP/DCAF Driven inspection
reports to
Appendix 321 TIVP/AIPSM Driven check that
performance
Appendix 322 OE/Flawless Driven criteria has
been
achieved.

Revision: 1.0
Appendix 326 1.2 Pressure Vessel Internal Inspection Appendix 327 These should be
There shall be no unacceptable internal flaws in the Pressure Vessel as defined within the tasks/activities in a scheduled
Inspection Management Process. assurance event specified in a
* There shall be no unacceptable cracks in the vessel. Company process/procedure.**
* There shall be no unacceptable corrosion inside the vessel. Appendix 331
* There shall be no unacceptable visible damage (gouges, dents, deformations, arc strikes) Appendix 328 PCAP/DCAF Driven
to vessel. Appendix 329 TIVP/AIPSM Driven
Appendix 330 OE/Flawless Driven
Appendix 334 1.3 Key Documents Appendix 335 These should be

The latest piping and instrument drawing(s) on which the pressure vessel appears shall tasks/activities in a scheduled
accurately represent the vessel configuration and design conditions. assurance event specified in a
Company process/procedure.**
Appendix 339
Appendix 336 PCAP/DCAF Driven
Appendix 337 TIVP/AIPSM Driven
Appendix 342 1.4 Wall Thickness Appendix 343 These should be

tasks/activities in a scheduled
There shall be no Pressure Vessel with a wall thickness less than its design. assurance event specified in a
Appendix 347
Appendix 350 1.5 Attachments Appendix 351 These should be

No bolting is missing or loose. tasks/activities in a scheduled
No valves or instruments are loose or damaged. assurance event specified in a
Appendix 355

Revision: 1.0
Appendix 358 2.1 Loss of containment Appendix 359 These should be

Appendix 357
There shall be no unacceptable leaks, weeps or seeps from the main body of the vessel tasks/activities in a scheduled
To prevent a
nozzles, or mechanical connectors onto the vessel. assurance event specified in a
release
Appendix 356 of
Appendix 363
2 hazardo Appendix 360 PCAP/DCAF Driven
us
material Appendix 361 TIVP/AIPSM Driven
s
Appendix 364 RELIABILITY / AVAILABILITY
Appendix 365
Functi
Appendix 366 Sys
o Appendix 369 Ve
tem /Sub Appendix 367 Performance criteria Appendix 368 Basis and Assurance
n rification
System
N
o.
Appendix 373 These should be

assurance event specified in a
Appendix 370 Appendix 371 Appendix 372 Appendix 377
Appendix 378 SURVIVABILITY
Appendix 379
Functi
o Appendix 380 Haz Appendix 383 Ve
Appendix 381 Performance criteria Appendix 382 Basis and Assurance
n ardous Event rification
N
o.
Appendix 384 Appendix 385 Appendix 386 Appendix 387 These should be Appendix 391
assurance event specified in a

Revision: 1.0
Appendix 392
Appendix 393

Revision: 1.0
Appendix 394 Example Operations Performance Standard (EP 2009-9009, Ref. 10)
Appendix 395
Appendix 396

Revision: 1.0
Appendix 397 Example of Implementation Table

Appendix 398 The table below provides guidance on interpreting the HSE Critical
Task implementation tables. This framework has been developed to set out the HSE
Critical Task implementation tables in a consistent and user-friendly format.
Appendix 399 Table 16- 7: Implementation Table Guidance
APPENDIX 400 APPENDIX 401 DESCRIPTION
TITLE
Appendix 402 Appendix 403 HSE Critical Task reference number as
Task ref. developed in BowTieXP software in accordance with PDO
activity model:
Project Engineering (e.g. 1.01)
Technical Integrity Management (e.g. 2.01)
Occupational Health (e.g. 3.01)
Operate Surface Assets (e.g. 4.01)
Communication (e.g. 5.01)
Organisation (e.g. 6.01)
Competence Assurance (e.g. 7.01)
Appendix 404 Appendix 405 Bow-Tie diagram/s on which activity
Bow-Ties appears e.g. H-01.001.
Appendix 406 Appendix 407 Threat or consequence line/s on which
Threats/Conseque HSE Critical Task appears e.g. internal corrosion, ignited
nces release
Appendix 408 Appendix 409 HSE Critical Activity (yellow barriers) for
HSE Critical which HSE Critical Task is carried out to ensure barrier is in
Activities place and functional.
Appendix 410 Appendix 411 Brief description of HSE Critical Task
Task Description
Appendix 412 Appendix 413 Supporting documentation for HSE Critical
Documentation Task
Appendix 414 Appendix 415 Document/audit control to provide
Verification assurance HSE Critical Task has been carried out.

Revision: 1.0
Table 16- 8: Example Implementation Table

3.1.1.South Operations Manager (OSO)
Task Threats/ HSE Critical Activities (Bow-
Bow-Ties Task Description Documentation Verification
Ref. Consequences Tie Barriers)
4.29 Implement company consequence management Plant Operations Manual Disciplinary reports
procedure for non compliance
H-01.003a Human error Consequence management PR-1029 Competence
H-01.003b (disciplinary procedures) for Assurance and
H-01.003c non-compliance Assessment
H-01.003d
H-01.005a
H-01.005b
H-01.005c
H-01.005d
H-04.002
H-10.016
4.49 Ensure asset security plan appropriate for CP-126 Personnel and Asset Security Plan
location risks is established and implemented. Asset Security
H-01.003a Sabotage/ 3rd party Asset Security Plan This should include dialogue and interface with
H-01.003b interference ROP presence the ROP. PL-10 Security &
H-01.003c Emergency Response
H-01.005a Policy
H-01.005b
H-01.005c
H-01.005d
H-10.016
6.03 Ensure the Manpower model is implemented for GU-4884 Planning and Manpower report
Nimr operations Scheduling Guidelines
H-01.003a Lack of manpower/ Man Power Model/ERROS -
H-01.003b resources Estimated Resources
H-01.003c Required on Site
H-01.003d
H-01.005b
H-01.005c
H-01.005d
H-10.016

Revision: 1.0
Appendix 416 MOPO

The team to develop or review the MOPO shall consist of operations, maintenance, HSE and
management personnel who are familiar with the operation of, and the activities required, at the
facility/asset.
The team shall be lead by an experienced facilitator and shall:
Identify Threats and Escalation Factors in the Bow-ties that could compromise safe operating
limits.
Identify other operations and activities that could compromise safe operating limits.
Develop the MOPO under the appropriate headings of SIMOPs, External Influences and
Inactive SCE
Identify the stops and proceed with cautions using the red/amber traffic light system.
Provide supporting guidance notes for the proceed with cautions that will assist Supervisors
etc if/when the situation arises.
Collectively review the matrices and ensure they reflect current practise and give clear
guidance for action to be taken under the specific circumstances.
A number of assumptions are used in the template MOPO:

The SIMOPs MOPO shall assume that two or more major activities, e.g. production, drilling,
are simultaneously being performed in the same location/area.
The Impaired SCE MOPO shall assume that the operation is in the vicinity of, or within the
area affected by, the impaired SCE.
The Impaired SCE MOPO shall define the minimum level failure mode assessed as having an
impact on one or more of the high level activities/operations. Failure modes below this level
shall be subject to risk assessment and remedial action in accordance with EP2009-9009.
When SCEs are in test mode, alternative controls shall be put in place to ensure that their
functionality is provided. Testing of these systems is not generally considered impairment for
purposes of this MOPO.
In case multiple barriers are unavailable/impaired, the combined effect of the simultaneous
failure on the activities shall be subject to risk assessment.
Additional controls required as indicated in the MOPOs (coloured amber) shall be listed. Wok shall
only be carried out under the formal control of the Permit to Work (PTW) system, including component
elements such as plant isolation certificates, vessel entry certificates, hot work permits, etc. All
applicable procedures and work instructions relating to the work to be undertaken shall be complied
with.
In certain cases, the specific operation is not directly impacted by the barrier that is impaired, but
consideration shall be given to proceeding with non-essential work that could increase the risk.
Where necessary, the requirement for undertaking risk assessment shall be noted. Measures shall be
taken to maintains risks at ALARP and the effectiveness of the measures shall be verified. All actions
involving bypassing the safeguarding systems shall be authorised by the Production Delivery Team
Leader who shallprepare individual procedures for all tasks not covered by existing procedures and
consult relevant discipline technical authority.
Examples of the three MOPOs (Adverse Weather, SIMOPs, and SCE Impairment) follow. These shall
be used as guidance for construction of a new MOPO or for review of an existing MOPO. The notes
within the MOPO are intended to support rather than supersede the specific risk assessments
required, particularly for SCE Impairment where FSR and CMPT processes shall be applied. For a
MOPO to be effective it must provide clear concise information to the Operator of immediate action to
be taken under the specified conditions, e.g. if working at height is ongoing and wind speed increases,
he needs to be able to quickly see when to stop the activity in question.

Revision: 1.0
MOPO NOTES TO ACCOMPANY THE EXAMPLE MOPOs

NO. REQUIREMENT
1 Operation specific. Subject to well engineering procedures; refer to WECO HSE case.
2 Loading and unloading pigs not permitted in adverse weather conditions.
3 Subject to task-based risk assessment.
4 Subject to appropriate risk assessment and PDO Journey Management Procedures.
5 Continued work subject to heat stress evaluation. Schedule work during cooler part of day. Provide forced
ventilation, shaded areas and cold water (not iced). Summer working hours and extended lunch breaks apply.
6 Simultaneous drilling and production operations permitted subject to compliance with minimum separation
distances between live wells and flowlines and drilling operations in accordance with WECO HSE Case.
Simultaneous drilling and production operations not permitted inside separation distances.
7 Permitted subject to pigging procedures (maximum flow rate for pigging operations).
8 Grit blasting/jet washing not permitted on live systems.
9 Venting permitted outside the sterile area only.
10 Permitted subject to risk assessment with specified controls or mitigation in place.
MOPO ADVERSE WEATHER CONDITIONS

ADVERSE WEATHER CONDITION
HEAVY SHAMAL
VISIBILITYHEAVY MIST -
FLOODINGHEAVY RAIN -
HIGH AMBIENT
WIND >20 KTS
SEVERELY
SEVERELY
TEMP >50 C
VISIBILITY
NIGHT TIME
LIGHTNING
REDUCED
REDUCED
WORKING
& WADI
ACTIVITY/OPERATION
Drilling 1 1 1 1 1 1 1

Revision: 1.0
MOPO SIMOPs
ACTIVITIESHIGH NOISE GENERATING
MAINTENANCENON-BREACHING
JETGRIT BLASTING / HP WATER
OPERATIONSFORK LIFT TRUCK

PLOTVEHICLE MOVEMENT OFF-
OPERATE WELLS/FLOWLINES
DRAINING TO OPEN SYSTEMS

GRADINGROAD MAINTENANCE/
STARTUP)BFW HEATER STARTUP (PLANT
STARTUP)HRSG STARTUP (PLANT
START-UPSTEAM DISTRIBUTION PLANT
VEHICLE MOVEMENT ON-PLOT
STRUCTURESWORKING ON TALL
TRUCKCHEMICAL DISPOSAL BY VAC

LIFTING/CRANE OPERATIONS
OIL & GAS PLANT START-UP
CONSTRUCTION ACTIVITIES
OPERATE OIL & GAS PLANT
BREACHING MAINTENANCE
PGC/PLANT UNIT START-UP
CONFINED SPACE ENTRY

OPERATE STEAM PLANT
EXCAVATION ACTIVITIES
CLASS B PERMIT WORK

CLASS A PERMIT WORK
CHEMICAL UNLOADING
WORKING OUTDOORS
N2/HE LEAK TESTING
OPERATE PIPELINES
QA MPS OPERATION
ZONE 1 AREA WORK
ZONE 2 AREA WORK

PIGGING (FUTURE)
WORK AT HEIGHT
APO OPERATION
WELL SERVICES
LOCAL VENTING
GT OPERATION
RADIOGRAPHY
HRSG ENTRY
SAMPLING
DRILLING
FLARING
ACTIVITY/OPERATION
Drilling
Well Services 6
Operate Wells/Flowlines 6 6
Operate Pipelines Y Y Y
Pigging (future) Y Y Y 7
QA MPS Operation Y Y Y Y Y
GT operation Y Y Y Y Y Y
BFW Heater Startup (plant
Y Y Y Y Y Y Y
startup)
HRSG Startup (plant
Y Y Y Y Y Y Y Y
startup)
Steam Distribution Plant
Y Y Y Y Y Y Y Y Y
start-up
Oil & Gas Plant start-up Y Y Y Y Y Y Y Y Y Y
PGC/Plant unit Startup Y Y Y Y Y Y Y Y Y Y Y
Operate Steam Plant Y Y Y Y Y Y Y Y Y Y Y Y
Operate Oil & Gas Plant Y Y Y Y Y Y Y Y Y Y Y Y Y
APO Operation Y Y Y Y Y Y Y Y Y Y Y Y Y Y
N2/He Leak Testing Y Y Y N N Y Y N N N N N N N N
Working Outdoors Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
Sampling Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N Y
Radiography Y Y Y Y Y Y Y N N N N N Y Y Y N N N
Vehicle Movement on-plot Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N Y N N
Vehicle Movement off-plot Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N Y Y
Road Maintenance/
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
Grading
Grit Blasting / HP Water
Y Y 8 8 8 Y Y N N N N N 8 8 8 N N N N N N Y
Jet
Lifting/Crane Operations Y Y N N Y Y Y N N N N N Y Y Y N N N N N N Y N
Fork Lift Truck Operations Y Y Y Y Y Y Y N N N N N Y Y Y N Y Y N Y Y Y N N
High Noise Generating
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N Y Y Y Y Y Y Y Y Y
Activities
Excavation Activities Y Y Y Y Y Y Y N N N N N Y Y Y N Y Y N Y Y Y N N N Y
Work at Height (outside
Y Y Y Y Y Y Y N N N N N Y Y Y N Y Y N Y Y Y N N Y Y Y
permanent structures)
Working on Tall Structures Y Y Y Y Y Y Y N N N N N Y Y Y N Y Y N Y Y Y N N Y Y Y Y
Zone 1 Area Work Y Y 3 3 3 Y Y N N N N N 3 3 3 N Y Y N N N N N N N Y N N N
Zone 2 Area Work Y Y Y Y Y Y Y N N N N N Y Y Y N Y Y N Y Y Y N N Y Y Y Y Y N
Breaching Maintenance Y Y N N N Y Y N N N N N Y Y Y N Y Y N N N N N N N Y N N N N N
Non-Breaching
Y Y Y Y Y Y Y N N N N N Y Y Y N Y Y N Y Y Y N N Y Y Y Y Y N Y N
Maintenance
Class A Permit Work Y Y 3 3 3 Y Y N N N N N 3 3 3 N Y 3 N Y Y Y N N Y Y Y Y Y N Y N N
Class B Permit Work Y Y Y Y 3 Y Y N N N N N Y Y Y N Y Y N Y Y Y N N Y Y Y Y Y N Y N Y Y
HRSG entry Y Y Y Y Y Y N N N N N N Y Y Y N Y Y N Y Y Y N N Y N Y Y Y N Y N Y Y Y
Confined Space Entry Y Y Y Y Y Y Y N N N N N Y Y Y N Y Y N Y Y Y N N Y N Y Y Y N Y N Y Y Y Y
Flaring Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N N N Y Y Y Y Y Y Y
Local Venting Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N N Y N N N N N N N Y N N N N N N N N N N N 9
Draining to open systems Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N N Y N N N N N N N Y N N N N N N N N N N N Y Y
Chemical unloading Y Y Y Y Y Y Y N N N N Y Y Y Y N Y Y N Y Y Y N N Y Y N N N N N N N N N Y N Y N N
Chemical Disposal by Vac
Y Y Y Y Y Y Y N N N N Y Y Y Y N Y Y N Y Y Y N N Y Y N Y Y N N N N N N Y N Y N N N
Truck
Construction Activities Y Y Y Y Y Y Y N N N N Y Y Y Y N Y Y N Y Y Y N N Y Y Y Y Y N Y N Y N Y Y Y Y N N N N

Revision: 1.0
MOPO SCE & CRITICAL MANPOWER IMPAIRMENT/UNAVAILABILITY

ACTIVITY/OPERATION
(SAMPLING,VENTING,DRAININBREAKING HC-CONTAINMENT
LIFTING AND HOISTING OVER
UNLOADING ROAD TRANSPORT, ROAD

(MAINTENANCE, INSPECTION,
PRESSURE/LEAK TESTING
CONFINED SAPCE ENTRY

START-UP EQUIPMENT /
OPERATE EQUIPMENT /
TANKERS, LOADING/
GENERAL ACTIVITIES
(INCLUDING HRSG)
OPERATE FACILTY
START-UP PLANT
OPERATE PLANT
HC EQUIPMENT
HOT WORK
SYSTEM
SYSTEM
PAINTING, COLD WORK)

IMPAIRED/UNAVAILABLE SCE
SCE GROUP SCE FAILURE MODE
SI002 Civil Observed or detected N 10 N 10 10 10 10 10 10 10 10 10
Structures / structural defect resulting
G)
Structural Support in increased risk of MAH
SI003 Heavy lift Observed or detected Y Y Y Y Y N Y Y Y Y Y Y
cranes and structural/mechanical
mechanical defect resulting in
handling increased risk of MAH
due to dropped load
PC001 - PC006 Uncontrolled release of N N N 10 10 N N N N N N N
Process process fluids resulting in
Containment increased risk of MAH
PC007 Relief Unavailability of relief at N 10 N 10 Y 10 10 10 10 10 10 10
System design flow rate resulting
in increased risk of MAH
due to overpressure
PC008 Uncontrolled release of N Y N Y Y 10 10 10 10 10 10 10
Operational Well well fluid resulting in
Containment increased risk of MAH
PC009 Fired Unavailability of N Y N Y Y Y Y Y Y Y Y Y
Heaters (Burner BMS/IPS resulting in
Management increased risk of MAH
System)
IC003 Certified Certified electrical N 10 N 10 Y Y Y Y 10 Y 10 Y
Electrical equipment fails to meet
Equipment PS requirement resulting
in increased risk of
ignition
IC005 Earth Earth bonding fails to N Y 10 Y Y Y Y Y 10 Y N Y
Bonding meet PS requirement
resulting in increased
risk of ignition
IC006 Fuel Gas Inability to provide N N N 10 Y Y Y Y Y Y Y Y
Purge required fuel gas purge
flow to flare header
resulting in air ingress to
flare
IC007 Gas Total loss of gas blanket N N N N Y Y Y Y Y 10 Y Y
Blanket System - system resulting in
Total loss increased risk of ignition
IC007 Gas Inability to provide N 10 N 10 Y Y Y Y Y 10 Y Y
Blanket System - required gas blanket flow
Loss to individual individual equipment
equipment resulting in increased
risk of ignition
IC009 Flare Loss of primary & N N 10 10 10 10 10 10 10 10 10 10
Ignition Control secondary flare ignition
System systems resulting in flare
out
DS001 Fire and Total loss of F&G N N N N 10 10 10 10 N N 10 10
Gas - Total loss detection system

Revision: 1.0
ACTIVITY/OPERATION


OPERATE EQUIPMENT /
TANKERS, LOADING/
GENERAL ACTIVITIES
(INCLUDING HRSG)
OPERATE FACILTY
START-UP PLANT
OPERATE PLANT
HC EQUIPMENT
HOT WORK
SYSTEM
SYSTEM

DS001 Fire and Loss of F&G detection N 10 10 10 Y 10 10 10 10 10 10 10
Gas - Local or end element resulting in
partial loss impaired local
functionality e.g. 2ooN in
voted system & 1ooN in
non-voted systems
G)
DS002 Security Loss of access control to 10 Y 10 Y Y Y Y Y Y Y Y Y
Systems facilities
PS013 Chemical Inability to provide 10 Y 10 Y Y Y Y Y Y Y Y Y
Injection System required chemical
injection flow
SD001 ESD Total loss of ESD system N N N N N 10 10 10 10 10 10 10
System - Total
loss
SD001 ESD Local or partial loss of N 10 10 10 10 10 10 10 10 10 10 10
System - Local or ESD system
partial loss
SD002 Total loss of EDP system N N N N N 10 10 10 10 10 10 10
Depressurisation
System - Total
loss
SD002 Local or partial loss of N 10 N 10 10 10 10 10 10 10 10 10
Depressurisation EDP system
System - Local or
partial loss
SD004 Inability to isolate steam N Y N Y Y 10 10 10 10 10 10 10
Operational Well injection well or annulus
Isolation resulting in potential
back flow of HC
SD006 Process Inability of ESD end N 10 10 10 10 10 10 10 10 10 10 10
ESDV element valve to
adequately isolate
processes resulting in
potential escalation of
MAH
ER001 Temp Primary muster area 10 10 10 10 10 10 10 10 10 10 10 10
Refuge/ Muster impaired
Areas
ER002 Escape/ Escape/ evacuation 10 10 10 10 10 10 10 10 10 10 10 10
Evacuation routes impaired
Routes
ER003 Emergency/ escape 10 10 10 10 10 10 10 10 10 10 10 10
Emergency/ Lighting impaired
Escape Lighting
ER004 Loss of GA N N 10 10 10 10 10 10 10 10 10 10
Communication communication system
Systems - Loss of
GA
ER004 Loss of ER N N 10 10 10 10 10 10 10 10 10 10
Communication communication system
Systems - Loss of including radios and
ER landlines
communications
ER005 Inability to provide N N 10 10 10 Y Y Y Y Y Y Y
Uninterrupted emergency power supply
Power Supply to essential systems
(UPS)

Revision: 1.0
ACTIVITY/OPERATION


OPERATE EQUIPMENT /
TANKERS, LOADING/
GENERAL ACTIVITIES
(INCLUDING HRSG)
OPERATE FACILTY
START-UP PLANT
OPERATE PLANT
HC EQUIPMENT
HOT WORK
SYSTEM
SYSTEM

ER010 Drains Inability to provide N 10 10 10 Y Y Y Y Y Y 10 Y
System secondary containment
for HC/chemicals spills
resulting in potential
escalation of MAH
LS001 Personal Personal H2S monitors N N 10 10 10 N N N N N N N
G)
Survival below minimum level or
Equipment - faulty
Personal monitors
LS001 Personal Portable BA Sets below N N 10 10 10 N N N N N N N
Survival minimum level or faulty
Equipment - (Escape Sets)
Escape sets
LS001 Personal Portable BA Sets below N N 10 10 10 N N N N N N N
Survival minimum level (SCBA &
Equipment - Rescue Sets)
Rescue BA sets
LS001 Personal Insufficient number or 10 Y 10 Y Y Y Y Y Y Y N Y
Survival inadequate type of
Equipment - Chemical PPE available
Chemical PPE
LS001 Personal Safety showers/eye 10 Y 10 Y Y Y Y Y Y Y N Y
Survival wash stations not
Equipment - available or inoperable
Safety
showers/eye wash
stations
CRITICAL MANPOWER
UNAVAILABILITY
HSE Critical Competent persons not N N 10 10 10 N N N N N N N
Position available to fill HSE
Critical Position
ER - Team Competent persons not N N 10 10 10 N N N N N N N
Members available to fill ER team
member position
ER - QA Fire QA fire brigade not 10 10 Y Y Y 10 10 10 10 10 10 10
Brigade available for extended
period
ER - First Aider Insufficient number of 10 10 Y Y Y 10 10 10 10 10 10 10
first aiders available on-
site
LECC Competent persons not N N 10 10 10 N N N N N N N
available to fill LECC
positions or LECC not
available

Revision: 1.0
Appendix 417 Operations HSE Case Change Approval

This appendix details the process for identifying, assessing and implementing changes to
Operations HSE Cases to ensure that the hazards and risks associated with Major Accident
Hazards (MAHs) are maintained as low as reasonably practicable (ALARP).
This procedure is mandatory for Operations HSE Cases in PDO but may also be used for
Design HSE Cases.
It is to be used by all parties who may be responsible for initiating a change that may have an
effect on the underlying assumptions or information presented in a HSE Case.
A suitable system to ensure that the Steps described in this procedure are followed is provided
by the proforma HSE Case Change Approval Form at the end of this Appendix
RACI Matrix
Roles & Responsibilities
Custodian
Engineer/ HSE Case
Authorities
Stakeholders
Action Parties
Originator
HSE Case
Technical
Custodian Technical Safety
Task
1. Identify Change C C A I R -
2. Assess Impact of Change and R C C I C I
Develop Workscope
3. Perform Workscope A C C C C R
4. Prepare HSE Case Changes R I A I I I
5. Review proposed HSE Case R C A C C I
Changes
6. Approve Changes R C A C I I
7. Publish Changes R I A I I I
(R) Responsible: The party responsible for executing the task and obtaining parties
involvement
(A) Accountable Party accountable for approval
(C) Consult Party responsible for contributing when consulted
(I) Informed Party informed of outcome
Role Responsibilities
Originator Identifies and summarises need for change(s)
Individual or group who identifies the Discusses potential change with MSE/4 Dept. to
need for change(s). This function determine whether it will affect the HSE Case or its
describes a variety of roles: underlying assumptions
- Asset (management, Identifies relevant Stakeholders, with advice from
supervision or operations); MSE/4 Dept.
- Workforce;
Contributes to preparing text change(s) as required
- Technical Authorities (TAs);
Reviewing and approval of proposed change(s)
- Discipline engineers;
- Contractors.

Revision: 1.0
Role Responsibilities
Technical Safety Engineer Assesses the impact of the change(s) on the HSE
Case and its underlying assumptions
Supports the HSE Case by providing management,
technical support, knowledge and authoring
Ensures appropriate description of the change(s) in
the HSE Case
Liaises with other TAs as appropriate
Once the change has been agreed, logs the
change in the HSE Case MOC register
Maintains an up to date version of the HSE Case
MOC register
Action Parties Advise on impact of change(s)
Provide information on actions required
Provide input to HSE Case update
HSE Case Custodian (Delivery Team Propose change(s) resulting from, for example,
Leader / Asset Representative) changes to the operation of the asset or other
changes raised by personnel associated with the
asset
Review change(s) as a Stakeholder
Contribute to text change(s) in the HSE Case
Check proposed change(s) and co-ordinating
workforce involvement
Ensure that the information contained in the HSE
Case reflects the current status of the asset and its
operating practices
Technical Authorities Propose change(s) resulting from, for example,
change(s) to the engineering or operation of the
Asset or other change(s) raised as a result of
issues in their discipline
Review change(s) as a Stakeholder
Contribute to text change(s) in the HSE Case
Check proposed change(s) and co-ordinating
involvement of other TAs
Stakeholder Provide specialist knowledge and expertise
A person or person(s) who may be called Review and approve text change(s) in the HSE
upon to contribute to/consult on the Case
assessment of change(s) required, or
who may need to be advised of the
potential change(s) to the HSE Case.
This function describes a variety of roles:
- Asset (management,
supervision or operations);
- Workforce;
- Technical Authorities (TAs);
- Discipline engineers;
- Contractors.

Revision: 1.0
HSE Case Change Approval Form

HSE Case Change Approval Form Ref.: GD/2008/01
Step 1: Identify Change

Asset/Facility: Yibal Originator: A N Other Date raised: 24/07/2010
Details of proposed change(s) (summary of the change(s) use continuation sheet if required):
Step 2: Assess Impact of Change(s) and Develop Workscope

Significant Justification:
Change?
(Yes/No)
Details of Stakeholder engagement:
Description of assessment and statement of required work activities:
Step 3: Perform Workscope (record the summary of outcomes for Step 3):
Step 4 & 5: HSE Case Changes (record summary of changes use continuation sheet if required for detailed changes):
Part: Section: Heading: Comments:
Immediate publication of change Justification

required? (Yes/No)
Step 6: Approve Changes (signatories as required)

a. Originator Name: Signature: Date
:
b. Technical Name: Signature: Date
Authority :
c. HSE Case Name: Signature: Date
Custodian :
d. Technical Name: Signature: Date
Safety :
Engineer
Step 7: Publish Change

Date Rev Name: Signature
Completed: Number:

Revision: 1.0
Step 1: Identify Change(s)

As soon as it is practicable, discuss the potential change(s) with the Asset Technical Safety
Engineer to determine whether the proposed change(s) will affect the HSE Case or its
underlying assumptions.
Any proposed changes (e.g. engineering, procedural, organisational) that have an impact
on the risk profile of the Facility or Activity, shall be managed in accordance with this
Procedure (including an ALARP Demonstration) and the HSE Case shall be updated
accordingly.
The possible changes that might affect the HSE Case and its underlying assumptions are
those listed in Section 13.
Step 2: Assess Impact of Change(s) and Develop Workscope

a) Determine whether the proposed changes(s) will affect the Case content or its
underlying assumptions. If it is agreed that there is no effect on the Case or its
supporting studies, no further action is required.
b) Where it is agreed by there is an effect on the Case, develop workscope with
relevant Stakeholders.
c) Ensure that the workscope includes review and update, as required, to:
i. HEMP Studies and ALARP justification;
ii. QRA Studies;
iii. Bow-Tie assessments;
iv. HSE Critical Element and Performance Standards;
v. HSE Critical Task listings.
d) Agree and record actions with originator, action parties and Stakeholders.
e) Summarise details of the HSE Case Change Approval Form
f) Logs the HSE Case change in the HSE Case MOC register. The register should
ensure that all changes to the HSE Case are grouped together for review and to
allow assessment of cumulative effects or risk.
Step 3: Perform Workscope

a) Perform agreed workscope as identified in 2b above.
b) Representatives from the current operational, engineering and maintenance teams,
and workforce involvement representatives shall actively participate in performing
the workscope as appropriate.
c) Review outcomes for actions to determine final impact.
d) Consult with Stakeholders on effect on HSE Case (where appropriate).
e) Complete change(s) to relevant supporting studies or other associated
documents/processes/drawings etc.
Step 4: Prepare HSE Case Change(s)

a) Prepare change(s) to HSE Case in consultation with action parties and
Stakeholders.
Step 5: Review Proposed HSE Case Change(s)

Revision: 1.0
a) Issue the HSE Case Change Approval Form with proposed change(s) to the HSE
Case to relevant action parties and Stakeholders for comment/review.
b) Amend proposed change(s) as required reflect any comments received. On the
HSE Case Change Approval Form annotate which sections of the HSE Case have
been changed.
c) Determine need for immediate publication of change(s). Consider whether change
is significant and needs immediate update. Also consider cumulative effects of
changes to date.
Step 6: Approve Change(s)

a) Gain acceptance of proposed change(s) from relevant parties, including sign-off of
HSE Case Custodian (obtain signatures).
b) Update status of HSE Case Change Approval Form in the HSE Case MOC
Register including Date Agreed.
c) If applicable, update FIM to record any changes that affect any open items still
under review (e.g. Change to HSE Case Remedial Action Plan).
Step 7: Publish Change(s)

a) Make change(s) to HSE Case.
b) Publish HSE Case on Livelink / issue to document copy holders.
c) Update status of Update status of HSE Case Change Approval Form in the Change
Register including Date Completed.
HSE Case MOC Register

Ref. Description Significant FCP No. (if Date Date Date
change? applicable) raised agreed completed
Yes/No
GD/2008/0 Revision of Yibal HSE Yes n/a 01/01/2008 01/01/2008 01/10/2008
1 Case to address internal /
external audit findings
and issues raised at
workforce reviews.
Structure and content
changed to reflect PDO
adoption of EP2005-
0310-ST.
Yibal team involved in
engagement workshops,
bow tie review
workshops, ALARP
workshops, and roll out
sessions

Revision: 1.0
Appendix 418 CCPS RBPS Process Safety Elements

The AI-PSM process within PDO identifies 20 elements from the Centre for Chemical Process
Safety Guidelines for Risk Based Process Safety (CCPS RBPS) which describes minimum
expected standards and stipulates the requirements for a range of process related activities
ranging from organisational culture, workforce involvement, risk management, HEMP and audit
through to design.
ELEMEN
T AI-PSM ASSURANCE
ELEMENT AIMS AND OBJECTIVES
NUMBE ELEMENT
R
To establish and reinforce high standards of process safety

Process Safety performance through the organisational norms for employee
1
Culture and contractor values and behaviours at all levels in the
organisation.
To ensure that the facility conforms to the applicable
Compliance with
2 standards, codes and regulations so that the facility
Standards
operates in a safe and legal fashion.
A key aspect of demonstrating commitment to process
safety, the process safety competency element is about
Corporate Process developing, sustaining and enhancing organisational
3 Safety competency. This is different to individual competency
Competency assurance (which is covered in element 12). The key
concern here is the concept of the learning or
transformational organisation
Personnel at all levels of the organisation should have roles,
responsibilities and opportunities to effectively contribute to
process safety programmes. This element ensures that a
Workforce
4 system is developed for enabling the participation of
Involvement
operators, technicians and contractors in the development
and implementation of process safety activities through
employee participation
To ensure that internal and external stakeholders to the
Stakeholder
5 organisation are identified, and that their information needs
Outreach
are understood and adequately met.
To enable risk assessment and risk-based process safety.
Process
Understanding process risk depends on having accurate
6 Knowledge
process knowledge, and without an understanding of
Management
process risk, process safety can never be assured.
To enable risk assessment and risk-based process safety.
Hazards and Understanding process risk depends on correctly and
Effects completely identifying the hazards associated with the
7
Management operation, and accurately assessing the risks posed by
Process (HEMP) those hazards. Without an understanding of process risk,
process safety can never be assured.
A consistent high level of human performance is essential
Operating for a successful process safety programme. Up to date clear
8
Procedures operating procedures assure that the intended and proven
methods and techniques are applied consistently.

Revision: 1.0
ELEMEN
T AI-PSM ASSURANCE
NUMBE ELEMENT
R
To ensure that the risks associated with non-routine work

are managed in a systematic way through the application of
9 Permit to Work
a permit-to-work system and operations / maintenance
procedures (which are described in the previous element)
To ensure that equipment is properly designed, fabricated,
installed and maintained in accordance with recognised
10 Technical Integrity
standards and codes, and that it fulfils its design intent and
remains fit for purpose until removed from operation
To ensure that contracted services do not add to or increase
process safety risk by ensuring familiarity with process
Contractor
11 safety risks and a formalised process to manage contractor
Management
activities from a process safety (as well as commercial)
point-of-view.
A consistent high level of human performance is essential
for a successful process safety programme. Training and
Training and performance assurance provides confidence and
12 Performance demonstration that work tasks will be consistently completed
Assurance to the required standard, and that personnel have the
knowledge and ability to respond appropriately to non-
routine situations.
To ensure that changes made to plant equipment or
Management of technology, or to the Organisation operating the equipment,
13 do not result in the inadvertent introduction of new hazards
Change and risks, or unknowingly increase the risk from existing
hazards.
To ensure that equipment is safe to start-up and operate,
and that the activities necessary to ensure continued fitness
Operational
14 for service have been put in place. It covers start up of new
Readiness
equipment, modified equipment and existing equipment re-
starting after a plant shutdown
To create an organisation that demonstrates excellence in
Conduct of
15 the performance of every task, and has zero tolerance for
Operations
deviations.
Emergency To reduce the consequences of a major accident and to
16
Management save lives, protect property and the environment.
To learn from incidents and near misses and to prevent
them from recurring. Identifying and correcting systemic
Incident
17 incident causes will not only help prevent a repeat of that
Investigation
incident but by strengthening the AI-PSM management
system can prevent other incidents.
To provide a means for near-real-time monitoring of the
performance of the AI-PSM system, and so indicate whether
Measurement and
18 process risk is being managed as low as reasonably
Metrics
practicable and in line with company criteria for tolerable
risk.
To reduce risk by systematically and pro-actively identifying
19 Auditing
strengths and weaknesses in the implementation of AI-PSM.
Revision: 1.0
ELEMEN
T AI-PSM ASSURANCE
NUMBE ELEMENT
R
Management
To ensure that the defined AI-PSM activities produce the
Review and
20 desired results throughout the facility lifecycle.
Continuous
Improvement


SP-2062 - HSE Specification Specifications For HSE Cases

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SP-2062 - HSE Specification Specifications For HSE Cases

Uploaded by

Copyright:

Available Formats

Revision: 1.

Petroleum Development Oman

Document Title: Specification for HSE

Document Type Specification

Discipline Technical Safety Engineering

Owner MSE/4 Head of Technical Safety Engineering

Issue Date 31 March 2011

Keywords: This document is the property of Petroleum Development Oman, LLC.

Page 1 SP-2062 Specification for HSE Cases Printed 27/03/11

This page was intentionally left blank

Page 2 SP-2062 Specification for HSE Cases Printed 27/03/11

Page 3 SP-2062 Specification for HSE Cases Printed 27/03/11

Version Date Author Scope / Remarks

Page 4 SP-2062 Specification for HSE Cases Printed 27/03/11

iii Related Business Processes

Page 5 SP-2062 Specification for HSE Cases Printed 27/03/11

iv Related Corporate Management Frame Work (CMF)

Page 6 SP-2062 Specification for HSE Cases Printed 27/03/11

8 HSE CRITICAL TASKS....................................................................................................... 30

16.2.6 Part 5 Improvement (Action Plan)................................................................51

Page 9 SP-2062 Specification for HSE Cases Printed 27/03/11

Page 10 SP-2062 Specification for HSE Cases Printed 27/03/11

Page 11 SP-2062 Specification for HSE Cases Printed 27/03/11

1.2 General Definitions

Page 12 SP-2062 Specification for HSE Cases Printed 27/03/11

1.3 Review and Improvement (SP 2062)

Page 13 SP-2062 Specification for HSE Cases Printed 27/03/11

1.4 Deviation from Standard

Page 14 SP-2062 Specification for HSE Cases Printed 27/03/11

2 WHEN ARE HSE CASES REQUIRED?

Consequences Increasing likelihood

heard of in the Industry happened happened happened

the Industry in PDO or at the more than

More than 3 massive massive Massive

Figure 2- 1: PDO Risk Assessment Matrix

Page 15 SP-2062 Specification for HSE Cases Printed 27/03/11

Figure 2-2: Framework for risk related decision support in PDO

Page 16 SP-2062 Specification for HSE Cases Printed 27/03/11

3 WHAT TYPES OF HSE CASES ARE THERE?

Page 17 SP-2062 Specification for HSE Cases Printed 27/03/11

3.1 Asset/Facility HSE Cases at different ORP phases

Figure 3-3: 5 stages and applicable HSE Cases

3.1.1 Identify and Assess

Page 18 SP-2062 Specification for HSE Cases Printed 27/03/11

Page 19 SP-2062 Specification for HSE Cases Printed 27/03/11

3.2 Roles and Responsibilities for the HSE Case

3.2.1 Sign Off Dates

Page 20 SP-2062 Specification for HSE Cases Printed 27/03/11

3.3 Roles and Responsibilities within the HSE Case

HSE Input to Concept Design HSE Case Operations HSE Case

HSE Project Manager Project Manager Asset Director

Page 21 SP-2062 Specification for HSE Cases Printed 27/03/11

HSE Input to Concept Design HSE Case Operations HSE Case

Page 22 SP-2062 Specification for HSE Cases Printed 27/03/11

3.4 Workforce Involvement

Page 23 SP-2062 Specification for HSE Cases Printed 27/03/11

Page 24 SP-2062 Specification for HSE Cases Printed 27/03/11

3.6 Performance Monitoring

3.6.1 Review and Improvement (HSE Cases)

3.6.2 Material Change

Page 25 SP-2062 Specification for HSE Cases Printed 27/03/11

o extension of the use of the installation or its components beyond the

Page 26 SP-2062 Specification for HSE Cases Printed 27/03/11