
Jointly developed by:

1 August 2017

Table of Contents

CHAPTER 1: INTRODUCTION TO SAFETY CASE ASSESSMENT GUIDE
1. Purpose of Safety Case Assessment Guide
2. Definitions and Abbreviations
3. Assessment Criteria Scope
4. Demonstration
5. Proportionality of Assessment

CHAPTER 2: DESCRIPTIVE ASPECTS OF SAFETY CASE ASSESSMENT
1. Introduction
Appendix A Descriptive Assessment Criteria and Guidance

CHAPTER 3: MAJOR ACCIDENT PREVENTION POLICY (MAPP) AND SAFETY & HEALTH MANAGEMENT SYSTEM (SHMS) ASPECTS OF SAFETY CASE ASSESSMENT
1. Introduction
2. The General Approach to MAPP and SHMS Assessment
Appendix B MAPP and SHMS Assessment Criteria and Guidance

CHAPTER 4: PREDICTIVE ASPECTS OF SAFETY CASE ASSESSMENT
1. Introduction
2. Risk Assessment
Appendix C Predictive Assessment Criteria and Guidance

CHAPTER 5: PROCESS SAFETY ASPECTS OF SAFETY CASE ASSESSMENT
1. Introduction
2. The General Approach to Process Safety Assessment
Appendix D Process Safety Assessment Criteria and Guidance

CHAPTER 6: MECHANICAL ENGINEERING ASPECTS OF SAFETY CASE ASSESSMENT
1. Introduction
2. The General Approach to Mechanical Assessment
Appendix E Mechanical Engineering Assessment Criteria and Guidance

CHAPTER 7: ELECTRICAL, CONTROL & INSTRUMENTATION ASPECTS OF SAFETY CASE ASSESSMENT
1. Introduction
2. The General Approach to EC&I Assessment
Appendix F Electrical, Control & Instrumentation Assessment Criteria and Guidance

CHAPTER 8: HUMAN FACTORS ASPECTS OF SAFETY CASE ASSESSMENT
1. Introduction
2. The General Approach to Human Factors Assessment
Appendix G Human Factors Assessment Criteria and Guidance

CHAPTER 9: EMERGENCY RESPONSE ASPECTS OF SAFETY CASE ASSESSMENT
1. Introduction
2. The General Approach to Emergency Response Assessment
Appendix H Emergency Response Assessment Criteria and Guidance

CHAPTER 10: ASSESSMENT OF ALARP IN SAFETY CASE
1. Introduction
2. The General Approach to ALARP Assessment
Appendix I ALARP Assessment Criteria and Guidance


Chapter 1: Introduction to Safety Case Assessment Guide

1. Purpose of Safety Case Assessment Guide

1.1. This is an internal guide used by the Major Hazards Department (MHD) for the assessment of safety cases submitted by MHIs.

1.2. The Safety Case Assessment Guide provides guidance on principles and the approach for using the respective assessment criteria. The assessment criteria are detailed in Chapters 2 to 10 of this guide and are used by MHD to reach conclusions on the extent to which safety cases meet their purposes under the WSH (MHI) Regulations.

1.3. The assessment criteria provide a framework to achieve a consistent and proportionate consideration of matters that may be examined during the assessment. As the proportionality principle is a cornerstone of the safety case regime, MHD focuses on where it matters most in the prevention of major accidents and is not obligated to address every criterion, nor to the same depth of detail. The criteria reflect the range of hazards expected and encountered by MHIs which come under the scope stipulated in the WSH (MHI) Regulations.

2. Definitions and Abbreviations



2.1. For the purposes of this assessment guide, the definitions and abbreviations given in Chapter 1.3 and the List of Abbreviations of the Safety Case Technical Guide apply.

3. Assessment Criteria Scope

3.1. The assessment guide will focus on the following areas during the assessment of safety cases:

a) Descriptive aspects [Chapter 2]
b) MAPP and SHMS [Chapter 3]
c) Predictive aspects [Chapter 4]
d) Technical aspects
   (i) Process safety (PS) [Chapter 5]
   (ii) Mechanical engineering (Mech) [Chapter 6]
   (iii) Electrical, control and instrumentation (EC&I) [Chapter 7]
   (iv) Human factors (HF) [Chapter 8]
e) Emergency response [Chapter 9]
f) Assessment of ALARP [Chapter 10]


3.2. The criteria in the assessment guide will be marked as follows:

a) Criteria will be marked as met when all relevant items are included in the descriptions and the necessary supporting information has been provided;
b) Criteria will be marked as not met when relevant items are not included in the descriptions or the necessary supporting information has not been provided;
c) Criteria will be marked as not relevant when they are not relevant to the MHI;
d) Criteria will be marked as previously met when the previous assessor recorded the criterion as met.


4. Demonstration

4.1 The WSH (MHI) Regulations require MHIs to prepare safety cases for the purposes of making a series of demonstrations. In this context, to demonstrate means to show or justify by the information given, which should be taken at face value unless there is clear evidence to the contrary (e.g. conflicting statements in the safety case or local knowledge of the assessment team). It does NOT mean to pursue, by extensive in-depth scrutiny or exhaustive examination, proof beyond reasonable doubt of whether the relevant criteria have been met and the demonstrations achieved.

4.2 MHIs are required by the WSH (MHI) Regulations to ensure that the data and information contained within the safety case adequately reflect the conditions in the installation. Verification of this can only be achieved by conducting inspections at the installation, which can then feed back into the safety case assessment.

4.3 It is often helpful for MHIs to provide a matrix which links the content of the safety case to the requirements of the Safety Case Assessment Guide.

4.4 There is no specific requirement for MHIs to include copies of operating procedures and/or associated documentation in their safety case. MHIs should determine the level of information to be provided in support of a given demonstration or requirement in the WSH (MHI) Regulations. MHIs may choose to assist their demonstrations where necessary by summarising a given procedure and providing an example of related documentation in support of it (e.g. a summary of the key points of a permit-to-work procedure alongside a completed permit-to-work record).

4.5 Where relevant, site records shall be used as examples to validate descriptions or where demonstrations are required by the WSH (MHI) Regulations, primarily relating to design, construction, operation, maintenance and modification.


5. Proportionality of Assessment

Factors Affecting Proportionality
5.1. A key principle of the safety case assessment process is that it is proportionate to the hazards and levels of risk associated with the MHI. The proportionality of assessment of a safety case should broadly match the proportionality required of the MHI's risk assessment, i.e. an MHI with higher risks of major accidents will undergo greater rigour and depth in the assessment process.

5.2. The proportionality of assessment is essentially determined by:

a) the severity of the worst possible consequences should the worst-case scenario occur;
b) the levels of risk that remain after taking into account the prevention and mitigation measures that the MHI has put in place; and
c) other factors for consideration, such as:
   (i) the scale (inventory, vessel sizes, etc.) and nature of the hazards (hazardous properties, toxicity, flammability, etc.);
   (ii) the location of the MHI in relation to external populations (e.g. population density) and sensitive receptors (e.g. hospitals, schools);
   (iii) the number of people in the MHI;
   (iv) the variation of residual individual risk with distance;
   (v) escalation potential (e.g. domino effects in relation to neighbouring MHIs); and
   (vi) the criticality of applied measures to achieving the claimed level of residual risk.

The Decision Making Process
5.3. The level of risk posed by the MHI should have an influence on the areas in which MHD focus their attention. Information in the safety case should enable MHD to understand site-specific circumstances (on-site and off-site), so that a view on proportionality can be reached. Where an early predictive screen has been completed, this will provide information towards MHD's decision-making process until a full predictive assessment has been carried out.

5.4. In the context of the Safety Case Assessment Guide, decisions about proportionality of assessment mean considering both the breadth and depth of assessment.

Breadth of Assessment
5.5. The nature and spread of the hazards present at an MHI determine the breadth of assessment. The assessment needs to consider a representative sample of the types of hazards found. It will therefore need to have covered different facilities, units and activities sufficient to reflect the varying nature of the hazards present, and the different nature of the measures taken to control them.

Depth of Assessment
5.6. The depth of assessment depends on the risk, and one approach is to use the consequence extent and severity information relating to a scenario to make judgments about the required depth of assessment.


5.7. In considering the extent of a potential major accident, MHD will be looking at the range over which the effects extend on-site and off-site to both people and the vicinity.

5.8. In considering the severity of a potential major accident, MHD will be looking at how severe the consequences of the accident might be. This might be expressed in terms of numbers of fatalities, serious injuries, or hospitalisations, etc. Such matters depend on the surrounding population and the vicinity.

It follows that the safety case for higher-risk MHIs should, in principle, be assessed to a greater depth than those for MHIs presenting lower risk.


Chapter 2: Descriptive Aspects of Safety Case Assessment

1. Introduction

1.1. This guide is for MHD assessors completing the descriptive aspects of the assessment.

1.2. This chapter is linked to Chapter 2 of the Safety Case Technical Guide.

1.3. All descriptive assessment must use the criteria and guidance set out in Appendix A Descriptive Assessment Criteria and Guidance.


Appendix A Descriptive Assessment Criteria and Guidance



Overview of MHI

2.1 Technical Criterion: The safety case shall give general information to the MHD and identify the organisations involved in preparing it.

Guidance: To meet this criterion, the safety case shall include the following information:
a) name, workplace number and address of MHI;
b) mailing address of MHI [if different from (a)];
c) details of whether the MHI is part of a larger group of companies, and other subsidiary offices in Singapore, as well as a brief description of the activities at each location;
d) name(s), designation(s), telephone and/or fax number(s), and email address(es) for contact(s) within the MHI for communication about the safety case; and
e) names of the external organisations involved in preparing the safety case and their area of contribution (e.g. QRA consultant, competent person involved in implementing risk-based inspection).

This is high-level information, for example, "Consultant X was used for risk assessment review work". In circumstances where no other organisations have been involved, MHIs should confirm this in the safety case.

2.2 Technical Criterion: The safety case shall provide a general outline of the installation, its activities, processes and products.

Guidance: To meet this criterion, the safety case shall provide a general outline, without extensive detail, to set the context for the reader, and the outline shall include:
a) purpose of the installation;
b) main activities and production, including an overall process flow diagram or block flow diagram;
c) general statements characterising the main hazards of the MHI with respect to its dangerous substances and processes;
d) types of MASs;
e) historical development of activities and production, where relevant to MAS or SCE;
f) the number of persons working at the installation and their working hours (including internal and contractor personnel); and
g) name and job scope of contractor companies engaged.


Description of Installation and its Activities/Processes Relevant to Major Accidents

2.3 Technical Criterion: The safety case shall identify units and other activities of the installation which could present a MAH on an adequately scaled plan.

Guidance: To meet this criterion, the safety case shall contain plans, maps or diagrams with descriptions which clearly set out detailed information about the installations which could present a MAH. The layout of the installation shall be clearly presented on an adequately scaled plan (i.e. usually at least 1:10000) which includes:
a) main storage facilities (e.g. tank farms, storage vessels, warehouses);
b) process sections (e.g. reaction, purification, recovery);
c) location of dangerous substances;
d) relevant equipment linked to MASs;
e) location of essential utilities, services and internal infrastructure equipment which may be relevant to the prevention or containment of a major accident (e.g. instrument air, steam, or electrical networks);
f) location of key abatement systems preventing or containing major accidents, such as drainage and firewater retention, gas cleaning or liquid treatment works important for the protection of people and the vicinity; and
g) location of occupied buildings such as control rooms, offices, workshops and canteens that could be vulnerable in a major accident (with an indication of the numbers of people likely to be present during peak and non-peak hours).

For (c), the MHI could provide a map containing individually labelled tanks and major process vessels, supplemented by a table in the safety case showing what substances are stored and/or processed in each tank and major process vessel, their states and their quantities.

Information on Dangerous Substances

2.4 Technical Criterion: The safety case shall identify the maximum quantities of every dangerous substance present, or likely to be present, at the installation.

Guidance: To meet this criterion, the safety case shall identify and tabulate a list of all dangerous substances and their respective maximum quantities present or likely to be present in the installations as per the WSH (MHI) Regulations.

MHIs shall attach the relevant current licences issued by NEA (hazardous substance licence) and SCDF (petroleum & flammable materials storage licence) in the safety case.


2.5 Technical Criterion: For each dangerous substance identified, the safety case shall describe its classification under GHS, its chemical name and CAS number, according to IUPAC nomenclature.

Guidance: To meet this criterion, for each dangerous substance identified, the safety case shall include:
a) its chemical name and, where appropriate, its common chemical name;
b) identification of the substance or class of substance under the International Union of Pure and Applied Chemistry (IUPAC) system of nomenclature;
c) the Chemical Abstracts Service (CAS) number for the substance or class of substance;
d) classification under the Globally Harmonised System of Classification and Labelling of Chemicals (GHS) based on its hazards (health, physical, environmental and others) and properties as per WSH (MHI) Regulations Second Schedule Part 2 (e.g. P1, P2, H2); and
e) proportion of each constituent in a mixture, where applicable.

MHIs shall present all information which is relevant to the various demonstrations of safety contained in the safety case.

2.6 Technical Criterion: The safety case shall describe the physical, chemical and toxicological characteristics of each dangerous substance identified, relevant to normal operating conditions and foreseeable accident conditions.

Guidance: To meet this criterion, the safety case would typically include:
a) SDSs of the respective dangerous substances identified. The SDS should, where relevant, contain the following information:
   (i) flash point (by an identified method);
   (ii) auto-ignition temperatures;
   (iii) flammable limits;
   (iv) vapour pressure;
   (v) density;
   (vi) boiling point;
   (vii) data on reactions;
   (viii) miscibility;
   (ix) partition coefficient;
   (x) rate of decomposition;
   (xi) data on sensitiveness of explosives and the behaviour of explosives on accidental initiation; and
   (xii) appropriate data on toxicology.
b) relevant physical and chemical data, presented in a clear and concise form using appropriate and consistent units of measurement, preferably following the SI system (e.g. in kilograms, metres).

2.7 Technical Criterion: The safety case shall indicate the hazards, both immediate and delayed, for human health on-site and off-site, for the dangerous substances identified.

Guidance: To meet this criterion, the information presented shall relate to the physical, chemical and toxicological characteristics of the dangerous substances and should address both the short-term and long-term effects. Examples could include:
a) health hazards such as irritation, asphyxiation, cancer or mutagenic damage;
b) toxicity data (e.g. PEL, LC50, LD50, IDLH, AEGL-3, ERPG-2);
c) potential to cause fire and/or explosion; and
d) effects on the vicinity (e.g. building damage or impacts on sensitive receptors).

Appropriate references shall be provided:
a) for recognised acceptable limits, in terms of concentration, distance from source, exposure time and other relevant parameters; and
b) for justification of the harmful effects, hazardous concentrations and acceptable limits presented in the safety case.

If there is little knowledge of the effects, MHIs should outline in the safety case the approach towards evaluating the significance of that lack of knowledge and the policy for dealing with it.


Information on the Vicinity

2.8 Technical Criterion: The safety case shall describe the vicinity of the installation in sufficient detail to allow the consequences of a major accident to be assessed.

Guidance: To meet this criterion, the safety case shall provide information as follows.

A map of a suitable resolution should be used when describing the vicinity (outside the MHI boundary limit). Separate maps of different scale may be required when considering different consequence impacts (e.g. toxic effects).

On the maps, MHIs should clearly indicate, where applicable:
a) sensitive receptors (e.g. schools, hospitals, residential areas or worker dormitories); and
b) access routes and escape routes from the installation and other traffic routes significant for rescue or emergency operations.

Information on the installation's vicinity that may influence the impact of a major accident, such as:
a) the surrounding water courses including controlled water (if any), and any catchment area in relation to the dispersion of liquid contaminants;
b) sewage and rainwater systems, if they could be involved in the dispersal of liquid contaminants off-site;
c) features of the vicinity that may hinder emergency response or containment measures.

Information on external factors which may lead to or exacerbate major accidents, such as:
a) the topography, if it could have an effect on the dispersion of toxic or flammable gases or combustion products. This should include buildings or other structures where appropriate;
b) local weather records, including wind speed, wind direction and atmospheric stability, and the relevance of this information to the behaviour of releases of dangerous substances;
c) history of the land on which the installation is located, together with its vicinity, which may be significant when considering major accident causes. For example, land subsidence could be considered on reclaimed industrial land like Jurong Island, as this is a threat to equipment integrity (i.e. contributing to stress and strain on piping and equipment);
d) historical evidence of other external events that might cause accidents, such as flooding and extreme weather conditions including temperature, rain, wind and lightning; and
e) transport activities that may have an impact, including shipping, major transport routes and dangerous substance movements.

Information on structures which may be impacted by the effects of an MHI's major accident, such as any section of key infrastructure, including major land, sea or air transport routes or hubs and utilities.

Description of protected parts of the vicinity such as:
a) nature reserves;
b) reservoirs; and
c) marine reserves.

Identification of neighbouring MHIs, pipelines and pipe racks in the area.

[Description of the vicinity and surrounding populations should reflect expected conditions once the MHI becomes operational. The safety case shall describe circumstances (including temporary arrangements such as use of temporary offices and buildings and inclusion of on-site populations) as they apply to each phase (e.g. various construction phases, commissioning, start-up and shutdown).]

2.9 Technical Criterion: On the basis of available information, the safety case should identify its neighbours.

Guidance: To meet this criterion, the safety case should:
a) give the name, address, and type of business for the neighbouring industrial installations; and
b) describe, for example, the nearby housing and other buildings where there might be large numbers of people, or people who might be particularly vulnerable to a major accident.


Chapter 3: Major Accident Prevention Policy (MAPP) and Safety & Health Management System (SHMS) Aspects of Safety Case Assessment

1. Introduction

1.1. This guide is for MHD assessors completing the MAPP and SHMS aspects of the assessment.

1.2. This chapter is linked to Chapter 3 of the Safety Case Technical Guide.

1.3. All MAPP and SHMS assessments shall use the criteria and guidance set out in Appendix B MAPP and SHMS Assessment Criteria and Guidance.


2. The General Approach to MAPP and SHMS Assessment

2.1. The assessment will focus on the individual elements contained in SS 506 Part 3: Requirements for the chemical industry (2013) and on the extent to which the safety case is able to show how those elements work together to create an appropriate SHMS for the MHI concerned.

2.2. The assessment criteria and guidance which follow in this chapter are set out under headings taken from the Plan, Do, Check and Act approach of SS 506: Part 3.

2.3. It shall be noted that some aspects of the SHMS are subject to assessment via the Human Factors assessment criteria and guidance (e.g. resources, personal performance, internal communication, investigation and corrective action).

2.4. It shall also be noted that these assessment criteria and guidance only outline the salient points that MHD would be looking at in greater detail. Nonetheless, under the WSH (Safety and Health Management System and Auditing) Regulations, MHIs have the ultimate responsibility to ensure that all other parts that are not mentioned in these assessment criteria and guidance but are mentioned in SS 506: Part 3 are duly complied with.


Appendix B MAPP and SHMS Assessment Criteria and Guidance



MAPP: Plan

3.1 MAPP Aims and Principles
Technical Criterion: The MAPP shall include a commitment to achieve a high standard of protection for people and the vicinity.

Guidance: To meet this criterion, the MAPP shall:
a) specifically address MAHs and the protection of people and the vicinity in relation to the installation; and
b) contain a suitable statement of the MHI's aims and principles of action and its commitment towards continuous improvement in aspects relating to the control of MAHs at the installation.

3.2 MAPP and SHMS Objectives
Technical Criterion: The MAPP shall include a commitment to provide and maintain a SHMS.

Guidance: To meet this criterion, the MAPP shall include:
a) a recognition that the nature of the MHI's activities could give rise to MASs potentially impacting employees, contractors, visitors, members of the public, and the natural and built environment as appropriate, and therefore that the MHI has obligations to employees, neighbours and the vicinity;
b) statements explaining the company's overall aims and principles of action in relation to the systematic control of major accidents; and
c) a commitment to provide and maintain a management system which addresses the issues described under Section 3.3.1 of the Safety Case Technical Guide.

[Note that for this criterion, the MHD is only looking for the policy statements; subsequent criteria will look at the detail under each heading to demonstrate that there is the SHMS to implement the MAPP.]

The MAPP shall be made available to employees and others in the MHI (e.g. contractors).


3.3 Senior Level Endorsement
Technical Criterion: The MAPP shall be set at a senior level in the MHI's organisation and be established in writing.

Guidance: To meet this criterion, the copy of the MHI's MAPP included in the safety case shall be signed and dated by an appropriate director or senior executive to demonstrate that it is truly the policy of the organisation's leadership.

SHMS: Do

3.4 Roles and Responsibilities
Technical Criterion: The safety case shall show that all necessary roles and responsibilities in the management of MAHs have been clearly allocated and defined.

Guidance: To meet this criterion, within the safety case, typically an organogram, table or similar is shown which highlights the roles, responsibilities, accountabilities and authorities across the organisation for all staff who have duties to manage MAHs.

Additional information shall support the high-level view and would usually include job descriptions or details of individual responsibilities in relation to the management of MAHs.

3.5 Resources
Technical Criterion: The safety case shall show how the MHI allocates resources to implement the MAPP.

Guidance: To meet this criterion, the safety case shall show:
a) who has overall responsibility for the safe operation of the MHI;
b) how key roles are identified;
c) details of any qualifications, skills or experience required for key roles;
d) how training for those key roles is delivered, verified and assessed;
e) the philosophy for deputising arrangements for key functions to cover absences; and
f) an overview of any key roles contractors may have on site and how training is carried out and verified for those workers.

3.6 Personal Performance
Technical Criterion: The safety case shall show that the performance of people having a role to play in the management of MAHs is measured and that they are held accountable for their performance.

Guidance: This concerns the people having a role to play in the management of MAHs and, to meet this criterion, the safety case shall provide a brief outline of:
a) how the responsibilities for the management of MAHs are made clear to the appointment holder (e.g. job descriptions);
b) how the performance review is conducted with respect to the above requirement (a); and
c) how compliance is checked (e.g. on-site compliance checks).

The safety case shall also provide:
a) information about the process for identifying and taking action on failures to achieve satisfactory performance;
b) reference to incentive and reward schemes; and
c) summaries of arrangements for setting performance standards and targets for line managers.

3.7 Worker Participation
Technical Criterion: The safety case shall show that the MHI has systems for ensuring that those working in the installation are actively involved in the control of MAHs, where relevant.

Guidance: To meet this criterion, the safety case shall typically include:
a) a brief summary of how consultations are carried out with the workforce (e.g. toolbox meetings);
b) an outline of the arrangements for upward reporting of information relevant to the control of MAHs; and
c) how employees' involvement is secured in relation to:
   (i) hazard studies (e.g. HAZOP) and risk assessments;
   (ii) devising, reviewing and revising operating and emergency systems, procedures and instructions for the control of MAHs;
   (iii) performance measuring activities including accident, incident and near-miss investigations; and
   (iv) audit and review activities.

3.8 External Organisations
Technical Criterion: The safety case shall show that the MHI has in place arrangements for cooperating with, communicating information to and securing the cooperation of, external organisations.

Guidance: To meet this criterion, a brief overview shall outline the MHI's arrangements for communicating and cooperating with external organisations. This includes:
a) other workplaces which might be affected by the MASs;
b) contractors and their employees;
c) the emergency services (e.g. SCDF); and
d) other relevant bodies (e.g. media, clean-up contractors).


3.9 Information Gathering
Technical Criterion: The safety case shall show that the MHI has arrangements for gathering information from external sources relevant for the control of MAHs.

Guidance: An MHI's management of MASs requires it to keep up to date with legal and technical developments that are relevant to its installation. The WSH (MHI) Regulations require MHIs to review the safety case when it is necessary to do so to take account of new technical knowledge and developments in knowledge concerning the assessment of MAHs.

To meet this criterion, the safety case shall provide a description of the MHI's arrangements for ensuring it is aware of important safety information such as changes in legislation, developments in technical standards and management practices.

MHIs often describe receiving information from, for example: MHD; professional bodies; industry associations; emergency services; other companies.

The focus here is on the arrangements made by the MHI to obtain and review relevant information (i.e. how they approach the task; experience or competence of those involved; how the findings have been used in the installation, etc.).

3.10 Internal Communication
Technical Criterion: The safety case shall show that the MHI has arrangements for communicating information important for the control of MASs within the MHI's organisation.

Guidance: To meet this criterion, the safety case shall give a brief description of how the information pertinent to the control of major accidents is disseminated throughout the organisation. This shall include:
a) information relating to the aims and purpose of the MAPP;
b) information relating to the relevant risk control systems in place (e.g. management of change, permit to work, inspection and maintenance);
c) how suggestions for improvements can be made;
d) the purpose of monitoring and auditing activities; and
e) how lessons learned are acted upon.


3.11 Priorities for Improvement
Technical Criterion: The safety case shall show that the MHI has systems for:
a) determining priorities to achieve the objectives of the MAPP;
b) identifying areas for necessary improvement in relation to the control of MAHs; and
c) scheduling the identified improvement work.

Guidance: To meet this criterion, the safety case shall typically provide:
a) a brief outline of the arrangements for improvement planning, in relation to the control of MAHs;
b) an explanation of how work identified as part of the improvement planning process is prioritised, resourced and scheduled, and how timescales for completion are set; and
c) information relating to current backlogs of improvement work with a brief explanation regarding how these are being progressed.

MHIs shall provide a copy of their current improvement plan in the safety case to support their demonstration (e.g. referencing current improvement plans with a suitable explanation of the basis on which priorities have been decided, or referencing current improvement plans to illustrate how work has been scheduled).

3.12 Procedures
Technical Criterion: The safety case shall show that the MHI has adopted procedures and instructions for safe operation and maintenance.

Guidance: This criterion is about describing the risk control systems which the MHI has in place for controlling the risks which arise at each stage of the life cycle of the plant, processes or storage facilities in question. To meet this criterion, the safety case shall describe the systems for controlling risks at each of the following stages as appropriate:
a) Construction and commissioning of plant, processes, equipment and facilities
   Including details of how the organisational readiness of the operating functions and/or the technical safety and integrity of the new facility under construction are ascertained prior to the introduction of dangerous substances.
b) Operation of plant and processes
   Including, as appropriate, start-up, steady-state running, normal shutdown, detection of departures from normal operating conditions and responses to them including emergency shutdown, and temporary and special operations.
c) Safe operation under maintenance conditions
   Including carrying out risk assessment for decontamination and maintenance work, generating safe methods of working for maintenance (e.g. hot tap, isolation, depressurising, de-energising) and using permit-to-work systems to control it.
d) Selection and management of contractors
   How contractors are selected, managed, inducted and trained.
e) Decommissioning of plant, processes, equipment and installation.

MHIs may support their demonstration by providing copies of, for example, their contractor management procedure, operating procedure and permit-to-work procedure (or summarised versions) in the safety case.

3.13 Management of Change
Technical Criterion: The safety case shall show that the MHI has adopted procedures for addressing possible hazards and associated risk that may be introduced as a result of new dangerous substances, change in dangerous substance inventories, change in process technology, in facilities or in organisation.

Guidance: To meet this criterion, the safety case shall describe the management of change processes used. The procedure shall follow the requirements as stipulated in SS 506: Part 3.

MHIs may provide a copy of their management of change procedure (or a summarised version) to support the demonstration, along with a completed example of a recent change, in the safety case.

SHMS: Check

3.14 Active Monitoring
Technical Criterion: The safety case shall show that the MHI has devised proactive means of performance measurement which provide information on whether the control measures taken to guard against MASs are operating as intended.

Guidance: This criterion recognises that, in the case of MASs, a low incident rate is no guarantee that risks are being effectively controlled. To meet this criterion, the safety case shall:
a) provide information relating to a set of leading Process Safety Performance Indicators (PSPIs) which follow suitable standards such as API 754, HSG 254 or similar;
b) show that the key risk control systems necessary for the control of major accidents have been identified and that there is a process for gathering data on the performance of the risk control systems;
c) show that performance standards have been set for each performance indicator; and
d) show that senior management are actively involved in setting performance indicators and standards.


3.15 Reactive Monitoring
Technical Criterion: The safety case shall show that the MHI has adopted a system for reporting incidents and near misses relating to failure of the protective measures for control of MASs.

Guidance: Following on from criterion 3.14, the safety case shall show that there is an established set of lagging PSPIs which follow suitable standards such as API 754 or HSG 254 or similar.

To meet this criterion, it shall be shown that senior management receive relevant information on:
a) dangerous occurrences as defined in the Workplace Safety and Health Act relevant to major accidents;
b) major accidents as defined in the WSH (MHI) Regulations;
c) injuries and cases of ill health related to major accidents;
d) incidents with the potential to escalate into major accidents (i.e. near misses); and
e) hazardous conditions, including losses of containment or process deviations exceeding safe or design limits.

3.16 Investigation and Corrective Action

Technical Criterion: The safety case shall show that the MHI has adopted mechanisms for investigating and taking corrective action:

a) in cases of the proactive performance standards showing a deterioration in risk control measures; and
b) in relation to any incident or event with potential to cause a MAS.

Guidance: Within the safety case, information shall be provided on the actions taken by the MHI in response to data received through monitoring arrangements. That would typically be:

a) a description of the arrangements in place for carrying out investigations, including how the type and level of investigation is determined and what outputs are expected (e.g. underlying and immediate causes);
b) a clear link between the MHI's monitoring arrangements (both active and reactive) and any initiation of corrective action taken by the company to remedy any lapses found; and
c) how the MHI responds to necessary corrective action work identified by investigation reports or similar, and how these are prioritised.


3.17 Audit

Technical Criterion: The safety case shall show that the MHI has adopted a procedure for systematic assessment of the MAPP and the effectiveness and suitability of the SHMS.

Guidance: To meet this criterion, the safety case shall provide a description of auditing activities carried out on site, which is expected to contain the following:

a) the resources and personnel required for each audit, bearing in mind the need for expertise, operational independence and technical support;
b) the audit plan indicating how it has been prioritised;
c) the audit protocols to be adopted (which might include use of questionnaires, checklists, open and structured interviews as well as checking documents and measurements and observations);
d) the procedures for reporting the audit findings; and
e) the procedures for following up the recommendations shown to be necessary by audits.

Typically the safety case may include a copy of an audit plan and an example of a completed audit.

SHMS Act

3.18 Review

Technical Criterion: The safety case shall show that the MHI has adopted a review process which uses information from performance measurement and audit to facilitate the update of the MAPP and SHMS.

Guidance: To meet this criterion, the safety case shall describe how information collected from performance measurements and audits is reviewed (e.g. management review), and as a minimum, show:

a) how the results are considered and by whom;
b) how they are used by senior management to carry out necessary updates of the MAPP and SHMS; and
c) how the suitability and adequacy of the current arrangements for performance standards and audits are assessed.

3.19 Documenting the Review

Technical Criterion: The safety case shall show that results of review are documented and communicated within the organisation.

Guidance: To meet this criterion, the safety case shall include a description of the MHI's arrangements for documenting and publishing the results of the review within the organisation.


Chapter 4: Predictive Aspects of Safety Case Assessment

1. Introduction

1.1. This guide is for MHD assessors completing the predictive aspects of the assessment.

1.2. This chapter is linked to Chapter 4 of the Safety Case Technical Guide.

1.3. All predictive assessment must use the criteria and guidance set out in Appendix C Predictive Assessment Criteria and Guidance.

1.4. Experience has shown that it is essential for MHIs to identify all MAHs, their likelihood, and consequences before going on to perform a sufficient and suitable risk assessment and identify risk reduction measures.

1.5. Any subsequent risk assessment may be qualitative, semi-quantitative, quantitative, or a combination of these. MHIs will need to decide the scope and nature of their risk assessment based on proportionality in relation to their site-specific circumstances and the demonstration required.

2. Risk Assessment

2.1. Risk assessment steps that shall be demonstrated in the safety case are:

a) understand the site operations, the materials involved and the process conditions;
b) identify the hazards with potential effect on people on site and off site;
c) analyse the different ways the hazards can be eliminated or reduced in scale;
d) analyse the risks associated with the remaining hazards and the options for reducing them. Risk reduction cannot be looked at without first doing a risk analysis;
e) for these hazards, predict the likelihood of the hazards being realised, taking into account the chance of success and failure of possible preventive measures;
f) predict the corresponding consequences considering failure of measures;
g) decide which measures need to be implemented to make the risks to people ALARP; and
h) present the results of the risk assessment in sufficient detail to demonstrate that the necessary measures have been taken to prevent and mitigate major accidents.

2.2. The risk assessment needs to address:

a) risks to people on site; and
b) risks to people off site.



2.3. For new MHIs and modifications to existing MHIs, the risk assessment needs to include:

a) consideration of the elimination of hazards;
b) inherently safe approaches to reduce the scale of hazards; and
c) prevention and mitigation measures to prevent and limit risk.


Appendix C Predictive Assessment Criteria and Guidance

Overview of MHI Installations and Activities and/or Processes Relevant to Major Accidents

4.1 Technical Criterion: The safety case shall describe the sections of the installation that could give rise to major accidents.

Guidance: To meet this criterion, the safety case shall contain plans, maps or diagrams with descriptions which clearly set out detailed information about the installations with potential for major accidents. The safety case should contain detailed process descriptions of the relevant sections by providing information such as:

a) block flow diagram or process flow diagram;
b) the operating parameters and envelopes of the plant during:
   (i) normal operations;
   (ii) normal non-routine operations (e.g. regeneration);
   (iii) commissioning and start-up;
   (iv) shutdown; and
   (v) decommissioning;
c) the designed minimum and maximum parameters, such as capacities, temperatures, pressures and inventories;
d) relevant qualitative and quantitative information on mass and energy transport in the process (e.g. material and energy balance) during:
   (i) normal operation; and
   (ii) non-routine operations (e.g. regenerations), if available;
e) information on what happens to the dangerous substances (physical and chemical changes) at designed operating conditions or foreseeable deviations from design operating conditions. The range of conditions considered could include:
   (i) operating pressures and temperatures during start-up, regeneration, normal operation, turndown or other designed mode;
   (ii) production of products, by-products, residues or intermediates as a result of normal operations or through foreseeable accidental conditions;
   (iii) process upset conditions;
   (iv) storage of materials under normal operation and following loss of utility, for example, refrigerated storage or heated storage;
   (v) contamination of products; and
   (vi) loss of containment;
f) the discharge, retention, reuse, recycling or disposal of residues, waste liquids and solids, and the discharge and treatment of waste gases;
g) sufficiently scaled plot plan which clearly identifies the location of processes and/or activities where a major accident could happen;
h) dangerous substance locations and, at each location, an indication of the chemical and physical state and quantity of the dangerous substance in major process vessels or storage tanks; and
i) plant diagram which clearly identifies key control and safety systems, reaction vessels, storage vessels, piping systems, valves and significant connections (e.g. process flow diagrams and/or piping & instrumentation diagrams).

Identification of Representative Set of MASs

4.2 Technical Criterion: The safety case shall identify and describe in detail all potential MASs.

Guidance: The safety case's description of the MAS identification exercise needs to demonstrate to the MHD that all MAHs are taken into account. As such it shall be extensive, inclusive, and transparent, and to meet this criterion, the safety case shall:

a) demonstrate that a systematic process has been used to first identify all possible MAHs and then their associated potential MASs;
b) describe the relevant expertise of the hazard identification team involved. The safety case shall also show that a multidisciplinary team composed of persons with appropriate competency (e.g. personnel trained in specific hazard identification methodologies, personnel with relevant experience in design, operation, maintenance, process safety, or human factors) was used to conduct or inform the analysis; and
c) identify and describe the range of hazard identification methods used in the safety case. All hazards identified shall initially be considered as if no measures were in place.


Examples of risk studies that MHIs may use (but not limited to) to identify all possible MAHs and potential MASs include:
   (i) QRA studies;
   (ii) PHA studies such as HAZOP, failure mode and effects analysis (FMEA), process hazards review (PHR);
   (iii) safety reviews and studies of the causes of past major accidents and incidents;
   (iv) industry standards or checklists;
   (v) job safety analysis (e.g. task analysis); and
   (vi) human error identification methods.

4.2.1 Technical Criterion: The safety case shall demonstrate that a systematic process has been used to identify events and event combinations which could cause MAHs to be realised.

Guidance: To meet this criterion, the following should be considered when determining the causes or initiators of potential major accidents during the identification process:

a) operational causes are determined according to the methodology chosen; where relevant, the following should be considered:
   (i) physical and chemical process parameter limits;
   (ii) hazards during specific operation modes (e.g. start-up and shutdown);
   (iii) malfunctions and technical failures of equipment and systems;
   (iv) utilities supply failures;
   (v) human factors involving operation, testing and maintenance (e.g. loading wrong reactants into a batch reactor);
   (vi) chemical incompatibility and contamination; and
   (vii) ignition sources (e.g. electrostatic charge);
b) internal causes, where relevant, may be related to fires, explosions or releases of dangerous substances at a certain section within the installation which the safety case covers and affecting other sections, leading to a disruption of normal operations (e.g. the failure of a water pipe in a cooling tower, thus leading to a disruption in the cooling capacity on site); and
c) external causes, where relevant, may include:
   (i) impacts of accidents (e.g. fires, explosions, toxic releases) from neighbouring installations (domino effects);
   (ii) impact of accidents arising from transportation of dangerous substances off site (e.g. roads, pipelines);
   (iii) functional interdependence with other installations;
   (iv) landslips, subsidence;
   (v) aircraft impact (for installations near airports);
   (vi) extreme environmental conditions (e.g. abnormal rain, temperature, wind, floods, lightning); and
   (vii) pipelines or other common utilities (e.g. disruptions of steam, power or cooling water from external providers).

Scenarios influenced by emergency action or adverse operating conditions should also be taken into consideration during the hazard identification process.

4.2.2 Technical Criterion: There shall be a suitable review of past accidents and incidents relevant to the site.

Guidance: A review of past accidents and incidents with the same substances and processes used, consideration of lessons learned from these and explicit reference to specific measures taken to prevent such accidents is required by the WSH (MHI) Regulations and is a minimum requirement. This should also look beyond the MHI to the wider industry relevant to the site.

Insights gained from the review of past accidents and incidents relevant to the site shall form part of the input used by MHIs when generating MASs.

4.3 Technical Criterion: The safety case shall describe a representative and sufficient set of MASs for the purpose of detailed assessment.

Guidance: To meet this criterion, the safety case shall consider in detail the risks associated with a subset of all MASs considered for the site, which is known as the representative set of MASs. This makes the subsequent risk assessment more manageable. The representative set of MASs must be sufficient and should include:

a) a range of accidents for the site, taking account of different hazards, substances, processes, geographical spread, etc., leading to fatalities or serious harm or injuries on site and/or off site;
b) worst case scenarios (consideration of worst case scenarios is particularly important when assessing the adequacy of the emergency response arrangements);
c) events which in themselves might be low severity or risk, but which could escalate to give a more serious event; and
d) MASs with lesser consequences at higher frequency.

4.3.1 Technical Criterion: Any criteria for eliminating possible MASs from further consideration shall be clearly presented and well argued in the safety case.

Guidance: The intent of this criterion is to ensure that no important MASs go unconsidered.

To meet this criterion, any key assumptions made during the hazard identification stage shall be described in the safety case, especially if such assumptions lead to the elimination of significant scenarios from the eventual representative list of MASs.

4.4 Technical Criterion: The safety case shall justify the risk assessment methodologies used when conducting detailed assessment on the representative set of MASs.

Guidance: MHIs shall justify their risk assessment methodology based on:

a) expertise and competence of those identifying and analysing hazards;
b) methods used in the risk analysis;
c) data and assumptions; and
d) how the significance of the risk was assessed.

In general, MASs deemed to have a higher level of risk, consequence impact or potential for escalation to a more serious event shall be conferred with a greater degree of rigour during the assessment process.

To meet this criterion, MHIs shall justify in the safety case the depth of analysis and degree of rigour required for each MAS in the representative set prior to the detailed assessment. It should be noted that subsequently, on detailed assessment, the actual risks might be shown to be significantly reduced either by revised frequencies, which are demonstrated to be lower than was initially judged, or by accounting for systems which reduce the consequence.


4.5 Technical Criterion: It should be clear that human factors have been taken into account in the risk assessment.

Guidance: To meet this criterion, the safety case should:

a) describe a process for identification of human failures, actions or other involvement as contributors to major accidents which is systematic and integrated with the overall risk assessment;
b) show how human failure contributes to major accident initiation or escalation; and
c) where quantitative assessments are used:
   (i) address the probabilities of human actions and omissions contributing to major accidents;
   (ii) address the reliability of measures which are dependent upon human action; and
   (iii) show that all assumptions made in the determination of human failure probabilities are appropriate or based on a thorough and systematic assessment.

Detailed Assessment: Consequences Assessment and Likelihood Estimation of Representative Set of MASs

4.6 Technical Criterion: The safety case shall produce an adequate assessment of the extent and severity of the consequences for the representative set of identified MASs.

Guidance: This is the most important predictive part of the safety case and must be included. Without it, it is impossible to come to an appropriate view on proportionality and where a company should put effort into risk reduction measures.

The safety case shall contain the results of calculations showing suitable estimates of the extent and severity of the consequences for each MAS in the representative set. Extent and severity is concerned with who (people) might be harmed, how badly, and how many people are affected by major accidents. The safety case shall provide details to demonstrate that suitable and sufficient consequence assessment for each MAS in the representative set has been carried out with respect to people.

The safety case shall:

a) present extent information:
   - effects distances on maps and/or images of the site and the vicinity showing areas likely to be affected by the representative set of major accidents (with identified estimations of numbers, centres and types of populations both on site and estimated off site);
b) present severity information in a suitable form, e.g.:
   - numbers of fatalities, serious injuries, hospitalisations;
   - banding in terms of consequences to people (e.g. 1-5, 5-20, 20-100); where major accidents have been put into example groups, then it is acceptable to present extent and severity for each group;
   - occupancy-based population data.

MHIs shall either describe or reference any consequence assessment model used in the safety case. MHIs shall also take into account the limits of applicability of the model used and justify all assumptions made and the values used in the key variables of the method or model (e.g. wind speed, atmospheric conditions and ground roughness in gas dispersion models).

Different levels of harm need to be considered. Any harm footprints, levels or vulnerability models used in predicting the extent of areas where people or the vicinities may be affected shall be aligned to the Revised QRA Guidelines.

4.7 Technical Criterion: The safety case shall contain estimates of the probability, in qualitative or quantitative terms, of each MAS analysed.

This shall include a summary of the initiating events and event sequences (operational, internal or external) which may play a role in triggering each MAS.

Guidance: To meet this criterion, the likely frequency or probability of MASs shall be considered.

The depth of the analysis of scenario likelihood shall be proportionate to the scale and nature of the hazard. If judgmental words such as "likely" or "non-credible" are used in qualitative estimation of likelihood, then the significance of these words shall be clearly explained.

For failure rates, the safety case should:

a) ensure that failure rate data used are aligned to the Revised QRA Guidelines; or
b) include the references and methods of derivation (where appropriate) for using failure rate data not in accordance with the Revised QRA Guidelines.

It is not sufficient to adopt data from published sources without justifying its suitability to the installation, unless the MHI shows that the conclusions of the risk assessment are not affected by such data (e.g. through a sensitivity analysis).

If the estimations of the likelihoods of the representative MASs are sensitive to the data and assumptions used, suitable and sufficient justification is needed.

MHIs should assess the sensitivity of the conclusions to the assumptions and other uncertainties; for example, there may be little data on event probabilities for certain processes, which causes uncertainty in the estimation process. The significance of this uncertainty should be discussed in the safety case, and sufficient detail will have to be provided to allow the MHD to make a judgement on the quality of the risk assessment. Where uncertainties exist, a conservative approach should be evident in the arguments used.

4.7.1 Technical Criterion: Methods used to generate event sequences, and to estimate the probabilities of potential major accidents, shall be appropriate and used correctly.

Guidance: Appropriate methods to generate event sequences and estimates of major accident probabilities include:

a) relevant operational and historical failure data;
b) fault tree analysis (FTA);
c) event tree analysis (ETA); or
d) other relevant methodologies.

The methods employed shall be fit for purpose and used correctly. The process and methods adopted to generate any probabilities or event sequences, together with assumptions and data sources used, shall be described clearly. Checks against company benchmarks must be included if MHIs used them.


4.7.2 Technical Criterion: Estimates of, or assumptions made about, the reliability of protective systems and the times for operators to respond and isolate LOC accidents or others need to be realistic and adequately justified.

Guidance: The qualitative or quantitative arguments presented in the safety case shall be realistic, well reasoned and plausible. Where possible, arguments shall be backed up by credible performance data.

Any qualitative arguments made shall be:

a) based on accepted good standards for engineering and safe systems of work; and/or
b) supported by evidence on the likely demand on the various control measures and systems, and what the consequences might be if these fail.

For example, if an operator has to intervene to close an isolation valve manually when automatic isolation fails, then the release duration will be determined by the time taken to intervene successfully. In such cases, release durations of less than 20 minutes will require justification.
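The quantification that criteria 4.7.1 and 4.7.2 ask for (fault tree analysis feeding an event tree, with the credited operator response time carried into the release duration) can be illustrated with a small worked calculation. The following Python example is added here for illustration; it is not part of the guide and not an MHI's submission. The fault-tree structure, the initiating-event frequency, every component failure probability and the response times are constructed values for the example, not failure-rate data from the Revised QRA Guidelines.

```python
"""Fault tree plus event tree for a loss-of-containment (LOC) scenario.

Added illustration, not part of the guide. All numbers used below are
constructed (assumed) values chosen for the example; they are not failure-rate
data from the Revised QRA Guidelines or from any installation.
"""
from dataclasses import dataclass


# ---- Fault-tree gates (basic events assumed independent) -------------------

def or_gate(probs):
    """Top event occurs if ANY input event occurs: 1 - prod(1 - p_i)."""
    p_none = 1.0
    for p in probs:
        p_none *= 1.0 - p
    return 1.0 - p_none


def and_gate(probs):
    """Top event occurs only if ALL input events occur (redundant channels)."""
    p_all = 1.0
    for p in probs:
        p_all *= p
    return p_all


def automatic_isolation_pfd(detector_pfd, logic_pfd, valve_pfd, n_valves=1):
    """Probability of failure on demand (PFD) of the automatic isolation layer.

    Assumed fault tree: isolation fails if the gas detector fails OR the trip
    logic fails OR all n redundant shutoff valves fail to close (AND gate).
    """
    all_valves_fail = and_gate([valve_pfd] * n_valves)
    return or_gate([detector_pfd, logic_pfd, all_valves_fail])


# ---- Event tree ------------------------------------------------------------

@dataclass(frozen=True)
class Outcome:
    path: str
    frequency: float       # events per year
    duration_min: float    # release duration carried into consequence assessment
    credited_layer: str    # "automatic", "operator" or "none"


def event_tree(initiating_freq, auto_pfd, manual_pfd,
               auto_time_min, manual_time_min, unmitigated_time_min):
    """Branch on the automatic isolation layer, then on manual isolation.

    Per 4.7.2, when the operator is the credited layer the release duration is
    the time taken to intervene successfully, so each branch carries the
    duration that the consequence assessment must use.
    """
    return [
        Outcome("automatic isolation succeeds",
                initiating_freq * (1.0 - auto_pfd), auto_time_min, "automatic"),
        Outcome("automatic fails, manual isolation succeeds",
                initiating_freq * auto_pfd * (1.0 - manual_pfd), manual_time_min, "operator"),
        Outcome("automatic and manual isolation both fail",
                initiating_freq * auto_pfd * manual_pfd, unmitigated_time_min, "none"),
    ]


def needs_duration_justification(outcome, threshold_min=20.0):
    """4.7.2: a credited manual intervention shorter than 20 minutes requires justification."""
    return outcome.credited_layer == "operator" and outcome.duration_min < threshold_min


def sensitivity_to_operator_pfd(initiating_freq, auto_pfd, manual_pfds):
    """4.7 asks for a sensitivity check on uncertain data: here, how the frequency
    of the unmitigated (longest-duration) outcome moves with the assumed operator
    failure probability. Returns {operator PFD: unmitigated frequency per year}."""
    return {pfd: initiating_freq * auto_pfd * pfd for pfd in manual_pfds}


if __name__ == "__main__":
    # Constructed inputs for the example.
    auto_pfd = automatic_isolation_pfd(detector_pfd=0.01, logic_pfd=0.01,
                                       valve_pfd=0.05, n_valves=2)
    outcomes = event_tree(initiating_freq=1e-3, auto_pfd=auto_pfd, manual_pfd=0.1,
                          auto_time_min=2, manual_time_min=20, unmitigated_time_min=60)
    print(f"automatic isolation PFD = {auto_pfd:.5f}")
    for o in outcomes:
        flag = " (justify)" if needs_duration_justification(o) else ""
        print(f"{o.path:45s} {o.frequency:.3e}/yr  {o.duration_min:>4} min{flag}")
    for pfd, f in sensitivity_to_operator_pfd(1e-3, auto_pfd, [0.05, 0.1, 0.3]).items():
        print(f"operator PFD {pfd:<5} -> unmitigated release {f:.3e}/yr")
```

The three event-tree branches sum back to the initiating-event frequency, which is a quick consistency check an assessor can apply to any submitted event tree; the sensitivity table shows why the guidance asks for the operator-failure assumption to be justified when the unmitigated branch drives the conclusion.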

Selection of SCEs for ALARP Demonstration

4.8 Technical Criterion: The safety case shall describe how MHIs use risk assessment to identify the SCEs from the representative set of MASs for the purpose of ALARP demonstration.

Guidance: The risk assessment shall show which events are critical from a safety point of view, and this requires consideration of the likelihood and consequences of the various MASs.

The safety case shall identify SCEs and the basis for the choice of the identification. The following should be considered when identifying SCEs:

a) worst case scenarios in each frequency band; and
b) the most likely scenarios in each consequence band.

SCEs are those that dominate the contribution to risk at different distances and thus are key to identifying suitable control and protection measures for preventing MASs or limiting their consequences. However, the failure of these protection measures must also be considered in assessing whether the residual risks are ALARP or whether more needs to be done.

One way that MHIs could demonstrate how SCEs are selected from a representative set of MASs is to plot the scenarios onto a risk matrix. From the risk matrix, it is then straightforward to identify the SCEs such as worst case scenarios, high risk scenarios and other MASs of interest.

The risk matrix could also be used to inform the proportionality of the installation as a whole. MASs approaching or in the red or "uncomfortably high" zone are considered to be of higher proportionality and therefore the level of ALARP demonstration would be greater.
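Plotting the representative set onto a risk matrix and reading off the worst case in each frequency band and the most likely scenario in each consequence band, as 4.8 describes, is a mechanical step once each MAS has a frequency (4.7) and a fatality estimate (4.6). The following Python example is added for illustration and is not part of the guide. The scenarios, their frequencies and fatality counts are constructed; the consequence bands reuse the banding quoted in 4.6 (1-5, 5-20, 20-100); the frequency bands and the rule that colours a cell red are assumptions for the example, not values from the guide or the Revised QRA Guidelines.

```python
"""Risk-matrix screening of a representative set of MASs to pick SCEs (4.8).

Added illustration, not part of the guide. Scenario data are constructed;
frequency bands and the red-zone rule are assumptions for the example.
"""
import bisect
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float   # events per year, from the likelihood estimation (4.7)
    fatalities: int    # estimated on site plus off site, from the consequence assessment (4.6)


# Consequence bands follow the banding quoted in 4.6; a value on an edge goes
# into the higher band. Frequency bands are an assumption for this example.
CONSEQUENCE_EDGES = [1, 5, 20, 100]
CONSEQUENCE_LABELS = ["<1", "1-5", "5-20", "20-100", ">100"]
FREQUENCY_EDGES = [1e-6, 1e-5, 1e-4, 1e-3]
FREQUENCY_LABELS = ["<1e-6/yr", "1e-6 to 1e-5/yr", "1e-5 to 1e-4/yr",
                    "1e-4 to 1e-3/yr", ">1e-3/yr"]


def consequence_band(fatalities):
    return bisect.bisect_right(CONSEQUENCE_EDGES, fatalities)


def frequency_band(frequency):
    return bisect.bisect_right(FREQUENCY_EDGES, frequency)


def select_sces(scenarios):
    """Apply the two 4.8 selection rules and return the union, sorted by name."""
    worst_by_freq = {}   # frequency band -> scenario with the most fatalities
    likely_by_cons = {}  # consequence band -> scenario with the highest frequency
    for s in scenarios:
        fb, cb = frequency_band(s.frequency), consequence_band(s.fatalities)
        if fb not in worst_by_freq or s.fatalities > worst_by_freq[fb].fatalities:
            worst_by_freq[fb] = s
        if cb not in likely_by_cons or s.frequency > likely_by_cons[cb].frequency:
            likely_by_cons[cb] = s
    chosen = {s.name: s for s in list(worst_by_freq.values()) + list(likely_by_cons.values())}
    return sorted(chosen.values(), key=lambda s: s.name)


def in_red_zone(scenario, threshold=6):
    """Assumed matrix colouring: cell score = frequency band + consequence band;
    scores at or above the threshold form the red (uncomfortably high) zone that
    4.8 says calls for a greater level of ALARP demonstration."""
    return frequency_band(scenario.frequency) + consequence_band(scenario.fatalities) >= threshold


def matrix_cell(scenario):
    """Human-readable (frequency band, consequence band) cell for a scenario."""
    return (FREQUENCY_LABELS[frequency_band(scenario.frequency)],
            CONSEQUENCE_LABELS[consequence_band(scenario.fatalities)])


# Constructed representative set for the example.
SCENARIOS = [
    Scenario("Tank overfill, pool fire", 2e-4, 3),
    Scenario("Pipe rupture, toxic cloud", 5e-6, 40),
    Scenario("Flange leak, jet fire", 3e-3, 1),
    Scenario("Runaway reaction, vessel burst", 2e-5, 12),
    Scenario("Pressure vessel BLEVE", 8e-7, 150),
    Scenario("Pump seal leak, flash fire", 5e-3, 0),
    Scenario("Tanker hose failure, toxic release", 4e-4, 25),
]

if __name__ == "__main__":
    for s in select_sces(SCENARIOS):
        freq_label, cons_label = matrix_cell(s)
        zone = "RED" if in_red_zone(s) else "   "
        print(f"{zone} {s.name:36s} freq {freq_label:16s} consequence {cons_label}")
```

With the constructed data, six of the seven scenarios are selected: the tank overfill is neither the worst case in its frequency band nor the most likely in its consequence band, so it is screened out, while the tanker hose failure lands in the red zone and would carry the heaviest ALARP demonstration. An assessor can run the same two rules over an MHI's own matrix to check that no scenario the rules would select has been left off the SCE list.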


Chapter 5: Process Safety Aspects of Safety Case Assessment

1. Introduction

1.1. This guide is for MHD assessors completing the process safety assessment.

1.2. This chapter is linked to Chapter 5 of the Safety Case Technical Guide.

1.3. All process safety assessment must use the criteria and guidance set out in Appendix D Process Safety Assessment Criteria and Guidance.

2. The General Approach to Process Safety Assessment

2.1. MHD is looking for a demonstration that adequate safety has been taken into consideration in the design, construction, operation, maintenance and modification of any plant, storage facility, equipment and infrastructure connected with the installation's operation, which are linked to MAHs inside the installation.

2.2. For new projects, design standards shall address the ten key design issues in the safety case. For existing facilities, the key issues in design shall be considered for control measures implemented for SCEs.


Appendix D Process Safety Assessment Criteria and Guidance

Link with Predictive Criteria

5.1 Technical Criterion: The safety case shall show a clear link between the measures taken and the SCEs described.

Guidance: This is the core of the safety case from the technical point of view and provides the link between identification and analysis of hazards and the selection of measures.

This criterion can be regarded as a conclusion, and the MHD would first consider the criteria in Chapter 10 of the assessment guide.

To meet this criterion, the safety case shall:

a) identify the hazards and the SCEs (covered under Chapter 4 of the assessment guide);
b) describe the control measures and demonstrate clear links to the SCEs;
c) explain the decision criteria for selecting the necessary measures to ensure risks are ALARP for SCEs, i.e. the safety case demonstrates there are no further reasonably practicable measures the MHI could take; [MHD would assess this particular criterion in tandem with Chapter 10 of the assessment guide.] and
d) demonstrate adequate diversity and redundancy in the control measures (appropriate to the risk).

The findings of the hazard identification process shall be presented to demonstrate that mechanical equipment has been considered. There are two main functional categories:

a) Equipment containing dangerous substances which, on failure, has the potential to lead to a LOC. This could include, but is not limited to:
   - Pipework
   - Storage tanks
   - Pressure vessels
   - Rotating equipment
b) Items which play a role in the prevention or mitigation of MAHs. This could include, but is not limited to:
   - Relief valves
   - Cooling pumps
   - Emergency isolation valves
   - Non-return and check valves
   - Excess flow valves
   - Support structures (including jibs and cranes)
   - Secondary containment
   - Tertiary containment
   - Fire suppression systems

In addition, the safety case shall describe:

a) the link between the design stages and the associated hazard studies; and
b) how a suitable hierarchical approach (i.e. eliminate, prevent, mitigate) has been used and inherent safety designs have been introduced where reasonably practicable. [Applying inherent safety designs may be difficult for existing MHIs but is relevant to the design of new plants and major modifications. It is specifically addressed in 5.2.1.2 below.]

The Hazard Studies shall be:

a) sufficient to identify the hazards arising from the processes and the dangerous substances involved;
b) appropriate for the scale and nature of the hazards presented. Such studies could include HAZID, HAZOP, Fault Trees, FMEA, hazardous area classification, chemical reaction hazards assessment, SIL and LOPA assessments and, where appropriate, comparison with published standards;
c) carried out by competent personnel with relevant discipline representation; and
d) used correctly to inform decision making.


General Principles

5.2 Technical Criterion: The safety case shall demonstrate how the measures taken will prevent foreseeable failures which could lead to major accidents and limit their consequences.

Guidance: The safety case shall describe how the measures taken prevent foreseeable failures and limit their consequences. This criterion is effectively a summary of criteria 5.2.1.1 to 5.2.3; the MHD would come back to it when criteria 5.2.1.1 to 5.2.3 have been assessed, and then conclude:

a) whether all the assessed criteria have been met;
b) how significant the failure to meet one or more criteria is to the overall safety demonstration; in particular:
   - identifying any failure to follow appropriate standards, codes of practice and guidance; and
   - any deviations shall be fully justified by the MHI and the risks shall be ALARP;
c) the recommended actions for improving the safety case and suggested timescales; and
d) the recommendations for follow-up inspection and verification, their priority and timescale.

Use of Industry Codes and Standards

5.2.1.1 Technical Criterion: The safety case shall show that the installations have been designed to an appropriate standard.

Guidance: The MHD will be looking at the overall design strategy and the justification for the design selected, including the associated control measures.

To meet this criterion, the safety case shall:

a) give references to standards and codes of practice used as the basis for the design of the process and its application. These may be incorporated in the text or as a list;
b) show that where such standards and codes of practice have been revised or new standards created, these have been considered (e.g. by gap analysis) and incorporated into installations, where reasonably practicable, for barriers identified for SCEs;
c) show that global or company standards (where they are used) align with appropriate published standards and guidance. Where global or company standards are not aligned with published standards and guidance, MHIs shall justify how their own standards are appropriate and fit for purpose; and
d) identify where the design of equipment is not covered by published standards and codes and demonstrate that safety is not compromised.

[For common types of installation, reference to published standards or guidance within the safety case can be an effective way of showing that adequate measures have been taken.]

[For older plants in particular, the safety case shall describe what additional systems or control measures (if any) are in place to prevent an SCE or limit its consequence, to take account of plant built to standards that have since been superseded. The safety case shall also describe any additional systems or control measures that have been introduced as a result of long operational experience on site.]

Design Considerations

5.2.1.2 Technical Criterion: The safety case shall show that a hierarchical approach to the selection of measures has been used.

Guidance: The use of a hierarchical approach is mentioned in 5.1 and 5.2.1.5.

The three stage hierarchy, in order of priority, is:

a) Eliminate (inherent safety)
b) Prevent
c) Mitigate

For new and modified facilities, the safety case shall justify the quantity and type of dangerous substance on site by, for example, showing that appropriate consideration has been given to:

a) reducing inventories of dangerous substances on site;
b) use of alternative less hazardous substances;
c) use of inherently safer processes;
d) use of intensified processes (e.g. use of smaller volume continuous processes rather than large batch processes); and
e) other examples as provided in Chapter 5 Paragraph 148 of the Safety Case Technical Guide.

Existing MHIs shall be alert to the possibility of taking advantage of technical advances in their industry to improve safety.

The safety case shall also show that:

a) processes are designed to eliminate or prevent unsafe conditions occurring and that the principles of redundancy, diversity, separation and segregation have been applied;
b) priority is given to passive rather than active measures;
c) safety critical control measures have been identified and alternatives considered;
d) the behaviour of equipment on failure has been addressed, including events which may cause a fault and disable protective systems; and
e) performance standards (reliability, availability, accuracy, etc.) are adequate (linked to Criterion 5.3 below).

5.2.1.3 Technical Criterion: The safety case shall show that the layout of the plant limits the risk during operations, inspection, testing, maintenance, modification, repair and replacement.

Guidance: This criterion is particularly relevant during the QRA approval stage, where design of the layout of a plant can make a big contribution to reducing the likelihood and consequences of a major accident.

To meet this criterion, the safety case shall show that due attention has been given to ensuring safety in the design of the layout of the installation. In particular, it shall show how the layout prevents or reduces the development of MASs. Examples of how this might be achieved include the following:

a) Separation of facilities with MAHs or dangerous substances from the site boundary to reduce off-site risk, and to reduce risk to the plant from off-site causes such as fires;
b) Safe positioning of occupied buildings;
c) Separation between facilities with MAHs or dangerous substances and storage areas to limit the spread of fire and other domino effects;
d) Separation of facilities with MAHs or dangerous substances and processes from ignition sources, roadways or other activities which may impact on safety;
e) Low congestion of structures, equipment, plant or any other obstacle to gas flow that could aggravate the pressure effects resulting from the ignition of a release of a flammable substance;
f) Access for emergency services;
g) Adequate safety refuge or in-place protection (IPP) facilities during any toxic release, and adequate means of escape during other emergencies; and
h) Access for inspection, testing, maintenance and repair, at all times throughout the life of the plant.

The safety case shall contain the following relevant records, or equivalents, such as:

a) Maps of the site layout, identifying process and storage areas, occupied buildings, roadways, locations of dangerous substances;
b) Hazardous Area Classification (HAC) drawings showing the locations of flammable substances and the associated hazardous areas (see also 5.2.1.8);
c) Drainage diagrams, as appropriate to demonstrate routes to separators, etc.;
d) Location of gas detectors, fire and smoke detectors;
e) Loading and offloading facilities, delivery arrangements, particularly tanker movement; and
f) Vapour recycle and venting systems and emergency venting arrangements (see also 5.2.1.5).


5.2.1.4 Technical Criterion: The safety case shall show that utilities that are needed to implement any measure defined in the safety case have suitable reliability, availability and survivability.

Guidance: To meet this criterion, the safety case shall show:

a) that the role and significance of the utilities has been considered in design, construction, operation and maintenance to ensure that these utilities and facilities will be available when required;
b) that the effect of the loss of key utilities has been considered as part of a structured hazard identification and analysis process. This shall ensure that control systems and safety systems fail to a safe state and that the consequence of utilities failure does not act as a major accident initiator;
c) that the reliability of utilities for safe shutdown and emergency response has been determined and independent backup supplies provided where necessary; and
d) which utilities are essential for operation of key safety systems and their backup systems.

Further justification that the utilities are suitable may include reference to:

a) the routing of services;
b) physical protection (e.g. barriers and fireproofing);
c) the segregation of duplicated supplies;
d) the means of managing changed demands (e.g. during start-up and shutdown) and abnormal operation; and
e) the methodology adopted to allow continued availability of essential services while allowing maintenance activities or modifications to be carried out safely.

Utilities to be considered, as appropriate, include:

a) electrical power;
b) steam and condensate;
c) inerting gases (e.g. nitrogen);
d) compressed air;
e) vacuum systems;
f) cooling water;
g) process and service water;
h) fuel (e.g. oil, gas);
i) refrigeration; and
j) any other safety critical utility.

[Chapter 7 of the assessment guide will further assess the effect of loss of utilities on control systems.]

5.2.1.5 Technical Criterion: The safety case shall show that appropriate measures have been taken to prevent and effectively contain releases of dangerous substances.

Guidance: To meet this criterion, the safety case shall show the process by which dangerous substances could be accidentally released from containment and the measures which have been provided to prevent or minimise releases. The safety case shall demonstrate the suitability of measures to prevent or minimise releases. Such measures may include:

a) control measures used in the design to reduce potential sources of release, which include, for example, the location, number and type of joints (e.g. threaded and screwed joints, flanged joints, socket-welded joints). Any joints used shall be suitable for the intended purpose, considering the nature of the contained material, operating conditions and the degree of danger this represents;
b) design requirements for temporary arrangements, taking into account possible movement (e.g. flexible connections between fixed storage or piping systems and isotankers or vessels);
c) maintenance and inspection requirements addressed at the design stage; and
d) process design and control for exothermic reactions.

Details of the systems designed to control LOC and to manage unplanned releases shall be demonstrated, and these could include:

i. Primary Containment
All process, storage and any other equipment containing dangerous substances shall be designed to appropriate standards. Where there are deviations from standards, these shall be documented and justified to demonstrate an equal level of safety.

ii. Secondary and Tertiary Containment Measures
Where LOCs of a significant quantity of dangerous substances are foreseeable, the safety case shall describe the measures to limit the consequences. These measures include secondary and tertiary containment (e.g. bunding, interceptors, catchment pits, dump tanks, diversion walls or grading of the ground). The safety case shall also identify such measures and demonstrate the adequacy of the design and the capacity in relation to the maximum expected spill. The possibility of bund overtopping shall be taken into account.

iii. Venting Systems
The safety case shall describe and justify the design basis for any venting system, taking into account foreseeable hazards (including loss of utilities or the effects of fire) and the consequences of venting to the vicinity.

iv. Isolation Arrangements
The safety case shall describe and justify the emergency automatic and manual isolation arrangements to manage a release, including consideration of the time required to isolate. Appropriate performance standards for emergency isolation shall be stated and justified in the safety case.

[Isolation may also be necessary for maintenance, but the arrangements for this will be different from those required for emergency isolation, where speed of response and accessibility may be important.]

v. Other Prevention and Containment Measures
The safety case shall describe and justify the design basis for each of these measures, taking into account the foreseeable hazards.

[In the case of some situations involving explosives, it may be more appropriate to limit the effects of an explosion through reducing the containment or confinement of the explosive.]

vi. Detection of Releases
The safety case shall describe the measures to detect a LOC or other incident at an early stage. These measures include gas detection, level monitoring, loss of pressure, visual methods (e.g. operator rounds, cameras), etc.

5.2.1.6 Technical Criterion: The safety case shall show how the containment systems have been designed to withstand the loads experienced during normal operation of plant and all foreseeable operational extremes during its expected life.

Guidance: To meet this criterion, the safety case shall describe:

a) the normal operating conditions of the plant and any foreseen operational extremes such as external loads, ambient temperatures and the full range of process variations (e.g. normal operation, start-up and shutdown, turnaround, regeneration, process upset and emergencies);
b) how suitable safety margins are determined such that the safe working limits of the plant (pressures, temperatures, flow rates, liquid levels, etc.) are compatible with all expected operating extremes. Specific details shall be given where actual margins differ significantly from industry practice, and the safety implications arising from the variation shall be described and justified;
c) the provision of excursion relief (e.g. pressure and/or vacuum relief devices), where appropriate.

The safety case shall also demonstrate how foreseeable extreme conditions (e.g. during start-up, shutdown, process upsets) have been taken into consideration in the design of plant and equipment.

To assist in the demonstration of this criterion, a table or list detailing the following information for the major equipment items featuring in the SCEs selected could be included:

a) Expected minimum and maximum operating conditions (e.g. pressure and temperature) and design limits.
b) Set pressures for associated relief devices (PRVs, rupture discs, etc.), where appropriate.

5.2.1.7 Technical Criterion: The safety case shall describe how adequate control measures have been provided to protect the plant against excursions beyond design conditions.

Guidance: To meet this criterion, the safety case shall describe:

a) how margins shall be set so that, for foreseeable failures (e.g. equipment failure), appropriate corrective action can be taken before the safe operating limits are exceeded. The corrective action can be either automatic, manual, or a combination of both;
b) how MHIs monitor and ensure that plant and equipment continue to operate within the design envelope and defined safe operating limits (e.g. process control systems, alarms, trips);
c) how chemical reaction hazards are evaluated, and justify the sufficiency of the control measures to prevent runaway reactions, overpressure and LOC. This description shall include chemical manufacturing processes as designed, and also accidental mixing of incompatible chemicals on site and treatment of waste streams.

The safety case shall:
- give details of the physical parameters of possible conditions (i.e. flows, temperatures and pressures) with respect to excursions, runaway, worst-case scenarios, etc.;
- show that the design standards and other applied codes of practice are appropriate to the conditions under which the design must work;
- show that hazard identification has covered the possibility of beyond-design conditions; and
- show that accident history for a type of plant has been considered where relevant.

d) the emergency prevention and protection measures, and show that these are fit for purpose. These measures include:
- the safety-related controls and alarms designed to prevent or warn of excursion beyond safe operating limits and upon which the safety of the plant is based;
- the pressure relief and emergency venting arrangements. The method for the sizing of the pressure relief and emergency venting shall be specified;
- explosion relief;
- occupied building risk assessment (OBRA);
- interfaces with other measures designed to limit excursions beyond safe operating limits, such as:
  - shutting off feed streams;
  - shutting down of heat sources;
  - adding inhibitors to the reagent;
  - dump systems;
  - inerting;
  - flushing through of continuous processes;
  - application of process cooling;
  - operating vents;
  - shutdown of equipment; and
  - sprinklers or water deluge.
e) whether interventions are automatic or manual. The safety case shall show that the MHIs have examined the costs and benefits of automating the system and justified the suitability of the adopted approach.

[Where examples of procedures or operating instructions have been included in the safety case, the MHD will examine them to see if these procedures and instructions could be helpful in clarifying the process and the associated control measures.]
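As an added illustration of the equipment table that criteria 5.2.1.6 and 5.2.1.7 ask for (this script is not part of the assessment guide), the following Python check reads a constructed operating-envelope table and flags records where the alarm, trip, relief and design pressures are out of order, or where the alarm-to-trip margin does not leave the assumed response time for corrective action at the credible pressurisation rate. The tags, pressures, rates, response times and the margin rule are all constructed assumptions, not values or policy from the guide.

```python
"""Operating-envelope consistency check for a safety case equipment table.

Criteria 5.2.1.6 and 5.2.1.7 call for a table of expected operating
conditions, design limits and relief set pressures, plus evidence that
margins leave time for corrective action before safe operating limits are
exceeded. This is an added illustration, not part of the guide: the records
and the margin rule are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PressureEnvelope:
    tag: str
    min_operating: float   # barg, expected minimum operating pressure
    max_operating: float   # barg, expected maximum operating pressure
    high_alarm: float      # barg, operator alarm (manual corrective action)
    high_trip: float       # barg, automatic trip (safe operating limit)
    relief_set: float      # barg, PRV / rupture disc set pressure
    design: float          # barg, design pressure of the containment
    rise_rate: float       # bar/min, credible pressurisation rate on failure
    response_time: float   # min, assumed time for operator corrective action


def check_envelope(e: PressureEnvelope) -> List[str]:
    """Return the list of findings for one record (empty means consistent)."""
    findings: List[str] = []
    # Protective layers must be ordered: normal operation below the alarm, the
    # alarm below the trip, the trip at or below relief, and relief at or below
    # the design limit (5.2.1.6 b, 5.2.1.7 b and d).
    if e.min_operating > e.max_operating:
        findings.append("operating range inverted (min > max)")
    if e.max_operating >= e.high_alarm:
        findings.append("high alarm set within the normal operating range")
    if e.high_alarm >= e.high_trip:
        findings.append("alarm does not precede trip")
    if e.high_trip > e.relief_set:
        findings.append("relief would lift before the trip acts")
    if e.relief_set > e.design:
        findings.append("relief set pressure exceeds design pressure")
    # 5.2.1.7 a: the alarm-to-trip margin must cover the time needed for manual
    # corrective action at the credible pressurisation rate (assumed rule).
    needed = e.rise_rate * e.response_time
    available = e.high_trip - e.high_alarm
    if e.rise_rate > 0 and available < needed:
        findings.append(
            f"alarm-to-trip margin {available:.1f} bar gives "
            f"{available / e.rise_rate:.1f} min to act, but "
            f"{e.response_time:.1f} min is needed")
    return findings


def review_table(rows: List[PressureEnvelope]) -> Dict[str, List[str]]:
    """Map each tag to its findings; consistent tags map to an empty list."""
    return {row.tag: check_envelope(row) for row in rows}


# Constructed sample records (placeholder tags, illustrative numbers only).
SAMPLE_TABLE = [
    # Layers ordered and 1.0 bar alarm-to-trip margin covers 0.4 bar/min x 2 min.
    PressureEnvelope("V-101 (sample)", 2.0, 8.0, 9.0, 10.0, 11.0, 12.0, 0.4, 2.0),
    # Alarm only 0.5 bar below trip while pressure can rise 0.5 bar/min:
    # a 2 min response needs 1.0 bar of margin.
    PressureEnvelope("V-102 (sample)", 1.0, 6.0, 7.5, 8.0, 8.5, 9.0, 0.5, 2.0),
    # Relief set above design pressure, and margin too small for a 5 min response.
    PressureEnvelope("T-201 (sample)", 0.0, 3.0, 3.5, 4.0, 5.5, 5.0, 0.2, 5.0),
]

if __name__ == "__main__":
    for tag, findings in review_table(SAMPLE_TABLE).items():
        status = "consistent" if not findings else "; ".join(findings)
        print(f"{tag}: {status}")
```

Run as a script to list the findings per tag; an empty finding list means the record is internally consistent under the assumed rule, not that the margins are adequate in an absolute sense.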

5.2.1.8 Technical Criterion: The safety case shall show that there are systems for identifying locations where flammable substances could be present and how the equipment has been designed to take account of the risk.

Guidance: To meet this criterion, the safety case shall show:

a) that, as part of the risk assessment, MHIs must assess whether potentially hazardous areas (flammable and explosive atmospheres) are likely to form;
b) that all possible ignition sources (including electrostatic discharges) in areas where dangerous substances are present have been considered. As a minimum, the following forms of energy shall be included when considering potential ignition sources:
- heat (including the possibility of radio-frequency energy leakage from semiconductor equipment);
- electrical;
- mechanical; and
- chemical.
c) that a hazardous area classification (HAC) study has been carried out, and this shall be recorded in the form of drawings which:
- identify the hazardous areas and types (e.g. zone 0, 1, 2 or division 1, 2);
- show the extent of the zones in both plan and elevation (i.e. illustrate the 3D nature of the hazardous zone);
- are supplemented by text, where applicable, giving information about:
  (i) the dangerous substances that will be present;
  (ii) the work activities that have been considered;
  (iii) other assumptions made by the study;
- are considered whenever new equipment is to be introduced into a zoned area.
d) that the procedures and policies for identifying hazardous areas are based on established codes and standards;
e) that the procedures and policies for identifying hazardous areas are consistently applied;
f) that the HAC data is used in the selection and location of equipment and its maintenance, and in considering plant and process changes;
g) that the location and likelihood of potential sources of ignition in relation to LOC events and MASs have been considered. The MAH risk assessment may indicate that further risk reduction measures are required, such as removal of ignition sources or provision of protected electrical equipment in other areas (e.g. closure of adjacent roadways during tanker loading and offloading, provision of protected lighting).

Operation

5.2.2 Technical Criterion: The safety case shall show that safe operating procedures have been established and are documented for all reasonably foreseeable conditions.

Guidance: The safety case shall describe how documented operating procedures assure that mechanical plant and equipment are always operated within safe limits (e.g. procedures shall prevent damage to plant or components from occurring during operational extremes such as start-up and shutdown).

[Process control systems (where installed) are covered under criterion 5.2.1.6 above.]

Modification and Decommissioning

5.2.3 Technical Criterion: The safety case shall describe the system in place for ensuring modifications are adequately designed, installed and tested.

Guidance: Failure to properly manage change is a common cause of accidents.

To meet this criterion, the safety case shall describe:

a) the system for dealing with changes, updates or modifications to:
- plant and equipment;
- process parameters such as temperature and pressure;
- operating procedures and documentation;
- raw material specifications, suppliers, etc.
b) the management systems for change as described under SS 506: Part 3 (Management of Change). The management of change procedure shall also include:
- the criteria for determining when a process change is sufficient to go through a formal management of change process;
- whether a process change needs a formal hazard study or risk assessment;
- whether the hierarchical approach is used where practicable in relation to process modifications and changes;
- the competence and independence of the team or individuals involved in the decision making;
- the arrangements for temporary modifications, which shall be identified together with procedures for reinstatement as appropriate. MHIs shall also identify how risk is assessed and decisions are made on temporary modifications;
- the method for ensuring that the modification is installed as specified in the change proposal (e.g. pre-start-up safety review).

Performance Standards and Indicators

5.3 Technical Criterion: The safety case shall show that performance standards and indicators (including safety indicators covered under SS 506: Part 3) are implemented to provide ongoing assurance that key systems relevant to major accidents are under control.

Guidance: A performance standard is the acceptable level of response or the required performance for a control to be considered effective in managing the risk. Standards may include both the current required level of performance and also a target level to be achieved within a specified time frame.

To meet this criterion, the safety case shall show that:

a) performance indicators and related performance standards enable MHIs to:
- measure, monitor and test the effectiveness of each control measure;
- take corrective action based on failure to meet the performance standard; and
- generate performance management reports on the integrity of the MHI's control measures and how well they are being managed.
b) there are performance indicators to measure not only how well the control measures are performing, but also how well the management system is monitoring and maintaining them.

Chapter 6: Mechanical Engineering Aspects of Safety Case Assessment

1. Introduction

1.1. This guide is for MHD assessors completing the mechanical engineering assessment.

1.2. This chapter is linked to Chapter 5 of the Safety Case Technical Guide.

1.3. All mechanical engineering assessment must use the criteria and guidance set out in Appendix E, Mechanical Engineering Assessment Criteria and Guidance.

2. The General Approach to Mechanical Assessment

2.1. MHD is looking for a demonstration that adequate safety has been taken into account in the design, construction, operation, maintenance and modification of any plant, storage facility, equipment and infrastructure connected with the installation's operation, which are linked to MAHs inside the installation.

2.2. In relation to any installation, and equipment and infrastructure connected with its operation, which are linked to MAHs within the installation, the MHD assessor is looking for:

a) Adequate Initial Mechanical Integrity

Demonstrated by:
(i) adherence to suitable design principles, often embodied in international codes and standards; and
(ii) suitable controls on manufacturing and construction for the delivery of design intent.

b) Adequate Continuing Mechanical Integrity

Demonstrated by:
(i) suitable procedures and hardware controls (e.g. trips, relief devices) to ensure that the facilities are operated within the limits for which they were designed;
(ii) appropriate maintenance and periodic examination regimes; and
(iii) suitable procedures to ensure modifications to facilities will not compromise mechanical integrity.

2.3. For new projects, the design standard shall address the ten key design issues (see Safety Case Technical Guide 5.3.2.2) in the safety case. For existing facilities, the key issues in design shall be considered for control measures implemented for SCEs.

a) Design Criteria
(i) Design and construction to an appropriate standard;
(ii) Identification of direct causes of LOC (e.g. corrosion, erosion, vibration);
(iii) Mechanical measures to prevent LOC;
(iv) Suitable materials of construction; and
(v) Selection and design of mechanical equipment for use in hazardous classified areas.

b) Construction Criteria
(i) Construction against appropriate standards;
(ii) Controls over manufacture (e.g. welding procedures and welder competency);
(iii) Inspection and testing of initial integrity (e.g. non-destructive testing (NDT) requirements embodied in design and construction standards);
(iv) Management of design changes during construction, including mechanical integrity assessment.

c) In-Service Criteria
(i) Assuring mechanical facilities are always operated within safe limits;
(ii) Management of change to ensure that mechanical integrity is not compromised by equipment, process, or operating and maintenance system changes.

d) Maintenance and Inspection Criteria
(i) Prioritisation of safety-critical equipment;
(ii) The specified design basis for major equipment items and how the impact of the selected design (e.g. pressure and temperature rating, material, corrosion allowance) on inspection, testing and maintenance requirements is assessed;
(iii) Appropriate maintenance or inspection regimes and philosophies, including procedures for periodic review;
(iv) Identified degradation (damage or deterioration) mechanisms;
(v) Procedures for identifying ageing and determining the condition of mechanical facilities (e.g. from comprehensive inspection or maintenance history, measured corrosion rates, operational performance);
(vi) Assessment procedures or justifications required prior to operating facilities beyond their expected life (rather than repairing or replacing on breakdown). Requirements for increased inspection (to inform the assessment or to monitor the ongoing condition of plant) shall also be described, where appropriate;
(vii) Any requirement for fitness-for-service or remnant life assessment techniques (e.g. API 579-1/ASME FFS-1) to be employed, to enable major equipment items to be returned to service following inspection;
(viii) Competence of maintenance and inspection personnel;
(ix) Analysis of maintenance and inspection findings by a competent person;
(x) Performance monitoring of integrity assurance systems.

Appendix E Mechanical Engineering Assessment Criteria and Guidance

Technical Criterion | Guidance

General Principles

6.1 Technical Criterion: The safety case shall demonstrate how the measures taken will prevent foreseeable failures which could lead to major accidents and limit their consequences.

Guidance: This is effectively a summary of criteria 6.1.1.1 to 6.1.4.

MHD would come back to this when criteria 6.1.1.1 to 6.1.4 have been assessed, and then conclude:

a) whether all the assessed criteria have been met;
b) how significant the failure to meet one or more criteria is to the overall safety justification;
c) the recommended actions for improving the safety case and suggested timescales; and
d) the recommendations for follow-up inspection and verification, their priority and timescale.

Use of Industry Codes and Standards

6.1.1.1 Technical Criterion: The safety case shall show that the installations have been designed to an appropriate standard. The safety case shall also show how the installations have been constructed to appropriate standards to prevent major accidents and reduce LOC.

Guidance: This criterion applies to all major vessels, pipework, rotating equipment (e.g. pumps, compressors) and structures (e.g. pipe racks) relevant to MASs.

The safety case shall describe adequate initial integrity of facilities by:

a) reference to design codes and standards (including justification of any deviations or exceptions adopted) according to the hierarchy of preference:
(i) Singapore Standard;
(ii) Commonly used international standards (e.g. EN, BS, API, ISO, IEC);
(iii) Other national standards (e.g. GB, DIN, JIS);
(iv) Industry standards;
(v) Company standards.
b) reference to principal design parameters (e.g. design pressure and/or temperature) and construction as per applicable standards and codes.

Where in-house design codes and standards have been adopted, the safety case shall demonstrate:

a) their relevance; and
b) how the company has validated them.

Where no standards have been used, the safety case shall:

a) demonstrate how fitness for purpose of such facilities is assured; and
b) include a description of design reviews conducted (e.g. where novel designs are employed).

A table or list detailing the design codes, standards and principal design parameters for the equipment featuring in the representative MASs selected could be provided in the report to assist the demonstration.

In assessing the demonstration that the mechanical design has been considered and the risk reduced to ALARP, the MHD shall consider the applicability of codes and standards in each case and adopt an approach proportionate to the overall risk.

In addition, the safety case shall also:

a) show that construction of plant and associated equipment is managed to ensure that it is built in accordance with the design intent;
b) show, wherever available, that the manufacture and construction of facilities have employed appropriate materials and construction methods;
c) show that construction work has been carried out by suitable personnel in accordance with appropriate procedures;
d) provide evidence on the adequacy of procedures adopted if codes or standards have not been used or do not exist; and
e) describe the arrangements for controlling and recording changes to the original design made during construction. Any deviations from the original that may affect safety shall be identified, and the effect on safety demonstrated to be acceptable.

[Information in the safety case shall show that the construction of the plant, including deviations from the original design, has been documented to give an assurance of conformity.]

[For common types of installation, reference to published standards or guidance within the safety case can be an effective way of showing that adequate measures have been taken.]

[For older plants in particular, the safety case shall describe any additional systems or control measures that are in place to prevent an SCE or limit its consequence, to take account of plant built to standards that have since been superseded. The safety case shall also describe any additional systems or control measures that have been introduced as a result of long operational experience on site.]

Design Considerations

6.1.1.2 Technical Criterion: The safety case shall show that the layout of the plant limits the risk during operations, inspection, testing, maintenance, modification, repair and replacement.

Guidance: This criterion is particularly relevant during the QRA approval stage, where the design of the layout of a plant can make a big contribution to reducing the likelihood and consequences of a major accident.

To assist demonstration of this criterion, the safety case shall discuss how the following were considered, where applicable, during design of the plant layout:

a) Access requirements for periodic maintenance and inspection;
b) Lifting provision (i.e. requirements to facilitate the removal of equipment for periodic maintenance or replacement);
c) Construction and maintenance activities (e.g. to minimise the risks from dropped objects, eliminating the need to lift over live plant as far as possible).

[MHD will assess the as-built layout plans against previously submitted design layout plans for any significant deviations. Justifications shall be provided to demonstrate that any significant deviation made does not result in additional risk. MHIs shall demonstrate that additional risk, if any, has been mitigated.]

6.1.1.3 Technical Criterion: The safety case shall show that utilities that are needed to implement any measure defined in the safety case shall have suitable reliability, availability and survivability.

Guidance: The safety case shall describe the likely impact of utility failure on safety-critical mechanical equipment (e.g. the primary containment system).

Content provided in the safety case to assist demonstration could include:

a) the design standards for equipment incorporated within safety-critical utility supplies;
b) details of the monitoring, testing, maintenance and inspection regimes employed for equipment incorporated within safety-critical utilities, including backup systems.

6.1.1.4 Technical Criterion: The safety case shall show that appropriate measures have been taken to prevent and effectively contain releases of dangerous substances.

Guidance: The safety case shall describe:

a) the mechanical measures in place to prevent and contain releases;
b) the integrity (i.e. function, reliability) of such measures; and
c) the availability of emergency systems (i.e. in the event of a fire or major accident).

Content provided in the safety case to assist demonstration could include discussion of the integrity of mechanical measures such as:

- emergency shutdown valves, including fire-safe valve seating arrangements and discussion on performance standards, where applicable;
- manually operated isolations in safety-critical duty;
- excess flow valves and non-return valves;
- rotating equipment (e.g. protection from reverse rotation and overspeed, cavitation, dry running, dead-head conditions, seal failure);
- joints (e.g. suitability for intended duty of flanged and screwed joints, couplings);
- bellows and flexible joints;
- temporary repairs (e.g. clamps, wraps);
- dry-break couplings;
- secondary containment.

6.1.1.5 Technical Criterion: The safety case shall show that all foreseeable direct causes of major accidents have been taken into account in the design of the installation.

Guidance: The safety case shall describe how the following direct causes of LOC, where applicable, have been considered in the design of the installation and the selection of measures:

a) Corrosion (internal and external):
- Variations in process conditions have been considered: the equipment design and materials of construction shall accommodate foreseeable changes to the process conditions, such as variations in temperature and corrosive species (e.g. during cleaning).
- Consideration of inspection requirements during design (e.g. to facilitate the detection and monitoring of corrosion under insulation).
- The potential for corrosion has been eliminated or reduced (e.g. dead legs have been removed, buried lines minimised).
- Corrosion is prevented or controlled by other means, such as cathodic protection and/or the use of coating systems.
- Corrosion is managed in other ways, such as employing corrosion allowances.
b) Erosion:
Consideration shall be given to the effect of solids, abrasion, phase changes and cavitation.
c) External Loading:
Consideration shall be given to the suitability of facilities to survive anticipated loadings from external sources, such as wind and rain, as well as process and dynamic loadings. The construction phase shall also be considered in addition to normal operation.
d) Impact:
- During operation (e.g. isotanker or forklift truck impact).
- During construction and maintenance activities (e.g. from swinging loads, dropped objects).
- On buildings from blast loadings.
e) Pressure:
- The installations are protected from the effects of excessive pressure and vacuum.
- Pressure fluctuations are recognised as inducing fatigue failures.
f) Temperature:
- High temperatures are accommodated in the design (e.g. creep resistance) and protective systems are in place to prevent damage from excessive temperature.
- Low temperature effects are avoided or controlled (e.g. brittle failure, freezing effects).
- Temperature fluctuations are recognised as inducing fatigue failures (i.e. thermal fatigue).
g) Vibration:
- Consideration of both machine-induced and process-induced vibration (e.g. high and low frequency, water hammer).
- Show elimination by design, prevention or control of vibration where possible.
- Vibration-induced fatigue is recognised (e.g. provision of suitable supports for small-bore connections).
h) Inappropriate Equipment and Material:
Controls exist for the specification and supply of safety-critical equipment and spares.
i) Defective Equipment:
Identification and monitoring of pre-existing flaws introduced during design and construction.

It is unacceptable for the safety case to have no explanation of how foreseeable direct causes of LOC have been taken into account in the design of the installation.

6.1.1.6 Technical Criterion: The safety case shall show that materials of construction used in the plant are suitable for the application.

Guidance: The safety case shall describe:

a) the approach taken for selection of materials, demonstrating that materials of construction are suitable based on the substances being handled, expected process conditions (e.g. temperature, flow) and external environment conditions;
- MHIs' or personnel experience of material performance may inform the selection process but should not be solely relied on. Additional assurance (e.g. worldwide performance data) shall be obtained for safety-critical applications.
- More expensive materials of construction (e.g. stainless steel or Hastelloy) are not universally better or more appropriate for aggressive environments. Justification of their suitability for the intended use shall still be made.
b) how effects of impurities on the containment materials have been taken into consideration, based on impurities likely to be present under normal and abnormal conditions;
c) Positive Material Identification (PMI) procedures for materials of construction where uncontrolled variations would be critical (e.g. certain high-hazard applications in refining); and
d) material of construction and coating system selection processes for facilities operating in corrosive environments.

Example(s) detailing and justifying the materials of construction selected for particular major plant items (subject to aggressive operating environments, where appropriate) could be included in the safety case to assist the demonstration.

6.1.1.7 Technical Criterion: The safety case shall show that there are systems for identifying locations where flammable substances could be present and how the equipment has been designed to take account of the risk.

Guidance: The safety case shall demonstrate that:

a) where mechanical equipment is to be used in potentially explosive and/or flammable atmospheres, the equipment selected is designed to be safe in hazardous areas;
b) suitable international standards have been employed to identify potential ignition sources from mechanical equipment, including:
- heat energy (e.g. hot surfaces, hot work such as welding spatter, heating installations); and
- mechanical energy from overheating or friction due to rotating equipment, impact, grinding, adiabatic compression and shock waves, etc.
c) suitable inspection, testing, cleaning and maintenance regimes have been implemented to minimise the presence of flammable substances and ignition sources occurring as a result of, for example, overheating or fault conditions.

Construction

6.1.2 Technical Criterion: The safety case shall show how construction of all facilities is assessed and verified against the appropriate standards to ensure adequate safety.

Guidance: The safety case shall demonstrate that initial inspection, testing and commissioning of the plant has been documented and the information is retrievable (particularly for equipment forming the primary containment boundary).

Where the above information is not available (e.g. for older, existing or second-hand MHIs), the safety case shall describe how major accidents are prevented or how plant integrity is demonstrated, by discussing for example:

a) For older plant: inspection history;
b) For second-hand plant: post-installation baseline inspection data obtained;
c) operating restrictions applied, where appropriate.

Maintenance

6.1.3.1 Technical Criterion: The safety case shall show that an appropriate maintenance regime is established for plant and systems to prevent major accidents or reduce the LOC in the event of such accidents.

Guidance: The safety case shall describe:

a) the maintenance administration system, with relevant job descriptions, roles and responsibilities. A department organisation chart such as an organogram could be used to demonstrate this, if appropriate;
b) the maintenance regime adopted for equipment of high safety concern (i.e. evidence of a suitable planned and preventative maintenance regime);
c) systems for periodically reviewing the suitability of the maintenance regime adopted for equipment of high safety concern (e.g. based on findings and/or failure history);
d) the maintenance philosophy adopted for mechanical facilities (e.g. time-, condition- and/or reliability-based); and
e) systems for prioritising maintenance activities (particularly in relation to safety-critical equipment).

Content provided in the safety case to assist demonstration could include:

a) an overview of competency requirements of the personnel completing key mechanical maintenance activities relating to MASs on site (e.g. company employees, external specialist contractors);
b) example(s) of safety-critical maintenance activities completed on mechanical equipment (e.g. bench testing of pressure relief devices); and
c) examples illustrating the performance monitoring procedures applicable to the maintenance system (e.g. process safety performance indicators), including confirmation that data is periodically reviewed by senior management.

6.1.3.2 Technical Criterion: The safety case shall show that there are appropriate procedures for maintenance that take account of any hazardous conditions within the working environment.

Guidance: The safety case shall include:

a) an overview of the mechanical isolation practices adopted on site prior to completing intrusive activities on equipment; and

[MHD will focus on potential MAHs. Concerns relating to particular hazardous activities may be addressed within the intervention plan.]

b) a description of how the mechanical isolation procedures fit into the overall maintenance management procedures (e.g. permit-to-work system) adopted on site.

6.1.3.3 The safety case shall show that systems are in place to ensure that safety critical equipment and systems are examined at appropriate intervals by a competent person. The safety case shall also show that there is a system in place to ensure the continued safety of the installations based on the results of periodic examinations and maintenance.

Guidance: This criterion is concerned with the in-service integrity of safety critical equipment and statutory equipment.

[The safety case shall include a demonstration that suitable inspection regimes are in place and that the required pre-checks have been completed by a competent person.]

The safety case shall describe:

a) the periodic in-service examination regimes adopted;
b) the procedures for analysing inspection findings and confirming that the relevant equipment is endorsed for a period of operating service before the next examination is required. The role of external accredited organisations shall also be described, where employed; and
c) how inspection regimes are reviewed to ensure that they remain suitable and relevant. Typical contents of an inspection regime for the relevant equipment include:
(i) identification of the equipment and machinery within the MHI;
(ii) those parts of the system which are to be examined;
(iii) the nature of the examination required, including the inspection and testing to be carried out on any protective devices;
(iv) where appropriate, the nature of any examination needed before the system is first used;
(v) the maximum interval between examinations;
(vi) the critical parts of the system which, if modified or repaired, should be examined by a competent person before the system is used again;
(vii) the name and position, where applicable, of the competent person approving the inspection regime; and
(viii) the date of the inspection.

Content provided in the safety case to assist demonstration could include:

a) systems for the prioritisation of safety critical systems;
b) independence and competence of inspection staff;
c) justification of inspection scope and frequencies by reference to relevant industry standards, where appropriate, and to analysis of inspection findings; and
d) appropriate systems for managing follow-up actions resulting from periodic inspection.

Where Risk Based Inspection (RBI) is employed, the safety case shall show:

a) that the RBI assessment team has the experience and knowledge required for a suitable and sufficient analysis;
b) that a thorough and systematic process is employed for identifying all relevant damage mechanisms and their likely locations, including reference to relevant industry guidance, where appropriate; and
c) that a suitably cautious approach is taken to changes in inspection frequency indicated by the RBI process, with the competent person involved in any modification to the inspection regime.

[The approach to integrity management adopted shall reflect the complexity of the plant and the potential severity of the consequences of failure.]

Modification and Decommissioning

6.1.4 The safety case shall describe the system in place for ensuring modifications are adequately designed, installed and tested.

Guidance: For new or major plant modification projects, the safety case shall describe the system in place for identifying and managing modifications during the design and construction phases.

[The above process may be implemented by the principal design and/or construction contractor and may differ from the change management procedure ultimately adopted by the MHI following project handover.]

In addition, the safety case shall demonstrate:

a) how the MHI's modification procedure covers changes to existing facilities;
b) how the potential impact of new equipment on existing systems is assessed;
c) the technical approval processes for proposed modifications (e.g. demonstrations that the concept has been properly addressed for mechanical integrity);
d) the pre-startup safety review used to confirm that the construction and equipment are in accordance with specifications; and
e) procedures for integrating new facilities within existing integrity management arrangements.

[Where arrangements exist for temporary modifications, they shall be identified in the safety case, together with procedures for reinstatement as appropriate. MHIs shall identify how risk is assessed and decisions are made for temporary modifications.]

For decommissioning or mothballing projects, the safety case shall describe:

a) the system in place for identifying decommissioned or mothballed facilities; and
b) the arrangements in place to ensure that the removal or mothballing of such facilities does not lead to an increased risk associated with the use of the remaining facilities.

Performance Standards and Indicators

6.2 The safety case shall show that performance standards and indicators (including the safety indicators covered under SS 506: Part 3) are implemented to provide ongoing assurance that key systems relevant to major accidents are under control.

Guidance: A performance standard is the acceptable level of response, or the required performance, for a control to be considered effective in managing the risk. Standards may include both the current required level of performance and a target level to be achieved within a specified time frame.

To meet this criterion, the safety case shall show that:

a) performance indicators and related performance standards enable the MHI to:
- measure, monitor and test the effectiveness of each control measure;
- take corrective action based on failure to meet the performance standard; and
- generate performance management reports on the integrity of the MHI's control measures and how well they are being managed.
b) there are performance indicators to measure not only how well the control measures are performing, but also how well the management system is monitoring and maintaining them.

Chapter 7: Electrical, Control & Instrumentation Aspects of Safety Case Assessment

1. Introduction

1.1. This guide is for MHD assessors completing the electrical, control and instrumentation (EC&I) assessment.

1.2. This chapter is linked to Chapter 5 of the Safety Case Technical Guide.

1.3. All EC&I assessment must use the criteria and guidance set out in Appendix F Electrical, Control & Instrumentation Assessment Criteria and Guidance.

2. The General Approach to EC&I Assessment

2.1. MHD is looking for a demonstration that adequate safety measures have been taken into account in the design, construction, operation, maintenance and modification of any plant, storage facility, equipment and infrastructure connected with the installation's operation which are linked to MAHs inside the installation.

2.2. For the assessment of EC&I, the MHD will cover three priority topics:

a) Functional safety;
b) Explosive and/or flammable atmospheres; and
c) Electrical power systems.

Functional Safety

2.3. Functional safety is concerned with the management, design, installation, operation, maintenance and modification of instrumented process safety systems that reduce the risk of a major accident. Such systems include:

- process control systems;
- safety instrumented systems;
- alarm systems.

Explosive and/or Flammable Atmospheres

2.4. In the context of EC&I inspection, explosive and/or flammable atmospheres are concerned with the management, design, installation, operation, maintenance and modification of systems that reduce the risk of electrical sources of ignition arising from:

- electrical and instrumentation equipment;
- lightning;
- static;

and the mitigation of releases using:

- flammable gas detection;
- fire detection.

Electrical Power Systems

2.5. In the context of MAHs, electrical power systems are concerned with:

a) the management, design, installation, operation, maintenance and modification of electrical power systems so that they provide the reliability and availability necessary to prevent or mitigate major accidents and prevent danger to personnel; and
b) the initiation of major accidents by electrical equipment through fire and explosion.

2.6. MHD is also looking for an adequate description of the following aspects of the safety and health management system, so far as they apply to the EC&I discipline:

a) structure, responsibility and authority;
b) operational control;
c) management of change; and
d) performance standards and indicators.

Appendix F Electrical, Control & Instrumentation Assessment Criteria and Guidance

(Each technical criterion below is followed by the guidance the assessor applies to it.)

Link with Predictive Criteria (Chapter 4)

7.1 The safety case shall show a clear link between the measures taken and the SCEs described.

Guidance: To meet this criterion, the safety case shall describe:

a) how necessary instrumented safety functions are identified for SCEs;
b) how the required integrity of instrumented safety functions is determined and, if relevant, the competency of the team determining the SIL levels;
c) how, in general terms, other EC&I measures such as fire and gas detection systems are applied to MASs (e.g. by reference to process risk assessments).

Content provided in the safety case to assist demonstration could include:

a) a sample SIL determination record (e.g. LOPA or risk graph output).

Use of Industry Codes and Standards

7.1.1.1 The safety case shall show that the installations have been designed to an appropriate standard.

Guidance: To meet this criterion, the safety case shall describe the general approach to the application of EC&I design standards, for example:

a) Singapore Standards;
b) commonly used international standards (e.g. EN, BS, API, ISO, IEC);
c) other national standards (e.g. GB, DIN, JIS);
d) industry standards;
e) company standards, and how it has been established that they align with relevant good practice.

[For common types of installation, reference to published standards or guidance within the safety case can be an effective way of showing that adequate measures have been taken.]

[For older plants in particular, the safety case shall describe any additional systems or control measures that are in place to prevent an SCE or limit its consequences, to take account of plant built to standards that have since been superseded. The safety case shall also describe any additional systems or control measures that have been introduced as a result of long operational experience on site.]

Design Considerations

7.1.1.2 The safety case shall show that utilities that are needed to implement any measure defined in the safety case have suitable reliability, availability and survivability.

Guidance: To meet this criterion, the safety case shall describe how electrical and instrument air supplies (and any other fluid used to provide motive force to instrumentation and control, such as nitrogen) have been designed to have suitable reliability, availability and survivability, including:

a) the standards applied to the design of supplies;
b) the sources of supply;
c) the supplies that are essential for the operation of safety systems;
d) the integrity requirements for supplies;
e) any instrumentation employed to maintain the integrity of supplies (e.g. level alarms on cooling water vessels);
f) the use of diverse and/or backup supplies;
g) how partial and total loss of supplies has been considered (e.g. as part of a structured hazard identification and analysis process);
h) the effect of the partial and total loss of supplies;
i) the means of ensuring that the power supply to human-operated control systems survives during a major accident, such as an uninterruptible power supply (UPS);
j) that UPS systems support all necessary instrumentation and equipment to address emergency situations:
(i) control room interfaces; Supervisory Control and Data Acquisition (SCADA) systems; local panels;
(ii) level monitoring and gauging equipment;
(iii) process alarms; site-wide evacuation alarms;
(iv) radio base stations; landline communication systems;
(v) other remotely operated shutdown equipment.
k) how it has been determined that electrical distribution equipment is not overstressed;
l) the standards applied to the design of electrical power system earthing;
m) how the ignition risk from excessive stress voltages in LV (low voltage) distribution systems is managed;
n) how high energy electrical equipment that poses a risk to major hazard plant has been identified and managed.

Content provided in the safety case to assist demonstration could include:

a) a sample of a current electrical single line diagram demonstrating diversity and/or redundancy of electrical supply;
b) a sample fault energy level calculation for a typical HV (high voltage) and a typical LV switchboard;
c) a sample protection coordination study for a typical HV and a typical LV substation and switchroom showing that adequate selectivity and protection has been achieved.

7.1.1.3 The safety case shall describe how adequate control measures have been provided to protect the plant against excursions beyond design conditions.

Guidance: To meet this criterion, the safety case shall describe:

a) the overall process control strategy, for example:
- automatic control;
- manual control;
- automatic safety systems;
- alarm and operator action.
b) the types of installed control and safety systems, for example:
- distributed control systems;
- panel mounted controllers;
- standalone control systems such as burner management systems (BMS);
- Programmable Logic Controller (PLC) based packaged units;
- safety PLCs;
- individual hardwired instrument safety loops;
- alarm annunciators.
c) how independence and separation between control and safety systems has been achieved;
d) the system for determining, recording and reviewing safe operating limits and how these relate to control, alarm and trip settings;
e) how control and safety system settings are reviewed based on operating history, accounting for any modifications; and
f) the standards applied to alarm management.

7.1.1.4 The safety case shall show how safety related control systems have been designed to ensure safety and reliability.

Guidance: To meet this criterion, the safety case shall describe:

a) the standards applied to the design of instrumented safety systems, including:
(i) process safety systems;
(ii) machinery safety systems (e.g. where machines are used in the manufacture of chemicals or explosives);
b) the general approach to functional safety management;
c) how it has been assured that persons involved in the design of safety instrumented systems (SIS) are competent to carry out the activities for which they are accountable;
d) how current relevant good practice (e.g. IEC 61511) has been applied, as far as reasonably practicable, to systems designed before its publication;
e) how instrumented safety systems with a required integrity of less than SIL 1 are managed;
f) the design of alarm systems, including how the reliability of the operator is taken into account; and
g) the extent to which fire and gas detection systems are used to initiate executive action (e.g. deluge systems, inerting systems, automatic dump systems).

Content provided in the safety case to assist demonstration could include:

a) a sample safety requirements specification (SRS);
b) a sample SIL assessment record (e.g. PFD calculation and fault tolerance assessment);
c) a sample record of competence for an individual involved in the design of SIS or in the review of SIS against relevant good practice.

7.1.1.5 The safety case shall show that there are systems for identifying locations where flammable substances could be present and how the equipment has been designed to take account of the risk.

Guidance: To meet this criterion, the safety case shall describe:

a) the standards applied to:
- the design and selection of explosion protected (Ex) equipment;
- the design of lightning protection systems;
- the management of hazards due to static electricity;
- the management of cathodic protection in explosive and/or flammable atmospheres;
- the management of lift trucks in potentially flammable atmospheres.
b) how the requirements for lightning protection and surge suppression systems were established, wherever relevant;
c) in overview, the installed lightning protection and surge suppression systems, including lightning protection levels where relevant; and
d) how it has been assured that competent persons are involved in the selection and installation of equipment and protective systems designed to be safe in explosive and/or flammable atmospheres.

Construction

7.1.2 The safety case shall show how construction of all plant and systems is assessed and verified against the appropriate standards to ensure adequate safety.

Guidance: To meet this criterion, the safety case shall describe the standards applied to the construction verification of:

a) safety instrumented systems (SIS);
b) explosion protected (Ex) equipment;
c) electrical power systems; and
d) the process for ensuring that the EC&I equipment and systems are verified against the appropriate standards to ensure adequate safety prior to the MAHs being present.

Content provided in the safety case to assist demonstration could include:

a) a sample functional safety assessment;
b) a sample Ex inspection record;
c) a record of competence (e.g. certificate of core competence) of the persons who carried out the initial inspections;
d) a sample industrial LV fixed installation inspection and test (verification) record.

Operation

7.1.3 The safety case shall show that safe operating procedures have been established and are documented for all reasonably foreseeable conditions.

Guidance: To meet this criterion, the safety case shall describe:

a) the control of operation of electrical switchgear, including the control of switching by subcontractors and distribution network operators; and
b) the procedure for identifying, reporting and investigating the failure of EC&I protective measures against major accidents.

Content provided in the safety case to assist demonstration could include:

a) a sample record of authorisation for person(s) authorised to operate electrical LV, HV and generation systems.

Maintenance

7.1.4.1 The safety case shall show that an appropriate maintenance regime is established for plant and systems to prevent major accidents or reduce the LOC in the event of such accidents.

Guidance: To meet this criterion, the safety case shall describe:

a) the MHI's maintenance management system, including:
- how scheduled work is planned and prioritised;
- how repair work (e.g. defects) is prioritised.
b) the location and structure of the MHI's EC&I safety critical element inventories (e.g. Ex equipment, temperature and pressure sensors, PLCs, emergency block valves, SIS, electrical supplies);
c) the strategy and methodology for monitoring and controlling the condition of the equipment;
d) the strategy for managing obsolescent EC&I equipment;
e) the standards applied to the maintenance and proof testing of SIS;
f) how the maintenance and testing of SIS is managed;
g) the standards applied to the maintenance and inspection of equipment in explosive and/or flammable atmospheres, including fixed and mobile equipment;
h) how the maintenance and inspection of equipment in explosive and/or flammable atmospheres, including fixed and mobile equipment, is managed;
i) the standards applied to the maintenance and inspection of electrical power systems;
j) how the maintenance and inspection of electrical power systems is managed; and
k) how it has been assured that persons involved in the maintenance of EC&I equipment and systems are competent.

Content provided in the safety case to assist demonstration could include:

a) functional safety:
- sample SIS proof test procedure;
- sample record of a completed SIS proof test.
b) equipment in explosive and/or flammable atmospheres:
- representative sample of periodic Ex inspection records (or records of continuous supervision), including the protection concepts (e.g. d, e, N, I and tD from IEC 60079/61241) where they exist on site;
- record of competence (e.g. Licensed Electrical Worker) of the persons who carried out the inspections (or continuous supervision);
- sample lightning protection system test and inspection record;
- sample static earthing system test and inspection record;
- sample flammable gas detector test and inspection record;
- sample fire detector test and inspection record;
- sample toxic gas detector test and inspection record.
c) electrical power systems:
- sample HV and LV transformer periodic inspection and test record;
- sample HV and LV switchgear inspection and test record;
- sample electrical power system earthing inspection and test record;
- sample emergency generator periodic inspection, maintenance and test (no load and/or load) record.

7.1.4.2 The safety case shall show that there are appropriate procedures for maintenance that take account of any hazardous conditions within the working environment.

Guidance: To meet this criterion, the safety case shall describe:

a) how safe work practices are applied to EC&I maintenance activities; and
b) how electrical safety rules, including isolation of electrical supplies, are applied to maintenance activities, wherever applicable.

7.1.4.3 The safety case shall show that there is a system in place to ensure the continued safety of the installations based on the results of periodic examinations and maintenance.

Guidance: To meet this criterion, the safety case shall describe:

a) the performance monitoring of EC&I systems and equipment, including the use of performance standards and indicators such as faults and failures found during operation, inspection and testing; and
b) how the results of performance monitoring are used to ensure the continued safety of the installations.

Modification and Decommissioning

7.1.5 The safety case shall describe the system in place for ensuring modifications are adequately designed, installed and tested.

Guidance: To meet this criterion, the safety case shall describe:

a) how the impact on EC&I systems, equipment, operation and maintenance is addressed when carrying out plant and process modifications;
b) how management of change is applied to SIS.

Content provided in the safety case to assist demonstration could include:

a) a sample record of management of change showing consideration of instrumented safety systems.

Performance Standards and Indicators

7.2 The safety case shall show that performance standards and indicators (including the safety indicators covered under SS 506: Part 3) are implemented to provide ongoing assurance that key systems relevant to major accidents are under control.

Guidance: A performance standard is the acceptable level of response, or the required performance, for a control to be considered effective in managing the risk. Standards may include both the current required level of performance and a target level to be achieved within a specified time frame.

To meet this criterion, the safety case shall show that:

a) performance indicators and related performance standards enable the MHI to:
- measure, monitor and test the effectiveness of each control measure;
- take corrective action based on failure to meet the performance standard; and
- generate performance management reports on the integrity of the MHI's control measures and how well they are being managed.
b) there are performance indicators to measure not only how well the control measures are performing, but also how well the management system is monitoring and maintaining them.

Chapter 8: Human Factors Aspects of Safety Case Assessment

1. Introduction

1.1. This guide is for MHD assessors completing the human factors assessment.

1.2. This chapter is linked to Chapters 3, 4, 5, 6 and 7 of the Safety Case Technical Guide.

1.3. All human factors assessment must use the criteria and guidance set out in Appendix G Human Factors Assessment Criteria and Guidance.

1.4. MHIs are allowed the flexibility to take a phased implementation approach towards human factors in the safety case. The MHD will carry out the human factors assessment in three submission cycles, the first cycle starting with the MHI's first safety case submission. Subsequent cycles (i.e. the 2nd and 3rd) will take place during the five-yearly submissions of the reviewed safety case. From the third cycle onwards, the human factors criteria outlined in this assessment guide will be fully applied by the MHD during the assessment of the safety case.

2. The General Approach to Human Factors Assessment

2.1. The safety case shall demonstrate how the measures taken will prevent foreseeable human failures that could lead to major accidents. MHIs should have a systematic approach to managing human performance based on a thorough understanding of human reliability and of where the site is vulnerable to human failure. There should be a system in place to:

a) identify all safety critical tasks at the site, and those which could initiate, prevent or mitigate the representative set of MASs;
b) analyse the tasks for the potential for human failure (task analysis and human failure analysis);
c) identify appropriate risk control measures matched to the type of human failure, and implement them; and
d) identify any performance influencing factors (PIFs) and introduce measures to optimise performance.

2.2. The human factors discipline covers a range of topics including:

a) Human Reliability
(i) A structured and systematic approach to identify and manage human failure is evident for both operation and maintenance functions;
(ii) Human factors are integrated into accident, incident and near miss investigations as per SS 506 Part 3: Section 4.5.3(c).


b) Ergonomics Design of Facilities, Equipment, Working Environment and Tasks
(i) Human factors are integrated into the MHI's management of change and design processes, and the MHI has arrangements to integrate human factors into all major modifications and new projects;
(ii) A hierarchical approach to the selection of risk control measures has been adopted and there is a clear justification for the allocation of functions[1] to humans or to automation;
(iii) Human failure is systematically addressed during the design of safety instrumented systems;
(iv) Facilities, equipment, workstations, etc. are designed with user capability in mind, considering construction, operation, maintenance and decommissioning tasks;
(v) The design (and upgrade) of control rooms and interfaces is user-centric;
(vi) Alarm systems are designed and managed to take account of limitations in human performance;
(vii) Environmental effects such as working space, temperature, lighting, etc., and their effects on human performance, are considered in the design process.

c) Optimisation of Organisational Performance Influencing Factors
(i) Robust and systematic arrangements for the management of organisational change related to major accidents. Organisational changes include examples such as:
- downsizing with a reduction in staffing levels;
- a move to multi-skilling;
- delayering and changes in supervision such as introducing self-managed teams;
- outsourcing of key functions to contractors;
- centralisation or dispersal of functions;
- mergers and/or acquisitions;
- changes to roles or positions related to risk management of major accidents.
(ii) A structured framework to ensure that there are adequate numbers of competent people with realistic workloads to prevent and mitigate major hazards in MHIs, especially during abnormal and/or upset conditions;
(iii) Suitable arrangements are in place to manage shift work and fatigue;
(iv) Effective arrangements for safety critical communications, including the shift handover system;
(v) A description of supervisory arrangements.

Use of Examples in the Safety Case

2.3. Where appropriate, MHIs should consider providing examples of:

a) Task analysis and human failure analysis;
b) Documented assumptions underpinning the assessment of human performance in SIL determinations and LOPAs;
c) Consideration of how equipment design and the associated operating environment minimise human failure, or of how equipment design has been improved to provide a more error tolerant system;
d) Where a measure relies on human intervention, an explanation as to why human intervention has been selected in preference to an automated system;
e) Management of organisational PIFs (e.g. shift work and overtime arrangements to minimise fatigue, staffing levels and supervision).

[1] The UK HSE website provides further explanation of allocation of function; this can be found at http://www.hse.gov.uk/humanfactors/resources/safetyreportassessmentguide.pdf

Appendix G Human Factors Assessment Criteria and Guidance

(Each technical criterion below is followed by the guidance the assessor applies to it.)

MAPP and SHMS Aspects

8.1.1 Resources
The safety case shall show how the MHI allocates resources to implement the MAPP.
(Same as criterion 3.5 of Safety Case Assessment Guide Chapter 3)

Guidance:

i. STAFFING LEVELS

The safety case shall explain how senior management provide sufficient human resources to maintain adequate staffing levels for the full range of safety critical tasks at the installation.

To meet this criterion, the safety case should describe:

a) the methodology by which appropriate staffing levels have been set for:
(i) the full range of normal operations (e.g. including start-up of continuous processes);
(ii) abnormal or upset conditions in particular (i.e. how staffing arrangements are set so as not to affect the reliability and timeliness of detecting, diagnosing and recovering from MASs); and
(iii) the full range of maintenance activities, including turnarounds where relevant.
b) arrangements for ensuring that the identified staffing levels are maintained;
c) arrangements for detecting, assessing and addressing workloads which are either too high or too low.

ii. MANAGEMENT OF SHIFT WORK

Fatigue may result in slower reactions, reduced ability to process information, memory lapses, absent-minded slips, lack of attention, etc.

To meet this criterion, the safety case should describe:

a) the methodology by which appropriate staffing levels have been set for:
(i) the full range of normal operations including start-up, shutdown and non-routine activities (i.e. how staffing arrangements affect the reliability and timeliness of detecting, diagnosing and recovering from MASs);
(ii) maintenance shift activities, including turnarounds where relevant; and
b) the framework for managing fatigue using appropriate standards and good practice, including:
(i) a policy that specifically guards against fatigue by addressing shift patterns, working hours, overtime, etc.;
(ii) guidance on shift roster design that takes account of shift types, shift lengths, rest periods, rotation, social factors, etc.;
(iii) consideration of environmental factors (e.g. temperature, noise levels, ventilation, lighting);
(iv) systematic arrangements for changes to working hours and shift patterns;
(v) arrangements to set, record, monitor and enforce limits and standards for working hours, overtime, on-call duties, shift swapping, etc.;
(vi) arrangements to educate personnel in fatigue risks;
(vii) arrangements for personnel and contractors to report fatigue problems.

8.1.2 Personal Performance
The safety case shall show that the performance of people having a role to play in the management of MAHs is measured and that they are held accountable for their performance.
(Same as criterion 3.6 of Safety Case Assessment Guide Chapter 3)

Guidance:

i. SUPERVISION

The safety case shall explain the on-site arrangements for supervision of operational and maintenance teams.

To meet this criterion, the safety case should describe how:

a) competence standards have been established for supervisory personnel which include:
(i) non-technical skills (e.g. leadership, managing poor performance, communicating effectively);
(ii) technical skills (relevant to the facility and process); and
(iii) management of the organisational PIFs within their control (competence assurance, workload, staffing levels, shift work, fatigue, etc.).
b) supervisory roles and responsibilities are clearly defined in the context of MAHs (this would have been assessed under the MAPP and SHMS assessment portion);
c) supervisors manage compliance with safety critical rules and procedures.

ii. PROCEDURES COMPLIANCE

To meet this criterion, the safety case should describe the arrangements developed to ensure day-to-day compliance with safety critical procedures, including effective supervision (e.g. there are enough supervisors, with sufficient time, to carry out their supervisory responsibilities; those responsibilities are clearly defined; supervisors display a good understanding of MAHs and control measures).

8.1.3 Internal Communication
The safety case shall show that the MHI has arrangements for communicating information important for the control of MASs within the MHI's organisation.
(Same as criterion 3.10 of Safety Case Assessment Guide Chapter 3)

Guidance: To meet this criterion, the safety case should describe:

i. SHIFT HANDOVER

Arrangements for shift handover:

a) the standards and/or procedures for shift handover which have been implemented;
b) the support equipment which is provided (structured written or electronic logs);
c) the allocation of time for incoming and outgoing shifts to discuss plant status face to face;
d) arrangements to schedule maintenance within shifts, or arrangements to control maintenance work that crosses shifts.

ii. REMOTE COMMUNICATIONS

Arrangements for remote communications and the measures taken to ensure that:

a) remote communication equipment (e.g. radios, intercoms, public announcement systems, telephones) is suitable and reliable;
b) users are competent in the use of the equipment and the associated radio protocols.

8.1.4 Investigation and Corrective Action
The safety case shall show that the MHI has adopted mechanisms for investigating and taking corrective action:
a) in cases where the proactive performance standards show a deterioration in risk control measures; and
b) in relation to any incident or event with the potential to cause a MAS.
(Same as criterion 3.16 of Safety Case Assessment Guide Chapter 3)

Guidance: SS 506: Part 3 states that investigations shall consider human factors.

To meet this criterion, the safety case shall describe how:

a) the investigation process is clearly defined via procedures and checklists, encouraging investigators to determine why human failures occur;
b) a systematic approach is adopted (e.g. investigations follow a path similar to human failure analysis);
c) immediate human failures as well as latent human failures (e.g. decisions remote in time and place from the incident) are addressed;
d) contributing factors (e.g. PIFs) are identified at job, individual and organisational levels.

The demonstration could include the documented findings of an accident investigation.

Predictive Aspects

8.2 The safety case shall demonstrate that a systematic process has been used to identify events and event combinations which could cause MAHs to be realised.
(Same as criterion 4.2.1 of Safety Case Assessment Guide Chapter 4)

Guidance: The MAH risk assessment process needs to consider human factors. Supporting documents (e.g. LOPA, bow-tie diagrams) should clearly illustrate the part played by people in initiating, preventing and mitigating the consequences of MAHs.

The safety case should show that the potential for dependency between successive human tasks has been recognised and accounted for, e.g.:

a) the human failure probability for one task may be significantly influenced by an error in a previous related step or task;
b) the same person may make the same or a similar failure during a number of tasks;
c) a member of staff responsible for cross-checking may fail to detect an error.

To meet this criterion, the safety case should describe:

a) the methodology for identifying safety critical tasks in the MHI (including e.g. routine; non-routine; abnormal and upset; first-line emergency response; safety critical maintenance, inspection and testing activities);
b) the methodology used for task and human failure analysis; an appropriate system could include:
(i) structured task analysis, to gain a thorough understanding of the task and identify safety critical steps (the latter being the focus for in-depth analysis);
(ii) systematic identification of the different types of human failure (slips, lapses, mistakes, violations, etc.) using a recognised methodology;
(iii) active involvement of frontline personnel who currently perform the task being analysed (with support from competent facilitators).
c) a suitably prioritised programme of task and human failure analysis that accounts for the full range of safety critical tasks related to representative MASs in the MHI. A typical programme may run over a number of years.
d) arrangements to ensure that those who undertake or facilitate task and human failure analysis are knowledgeable enough to do so.

General Principles

8.3 Criterion: The safety case shall demonstrate how the measures taken will prevent foreseeable failures which could lead to major accidents and limit their consequences.

Guidance: This criterion is to be completed last.

This is effectively a summary of criteria 8.3.1.1 to 8.3.2. The MHD would come back to this when criteria 8.3.1.1 to 8.3.2 have been assessed, and then conclude that the safety case has demonstrated that:

a) a structured and systematic approach to managing human performance in the context of MAHs is in place; and
b) risk control measures, and the supporting MAPP and SHMS, are built upon a sound understanding of how human failure plays a part in initiating, escalating, and failing to mitigate the consequences of major accidents.

Overall, where reliance is placed on people as part of the package of necessary measures, the safety case demonstrates that human factors issues (such as human reliability) are being addressed with the same rigour as technical and engineering measures.


Design Considerations

8.3.1.1 Criterion: The safety case shall show that the installations have been designed to an appropriate standard.

Guidance: HUMAN FACTORS IN DESIGN

This criterion is particularly relevant for new projects. However, for existing MHIs, this criterion should be raised for onsite verification.

To meet this criterion, the safety case should show:

a) there is a clear policy and/or procedure to ensure the application of inherent safety principles at the outset of the design and modification process;
b) that the MHI applies a hierarchy of control measures, which aims to remove reliance on humans, or improve system design, where human performance has a higher probability of failure;
c) recognition that training should not be solely relied upon as a control measure to tackle human factors problems, and that automation and user-centred design should be prioritised over procedures and training;
d) the implications of human failure in automated systems (via design, inspection, testing, maintenance, etc.) are acknowledged and addressed;
e) the need for manual intervention in higher risk processes or activities (e.g. manual emergency shutdown of a continuous process) is clearly justified (this is a priority for verification by inspection);
f) where possible, human performance is further assured by mechanical or electrical means (e.g. sequentially interlocked valves; interlocked earth proving for isotanker operation);
g) where procedures and training are solely relied upon as a risk control measure, the safety case should show that:
(i) the relevant scenarios have been identified and analysed;
(ii) the analysis supports the development of the procedures and training;
(iii) a competence management system is in place which includes procedures and training; and
(iv) the procedures and training manage risk to an acceptable level.
h) facilities, equipment, workstations and control systems are designed with human performance in mind; and
i) how the company integrates human factors in the design and commissioning process for all new and major modification projects:
(i) Human factors principles are integrated into design;
(ii) Human factors are considered throughout the project development lifecycle;
(iii) Relevant frontline personnel, including both operations and maintenance personnel, are involved in the design process, where relevant;
(iv) Usability or operability and maintainability are based on a user-centric design as far as applicable;
(v) The design process contributes to the identification of procedural and training needs of relevant users; and
(vi) Relevant general design standards have been applied on site.

The demonstration could include a worked example.

[For common types of installation, reference to published standards or guidance within the safety case can be an effective way of showing that adequate measures have been taken.]

[For older plants in particular, the safety case shall describe any additional systems or control measures that are in place to prevent an SCE or limit its consequence, to take account of plant built to standards that have since been superseded. The safety case shall also describe any additional systems or control measures that have been introduced as a result of long operational experience on site.]

8.3.1.2 Criterion: The safety case shall show that the layout of the plant limits the risk during operations, inspection, testing, maintenance, modification, repair and replacement.

Guidance: This criterion is relevant for new or modification projects. However, for existing MHIs, this criterion should be raised for onsite verification.

To meet this criterion, the safety case should describe how systems are designed for operability and maintainability:

a) Facilities and equipment, including layout on site, are designed with human performance in mind (e.g. accessibility for inspection, testing and maintenance);
b) The working environment (noise; temperature; lighting, etc., e.g. in control rooms) has been considered;
c) Facilities and equipment are clearly identified and labelled so as to reduce the likelihood of error;
d) Up-to-date P&IDs, schematics, line diagrams, job aids and other diagnostic tools are available for operation and maintenance.

8.3.1.3 Criterion: The safety case shall show that utilities that are needed to implement any measure defined in the safety case shall have suitable reliability, availability and survivability.

Guidance: To meet this criterion, the safety case report should describe, where appropriate, the availability of systems required for human intervention following utility failure:

a) UPS systems provide sufficient time to enable orderly shutdown and/or evacuation;
b) there is adequate emergency lighting to carry out relevant shutdown tasks; where appropriate, hand-held torches are available.

8.3.1.4 Criterion: The safety case shall show how safety related control systems have been designed to ensure safety and reliability.

Guidance: This criterion is relevant for new or modification projects. However, for existing MHIs, this criterion should be raised for onsite verification.

To meet this criterion, the safety case should describe how the potential for human failure is identified and systematically treated in the design of safety related control systems (e.g. safety instrumented systems). The design process prompts a multi-discipline, team approach (including input from operators and human factors specialists, where applicable).

The MHI has identified tasks where:
a) human failure could lead to a demand on the safety function (e.g. errors in setting process parameters; conflicting responsibilities that may distract the operator's attention; unauthorised use of system overrides);
b) human action could reduce the demand rate on the safety function (e.g. responding to alarms);
c) failure of the safety function requires actions to mitigate the consequences of the event.

The safety case is realistic about levels of risk reduction claimed for alarm systems and considers:
a) availability of the operator to respond;
b) adequacy of time to respond;
c) the potential for alarm flooding;
d) whether the operator knows how to respond (i.e. there is a clear, documented response for each critical alarm, supported by training).

In addition, the safety case should:

a) show that assumptions about human performance in the control system (relating to representative MASs) are documented; an example could be included in the safety case;
b) identify and address human failures that increase the likelihood of the safety function failing to work on demand (inspection, testing, maintenance, calibration, etc.);
c) describe how the MHI identifies and addresses the potential for operators to override safety functions; and
d) where appropriate, consider the availability of human-operated control systems during upsets and emergencies (e.g. is the control room a toxic refuge; can operators reach shut-off valves).

8.3.1.5 Criterion: The safety case shall show how systems which require human interaction have been designed to take into account the needs of the user and be reliable.

Guidance: To meet this criterion, the safety case should describe:

i. MANUAL CONTROL OF SYSTEMS

Where relevant to representative MASs, the measures taken to ensure human reliability where there is a reliance on human performance to keep a system within safe operating limits manually. This includes examples such as:

a) Facilities (e.g. valves, flow direction and contents of pipework) and materials (e.g. chemicals added manually to batch processes) are clearly labelled;
b) Information about the status of the process is available to the operator (e.g. pressure gauges and sight glasses are appropriately located);
c) Procedures have been optimised to support the operator in the field;
d) Where applicable, process control systems inform the operators if unsafe set points or parameters are entered into the system.

ii. CONTROL ROOM AND INTERFACE DESIGN

This criterion is relevant for new or modification projects. However, for existing MHIs, this criterion should be raised for onsite verification.

Where there is a control room:

a) the safety case contains a clear description of the control room environment and associated process control systems and interfaces;
b) relevant standards and recognised good practice are applied during upgrades and modifications of existing control room interfaces, as well as the design of new control systems;
c) design criteria encompass control room arrangements and layout; panel workstations; displays and controls; environmental conditions (lighting; acoustics; ventilation, temperature, etc.);
d) the experience of operators and engineering and maintenance personnel is captured and fed back into the upgrade process;
e) training for DCS and SIS covers specific, local operational issues as well as generic functionality of the interface and familiarisation with system operating manuals.

iii. ALARM HANDLING

How the MHI has set out its philosophy with regard to the design and management of alarms. This includes a description of how:

a) alarm handling is fully integrated into the design process;
b) the design process acknowledges and accommodates human capabilities and limitations (including operator availability to respond; time to respond; the potential for alarm flooding, etc.);
c) alarms will be justified and prioritised;
d) relevant performance indicators are defined and monitored (e.g. average alarm rate; upset alarm rate; average number of standing alarms; bad actors);
e) alarm systems are subject to continuous improvement (e.g. based on performance indicators).

In particular:
a) maximum tank levels and level alarm settings are clearly defined to ensure there is sufficient time for detection, diagnosis, planning and action;
b) the safety case describes how alarm systems alert, inform and guide operator action (including a defined, documented response for each safety critical alarm, supported by training and assessment);
c) specific examples could be included within the safety case to show how relevant standards and good practice have been applied on site.
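The alarm performance indicators named under alarm handling above (average alarm rate, upset alarm rate, average number of standing alarms, bad actors) are the kind of evidence an assessor would expect an MHI to compute and trend from its alarm journal. The script below is an added worked example, not code from this guide or from any MHD or SCDF tool; it derives those four indicators from a constructed alarm journal. The journal format (timestamp, tag, ACT/RTN), the tag names and the pass/fail thresholds are assumptions made for illustration.

```python
"""Alarm-system performance indicators from an alarm journal (added example, not
code from the Safety Case Assessment Guide, MHD or SCDF; journal format, tag
names and thresholds are assumptions for illustration)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed journal: ISO timestamp, tag, ACT (activated) / RTN (returned to normal).
SAMPLE_JOURNAL = """\
2017-08-01T08:00:00 LI-101 ACT
2017-08-01T08:00:30 LI-101 RTN
2017-08-01T08:03:00 LI-101 ACT
2017-08-01T08:03:30 LI-101 RTN
2017-08-01T08:05:00 LI-101 ACT
2017-08-01T08:05:30 LI-101 RTN
2017-08-01T08:12:00 PI-205 ACT
2017-08-01T08:20:00 PI-205 RTN
2017-08-01T08:30:00 TI-310 ACT
2017-08-01T08:45:00 LI-101 ACT
2017-08-01T08:45:30 LI-101 RTN
2017-08-01T08:50:00 FI-120 ACT
2017-08-01T08:50:30 FI-120 RTN
2017-08-01T09:00:00 TI-310 RTN
"""

TEN_MIN = timedelta(minutes=10)
# Illustrative targets per 10-minute window (assumption, not taken from the guide).
AVERAGE_RATE_TARGET = 1.0
PEAK_RATE_LIMIT = 10.0


def parse_journal(text):
    """Parse journal lines into a time-ordered list of (datetime, tag, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, tag, event = line.split()
        if event not in ("ACT", "RTN"):
            raise ValueError(f"unknown event {event!r}: {line}")
        events.append((datetime.fromisoformat(stamp), tag, event))
    return sorted(events, key=lambda e: e[0])


def activation_times(events):
    """Timestamps of alarm activations only."""
    return [t for t, _, ev in events if ev == "ACT"]


def average_alarm_rate(events, window=TEN_MIN):
    """Activations per window, averaged over the whole journal span."""
    span = events[-1][0] - events[0][0]
    return len(activation_times(events)) * (window / span)


def peak_alarm_rate(events, window=TEN_MIN):
    """Most activations in any sliding window: the upset alarm rate."""
    acts = activation_times(events)
    peak, j = 0, 0
    for i, start in enumerate(acts):
        while j < len(acts) and acts[j] - start < window:
            j += 1
        peak = max(peak, j - i)
    return peak


def average_standing_alarms(events):
    """Time-weighted mean number of alarms active (activated, not yet returned)."""
    active, alarm_seconds, prev = set(), 0.0, events[0][0]
    for t, tag, ev in events:
        alarm_seconds += len(active) * (t - prev).total_seconds()
        prev = t
        if ev == "ACT":
            active.add(tag)
        else:
            active.discard(tag)
    return alarm_seconds / (events[-1][0] - events[0][0]).total_seconds()


def bad_actors(events, top_n=3):
    """Tags generating the most activations, with their share of the total."""
    counts = Counter(tag for _, tag, ev in events if ev == "ACT")
    total = sum(counts.values())
    return [(tag, n, n / total) for tag, n in counts.most_common(top_n)]


def assess(journal_text):
    """Compute the indicators and flag them against the illustrative targets."""
    events = parse_journal(journal_text)
    avg, peak = average_alarm_rate(events), peak_alarm_rate(events)
    return {
        "average_rate_per_10min": avg,
        "peak_rate_per_10min": peak,
        "average_standing": average_standing_alarms(events),
        "bad_actors": bad_actors(events),
        "average_rate_ok": avg <= AVERAGE_RATE_TARGET,
        "peak_rate_ok": peak <= PEAK_RATE_LIMIT,
    }
```

On the constructed journal, `assess(SAMPLE_JOURNAL)` reports seven activations in sixty minutes, so the average rate exceeds the illustrative one-per-ten-minutes target, while the peak of three activations in a window is within the upset limit; the chattering level transmitter LI-101 appears as the bad actor behind four of the seven activations, and the thirty-minute TI-310 alarm dominates the standing-alarm figure. Those are exactly the observations item (d) above expects the MHI to be able to make and item (e) expects it to act on.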

Modification and Decommissioning

8.3.2 Criterion: The safety case shall describe the system in place for ensuring modifications are adequately designed, installed and tested.

Guidance: The MHI should demonstrate that human factors are considered in major projects.

To meet this criterion, the safety case should describe how:
a) specific human factors activities are built into project plans and are sufficiently resourced;
b) the context of use of the proposed modifications is understood and specified, identifying who the users are and what they will be doing, including assessing the impact of the change on workload and staffing levels;
c) user characteristics and task analysis are considered as the basis for design;
d) the user and organisational requirements are specified, ensuring a balance between user-centred design options and relative cost;
e) human factors expertise is applied to generate design options which meet user requirements (planning in time for iterative design and using prototypes to evaluate user experience);
f) requirements are evaluated by involving target users and human factors specialists;
g) the management of organisational change procedure has been applied in relation to major accidents;
h) procedures have been updated to reflect the change; and
i) training has been provided.

The demonstration could include a specific example.

Risk Assessment and Risk Reduction Measures

8.4 Criterion: The safety case shall clearly describe how MHIs use risk assessment to help make decisions about the measures necessary to prevent major accidents or to mitigate their consequences.
(Same as criterion 10.1 of Safety Case Assessment Guide Chapter 10)

Guidance: To meet this criterion, the safety case shall show that risk reduction measures implemented to reduce or remove the likelihood of human failure are:

a) matched to the human failure types identified; and
b) where necessary, optimise the local performance influencing factors that make the error more likely.

Training and procedures are not viewed as the sole defence against human failure; they form an integral part of a broader range of measures to reduce the potential for human failure. The risk assessment methodology should make it clear that:

a) where appropriate, the human contribution to failure is removed (e.g. by a more reliable, automated system);
b) automation is selected for the right reasons; there is consideration of involving the operators in the process and maintaining their situation awareness, and of the potential for alarm overload.


Chapter 9: Emergency Response Aspects of Safety Case Assessment

1. Introduction

1.1 This guidance is for MHD assessors completing the Emergency Response assessment.

1.2 This chapter is linked to Chapter 6 of the Safety Case Technical Guide.

1.3 All Emergency Response assessments must use the criteria and guidance set out in Appendix H Emergency Response Assessment Criteria and Guidance.

1.4 The aim shall be to demonstrate that MHIs have taken the measures necessary to limit the consequences of a major accident, and that an emergency response plan has been developed to take these into account. The measures should be related, and preferably cross-referenced, to the MASs described elsewhere in the safety case.

2. The General Approach to Emergency Response Assessment

2.1 The main focus of the assessment is on the extent to which the safety case is able to show that an emergency response plan has been prepared that is proportionate to the possible MASs for the MHI concerned and for which the necessary measures have been taken to limit their consequences.

2.2 The MHIs shall develop scenario-specific emergency plans based on SCEs identified in the safety case and domino impacts from neighbouring MHIs, to form part of Chapter 3.2.3.2 of the SCDF Emergency Response Plan template, and include all relevant information outlined in Chapter 6 of the Safety Case Technical Guide. MHIs can submit their scenario-specific emergency plans to MHD during their 1st safety case submission if available; otherwise, MHIs shall submit them latest by the 2nd safety case submission. While preparing these plans, MHIs are still required to submit their emergency response plans to NEA or SCDF annually as part of their licensing requirements.


Appendix H Emergency Response Assessment Criteria and Guidance

Technical Criterion / Guidance

Equipment and Systems Installed to Limit Consequence of Major Accidents

9.1 Criterion: The safety case shall describe the fixed equipment and systems installed on plant that limit or mitigate the consequences of major accidents and how these equipment or systems affect how an emergency is mitigated.

Guidance: To meet this criterion, the safety case shall show basic information, which should include:

a) the fixed equipment or systems available;
b) a description of such equipment and systems;
c) how these equipment or systems affect how a major accident is mitigated;
d) a list of the relevant regulations, standards and codes of practice that have been followed; and
e) the manual intervention required.

Organisation, Arrangements and Provisions for the Alerting and Intervening in the Event of a Major Accident

9.2 Criterion: The safety case shall describe the organisation, arrangements and provisions for the alerting and intervening in the event of a major accident to provide evidence that the necessary control measures have been taken on site.

Guidance: To meet this criterion, the safety case shall show basic organisational information, which should include the functions of key posts and groups with duties in the emergency response. The following information on the organisation for alerting and intervening in the event of a major accident should be included:

a) the arrangements for informing individuals on site and, where relevant, neighbouring installations:
(i) of the nature of the alarms and the plant conditions required to activate them; and
(ii) of the initial actions required both on site and off site in response to alarm warnings.
b) the arrangements and conditions for alerting and mobilising:
(i) individuals or groups with defined responsibilities under the emergency response plans, including essential personnel on site and off site;
(ii) the emergency services (e.g. SCDF);
(iii) neighbouring installations, which may be affected by the off-site effects from the major accident or where mutual aid agreements exist; and
(iv) external agencies.
c) the arrangements for controlling and limiting the escalation of accidents on site, including:
(i) isolation of hazardous inventories and the removal of inventories where appropriate;
(ii) use of fire fighting and other mitigation measures; and
(iii) prevention of domino effects.
d) provision for monitoring of wind speed and direction and other environmental conditions, where applicable;
e) a description of how communications will be established and maintained during the emergency response;
f) the nature of, and arrangements for maintaining, any mutual aid agreements with nearby installations;
g) the nature and location of any facilities which may require special protection;
h) the nature and location of any facilities which require special rescue operations (e.g. confined spaces);
i) the nature and location of:
(i) emergency control centres and fire command centres, whose integrity is maintained in the event of a major accident or, if not, for which a reserve facility is available;
(ii) medical and first aid points;
(iii) in-place protection (IPP) facilities;
(iv) sheltering buildings;
(v) evacuation assembly areas;
(vi) predefined control points, along with any identified secondary, backup locations; and
(vii) any other relevant items.
j) the location of access routes for emergency services, rescue routes, escape routes, and any restricted areas;
k) occupancy load of occupied areas at peak and non-peak periods;
l) the evacuation arrangements and any transport requirements, with consideration given to persons with disability;
m) the headcount roll call and search and rescue arrangements;
n) the communication means to signal occupants to initiate IPP, the roles of the coordinators and fire wardens in assisting with the setting up of IPP, and the arrangements to isolate mechanical ventilation systems;
o) the nature and location of any pollution control devices and materials; and
p) consideration of the effects of emergency response actions, including fire fighting activities, to minimise the overall impact on people and the environment. This should include short-term and long-term effects, and alternative options for disposal or discharge of released chemicals.

Description of Mobilisable Resources

9.3.1 Criterion: The safety case shall provide evidence that sufficient personnel can be made available within appropriate timescales to carry out the mitigation actions required by the emergency response plan.

Guidance: To meet this criterion, the safety case shall confirm that the following factors have been taken into account:

a) the various functions which are required to implement the emergency response plan and supporting procedures have been identified;
b) the number of personnel (including third parties) with appropriate skills and competencies required to implement the emergency response plan;
c) staff required to implement the plan can be assembled in the required response time;
d) mitigation actions are appropriate and achievable;
e) how deputising arrangements for key roles have been assigned and how it can be assured that required staff are available;
f) contingencies if the decision makers, such as key appointment holders, are incapacitated; and
g) information taken from analysis of the testing of plans, which could show detailed assembly times and arrangements and how these relate to overall response times, and the analysis of the general suitability of mitigation actions.


9.3.2 Criterion: The safety case shall provide evidence that suitable and sufficient arrangements are in place to ensure that the equipment to be mobilised for mitigating the consequences of major accidents will be fit for purpose when called upon for use.

Guidance: To meet this criterion, the safety case shall describe what provisions are in place to minimise the release or mitigate the consequences of major accidents. The following information shall be included:

a) sufficient quantities of appropriately specified equipment can be made available within the required timescale, and the relevant containing action sustained for the necessary length of time;
b) that the equipment can function effectively in all expected environmental conditions and if there is a loss of utilities or similar;
c) emergency equipment is stored in an appropriate manner and location, it is accessible at all relevant times and it is suitably protected from the consequences of a major accident (e.g. fire);
d) emergency equipment should be compatible, where necessary, with that of SCDF (e.g. SCDF mobile water monitors, foam concentrate) and other organisations where mutual aid agreements exist; and
e) electrical equipment used in emergency response should be suitably protected for the foreseeable environmental conditions during a major accident.

9.3.3 Criterion: The safety case shall provide evidence that suitable and sufficient personal protective equipment (PPE) will be available in the event of a major accident.

Guidance: To fulfil this criterion, the safety case shall describe the suitability and accessibility of PPE such as breathing apparatus (BA) sets, respirators, chemical suits, personal detectors and other protective clothing for the types of major accidents identified, for both responders and other individuals not directly involved in dealing with the emergency response.
9.3.4 Criterion: The safety case shall provide evidence that suitable and sufficient onsite fire fighting and fire protection provisions can be mobilised in the event of a major accident.

Guidance: To fulfil this criterion, the safety case shall include the following to demonstrate the MHI's ability to limit the consequences of a major accident, where applicable:

a) MHIs should take account of resources available from other organisations with mutual aid agreements, where applicable;
b) that the fire fighting roles of the CERT are complementary to the role of SCDF;
c) that the quantity and specification of onsite fire fighting equipment are sufficient;
d) that the water requirements for fire fighting and fire protection (e.g. cooling) have been predetermined, and that the capacity and reliability of the water supply are adequate, taking into account the various sources which may be available and the time required to establish backup supplies;
e) that suitable and sufficient portable and mobile fire fighting equipment, such as mobile monitors, mobile pumps, portable extinguishers, foam generation equipment, hoses and hydrants, has been located at appropriate points throughout the installation according to the hazard;
f) that suitable and sufficient stocks of foam compound are available when and where necessary;
g) that adequate consideration has been given in the design (e.g. the positioning of fire walls) to assist the positioning and protection of fire fighting equipment and personnel, and that the reach of fire protection and extinguishing equipment is appropriate;
h) that adequate consideration (e.g. mitigation plans) has been given to flammable substances being carried by fire water and spreading the fire to other areas; and
i) details of any potentially incompatible substances which may require additional mitigation measures in place to limit the consequences of a MAH.

9.3.5 Criterion: The safety case shall show that suitable and sufficient provisions can be mobilised to minimise the release of, and mitigate the consequences of, dangerous substances in the event of a major accident.

Guidance: To meet this criterion, provisions to minimise the release and mitigate the consequences of major accidents related to toxic or flammable substances shall be included in the safety case:

a) measures to reduce the evolution of toxic or flammable vapours from material that has already been spilled and to reduce the effects of its vapours (e.g. water curtains);
b) equipment that will be used to terminate or reduce any leak at source (e.g. patching, plugging, valve closure and the isolation of sections of plant by blinding or blanking off);
c) earth-moving equipment, sandbags, drain seals, pipe blockers and absorbents for spillages on the ground and in drainage systems, as well as penstocks in drainage systems;
d) floating booms for immiscible lighter-than-water products that have entered the water, including controlled waters, where applicable; and
e) provisions for treating and removing spilled material (e.g. mobile pumps, special chemicals and other materials for neutralising or absorbing the spillage).

9.3.6 Criterion: The safety case shall provide evidence that suitable and sufficient provisions for monitoring and/or sampling can be mobilised in the event of a major accident.

Guidance: To meet this criterion, the safety case shall show that suitable and sufficient provisions for monitoring and/or sampling, wherever necessary, can be mobilised in the event of a major accident. Some examples of such information are:

a) details of sampling and monitoring equipment;
b) the purpose of the monitoring and sampling provisions, with an explanation of how the results might influence decisions concerning the emergency response; and
c) any special technical expertise and other provisions required for analysing or interpreting the monitoring and/or sampling results.

9.3.7 Criterion: The safety case shall provide evidence that suitable and sufficient provisions have been made for the clean-up of the environment following a major accident.

Guidance: To meet this criterion, the safety case shall provide an outline of the provisions that are available for clean-up of the environment and which are suitable and sufficient for the MASs identified. The safety case should therefore outline what is available for use and who is trained to use it, such as:

a) equipment to contain toxic substances;
b) agents to soak up and/or neutralise contaminants;
c) earth-moving equipment for the removal of contaminated soil and other material;
d) booms and skimmers for spillages to water; and
e) any temporary storage arrangements (e.g. portable storage tanks for the contaminated material).

Other points to consider include the expected timescale over which any temporary containment may be required, the arrangements made to ensure that such facilities would not pose an unacceptable threat to health and the vicinity, and that suitable disposal arrangements are made (e.g. engagement of toxic industrial waste collectors).


9.3.8 Criterion: The safety case shall show that suitable and sufficient provisions have been made to mobilise first aid/medical treatment and decontamination functions during the emergency response.

Guidance: To meet this criterion, the safety case shall show that there are suitable and sufficient provisions made to mobilise first aid and medical treatment during the emergency response for the MASs identified in the safety case. For medical treatment, it is sufficient to describe the arrangements for providing first aid and/or transferring employees, such as those who have been exposed to toxic substances, to hospital as quickly as possible. In this part of the safety case, MHIs will need to show how the onsite first-aid provisions align with the provisions of the emergency response plan. This can be achieved by:

a) making reference to the number and availability of trained first aiders;
b) describing the facilities available at the MHI;
c) confirming both the expectations and limits of the first aiders' training; and
d) including relevant information on any hazard-specific medical treatment that the MHI has catered for, and describing the liaison with SCDF by making reference to the casualty control or decontamination strategies that have been determined.

9.3.9 Criterion: The safety case shall show that suitable and sufficient provisions have been made to mobilise any ancillary equipment which may be required during the emergency response.

Guidance: To meet this criterion, the safety case shall show that there are suitable and sufficient provisions to mobilise any ancillary equipment which may be required during the emergency response for the major accidents identified in the safety case. This could include equipment such as:

a) forklifts;
b) heavy lifting gear;
c) earth-moving equipment;
d) emergency lighting; and
e) special tools and parts required to carry out emergency repairs and actions.

If there is a reliance upon a third party to supply equipment or services, the safety case should describe the equipment needed and explain how this will be sourced, including estimated timescales for its arrival on site.


Maintenance and Inspection of Emergency Response Equipment

9.4 Criterion: The safety case shall provide evidence that suitable arrangements have been made for the maintenance, inspection and testing of the mobilisable resources and other equipment to be used during the emergency response.

Guidance: Maintenance activities should already be described elsewhere in the safety case, so a brief summary showing that suitable arrangements have been made should be enough to fulfil this criterion. Typically, this would include:

a) a description of the arrangements used; for example, if using third party organisations, then details of the service level agreement in place should be provided (it is not necessary to include detailed arrangements in place with the emergency services);
b) confirmation that suitable arrangements have been made for the maintenance, inspection and testing of emergency equipment for which the MHI has responsibility, and for equipment which the MHI may rely upon but not have responsibility for;
c) confirmation of the MHI's arrangements to ensure that the equipment is maintained in efficient working order so that it would be available for use and provide the necessary function when called upon;
d) details of the type of equipment covered (e.g. fire fighting equipment, breathing apparatus sets, personal monitors); and
e) information on the scheduling of maintenance, inspection and testing activities on such equipment.

Training for Emergency Response

9.5 Criterion: The safety case shall provide evidence that suitable arrangements have been made in the SHMS for training of individuals on site in the emergency response.

Guidance: To meet this criterion, the safety case shall show that the safety and health management system has accounted for the need to train individuals in the emergency response and ensured that the training is kept up to date and refreshed.

The training should be given to:

a) employees with a specific role in the event of a major accident;
b) other employees who may not have a specific role (in the form of information); and
c) contractors and visitors to the site.

Where applicable, the training shall include:

a) information on the MASs and the emergency response procedures to take in the event of such accidents;
b) specific training requirements for all staff; this may involve:
(i) knowledge of the alarm systems and the required response to each alarm;
(ii) procedures for reporting/responding to incidents on site which have the potential to escalate into a major accident;
(iii) the use of the resources which may be mobilised in the event of a major accident;
(iv) use of protective equipment and any limitations on its use;
(v) evacuation and mustering procedures; and
c) actions required by staff with key roles in the implementation of the emergency response plans.

Testing of Emergency Response Plan

9.6 Criterion: The safety case shall provide evidence that procedures have been made and adopted to test and review emergency response plans, and to revise the emergency arrangements in the light of the lessons learned.

Guidance: To meet this criterion, the safety case shall provide confidence that a suitable programme of emergency exercises has been drawn up. It should show that the programme has been implemented to test the emergency arrangements at all levels (i.e. the plant response and the site-wide response, and the interface with the external response by SCDF or third party emergency response teams). Confidence should be given that procedures exist to ensure that the lessons learned from these exercises are reviewed and the emergency arrangements are revised where necessary. Typical information included in a safety case to show these elements includes:

a) examples of the frequency of live exercises, table-top exercises or tests, including information relating to which scenario or element of the plan is to be tested (this should include both scenarios with onsite and with offsite impact);
b) how tests or exercises are carried out to ensure that all personnel involved in the emergency response are included;
c) the approach to debrief and analysis activities relating to how the testing of the plan was carried out; and
d) the approach to how any lessons arising as a result of any debrief and analysis are effected into the review process.


Preparing the Emergency Response Plan

9.7 Technical Criterion: Scenario-specific emergency plans shall be developed. These plans shall form part of Chapter 3.2.3.2 of the SCDF Emergency Response Plan template.

Guidance: To meet this criterion, scenario-specific emergency plans based on SCEs identified in the safety case and domino impacts from neighbouring MHIs shall be developed. MHIs should include all relevant information outlined in Chapter 6 of the Safety Case Technical Guide.

An example of a scenario-specific emergency plan is provided in Annex E1 [2] of the SCDF Emergency Response Plan template.

Review of this Chapter and ERP

9.8 Technical Criterion: MHIs shall review the contents of their emergency response plan to ensure they are current and relevant.

Guidance: To meet this criterion, the MHIs shall review the contents of their emergency response plan annually.

[2] Annex E2 of the SCDF ERP template will be used for insertion of other premise-specific emergency plans (e.g. arson prevention plans) and standard operating procedures.



ANNEX E1
Scenario-Specific Emergency Plans

A MHI shall prepare a series of scenario-specific emergency plans that can be used by incident responders. They should cover, as a minimum, SCEs identified in the safety case and relevant off-site consequences from neighbouring MHIs encroaching into your premises (upon receipt of domino information).

The scenario-specific emergency plans should be:

- Site-specific and therefore relevant to the installation's systems and equipment;
- Fit for purpose;
- Easy to use; and
- Helpful to the end users.

Scenario-specific emergency plans should preferably consist of only two pages. The first page is intended to provide guidance on the actions and resources required to deal with the incident during its first 20-30 minutes. Once this early stage has passed, a stable response should have been established. The scenario-specific emergency plans should combine operator and fire responder actions so that a coordinated approach is adopted for incident management. The plans may consist of a three-tiered response with:

1. First response by installation operators to verify the incident and subsequent notification of SCDF, SPF and relevant parties;
2. Installation emergency responders (e.g. CERT or 3rd party fire brigades) as the second response; and
3. SCDF response and relevant parties as the third response.

On the reverse of the text page, a hazard effects map (based on an existing QRA study or consequence contours developed for legacy sites) should be provided. This should indicate the potential toxic, overpressure and radiant heat hazard areas. In addition, nearby plant, tanks, vessels and associated equipment that could be affected by the incident should be indicated on the map. The hazard effects are produced from fire, toxic gas dispersion and explosion consequence modelling programs. Hazard effects maps give an indication of the potential gas, fire or explosion area that may be involved during a major incident. They provide an appreciation of potential incidents for all responders.

An example of a scenario-specific emergency plan is provided in this Annex.



ANNEX E1
Example of Scenario-Specific Emergency Plans

Emergency plan for: Description of the type of fire or emergency anticipated

Strategy: The major accident mitigation strategy, which states the overall objectives to prevent escalation and bring the incident under control

Immediately (usually control room or site personnel who will notify relevant authorities and companies, alert, shutdown and evacuate etc.)
  Actions: Logical step-by-step actions which are required according to the incident type and location. Typically, alarm, evacuation, isolation, shutdown, informing etc.
  Equipment: What equipment is required to carry out the actions? Valves or devices to isolate.
  Resources: Can be CERT, fire wardens, FSM etc.
  Comments: As required.

1st response (may be CERT and/or 3rd party fire brigade)
  Actions: Sizing up of the incident. Logical step-by-step actions necessary to isolate the fuel, or carry out initial incident control actions.
  Equipment: Fixed equipment systems installed on site. Portable fire equipment for initial control. Any water or foam monitors required. Appropriate PPE etc.
  Resources: Any foam concentrate required. The anticipated water demand for the incident. Fire hose/nozzles required. The number of hoses will be based on the hydrant locations and fire vehicles used. The fire vehicles from CERT or 3rd party fire brigades.
  Comments: As required.

2nd response (linking up with SCDF; site personnel may be required to do other tasks at this stage)
  Actions: Logical step-by-step actions necessary to control and mitigate the incident.
  Equipment: Fixed equipment systems installed on site. Any water/foam monitors required.
  Resources: Resources available to assist SCDF operations, e.g. foam concentrate and water supply etc.
  Comments: Foam applied at pertinent application rate etc.

Ongoing potential hazards: Any known hazards that will be present because of the anticipated fire, either from flame impingement or radiated or conducted heat. Also consider any explosion possibility.

Other issues: Any other issues, e.g. personnel safety, gas releases, public exposure.



ANNEX E1

Example of Hazard Effects Map for Scenario-Specific Emergency Plans


Chapter 10: Assessment of ALARP in Safety Case

1. Introduction

1.1. This guide is for MHD assessors completing the ALARP aspects of the assessment.

1.2. This is linked to Chapter 7 of the Safety Case Technical Guide.

1.3. All ALARP assessments must use the criteria and guidance set out in Appendix I ALARP Assessment Criteria and Guidance.

2. The General Approach to ALARP Assessment

2.1. ALARP demonstration for a SCE can be satisfied by MHIs by answering the following fundamental questions in relation to the identified SCEs:

a) What more can MHIs do to reduce the risks?

The answer to this question is qualitative in nature. MHIs should look systematically at each SCE and draw up, in a proportionate way, a list of control measures that have been implemented and which could be implemented to further reduce the risks of the SCE. For a few SCEs there will be nothing further that MHIs can do except shutting the plant down completely; for other SCEs there may be further risk reduction measures that can possibly be implemented. Having answered this question, the need to act is determined by answering the second question below in 2.1(b).

b) What further risk reduction measures are reasonably practicable?

The answer to this question may be qualitative or quantitative in nature. Whichever way the question is answered, if the control measure is reasonably practicable, based on sound logical considerations, then MHIs are duty bound to implement that measure.

2.2. The MHD policy is that taking all necessary control measures (i.e. all reasonably practicable control measures) equates to reducing risks to ALARP.

2.3. In particular, the MHD needs to assess the analysis of possible further risk reduction measures. The information needed to determine if the necessary measures for risk reduction have been implemented must be either available, or referenced and summarised where appropriate, in the safety case.


Appendix I ALARP Assessment Criteria and Guidance

Technical Criterion / Guidance

Risk Assessment and Risk Reduction Measures

10.1 Technical Criterion: The safety case shall clearly describe how MHIs use risk assessment to help make decisions about the measures necessary to prevent major accidents or to mitigate their consequences.

Guidance: This criterion is effectively a summary of the Predictive (Chapter 4), Technical (Chapters 5 to 8) and ALARP criteria (Chapter 10). The MHD would come back to this criterion when the criteria above have been addressed.

To meet this criterion, the safety case shall pull together the information from the risk assessment such that it:

a) draws together the likelihood and consequence assessments in an appropriate way to make estimates of the risks;
b) identifies SCEs;
c) recognises that high-consequence events warrant attention for further risk reduction on a case-by-case basis;
d) considers on-site risks and off-site risks;
e) compares the risks against suitable MHIs' criteria and takes account of aversion to large-scale MASs where necessary, in the selection of necessary control measures;
f) considers sensitivity and uncertainty in the risk assessment;
g) shows that risk assessment has been used in an appropriate way as part of the process to reduce risks on the installation to ALARP;
h) includes a suitable and sufficient consideration of risk reduction options and describes the decision-making process;
i) comes to a conclusion about what further risk reduction measures are reasonably practicable;
j) demonstrates that the adopted control measures for any identified SCEs collectively eliminate or reduce the risk to health and safety to ALARP levels; and
k) puts in place a programme for implementing further risk reduction measures with timescales.


Demonstration of ALARP

10.2 Technical Criterion: The safety case shall show the approaches or methodologies used to support the MHIs' evidence and justifications for ALARP demonstration.

Guidance: To meet this criterion, the safety case shall:

a) describe the decision-making process for control measures adopted and further risk reduction measures rejected for each SCE;
b) define the underlying rationale, criteria and decision-making basis for ALARP demonstration;
c) demonstrate that decisions on the requirement for additional risk reduction measures to bring down levels to ALARP are made by appropriately qualified and experienced technical personnel; and
d) demonstrate that decision-making by MHIs is precautionary when the degree of uncertainty is larger, or the consequences of the SCE give rise to significant off-site risks. A precautionary approach means that there is a bias towards safety.

The description must be convincing. This means that the rationale for deciding the completeness of the MAH and scenario identification and the adequacy of the control measures employed shall be supported and accompanied by all assumptions made and conclusions drawn. Where appropriate, MHIs shall present or summarise the results of supporting studies that have been performed.

The description shall also demonstrate that the process was systematic, which means that it followed a fixed and pre-established scope. Finally, the degree of analysis in support of the ALARP demonstration shall be proportionate to the risk and to the complexity of the MHI, hazards and the control measures.

10.3.1 Technical Criterion: Fundamental consideration for ALARP demonstration (part 1): What more can MHIs do to reduce the risks from SCEs?

Guidance: To meet this criterion, the safety case shall:

a) include a systematic review of control measures applicable to all SCEs;
b) draw up, in a qualitative and proportionate way, a list of control measures that have been implemented for each SCE. As a minimum the list should include all relevant good practices and sound engineering principles;
c) draw up, in a qualitative and proportionate way, a list of control measures that could be practicably implemented to reduce risks from SCEs further. Suggestions for further risk reduction measures include:


   (i) relevant good practices or sound engineering principles not implemented;
   (ii) an option adopted elsewhere in similar circumstances; and
   (iii) any other option that has worked in practice.

Where further risk reduction measures include automation (e.g. to remove the human contribution to failure), the automation should be well justified, well designed, and selected for the right reasons.

Where relevant, MHD officers should note that training and procedures should not be viewed as the sole defence against human failure; they should form an integral part of a broader range of measures to reduce the potential for human failure.

10.3.2 Technical Criterion: Fundamental consideration for ALARP demonstration (part 2): What further risk reduction measures are reasonably practicable?

Guidance: To meet this criterion, the safety case shall:

a) include, for each control measure identified for further risk reduction that could practicably be implemented, an assessment of:
   (i) the sacrifice, in money, time and effort, required to implement the control measure; and
   (ii) the foreseen benefits, in harm avoided, from implementing the control measure;
b) include a comparison of the sacrifice and benefits, and a conclusion on whether the sacrifice is grossly disproportionate to the benefits based on the MHIs' criteria. Review of the MHIs' ALARP criteria is an important aspect of the ALARP assessment.

MHD shall look for the safety case to demonstrate the following when MHIs are using qualitative and/or quantitative argument during ALARP demonstration:

Qualitative Argument
a) describe the argumentation that focuses on relevant good practices and sound engineering principles. Several sources of good practice and engineering principles exist, which are, in order of precedence:
   (i) prescriptive legislation;
   (ii) regulatory guidance;


   (iii) standards produced by standard-making organisations;
   (iv) guidance agreed by an organisation representing a particular sector of industry; and
   (v) standard good practice adopted by a particular sector of industry.

b) demonstrate, if good practice and sound engineering principles are used as the sole justification of ALARP, that:
   (i) good practice and sound engineering principles are relevant to the SCEs;
   (ii) adopted standards are up to date and relevant;
   (iii) where a standard allows for more than one option for conformity, the chosen option makes the risks ALARP; and
   (iv) good practice and sound engineering principles reduce the risk to an acceptable level.

c) if ALARP cannot be demonstrated by good practice and sound engineering principles, the safety case shall demonstrate for further risk reduction measures:
   (i) that measures which are reasonable and practicable reduce the risk to an acceptable level; and
   (ii) that the measures which are reasonable and practicable are implemented, or are included in the MHIs' improvement or risk reduction plan.

Quantitative Argument
a) present quantitative arguments such as Cost-Benefit Analysis (CBA) if applying qualitative argumentation is not sufficient to demonstrate ALARP.
