21020-BAB-04101-HS-PR-0005_C1 FINAL

Supplier Document Front Sheet

Supplier Name BUMI ARMADA

Equipment Tag/WIN No(s):

Supplier Document No: 21020-BAB-04101-HS-PR-0005 Supplier Document Revision:

C1

Document Title: SAFETY CASE STRATEGY

EnQuest Document Number

Company Project ID Discipline System Document Class Seq. No.

BAB KRA HS 00 STR 0001

Alternative Document No :

Rev Description Date Prepared Checked Approved

PMT PM A1 Issued For Joint Review 21/03/14 KJ GWR SW AJS A2 Issued for Approval

03/07/14 GWR KMcC SW AJS

C1 Approved For Use 03/09/14 GWR KMcC SW AJS

EnQuest Approval of Supplier Document

Code Description of Code Signature of EnQuest Package Engineer Date

A Accepted - Work May Proceed

B Revise and Resubmit - Work May Not Proceed.

D Revise and Resubmit - Work May Proceed.

I Information Only

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 2 of 52

Consultant/ Vendor No :

KRAKEN FIELD DEVELOPMENT

KRAKEN FPSO

SAFETY CASE STRATEGY C1 03 Sept 14 Approved For Use GWR KMcC SW AS

A2 03 Jul 14 Issued For Approval GWR KMcC SW AS

A1 21 Mar 14 REISSUED FOR IDC KJ GWR SW AS

R0 24 Jan 14 ISSUED FOR IDC KJ GR AS

Rev Date Description Prepared Checked PMT PM

APPROVAL

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 3 of 52


REVISION CHANGE NOTICES

Revision Location of Changes Brief Description of Change C1 Revised to Approved For

Use None

HOLDS TABLE

Location Hold Action By

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 4 of 52


TABLE OF CONTENTS

1. INTRODUCTION ......................................................................................................................... 6

1.1 PURPOSE AND SCOPE .............................................................................................. 6 1.2 INTERFACES - ENQUEST / BAB / BA UK ................................................................. 7 1.3 PROJECT BACKGROUND ......................................................................................... 8 1.4 ABBREVIATIONS ........................................................................................................ 9 1.5 DEFINITIONS ............................................................................................................. 12 1.6 COMPLIANCE FRAMEWORK .................................................................................. 14

1.6.1 General ........................................................................................................... 14 1.6.2 Legal Background ........................................................................................... 15 1.6.3 Safety Case Regulations ................................................................................ 15 1.6.4 Content Requirements.................................................................................... 16

1.7 DEMONSTRATING COMPLIANCE .......................................................................... 17 1.8 REFERENCES ........................................................................................................... 18

1.8.1 External References ....................................................................................... 18 1.8.2 Internal References ........................................................................................ 19

2. SAFETY CASE OBJECTIVES AND SCOPE ........................................................................... 20

2.1 SAFETY CASE OBJECTIVES................................................................................... 20 2.2 SAFETY CASE SCOPE ............................................................................................. 20

3. SAFETY CASE ESTABLISHMENT AND MAINTENANCE ..................................................... 21

3.1 RESPONSIBILITY FOR THE SAFETY CASE .......................................................... 21 3.2 SAFETY CASE ESTABLISHMENT ........................................................................... 21 3.3 WORKFORCE INVOLVEMENT ................................................................................ 21 3.4 VERIFICATION AND VALIDATION .......................................................................... 24 3.5 SAFETY CASE SUBMISSION................................................................................... 24 3.6 SAFETY CASE MAINTENANCE ............................................................................... 24

4. STRUCTURE OF THE SAFETY CASE .................................................................................... 26

4.1 PART 1: INTRODUCTION & SUMMARY .................................................................. 26 4.2 PART 2: FIELD AND FACILITY DESCRIPTION ...................................................... 26 4.3 PART 3: SAFETY MANAGEMENT SYSTEM (SMS) ................................................ 28 4.4 PART 4: COMBINED OPERATIONS ........................................................................ 28 4.5 PART 5: MAJOR ACCIDENT HAZARD ANALYSIS & MANAGEMENT ................. 29 4.6 PART 6: PERFORMANCE STANDARDS AND VERIFICATION SCHEME ............. 30

5. PROJECT MAH MANAGEMENT STRATEGY ........................................................................ 31

5.1 MAH MANAGEMENT ................................................................................................ 31 5.2 FORMAL SAFETY ASSESSMENT PROCESS ........................................................ 31 5.3 HAZARD IDENTIFICATION ....................................................................................... 36

5.3.1 Major Accident Hazard Risk Register ............................................................. 36 5.4 RISK ASSESSMENT METHODOLOGY ................................................................... 37

5.4.1 Project Risk Management Framework ........................................................... 37 5.4.2 Risk Assessment Model ................................................................................. 38

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 5 of 52


5.4.3 Qualitative Risk Assessment .......................................................................... 40 5.4.4 Quantified Risk Assessment - QRA ............................................................... 41 5.4.5 QRA Uncertainty and Sensitivity .................................................................... 42

5.5 DEMONSTRATION OF TOLERABLE RISK ............................................................. 42 5.5.1 Project Risk Acceptance Criteria .................................................................... 43 5.5.2 Risk Reduction Measures .............................................................................. 45

5.6 DEMONSTRATING COMPLIANCE WITH RELEVANT STATUTORY PROVISIONS. 45

5.6.1 ALARP Decision Selection ............................................................................. 46 5.6.2 ALARP Methodology Overview ...................................................................... 47 5.6.3 Cost Benefit Analysis ...................................................................................... 47

6. HUMAN FACTORS ................................................................................................................... 48

APPENDIX A TYPICAL SAFETY CASE (TABLE OF CONTENTS) ............................................... 50

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 6 of 52


1. INTRODUCTION

1.1 PURPOSE AND SCOPE

Pursuant to the United Kingdom’s (UK) Offshore Installations (Safety Case) Regulations, 2005 (SCR05), in particular Regulation 12, this document provides the strategy for, and guidance on, the development of a Safety Case for Bumi Armada UK Limited (BAUK) (the duty holder), a subsidiary of Bumi Armada Berhad (BAB). This strategy shall ensure compliance with the relevant statutory provisions (RSPs) so as to ensure safe operation of the Kraken offshore facilities throughout life of field.

The purpose of this strategy is to provide guidance to the Kraken workforce including vendors and 3rd parties, giving an insight into safety case regulatory requirements and the engagement processes that they will be involved with. The strategy maps out the structure and content of the safety case. The strategy also contains the Major Accident Hazard (MAH) philosophy. This philosophy shall be applied as the benchmark to conduct the Kraken formal safety assessment (FSA) studies.

BAB/BAUK acknowledge the importance that the compilation of a Safety Case provides to the regulatory requirement as a means of demonstrating to their workforce, and the UK Health and Safety Executive (HSEx) that BAUK, as duty holder, is committed to managing its operations in a safe and efficient manner, and ensuring that risks from Major Accident Hazards (MAHs) are identified and measures commensurate are implemented. In so doing, the BAB Kraken Project Team (BAB Kraken) and BAUK are able to demonstrate that risks are as low as reasonably practicable (ALARP) in the context of compliance demonstration.

As part of the BAB Kraken Project and BAUK Safety Management System (SMS) the process of developing the Safety Case involves a systematic review of field source data from where the MAHs are identified. The philosophy and management that will control the implementation of the MAH processes are detailed in Section 5.0. As part of this structured approach the formal safety assessment (FSA) processes will demonstrate the adequacies of the risk reduction measures implemented, and that these are visible and robust. This review occurs both during the initial development of the Safety Case, and subsequently as a process of continuous improvement throughout the life cycle of the Kraken FPSO.

The Safety Case shall be prepared and submitted by the BAB Kraken Project, in association with the duty holder, BAUK.

Note1: The contents of this document must be read in conjunction with all of the project management and design engineering management philosophies and understood by all managers and all levels of supervision, as well as any contractors that shall be responsible for developing, documenting and implementing the relevant safety case process. The following apply:

1. Field Development Plan, Doc No. ENQ-KRA-PM-00-PLA-0001 2. Environmental Statement, Doc No. ENQ-KRA-HS-00-STA-0002 3. Basis of Design, Doc No. ENQ-KRA-PM-00-BOD-0001 4. FPSO Technical Specification, Doc No. ENQ-KRA-PM-00-SPE-0001 5. HSE Design Basis, Doc No. 21020-BAE-07700-HS-RP-7001 6. Structural Design Brief, Doc No. 21015-DEL-10000-ST-RP-0001 7. Mooring System - Design Analysis, Doc No. 21015-APL-79100-MO-RP-0005

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 7 of 52


8. STP Buoy - Design Report, Doc No. 21015-APL-79100-MO-RP-0009 9. Naval Architecture & Structural Design Brief, Doc No. 21020-BAE-07000-ST-RP 10. Topsides Structural Basis of Design, Doc No, 21020-BAE-70000-ST-RP-0001 11. HSE Plan, Doc No. 21020-BAB-04101-HS-PR-0001 12. Project Quality Plan, Doc No. 21020-BAB-04101-QA-PR-0002 13. Project Execution Plan, Doc No. 21020-BAB-04100-PM-PL-0001 14. Regulatory Compliance Plan, Doc No, 21020-BAB-04101-QA-PL-0002 15. Verification Strategy, Doc No. 21020-BAB-04101-HS-PL-0005 16. Safety Case Design Notification Doc No. 21020-BAB-04101-HS-PR-0006

Note2: In order to ensure understanding and ownership, BAB shall develop an appropriate competency-based training module for all relevant Project personnel.

1.2 INTERFACES - ENQUEST / BAB / BA UK

BAB, via the subsidiary Armada Kraken PTE Ltd, will procure, design, engineer, construct, commission and install the Kraken FPSO on location in the UK North Sea. As highlighted in Figure 1.1, this agreement is contained within the Bareboat Charter Agreement as entered into between Armada Kraken PTE Ltd and EnQuest Heather Ltd & Partners (EnQuest). BAB and Bumi Armada Engineering (BAE) will in turn provide the Project process, engineering, procedures and manpower to Armada Kraken PTE Ltd (AKP).

An Operating & Maintenance Agreement (OMA) is in place between another BAB subsidiary, namely Bumi Armada UK Ltd and EnQuest for operation of the Kraken FPSO following successful start-up.

EnQuest is the Field Operator, whilst BAUK is the nominated Kraken Field Duty Holder.

.

Figure 1.1 – Kraken Interfaces

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 8 of 52


Enquest are responsible for the Design, Installation, Maintenance and Provision of:

• Kraken reservoir / downhole & drilling / wells

• Subsea including all jewellery and controls (with Subsea/Topsides Interface)

• Pipelines & Risers (with Subsea/Topsides Interface)

• Shuttle Tanker Charters

Armada Kraken PTE & BAUK the Duty Holder are responsible for the Kraken FPSO EPIC, Operations & Maintenance of the following:

• Tanker conversion to FPSO, including Accommodation & Marine Systems

• STP Buoy, FPSO Mooring & Turret Systems

• Platform topsides including Process, Utilities & Safety Systems

• Import of well stream fluids, fuel gas and production processing on-board the FPSO.

• Control and Instrumentation command with all Subsea, Pipeline and Riser facilities (Refer to Enquest Subsea/Topsides Interfaces)

• Tanker Offloading Operations.

All of the design and operational data for EnQuest entity will be provided for inclusion within the respective safety case sections.

1.3 PROJECT BACKGROUND

The Kraken Field is located in the UK Continental Shelf (UKCS) block 9/02b, approximately 400 km north east of Aberdeen in a nominal water depth of 116m.

Following the field development plan submission to the Department of Energy and Climate Change (DECC), the Kraken field development consists of the provision of subsea and FPSO production facilities to deliver stabilized oil to a shuttle tanker from 25 wells (14 producers and 11 water injectors). The Kraken product is heavy oil with a gravity of approximately 13.7° API. The development of the Kraken field requires multiple drilling/production centres, which will be subsea developments tied back to the FPSO. The FPSO shall be specifically considered to be a harsh environment production facility. Artificial lift is required in the form of water driven Hydraulic Submersible Pumps (HSPs) in each production well supplied with power fluid from the FPSO. Water injection is required for reservoir pressure support, voidage replacement and to sweep the oil to the producers.

As a result of the low Gas Oil Ratio (GOR), associated gas and crude will be used for power generation, with the possibility of import gas in later life. Gas import via a dedicated import pipeline tied into an existing 3rd Party trunk line is a future possibility and therefore included.

The heavy oil forms a strong viscous emulsion with water; however, this will be managed with the HSP power fluid which mixes with the crude oil at the well head producing more favourable separation of oil and water phases.

BAB Kraken will base the FPSO on the existing tanker PRISCO ALCOR (the Tanker), which shall undergo an extensive conversion programme for conversion to the FPSO role. The FPSO shall sail under its own power from conversion yard in Singapore to a port in Northern

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 9 of 52


Europe (Rotterdam) and then will be towed from the port to the field for hook-up and installation.

Figure 1.1 – Kraken Field Location

1.4 ABBREVIATIONS

ACoP - Approved Codes of Practice

AIMS - Asset Integrity Management System

ALARP - As Low as Reasonably Practicable

APOSC - HSE Assessment Principals for Offshore Safety Cases

BAB - Bumi Armada Berhad

BAB Kraken - Bumi Armada Berhad Kraken Project Team

BAUK - Bumi Armada UK Operations Team

CAA - Civil Aviation Authority

CAP - Civil Aviation Practice

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1

Page : Page 10 of 52


CBA - Cost Benefit Analysis

COLREG - Collision Regulations

CON - Combined Operations Notification

DCR - Design and Construction Regulations

DECC - Department of Energy and Climate Change

DNV - Det Norske Veritas

ER - Emergency Response

EU - European Union

FPSO - Floating Production Storage Offloading

FSA - Formal Safety Assessment

GASCET - Guidance for the Topic Assessment of the MAH Aspects of Safety Cases

GOR - Gas Oil Ratio

HAZID - Hazard Identification

HAZOP - Hazard and Operability Study

HFA - Human Failure Analysis

HFE - Human Factors Engineering

HSC - Health and Safety Commission

HSEx - UK Health and Safety Executive

HSP - Hydraulic Submersible Pumps

HSWA - Health and Safety at Work Act

IALA - International Association of Lighthouse Authorities

IDC - Interdisciplinary Check

ICAF - Implied Cost of Averting a Single Fatality

ICP - Independent Competent Person

IEC - International Electrotechnical Commission

ILO - International Labour Organization

IMO - International Marine Organization

ISM - International Safety Management

ISO - International Standards Organization

IVB - Independent Verification Body

LOLER - Lifting Operations and Lifting Equipment Regulations, 1998

MAE - Major Accident Event

MAH - Major Accident Hazards

MAPD - Major Accident Prevention Document

MAR - Management and Administration Regulations

MARPOL - International Convention for the Prevention of Pollution from Ships

MEE - Major Environmental Event

MHSWR - Management of Health and Safety at Work Regulations, 1999

MOC - Management of Change

MS - Management System

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



OHSAS - Occupational Health and Safety Assessment Series

OIS - HSE Topic Guidance Offshore Information Sheets

OSRSCR - Safety Representatives & Safety Committees Regulations

PFEER - Prevention of Fire & Explosion, and Emergency Response Regulations

PS - Performance Standards

PSR - Pipeline Safety Regulations

PTW - Permit to Work

PUWER - Provision and Use of Working Equipment Regulations, 1998

RSP - Relevant Statutory Provisions

QRA - Qualitative / Quantitative Risk Assessment

SCE - Safety Critical Elements

SCR05 - Offshore Installations (Safety Case) Regulations, 2005

SCR92 - Offshore Installations (Safety Case) Regulations, 1992

SCTA - Safety Critical Task Analysis

SFAIRP - So Far As Is Reasonably Practicable

SMS - Safety Management System

SOLAS - Safety of Life at Sea

TA - Technical Authority

TR - Temporary Refuge

TRI - Temporary Refuge Integrity

UK - United Kingdom

UKCS - UK Continental Shelf

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



1.5 DEFINITIONS

ALARP The concept of “reasonably practicable” involves weighing the risk against the cost in terms of the time, investment and resource needed to eliminate or further reduce it. Thus, ALARP does not represent a fixed risk value, but describes the level to which one expects to see workplace risks controlled.

BAB Kraken BAB entity responsible for the design, build, commissioning and hand-over of the Kraken FPSO.

BAUK BAB entity responsible for operation of the Kraken FPSO following commissioning and hand-over from BAB Kraken Project.

Barrier A functional grouping of safeguards and controls selected to prevent, or limit the effect of, a Major Accident or Environmental Event (MAE / MEE). Each barrier typically includes a mix of facilities (equipment), processes (documented and ‘custom & practice’) and people (personal skills and their application). The selected combination of these ensures the barrier will be suitable, sufficient and available to deliver its expected risk reduction. A barrier is the high level functional group (e.g. fire suppression) and can be divided into separate safety critical systems (e.g. deluge system), and further sub-divided into safety critical elements (which will generally be the tagged items representing the lowest level to which the barrier can sensibly be sub-divided).

Cost Benefit Analysis CBA is the numerical assessment of the costs of implementing a design change or modification and the likely reduction in fatalities that this would be expected to achieve.

Combined Operations Performing two or more operations concurrently which could bring about an undesired event or set of circumstances if not adequately managed. Could include, but not be limited to the following:

• A vessel undertaking a non-routine operations within the facility’s 500m zone;

• Subsea umbilicals, risers and flowlines (SURF) operations;

• Field developments with multi-vessel/contractor operations. Combined operations often involve several companies (duty holder, contractors, subcontractors, & vendors), multi-disciplined workforces and a wide range of daily (24-hour) routine & non-routine activities.

Duty Holder Refers to the legal entity on which duties are placed by the SCR05 in respect of offshore installations, in particular the preparation of the safety case. In relation to a fixed production installation, the duty holder is the operator. The operator in turn is the person appointed by the licensee to manage and control directly, or by any other person, the execution of the main functions of a production installation.

Grossly Disproportionate If a risk reducing measure is practicable and it cannot be shown that the cost of the measure is grossly disproportionate to the benefit gained, then the measure is considered reasonably practicable and should be implemented.

Major Accident Hazard Identified from the field source data and is a hazard which has the

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



potential to result in a Major Accident Event (MAE).

Major Accident Event a) a fire, explosion or the release of a dangerous substance involving death or serious personal injury to persons on the installation or engaged in an activity on or in connection with it;

b) any event involving major damage to the structure of the installation or plant affixed thereto or any loss in the stability of the installation;

c) the collision of a helicopter with the installation; d) the failure of life support systems for diving operations in

connection with the installation, the detachment of a diving bell used for such operations or the trapping of a diver in a diving bell or other subsea chamber used for such operations; or

e) any other event arising from a work activity involving death or serious personal injury to five or more persons on the installation or engaged in an activity in connection with it

Major Hazard Facilities Operational facilities which have the potential to cause a major accident due to storage, handling, processing or transport of hazardous or toxic materials or other activities carried out on the site including but not limited to offshore installations, onshore terminals or storage installations, high pressure transmission pipelines conveying flammable or hazardous materials, etc.

Performance Standards A measurable description, usually in qualitative & quantitative terms, of the performance required of a barrier, safety critical system/ element and which may apply to facilities, processes or people.

Relevant Statutory Provisions

Means the relevant statutory provisions (as defined in section 53(1) of the Health & Safety at Work Act (HSWA)) which apply to or in relation to installations or activities on or in connection with them; The expression ‘relevant statutory provisions’ (RSPs) is used in the HSWA to mean Part I of that Act, the health and safety regulations made under it, and the existing statutory provisions defined in it. The RSPs that apply to or in relation to offshore installations or connected activities include: (a) Part 1 of the HSW Act; (b) Regulations made under the Act which contain a provision

applying them offshore, including MHSWR, MAR, PFEER, DCR, PSR and PUWER; and

(c) Remaining provisions of older offshore-specific health and safety legislation, such as OSRSCR and the provisions on safety zones under the Petroleum Act 1987.23

The expression is used in primarily in regulation 12 regarding the demonstrations to be contained in a safety case. Similar use occurs in Schedules 1, 4 and 6 specifying the contents of notifications. The expression is also used in regulation 5 setting out the duties of licensees.

Safety Critical Element Safety-critical elements” (SCEs) means such parts of an installation and such of its plant (including computer programmes), or any part thereof – (a) the failure of which could cause or contribute substantially to; or (b) a purpose of which is to prevent, or limit the effect of, a major

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



accident;

The term SCEs is an important component of the provisions relating to verification schemes. Any structure, plant, equipment, system (including computer software) or component part whose failure could cause or contribute substantially to a major accident is safety critical, as is any which is intended to prevent or limit the effect of a major accident. Identifying an item as safety critical should follow from identifying major accident hazards as required by Regulation 12 (SCR05). Note: Safety critical elements can be grouped into barriers.

1.6 COMPLIANCE FRAMEWORK

1.6.1 General The Kraken FPSO will operate inside the UKCS and is therefore required to comply with the legislative requirements of the UK sector. The identified Kraken Project compliance framework is illustrated in Figure 1.2.

Figure 1.2 – Offshore Legislative Framework

Note1: A Regulatory Compliance Plan and a Register of Applicable Legislation shall be developed for the Kraken Project.

Note2: DNV Classification contributes to the case for safety; however BAB recognize that adherence to classification code is not sufficient as the benchmark for a case safety and UK SCR05 sets the overarching precedence.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



In comparison to SCR92, which required a demonstration that risks to people from MAHs had been reduced to the lowest level i.e. reasonably practicable (ALARP), SCR05 requires a demonstration that major accident risks are, or will be, controlled to ensure compliance with the RSPs. Refer to Section 1.6.3 for a breakdown of SCR05 requirements.

1.6.2 Legal Background The Health and Safety at Work etc. Act 1974 (HSWA) is the principal source of health and safety legislation in the UK. The Act requires employers to ensure so far as is reasonably practicable (“SFAIRP”) the health, safety and welfare at work of employees, and others.

Note: The meaning of SFAIRP has been the subject of legal judgment in the UK courts (Edwards v National Coal Board 1949).

The HSWA is supported by regulatory requirements, many of which require assessment of risk. For example, the Management of Health and Safety at Work Regulations 1999 (MHSWR) Regulation 3, requires a suitable and sufficient assessment of risk for the purpose of identifying measures needed to comply with the RSPs.

1.6.3 Safety Case Regulations

SCR05 requires duty holders to demonstrate that measures have been, or will be, taken to reduce risk to persons affected by hazards, which have the potential to cause a major accident, to the lowest level i.e. ALARP. This means that the duty holder has to show through reasoned and supported arguments that there is nothing else that could reasonably be done to reduce risks further.

Many of the requirements within the RSPs are qualified by phrases SFAIRP, ALARP or even, “appropriate with a view to”. Where legal duties use these qualifying phrases, they call for similar tests to be applied. Wherever such wording is used this means a duty holder has to show, through reasoned and supported arguments, that there is nothing else that could reasonably be done to reduce risks further.

Note: Bab Kraken/BAUK has a legal obligation to comply with legislation within the confines of the goal setting regime. HSE acceptance is required for all safety cases plus material revisions to safety cases. Acceptance is not defined in the Regulations, but its meaning follows Principle 4 of the HSC policy statement on permissioning regimes.

HSE will accept a safety case or a revision under these Regulations when duty holders demonstrate and describe specified matters to HSE’s satisfaction. Acceptance will be based on HSE’s judgement that the arrangements and measures described in the safety case taken as a whole are likely to achieve compliance if implemented as described. To give acceptance HSE does not need to be satisfied that compliance will be achieved - this confirmation will be made by post-acceptance programmes of inspection and enforcement, based on the accepted safety case. Acceptance does not guarantee the safety of the installation or its operations.

In making an acceptance decision HSE will take a considered view on which elements of a particular safety case should be examined in greater depth and which need not. The key criterion will be whether a safety case contains sufficient information to enable HSE to make a decision on acceptance. This provides flexibility in the assessment process. HSE’s Assessment principles for offshore safety cases (APOSC) provide a detailed list of principles that need to be addressed to ensure the safety case includes the relevant information. Safety case handling and assessment manual - principles and procedures (SCHAM) sets out HSE’s approach to assessing safety cases and gives an insight as to how and why decisions are reached by HSE.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



The HSEx may inspect the FPSO prior to arrival in the field at Rotterdam. However, the HSEx may not inspect the FPSO until after it is operational. The HSEx have indicated during meetings held in March / April 2014 that they will conduct inspections during the first two years of operation of the FPSO.

1.6.4 Content Requirements Schedule 2 of the SCR05 sets out the content requirements of the safety case:

1. Name and address of the operator of the installation. 2. Description of the extent to which the duty holder has taken into account any matters

raised by the HSEx in relation to the Design Notification. 3. A summary of workforce involvement, specifically that of the safety representatives for

the installation pursuant to the requirements of The Offshore Installations (Safety Representatives and Safety Committees) Regulations 1989.

4. A description, with suitable diagrams, of: a. Main and secondary structure of the installation and its materials; b. Process plant; c. Layout and configuration of plant; d. Connections to any pipeline or installation; and e. Any wells connected or to be connected to the installation.

5. A suitable plan of the location of the installation and of anything connected to it, and particulars of:

a. The meteorological and oceanographic conditions to which the installation may foreseeably be subjected; and

b. The properties of the sea-bed and subsoil at its location. 6. Particulars of the types of operation, and activities in connection with an operation, which

the installation is capable of performing. 7. The maximum number of persons:

a. Expected to be on the installation at any time; and b. For whom accommodation is to be provided.

8. Particulars of the plant and arrangements for the control of well operations, including those to:

a. Control pressure in a well; b. Prevent the uncontrolled release of hazardous substances; and c. Minimise the effects of damage to subsea equipment by drilling equipment.

9. A description of any pipeline with the potential to cause a major accident, including: a. The fluid which it conveys; b. Its dimensions and layout; c. It’s contained volume at declared maximum allowable operating pressure; and d. any apparatus and works intended to secure safety,

together with a summary of the document prepared in compliance with the requirements of the Pipelines Safety Regulations 1996.

10. A description of how the duty holder has ensured, or will ensure, compliance with the requirements of the PFEER Regulations.

11. A description of arrangements made for protecting persons on the installation from toxic gas at all times other than during any period while they may need to remain on the installation following an incident which is beyond immediate control.

12. A description of the measures taken or to be taken or the arrangements made or to be made for the protection of persons on the installation from hazards of explosion, fire, heat, smoke, toxic gas or fumes during any period while they may need to remain on the

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



installation following an incident which is beyond immediate control and for enabling such persons to be evacuated from the installation where necessary, including provision for:

a. Temporary refuge; b. Routes from locations where persons may be present to temporary refuge and

for egress therefrom to points from where the installation may be evacuated; c. Means of evacuation at those points; and d. Facilities within temporary refuge for the monitoring and control of the incident

and for organising evacuation. 13. A description of the main requirements in the specification for the design of the

installation and its plant, which shall include: a. Any limits for safe operation or use specified therein; b. A description of how the duty holder has ensured, or will ensure, compliance with

the requirements of the Offshore Installations & Wells (Design & Construction, etc.) Regulations 1996;

c. A description of how the duty holder has ensured, or will ensure, the suitability of the safety-critical elements; and

d. A description of how the duty holder: i. where he is also the operator in relation to a pipeline, has ensured, or will

ensure, compliance with the Pipelines Safety Regulations 1996; or ii. where he is not also the operator in relation to a pipeline, has co-

operated or will co-operate with the operator in relation to a pipeline to ensure compliance with the Pipelines Safety Regulations 1996.

14. Particulars of any combined operations which may involve the installation, including: a. A summary of the arrangements in place for co-ordinating the management

systems of all duty holders involved in any such combined operation; b. A summary of the arrangements in place for a joint review of the safety aspects

of any such combined operation by all duty holders involved, which shall include the identification of hazards with the potential to cause a major accident and the assessment of risks which may arise during any such combined operation;

c. The plant likely to be used during any such combined operation; and d. The likely impact any such combined operation may have on the installations

involved.

1.7 DEMONSTRATING COMPLIANCE

In the context of duty holdership, and based on the requirements for regulatory compliance (refer Section 1.6); BAB Kraken and BAUK recognize that a key element of the project and operations safety management systems is ensuring compliance with the relevant statutory provisions (in accordance with SCR05, Regulation 12). The focus of the systems must thus be on the management processes (initially during the project phase and later during the operations phase) by which both parties can reach the conclusion that all measures that could be applied to reduce risk, from each of the identified major accident hazards (MAHs), are appropriate and that nothing more could be done.

Compliance demonstration within the Safety Case must therefore validate fulfilment of the relevant statutory provisions (RSPs) and establish that risks are tolerable - through application of relevant good practice, professional judgement, experience, etc., and where necessary supported by reference to the use of appropriate risk assessment techniques.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



The management processes described in the demonstration of compliance must also show how, in the context of duty holdership, that BAB Kraken and BAUK have considered an integrated picture whilst assessing risk and not merely a partial view i.e. not considering each hazard in isolation, but rather across the whole system.

1.8 REFERENCES

1.8.1 External References

HSWA Health and Safety at Work Act, 1974 SCR05 The Offshore Installations (Safety Case) Regulations, 2005 HSE L30 A Guide to the Offshore Installations (Safety Case) Regulations 2005

MAR The Offshore Installation & Pipelines Works (Management & Administration) Regulations, 1995

PFEER The Offshore Installations (Prevention of Fire & Explosion, and Emergency Response) Regulations 1995

DCR The Offshore Installations and Wells (Design & Construction, etc.) Regulations,1996

OSRSCR The Offshore Installations (Safety Representatives & Safety Committees) Regulations, 1989

PSR Pipeline Safety Regulations, 1996 SOLAS Safety of Life at Sea Regulations 2002 with 2010 amendments PUWER Provision and Use of Work Equipment Regulations 1998. LOLER Lifting Operations and Lifting Equipment Regulations 1998. NOISE Noise at Work Regulations 2005

IPPC Environmental Protection The Offshore Combustion Installations (Prevention and Control of Pollution) Regulations 2013

DNV-OSS-102 Rules for Classification of Floating Production, Storage and Loading Units, 2010

HSE OIS No.2/2006

Offshore Installations (Safety Case) Regulations 2005 Regulation 12 Demonstrating compliance with the Relevant Statutory Provisions

HSE OIS No.3/2006 Guidance on Risk Assessment for Offshore Installations

HSE OIS No.11/2007

Offshore Installations (Safety Case) Regulations 2005 HSE’s involvement in the design and construction process (including processing of design notifications.

APOSC Assessment Principles for Offshore Safety Cases (APOSC)

GASCET Guidance for the Topic Assessment of Major Accident Hazards aspects of Safety Cases

SCHAM Safety Case Handling and Assessment Manual R2P2 Reducing Risks, Protecting People – HSE’s Decision Making Process

Note: Always refer to the most recent edition of the reference works listed above.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



1.8.2 Internal References

21020-BAB-04101-HS-PL-0001 Verification Scheme 21020-BAB-04101-HS-PL-0003 Verification Strategy Project Phase 21020-BAB-04101-HS-PL-0004 Human Factors Implementation Plan 21020-BAB-04101-HS-PR-0001 Project HSE Plan 21020-BAB-04101-HS-PR-0003 Environmental Management Plan 21020-BAB-04101-HS-PR-0006 Design Notification 21020-BAB-04101-PM-PL-0001 Project Execution Plan 21020-BAB-04101-PM-PR-1002 Project Management of Change Procedure 21020-BAB-04101-PM-PRM-7113 Project Risk Management Procedure 21020-BAB-04101-QA-PL-0002 Regulatory Compliance Plan 21020-BAB-04101-QA-PR-0002 Project Quality Plan 21020-BAB-04101-QA-PR-0003 Project Audit Procedure 21020-BAB-04106-PM-RL-0002 Change Register 21020-BAB-06800-PM-PR-0001 Interface Management Procedure 21020-BAB-07000-PM-PL-0002 Engineering Execution Plan 21020-BAE-07700-HS-RP-7001 Project HSE Design Basis

Note: Always refer to the most recent edition of the reference works listed above.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



2. SAFETY CASE OBJECTIVES AND SCOPE

2.1 SAFETY CASE OBJECTIVES

The purpose of the Safety Case is to communicate a clear, comprehensive and defensible argument that the design and operation of the offshore facility has systematically and comprehensively considered safety.

The Safety Case provides confidence to both the duty holder and HSEx that the duty holder has the ability and means to control major accident risks effectively. The Safety Case provides an extra level of regulatory control on top of regulations such as PFEER and DCR, justified by the major accident potential of the offshore activities within scope.

The Safety Case shall be prepared pursuant to SCR05 Regulation 12:

(1) The duty holder shall, subject to paragraphs (2) and (3) below, include in the safety case sufficient particulars to demonstrate that:

(a) his management system is adequate to ensure— (i) that the RSPs will, in respect of matters within his control, be complied with; and (ii) the satisfactory management of arrangements with contractors and subcontractors;

(b) BAB Kraken Project & BAUK has established adequate arrangements for audit and for the making of reports thereof;

(c) all hazards with the potential to cause a major accident have been identified; and (d) all major accident risks have been evaluated and measures have been, or will be, taken to

control those risks to ensure that the relevant statutory provisions will be complied with. (2) Paragraph (1) shall only require the particulars in the safety case to demonstrate the matters referred to in that paragraph to the extent that it is reasonable to expect that BAB Kraken Project and BAUK the duty holder to address them at the time of sending the safety case to the Executive. (3) In this regulation, “audit” means systematic assessment of the adequacy of the management system to achieve the purpose referred to in paragraph (1)(a) carried out by persons who are sufficiently independent of the system (but who may be employed by the duty holder) to ensure that such assessment is objective.

2.2 SAFETY CASE SCOPE

The Kraken Safety Case shall be a single volume standalone document sufficient to meet the contents (refer to Section 1.6.4) and level of detail requirements of the SCR05 i.e. the Kraken Safety Case shall be sufficiently comprehensive without the need to refer the reader to documents external to the Safety Case in order to meet the objectives stated above.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



3. SAFETY CASE ESTABLISHMENT AND MAINTENANCE

3.1 RESPONSIBILITY FOR THE SAFETY CASE

The Kraken Safety Case is a key project deliverable. Upon completion of the Project Phase, responsibility shall be transferred to Bumi Armada UK Limited. The work to establish the Kraken Operational Safety Case shall be led by the BAB Kraken Project Safety Case Manager.

3.2 SAFETY CASE ESTABLISHMENT

The Project activities leading up to the development of the Kraken Safety Case and thereby ensuring the safe and efficient operation of the Kraken FPSO are illustrated in Figure 3.1. The activities to develop the Safety Case are integrally linked and the process is not viewed as linear. Because of this overlap, linkages shall be constructed throughout the Safety Case process allowing the document to have a consistent integrated overall structure with a logical flow.

The major accident hazard management strategy employed by BAB Kraken and BAUK throughout the Project is discussed in detail within Section 5 of this document.

3.3 WORKFORCE INVOLVEMENT

The work to establish and maintain the Safety Case is viewed as a multi-disciplinary activity, involving personnel from engineering and operations within BAB Kraken Project and BAUK. The work shall also require involvement and input from various other parties such as the Client (Licensee), Class Society and the selected Independent Verification Body (IVB).

In compliance with the requirements of the SCR05 (pursuant to the requirements of the OSRSCR, 1989), BAB Kraken Project and BAUK shall ensure that there is effective consultation with, and participation by the Kraken workforce, external contractors, vendors and 3rd parties during the preparation, revision and review of the Kraken Safety Case and supporting studies. This will ensure that the workforce understands the risks and hazards to which they may be exposed and that they are knowledgeable and informed on:

• Risk controls, • Risk control effectiveness & vulnerabilities, and • The importance of monitoring risk control measure degradation.

The workforce including operations shall be continuously involved in the formal hazard management processes e.g. HAZID, HAZOP and SIL, Design and Layout / HFE Reviews and IDC review processes.

The 3rd parties, including consultants similar to DNV GL, external contractors and vendors will be engaged through attendance at workforce engagement workshops.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Further workforce engagement workshops shall be scheduled as further personnel mobilize to the project. This will be extended to include any additional 3rd parties, Construction, Commissioning and Operations personnel.

In accordance with OSRSCR Reg.23 Safety representatives will be appointed and consulted on the preparation, review and subsequent revision of the Kraken Safety Case. This will ensure continuation of workforce involvement into the operational phase of the Kraken field where documents will also be available and accessible for them under OSRSCR Reg.18.

BAB Kraken Project and BAUK personnel shall manage and own the preparation, workforce involvement & maintenance of the Kraken Safety Case.

Note: The above commitment does not preclude individual studies, integral to the understanding of risk and on which the Safety Case may be based, from being performed by consultants or contractors.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Figure 3.1 - Project Activities Leading to a Safe Functional Design (Safety Case) – Hazard Management

IMPROVE

PLAN

IDENTIFY

ASSESS

MITIGATE

MANAGE

MANAGEMENT SYSTEM

KRAKEN PROJECT TIME LINE

PROJECT ESTABLISHMENT

PROJECT PLANNING

PROJECT EXECUTION OPERATION

ESTABLISH CONTEXT

FSA: HAZARD ID & RISK ASSESSMENT

VERIFICATION

SAFETY CASE MONITOR & AUDIT

FSA: ACTION TRACKER / ALARP /

RISK ACCEPTANCE CRITERIA

MAJOR ACCIDENT HAZARD MANAGEMENT STRATEGY

FSA: SAFETY STUDIES

ONGOING HAZARD IDENTIFICATION &

RISK EVALUATION

COMPLIANCE REQUIREMENTS

OPERATIONAL CONTROL

BARRIER MS

BASIS OF DESIGN

UK REGULATORY REQUIREMENTS

RESOURCES & COMPETENCY

PROJECT CHARTER

AIMS PROJECT EXECUTION PLAN

MOC PROCESS

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



3.4 VERIFICATION AND VALIDATION

A project specific Verification Scheme shall be established covering all types of verification related to the Safety Case. Examples of typical verification methods that will be applied in the different project phases are as follows:

• Design & Construction Phase:-

- Design reviews - Constructability reviews - Use of TAs in IDC process - Contractor audits - Audits by Authorities (UK HSE) - Inspections by Flag Administration - Inspection by Class Society (DNV) - Inspection by Client (EnQuest) - Workforce involvement & input - Notarized Bodies - HAZID, HAZOPS, ENVID - IVB Body involvement & input

• Operations Phase:-

- Company inspections & audits - Audits by Authorities (UK HSE) - Inspections by Flag Administration - Inspection by Class Society (DNV) - Inspection by Client (EnQuest) - Use of certificates (e.g. Flag/Class) - Verification through maintenance - Operation experience & analysis - Workforce involvement & input - IVB Body involvement & input

3.5 SAFETY CASE SUBMISSION

In accordance with the requirements of SCR05, the operational safety case shall be submitted to HSEx at least 6 months prior to commencing operation. The safety case must be accepted by HSEx before the Kraken FPSO can operate. In reaching a decision about the acceptability, the HSEx shall assess the content of the safety case in accordance with assessment principles for offshore safety cases (APOSC).

The activities at the offshore facility must be conducted in accordance with the safety case, as accepted by HSEx.

3.6 SAFETY CASE MAINTENANCE

Regulation 13 of the SCR05 sets out the requirements for the thorough review of the safety case as either when directed to do so by the Executive, or in the absence of such a direction, within 5 years of the Executive having accepted the current safety case (or the date of the previous review).

Regulation 14 of the SCR05 notes the need to review the safety case prior to the requirements of Regulation 13 should changes be proposed to the Facility with activities at the offshore facility no longer to be conducted in accordance with the safety case as accepted by the Executive.

The Kraken Safety Case shall be a living document and once accepted by HSEx shall be maintained and updated by BAUK throughout the life cycle of the Kraken FPSO. As per the

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



requirements of SCR05, the Kraken Safety Case shall be revised at least once every 5 years and in the event of a material change in circumstances, including but not limited to, major modifications to the Facility, management systems, organisation, operations, activities or the environment. Due account shall also be taken of technological advances that may present improved techniques for risk reduction or render current techniques obsolete.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



4. STRUCTURE OF THE SAFETY CASE

The Kraken Safety Case shall have 6 Parts, as illustrated in Figure 4.1.

4.1 PART 1: INTRODUCTION & SUMMARY

Part 1 shall clearly state the purpose, scope and objectives of the Safety Case and include the name and address of Bumi Armada UK Limited as the operator (and Duty Holder) of the Kraken FPSO as well as a brief description of the Facility – marine & topsides, manning, etc.

Part 1 shall provide an introduction to all further Parts of the Safety Case, briefly summarizing the intent of each so that the reader knows where to find information in the Safety Case. Part 1 shall further detail the requirements for maintaining and updating the Safety Case, as well as necessary compliance with UKCS regulatory requirements with which offshore activities must comply.

Part 1 shall lastly provide a summary description of the major accident hazard, assumptions and risk prevention and mitigation measures, and a summary of the key safety features of the installation, its operations and the overall assessed risk to people in support of the ALARP principle are identified and measures commensurate to demonstrate the risks are as low as reasonably practicable in the context of compliance demonstration to ensure compliance with the RSPs as a justification for operation.

4.2 PART 2: FIELD AND FACILITY DESCRIPTION

Part 2 shall describe the FPSO, its intent, design basis and operational aspects. It shall contain information on the field location and relevant environmental conditions, manning levels, detail of the arrangement and layout of the Facility, process overview, hazardous substances and inventories, general arrangements and the implemented technical control measures (safety critical systems & elements) including those required for emergency escape and evacuation. Part 2 shall also contain details from the Licensee (Client) on the wells and reservoirs and a description of the pipelines connected to the Facility including a summary of the Pipeline Major Accident Prevention Document (MAPD).

The purpose of the facility description is to provide sufficient factual information to gain an understanding of the major accident events identified and assessed in the formal safety assessments, the technical arrangements for managing the risks of these major accident events and the interactions between these risk control measures and the safety management system. The information provided shall be sufficient to gain a full appreciation of the major accident hazards and risk management strategies identified and implemented.

Part 2 shall also highlight any novel or unusual conditions, engineering solutions or technologies encountered and/or used at/on the Facility.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Figure 4.1 - Structure of the Safety Case

Part 3 Part 4 Part 6

Introduction

• Introduction to Safety Case,

• Description of regulatory framework,

• Workforce (safety rep) involvement, and

• Justification for Operation

• Field location & conditions • BoD (metocean data) • Manning • Facility & equipment description • Process description • Control, safety & emergency

systems (technical barriers) (PFEER Reg.4)

• Description of wells and reservoirs • Description of pipeline (PSR)

Field & Facility Description

Safety Management

• SMS - organizational & operational barriers

MAH Analysis & Management

• Summary of FSAs and description of ALARP process

PS & Verification Scheme

• Identification of SCE and systems

• Bow-tie diagrams • Development of

Performance Standards • Verification Scheme (IVB

and ICP) • Compliance with design

intent

Part 1 Part 2

Combined Operations

Part 5

• Generic aspects of combined operations (review, meetings, MOC, PTW, ER, etc)

Kraken Safety Case

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



4.3 PART 3: SAFETY MANAGEMENT SYSTEM (SMS)

Part 3 shall describe the BAUK Safety Management System (inclusive of health and environmental management) and the control the system will impose to ensure that the Facility is operated safely and how the system shall continue to ensure that all measures applied to reduce risk shall remain appropriate and effective. Part 3 shall also describe how offshore management will take full responsibility for the safety of the Facility.

The BAUK safety management system is dynamic and will be shown to be able to readily respond to changes in legislation, operating environment (including organizational and economic changes), reservoir, process or any other physical conditions.

Part 3 shall not include the entire SMS but shall provide sufficient information to describe the major aspects of the SMS and explain how these aspects contribute to reducing the risk to the health and safety of persons on or near the Facility.

All information pertaining to the SMS within Part 3 shall be relevant to the information contained in Part 2 i.e. appropriate to the Facility and associated activities. The content and level of detail shall be adequate to gain an appreciation of the relevant plans, procedures and processes implemented.

4.4 PART 4: COMBINED OPERATIONS

Part 4 of the Safety Case shall cover the generic aspects of expected periods of Combined Operations. Generic aspects include the requirement for kick-off meetings, work-specific dossiers, risk assessments and work reviews, development of hierarchies of control and reporting lines, development of interface/bridging documents, and day-to-day management of the activities, which includes communication, management of change (MOC), permit to work (PTW) and emergency response (ER) systems.

The purpose of Part 4 is not describe the above activities in detail but to provide sufficient understanding of the processes that will be employed to ensure effective management of the combined operations from start to close-out.

Note: Respective periods of Combined Operations shall be brought to the attention of HSEx. In accordance with Regulation 10 of the SCR05, BAUK will be required to submit a Combined Operations Notification (CON) Procedure at least 21 days in advance of a combined operation. However, should the proposed combined operation exceed the scope of the existing accepted safety case, BAUK will be required to submit a safety case revision under Regulation 14(2). This must be accepted by HSEx prior to the necessary CON being submitted.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



4.5 PART 5: MAJOR ACCIDENT HAZARD ANALYSIS & MANAGEMENT

A key subject of the Safety Case is a discussion of the:

• Formal safety assessments conducted for the Kraken FPSO activities; and • Demonstration of the compliance process (as discussed in Section 1.6).

This detail is documented in Part 5, which describes the major accident hazards and demonstrates the compliance process, which includes the following key activities:

• Evaluation of the consequences of the identified hazards, • Identification and consideration of a range of potential measures for further risk reduction; • Systematic analysis of each of the identified measures and a view formed on the safety

benefit associated with each of them; • Evaluation of the reasonable practicability of the identified measures; • The implementation (or planned implementation) of the identified reasonably practicable

measures; • Recording of the process and results; and a • Description and assessment of the emergency response arrangements

Part 5 also describes the specific BAB Kraken/BAUK risk tolerability criteria and safety goals. This part of the safety case must demonstrate that every effort has been taken to reduce risk to as low as reasonably practicable and that the process of controlling risks, to ensure regulatory compliance, has been an iterative one i.e. that both parties have revisited the compliance process above a number of times.

Note: This will support BAUK’s provision that major accident risks are and will continue to be controlled to ensure regulatory compliance.

The concept of ALARP is central to compliance with the safety case regime, allowing BAB Kraken/BAUK to set their goals for safety performance and also allowing HSEx to accept or reject BAB Kraken/BAUK’s arrangements under the Safety Case.

Note: The results and conclusions within Part 5 are dependent upon the requirements of the RSPs being met, and equipment, facilities and procedures being properly maintained and implemented.

Part 5 of the Safety Case is thus key to illustrating to HSEx that:

• All hazards with the potential to cause a major accident have been identified; • All major accident risks have been evaluated; and, • Measures have been, or will be, taken to control the major accident risks to ensure

compliance with the RSPs (i.e. compliance demonstration)

Section 5 of this Safety Case Strategy lays out the structure of how BAB Kraken and BAUK shall implement the FSA processes and conclude the above, and is considered absolutely essential to understanding the requirements of SCR05.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



4.6 PART 6: PERFORMANCE STANDARDS AND VERIFICATION SCHEME

The Safety Case shall identify the safety critical elements (SCEs) of the Facility and appropriate performance standards shall be defined for the operation of the safety critical aspects as per the requirements of the SCR05.

SCEs are measures which have been put in place to prevent, detect, control or mitigate the hazardous affects associated with a major accident hazard, and will also facilitate with the escape and survival of personnel following a major accident event.

Performance standards, by definition, are associated with the identified barriers (safety critical systems / elements) that form the basis for managing the risk of an MAE. The performance standards are the parameters against which the barriers are assessed to ensure they reduce risk to ALARP. Performance Standards facilitate the transition from the theoretical to the practical in the MAE risk management process.

Part 6 shall detail how the performance standards enable BAUK to measure, monitor and test the effectiveness of each control measure (via monitoring, audit, review and maintenance) and take corrective action based on deviations or trends.

The assurance activities for the safety critical elements ensure the upkeep of the Facility and that the SCEs continue to deliver the required performance throughout their design life. The Verification Scheme developed shall state the performance criteria to be met during inspection and tests and contingency measures to be introduced should the SCE fail to deliver the required performance. The discussion in Part 5 shall thus centre on the identified Verification Scheme and assurance activities to be undertaken by the Independent Verification Body (IVB) and Independent Competent Person(s) (ICP).

Figure 4.2 - Schematic representation of the role of Safety Critical Systems/Elements

Note: An overview of SCE, and specifically how they relate to inherently safer design measures as well as protective systems, is provided within the project HSE Design Basis. Information on the development of detailed Performance Standards for identified SCE is contained within the Verification Strategy.

Consequences Threats Hazard Release

Elimination / prevention barriers

Control / mitigation barriers

Elimination Prevention Reduction Mitigation

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



5. PROJECT MAH MANAGEMENT STRATEGY

The objective and structure of this Section is to summarise the Kraken MAH Management Strategy (MAHMS). As per Section 3 - Figure 3.1 - this strategy will be implemented throughout the Kraken Project.

5.1 MAH MANAGEMENT

The key aims of the MAHMS are to ensure:

• All hazards are identified, analysed and understood. • The principles of inherent safety are implemented as

appropriate. • An appropriate combination of prevention, detection,

control and mitigation systems are implemented and maintained throughout the lifecycle of the facility.

• As a minimum, the design complies with relevant regulations, codes and standards and is in line with good engineering practice.

• Risks are tolerable and at a level that is demonstrably ALARP in the context of compliance demonstration with relevant statutory provisions.

Figure 3.1 – Project Execution Extract

5.2 FORMAL SAFETY ASSESSMENT PROCESS

As per Section 4.5, the FSA process shall underpin Part 5 of the Safety Case and provide evidence of the:

• Likelihood of potential MAHs and the range of possible outcomes; • Magnitude & severity of the consequences arising from MAHs for the range of possible

outcomes; • Clear linkages between Kraken FPSO activities, the potential MAHs, control measures

and the associated consequences and risk.

The typical studies are illustrated in Figures 5.1 and 5.2.

Note: The formal safety assessments will relate to major accident hazards only.

PROJECT EXECUTION

FSA: HAZARD ID & RISK ASSESSMENT

VERIFICATION

SAFETY CASE

FSA: ACTION TRACKER / ALARP / CBA

MAHMS

FSA: SAFETY STUDIES

BARRIER MS

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Typical studies and workshops for Kraken will include amongst others the following:

• Historical review of incidents involving floating offshore units. • HAZIDs (topside/subsea/marine/vendor systems). • HAZOPs (topside/subsea/marine/vendor systems). • Safety Integrity Level (SIL) assessment/ Layer of Protection Analysis (LOPA). • Gas dispersion studies. • Fault and Event Trees • Bow Ties • Qualitative Risk Assessment • Quantitative Risk Assessments (QRA) • Fire and explosion assessments including blast overpressure events. • Helicopter Crash (In-Flight, Helideck & FPSO) • Ship collision analyses. • Dropped objects studies for FPSO and subsea impact events. • ALARP workshops involving operations personnel. • PFEER studies using experts in this area. • Vulnerability / survivability / reliability / availability studies based on previous experience,

knowledge and reasonably foreseeable events. • Escape, evacuation and rescue analyses (EERA). • TR Integrity analysis (TRIA) • Emergency systems survivability analyses (ESSA). • Major Accident Prevention Document (MAPD).

As per section 6.0, human factors engineering (HFE) processes and assessments shall be performed during the applicable FSA processes, including HAZID, HAZOP, SIL assessment, layout and model reviews. Safety critical task analysis (SCTA) and human failure assessment (HFA) shall be implemented and performed by HFE specialists.

With respect to consequence analysis (refer Table 5.1), quantitative estimates of consequence will be produced for MAHs through consequence modelling. Risk assessments will also consider escalation i.e. the possibility of the event intensifying or the possibility of one event triggering another as well as considering the most likely events.

Note: Consideration of escalation will be linked with emergency response arrangements as per the requirements of PFEER.

Table 5.1 – Modelled Consequences

Pool fires (including sea fires) Dropped objects

Jet fires Ships collision impact

Confined and partially confined explosions Loss of structural stability

Probabilistic explosion (CFD) Loss of hull integrity

Flash fires Helicopter crash (in-flight, helideck & FPSO)

Toxic releases and their effects Impact to Escape, Evacuation Rescue & Recovery

Gas dispersion (flammable or toxic) Plume dispersion

Flare radiation & dispersion F&G mapping

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



The FSAs will consider existing control measures and how these will influence risk as well as their potential to experience common mode failure. The FSAs will also consider how reliable controls are and how effective they might be for a particular situation (e.g. emergency system survivability analysis during a major accident event).

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Figure 5.1 – Formal Safety Assessment Process

HAZARD IDENTIFICATION

MAH RISK REGISTER

LAYOUT REVIEW HAZOP HAZID/ENVID/HRA SIL

SAFETY STUDIES

NHHA (e.g. helicopter / ship collision, dropped object and structural failure) assesses the risk of ‘physical’ accident events that could harm personnel on the Facility.

NON HYDROCARBON HAZARD ANALYSIS

FIRE AND EXPLOSION RISK ASSESSMENT

ESCAPE TEMP REFUGE EVAC & RESCUE ANALYSIS

EMERGENCY SYSTEMS SURVIVABILITY ASESSMENT

QUANTITATIVE RISK ANALYSIS

FERA is used to assess the consequences of fire and explosion events on the Facility and to evaluate the potential of event escalation leading to impairment of the critical structures and equipment on the Facility.

ETRERA considers the provisions for escape, muster, evacuation and rescue of personnel on the Facility. ETRERA assesses the availability and integrity of the EER facilities to ensure that in the event of an unwanted event, personnel can escape and muster and that the evacuation and rescue facilities are available, when required.

ESSA identifies the emergency systems on the facility and assesses the ability of these systems to withstand MAEs for a sufficient time to allow these systems to complete their functions. For example, a gas detector to alert personnel of a gas leak before a fire or explosion event occurs.

SAFETY CASE

SCEs (barriers) & PS

ALARP STUDY

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Figure 5.2 – Kraken Safety Case FSA Process

SAFETY STUDIES

NHHA FERA EERA & TRIA ESSA

QRA

HRA

NOISE & VIBRATION HFE

RADIATION & DISPERSION

SAFETY CASE

SCS / SCE and PS

ALARP STUDY

HAZARD IDENTIFICATION

LAYOUT REVIEW HAZID/ENVID/HRA SIL HAZOP

MAH RISK REGISTER

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



5.3 HAZARD IDENTIFICATION

Major accident hazards are those hazards that have the potential to result in major accident events (MAEs) i.e. the high consequence / low frequency events. These hazards, if realized, have the capability to cause multiple fatalities and/or impairment of the defined safety functions upon an installation.

5.3.1 Major Accident Hazard Risk Register

An initial MAH Risk Register was compiled during the early engineering phase of the Kraken Project. On completion of the Hazard Identification (HAZID) Workshop, the findings from the workshop will be consolidated within the MAH Risk Register. This Register shall then continue to be developed in parallel to the risk assessment process - informing it and being informed by it. Figure 5.3 outlines the process for developing the risk register process.

Figure 5.3 – MAH Risk Register Processes

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



The MAH Risk Register details the major accidents hazards associated with the asset design, including their causes and potential escalation events. The Register also specifies the safety critical design measures in place to either help prevent, detect, control or mitigate the hazardous affects associated with the identified major accident hazards.

The MAH Risk Register will be supported by “bowtie” diagrams. These diagrams provide a diagrammatical representation of the MAE by identifying and defining the following:

• All threats/causes which could lead to the identified MAE being realized. • All barriers in place to help prevent, detect, control or mitigate the resulting MAH/MAE; • The major accident hazard.

The MAH Register & bowties are used to illustrate the relationships between each MAH and allows an assessment to be made as to whether adequate preventive, detection, control and mitigation controls are in place to prevent the hazard from being realised or to manage the hazard. The assessment further identifies actions that may be required in areas where the controls are not considered sufficient.

5.4 RISK ASSESSMENT METHODOLOGY

5.4.1 Project Risk Management Framework The systematic analysis of options for reasonable practicability shall make reference to relevant good practice and sound engineering judgement. Where appropriate, this will be supported by reference to suitable and sufficient risk assessment. If a measure appears practicable and the cost of the measure is not grossly disproportionate to the benefit gained, then the measure is reasonably practicable and shall be implemented.

The “Framework for Risk Related Decision Support” – Oil & Gas UK will be applied to support the risk related decision-making process and for recording and demonstrating the robustness of the decision.

These same guidelines will support decision-makers when assessing the relative importance of codes and standards, good practice, engineering judgement, risk analysis, cost benefit analysis and company and societal values when making decisions. The framework aims to encourage the development of transparent decision making processes, thereby helping duty holders meet their regulatory obligations.

In conjunction with the Oil & Gas UK guidelines the framework of the decision making process is shown in Figure 5.4.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Figure 5.4 - Risk Related Decision Support Framework Diagram

5.4.2 Risk Assessment Model During development of the MAH Risk Register, where Project risks have been identified for further more detailed assessment, the rigour of the assessment will be proportionate to the following:

• The level of estimated risk (and its proximity to the limits of tolerability); and

• The complexity of the problem and/or difficulty in answering the question of whether more needs to be done to reduce the risk.

As illustrated in Figure 5.5, risk assessment will progress through specific stages (qualitative, semi-quantitative or quantitative assessments) to provide an appropriate demonstration that the risk is being managed.

Figure 5.5 – Proportionate Risk Assessment

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Qualitative (Q) in which frequency & severity are determined purely qualitatively.

Semi-quantitative (SQ) in which frequency & severity are approximately quantified within ranges.

Quantified risk assessment (QRA) in which full quantification occurs.

Note: These stages may be modified according to the complexity of the decision that the risk assessment is being used to inform e.g.: it may occasionally be possible to use qualitative risk assessment in extremely high risk situations, where it is obvious that the risk is so high that risk reduction is essential. Great care must also be taken when attempting to justify something that is a significant deviation from existing codes, standards or good practice.

Evaluation of a major accident risk will therefore be based upon the proportionate level of risk and the complexity of the problem. Most importantly, the risk assessment undertaken will provide an input in to the decision making process and those responsible for such decision making will be shown to be suitably qualified, experienced and of sufficient seniority to be competent and accountable for their actions.

The lower levels of assessment (Q and SQ) are considered most appropriate for screening for hazards and events that need to be analysed in greater detail i.e. to assist in determining the events to be included in the representative set for more detailed assessment.

For the Kraken Project, the approach to deciding the appropriate level of detail will be to start with a qualitative approach and to elect for more detail whenever it becomes apparent that the current level is unable to offer the following:

• Required understanding of the risks.

• Discrimination between the risks of different events.

• Assistance in deciding whether more needs to be done (making compliance judgements).

A robust risk management process will underpin the management of all safety issues identified for the Kraken Field. This process, initiated in the earliest phase of the Project, will be continued throughout the lifecycle of the Project.

Note: Kraken hazards identified through the risk management process shall be assessed both individually and cumulatively.

The Kraken Project approach to risk management is outlined in Figure 5.6. The process adopted combines the activities needed to comply with SCR05, MAR, PFEER and DCR into a lifecycle approach for hazard management.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Establish The Context Of The Risk Assessment

Define The Activities To Be Done

Identify The Hazards Associated With The Activities

Evaluate The Likelihood Of The Hazards Coming To Fruition

Compare The Risks (Likelihood x Consequences) With The BAUK

Risk Criteria

Is The Risk ALARP/Broadly

Acceptable?

Instigate The Next Level Of

Protection

Identify The Consequences Of The Hazards Coming To Fruition

Perform The Activities

Yes

Regu

larly

Mon

itor A

udit A

nd R

eview

Cons

ult, I

nfor

m a

nd E

duca

te T

he S

take

holde

rs R

egar

ding

the

Risk

Ass

essm

ent

No

Figure 5.6 – Kraken Project Risk Management Process

5.4.3 Qualitative Risk Assessment The source of the concept of the tolerability of risk is the HSEx’s decision making progress guidance “R2P2”. The above figure as well as the guidance provided in “R2P2” shall be used to support risk management decisions. The Kraken Project has defined the boundaries between the three risk regions within a risk tolerability matrix (refer Table 5.2). The tolerability matrix is based primarily on ISO17776 and is used to describe what the credible outcome of the hazardous event is in terms of consequence (people, environment, value or reputation) and how likely it is.

All residual risks identified for the Kraken Project shall be evaluated against this risk tolerability matrix. Evaluations using this table shall be conducted by an appropriately experienced group to ensure hazards are correctly ranked.

The outcome of the risk ranking process shall be used to determine the appropriate hazard management approach and shall assist in the prioritisation of risk management efforts.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Table 5.2 – Project Risk Tolerability Matrix Criteria

Residual Risk Region Summary

Intolerable High Risk (red region)

Activities/operations that give rise to residual risk (i.e. those that remain after the control measures have been applied) within the intolerable risk region of the matrix are unacceptable.

Tolerable if ALARP Medium Risk (yellow region)

Activities/operations will be allowed to operate subject to confirmation that the cost of an additional control measure is grossly disproportionate compared to the risk reduction afforded by the additional control measure.

Broadly Acceptable (Low Risk) (green region) Activities/operations may be operated without further consideration to the provision of additional control measures.

5.4.4 Quantified Risk Assessment - QRA SCR05 has removed the specific requirements for QRA and the approach supported by HSEx OIS 3/2006 has been adopted, where an initial assessment of the likely minimum approach to risk assessment has been performed. The Kraken FPSO has been assessed in the category:

• Large integrated platforms in the northern North Sea or large nodal platforms in the southern North Sea are likely to have a combination of complexity and risk level requiring QRA;

SCR92 tended to focus the attention of a duty holder on the extensive use of detailed QRA, frequently prepared by a specialist contractor on their behalf. This approach has been useful for advancing the understanding of risk on offshore installations, or from activities in connection with them. However, now that this understanding is more mature, risk assessment must increasingly focus on where it can add value (e.g. in evaluation of risk reduction options) rather than provided as an “off-the-shelf” assessment. Thus any risk assessment should answer the fundamental question of whether there is anything more that can be done to reduce the risk, while adding value.

A detailed QRA will be undertaken for the Kraken Project by a 3rd party risk specialist. The QRA shall not be an “off-the-shelf-assessment but shall focus on the unique characteristics of the heavy crude process streams and the very limited gas inventory.

In line with guidance set out by the HSEx, QRA results shall be expressed in terms of the following:

• IRPA - Individual Risk Per Annum, this is the chance of an individual becoming a fatality. An IRPA of 1.00E-03 would mean for each individual, every year, there is a 1 in 1000 chance of a fatal accident.

• PLL - Potential Loss of Life, this is the product of all the IRPAs. PLL is related to IRPA by the relationship IRPA = PLL x fraction of time an individual is offshore per year/POB.

• Temporary Refuge (TR) Impairment - This is the chance per year that the TR will be unable to perform in the way stated in the safety case. It is represented as a frequency

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



per year, with an upper bound of no higher than 1.00E-03. In other words no more than once in every 1000 years would there be an event that would prevent the TR from functioning as described in the safety case.

5.4.5 QRA Uncertainty and Sensitivity The quality of the modelling and data will affect the robustness of the numerical estimate and the uncertainties. This will be borne in mind by BAB Kraken and BAUK when using the estimate in risk management decisions.

Note: The use of numerical estimates of risk, by themselves, can be misleading and can result in decisions that either do not meet adequate levels of safety, or overestimate the real risks. In general an approach that uses information from engineering and operational analysis, supplemented where appropriate by QRA, will lead to more robust decisions.

5.5 DEMONSTRATION OF TOLERABLE RISK

Figure 5.7 illustrates the concept of the tolerability of risk. The triangle which is based on guidance by the HSEx represents increasing levels of risk for a particular hazardous activity as we move from the bottom of the triangle towards the top.

The red zone at the top of the triangle represents the unacceptable risk region. Risks in this region are not tolerated no matter what the level of benefit is. The lightly shaded zone at the bottom of the triangle represents the broadly acceptable risk region. The levels of risk characterising this region are comparable to those that people regard as insignificant or trivial in their daily lives. The zone between the unacceptable and broadly acceptable regions is the tolerable region. Risks lying in this region are typically those that people are prepared to tolerate in order to secure some benefit, in the expectations that:

• The nature and level of the risks are properly assessed and the results used properly to determine control measures.

• The residual risks are not unduly high and kept as low as reasonably practicable. • The risks are periodically reviewed to ensure that they still meet the ALARP criteria, for

example, by ascertaining whether further or new control measures need to be introduced to take into account changes over time, such as new knowledge about the risk or the availability of new techniques for reducing or eliminating risks.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Figure 5.7 - HSE Framework for Tolerability of Risk

5.5.1 Project Risk Acceptance Criteria In order to ensure a Project design solution that ensures risks are ALARP and in accordance with the requirements to demonstrate regulatory compliance, BAB identified project-specific risk acceptance criteria (RAC) during the early establishment of the Kraken Project. These criteria apply when judging the tolerability of risk to persons for the Kraken Project. The Project RAC are illustrated in Figure 5.8 and are based on Industry benchmark, and HSEx guidance (R2P2 and OIS 3/2006), which are underpinned by NORSOK Z013 and the Oil & Gas UK Fire & Explosion Guidelines 2007.

• Individual risk (IRPA) to any worker group above 5.00E-04 per annum shall be considered intolerable and fundamental risk reduction improvements are required

• Individual risk below (IRPA) 5.00E-04 but above 1.00E-05 per annum for any worker group shall be considered tolerable if it can be demonstrated that the risks are as low as reasonably practicable

• Individual risk (IRPA) below 1.00E-05 per annum for any worker shall be considered as broadly acceptable and no further improvements are considered necessary provide documented control measures are in place and maintained.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Figure 5.8 – Risk Acceptance Criteria for Kraken Development

Table 5.3 – Risk Frequency Distribution

Risk Frequency

1.00E-03 OR 1 x 10-3 1 in 1,000 years 1 in 1,000 chance per year




Although there is no specific requirement to estimate group risk, guidance provided within HSE APOSC indicates a need for the duty holder to demonstrate TR integrity (TRI), which could be considered as a measure of societal risk. The requirement adopted for the Kraken Project is to demonstrate that the frequency, with which accidental events (any MAH consequence category) will result in a loss of TRI, within the minimum stated endurance time, does not exceed the order of 1.00E-04.

As for individual risk this frequency must be reduced to a lower level wherever reasonably practicable and where the frequency is close to 1.00E-03 (refer Table 5.3), acceptance that further risk reduction measures are ‘grossly disproportionate’ should be on the basis of a very rigorous demonstration.

An acceptable level of risk can be identified within the ALARP framework (refer Figure 5.8), which identifies the acceptable frequency of exceedance of the severity of the design or dimensioning scenarios. Typically this frequency of exceedance will be of the order of 1.00E-

IRPA 1X10-5

IRPA 5X10-4

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



04 to 1.00E-05 per year depending on the risk to people on board, impact on the SCEs and the overall individual risk including that from other hazards.

Following NORSOK Z013, ISO 19901-3: 2003 uses a threshold probability of exceedance level (1.00E-04 per year) below which individual contributing scenarios need not be considered further if the impact on personnel is low enough (i.e. numbers of personnel affected). Events with probabilities above this level are considered to be ‘top event, and require further analysis to determine the size and extent of the resulting loading and subsequent effects.

BAB Kraken and BAUK propose a similar approach. An event which impinges directly on the Temporary Refuge will require a probability of exceedance > 1.00E-05 per year. Events directly affecting other regions where a barrier may be present to prevent impingement on the TR are considered if the probability of exceedance is greater than 1.00E-04 per year.

Reducing risks to ALARP will be demonstrated in all cases, both through the justification of the choice of design scenarios and from a determination of the impairment frequency of the safety critical elements (SCEs) under the fire loads.

5.5.2 Risk Reduction Measures The main purpose of the risk assessment process is to decide if more needs to be done. Where there is scope to reduce the risks to personnel an appropriate technique shall be applied to decide if the measure is reasonable. Assessing which risk reduction measures should be incorporated into the design will be based on established principles of engineering safety; the project Hazard Management contained in this document, HSE Design Basis, best practice and where appropriate the project compliance demonstration (ALARP) process.

5.6 DEMONSTRATING COMPLIANCE WITH RELEVANT STATUTORY PROVISIONS. The application of the ALARP process is one portion of the key element of the BAUK SMS to ensure that all measures that could be applied to each of the identified major accident hazards are appropriate. The ALARP process is encompassed into the requirements to demonstrate compliance with the relevant statutory provisions.

For the purposes of SCR05 Regulation 12 compliance with the relevant statutory provisions shall be demonstrated. As duty holder BAUK recognizes the process shall be a key element of their safety management system. This will result from the description of the management process by which BAUK has reached the conclusion that all the measures that could be applied to reduce risks from each of the identified major accident hazards are appropriate and that nothing more can be done.

The compliance demonstration with relevant statutory provisions shall establish that risks are tolerable - through application of relevant good practice, professional judgement, experience etc. and where necessary supported by reference to the use of appropriate risk assessment techniques. Following this BAUK shall consider whether the relevant legal test has been satisfied, for example have the risks been reduced so far as is reasonably practicable. This involves looking to see if there are ways in which remaining risks can be further reduced.

To demonstrate compliance with the relevant statutory provision for each major accident hazard identified for the installation, the demonstration shall contain elements of the following process:

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



• Identification and consideration of a range of potential measures for further risk reduction, • Systematic analysis of each of the identified measures and a view formed on the safety

benefit associated with each of them, • Evaluation of the reasonable practicability of the identified measures, • The implementation (or planned implementation) of the identified reasonably practicable

measures, • Recording of the process and results, and these are summarised in the safety case.

The systematic analysis of options for reasonable practicability shall make reference to relevant good practice and sound engineering judgement. Again, where appropriate this should be supported by reference to appropriate use of risk assessment techniques. If a measure appears practicable and the cost of the measure is not grossly disproportionate to the benefit gained, then the measure is reasonably practicable and should be implemented.

The management process described in the demonstration of compliance with the relevant statutory provisions should also show that a duty holder has considered the integrated picture when assessing risk and not a partial view from considering each hazard in isolation, rather than across the whole system.

The safety case shall show that the process of ensuring risks are controlled to ensure regulatory compliance has been an iterative one in which it has been necessary for a duty holder to go through the process a number of times. This will support BAUK’s provision in providing a convincing demonstration that major accident risks are controlled to ensure regulatory compliance.

Reducing a risk to ALARP further involves balancing achievable risk reduction with the cost and implementation of the risk reduction measure. ALARP can be demonstrated by showing that the residual risk (after implementation of controls) is broadly acceptable (as per figure 5.8), requiring no further controls, or that the cost of additional risk reduction measures is grossly disproportionate to the risk benefit gained i.e.

- where DF is the disproportionate factor.

For the Kraken Project, and in line with the Executive, the costs are considered to be grossly disproportionate to the improvement gained if the implied cost of averting a single fatality (ICAF) is ≥ £6,000,000.00.

5.6.1 ALARP Decision Selection The decision to conduct an ALARP assessment shall be made by the Technical Safety TA in consultation with project personnel and discipline leaders. All ALARP assessment decisions, including those that require a greater degree of risk assessment than an ALARP worksheet and those that do not require an ALARP review, shall be recorded for auditing purposes. A register of ALARP decisions shall be maintained by project technical safety and shall be incorporated into a close-out report.

This may involve an overall ALARP project register and a FPSO specific ALARP Register (where major engineering change to the FPSO can be recorded).

Costs

Benefits > 1x DF

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



5.6.2 ALARP Methodology Overview

The ALARP methodology shall adhere to the main steps for risk assessment. Technical Safety shall develop a Risk Assessment / ALARP Procedure to support the Compliance Demonstration. For the purposes of this, these steps have been divided into the following main stages:

• Identification of the design issue, the risks of that issue and the tolerability criteria. • Assess the options, the selection basis, the uncertainties and the chosen option. • Risk Conclusion / Evaluation which outlines the residual risks generated and further

requirements / confirmations.

The ALARP procedure will be developed to contain the management processes including ALARP worksheets and supporting registers.

5.6.3 Cost Benefit Analysis Having identified potential additional risk reduction measures, their practicality shall be assessed. One technique to achieve this shall be Cost Benefit Analysis (CBA). CBA is the numerical assessment of the costs of implementing a design change or modification and the likely reduction in fatalities that this would be expected to achieve. It suffers from the same problems as QRA when used as an input to decision making and therefore it should be used cautiously in support of qualitative or engineering arguments.

In making this assessment there is a need to set criteria on the value of a life or implied cost of averting a statistical fatality (ICAF). For Kraken, the following shall be used as guidance for risk based decision making using CBA:

• HSE principles for Cost Benefit Analysis (CBA) in support of ALARP decisions. • Health and Safety Executive, Reducing Risks Protecting People (R2P2), HSE Decision

Making Process.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



6. HUMAN FACTORS

BAB Kraken Project and BAUK’s goal is to reduce the potential for human error in the design and operation of the Kraken facilities, and so demonstrate that the risks to personnel and the environment posed by Human Factors are ALARP.

In accordance with the Human Factors Implementation Plan, Human factors will be addressed during the design (and operation) of the Kraken FPSO in order to identify operator & maintenance needs and requirements throughout the lifecycle of the FPSO’s systems, with the goal being to minimize human error and maximise human and total system safety and effectiveness. This will be accomplished through the following:

• Analysis of design requirements and development of a lessons learned register - positive & negative - of previous designs that should be carried forward or should be changed/ improved;

• Development of HFE design criteria & guidelines to apply human factors principles; • Appropriate analyses & requests for operator and/or maintainer input to derive task

requirements and needs; and • Application of logical and practical human-system interface design.

The various HFE high level activities to be performed are identified in Figure 6.1.

By virtue of workforce involvement in various design reviews, the plant will, as far as reasonably practicable, be designed to provide sufficient space and access for operation, maintenance, escape & evacuation, and fire fighting activities. All mainstream valves on cargo handling equipment will be accessible or operable from permanent access platforms. Local status indicators, valve operators, emergency valves, sample points, purge and drain points will similarly be accessible from permanent decking.

With regards handling of motors, pump heads, tube bundles, valves, etc., extensive consideration will be given to mechanical handling and methods of transport to ensure that equipment is fit for purpose and appropriate to the task, in accordance with the requirements of the Lifting Operations and Lifting Equipment Regulations.

As a general requirement adequate valves and spade isolation points will be provided to allow equipment to be worked on while production continues, and to allow partial operation under most conditions.

The objective will be to “design-in” safety and operability and to “design-out” potential incidents that might arise from people’s interaction with equipment. Further consideration will the provision of good information, clear procedures, memory aids, training, clear objectives, avoiding distractions and a working environment which minimises fatigue, ill health, etc.

Risk assessment and human factors for the Kraken FPSO is further outlined within the HSE Design Basis. Please refer to this document for further details.

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



Figure 6.1 Human Factors Engineering Activities

KRAKEN PROJECT TIME LINE

FEED: Defining DD: Design Development

DD: 3D Design PRE-OPERATION

TECHNICAL SPECIFICATIONS

DESIGN ANALYSIS

EARLY DESIGN ANALYSIS

DESIGN REVIEWS

PROVIDE SUPPORT

CRITICAL TASK REVIEWS

Analysis

IMPLEMENTATION PLAN

SAFETY CRITICAL PROCEDURES

ISSUE REGISTER & ACTION PLAN

OPERATIONS

Analysis Review Support Monitor,

measure, implement,

validate

DESIGN ANALYSIS

MANAGEMENT OF CHANGE

CAUSAL ANALYSIS (incidents)

LESSONS LEARNED

LAYOUT REVIEWS

CONSTRUCTION PLAN

PRE-COMMISSION REVIEWS

REVIEW OF STANDARDS

INSPECTIONS / AUDITS

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



APPENDIX A TYPICAL SAFETY CASE (TABLE OF CONTENTS)

1. INTRODUCTION AND SUMMARY

1.1. Purpose of the Safety Case

1.2. Safety Case Structure

1.3. Safety Case Objectives, Purpose & Scope

1.4. Safety Case Ownership and Distribution

1.5. Responsibilities, Maintenance of and Review

1.6. Name And Address of the Operator

1.7. The Kraken Field

1.8. FPSO Facility Design Overview

1.9. FPSO Facility Operations Overview

1.10. Risk Management and Control Overview

1.11. Review and Improvement Plan

1.12. Justification for Continued Operations

2. FIELD AND FACILITY DESCRIPTION

2.1. Overview

2.2. Environmental Conditions

2.3. Design and Development History

2.4. Operational Limits

2.5. Facility Structure

2.6. Facility Equipment and Area layout

2.7. Reservoir and Wells

2.8. Pipelines and Risers

2.9. Marine Systems

2.10. Process Systems

2.11. Turret & Mooring Systems

2.12. Utility Systems

2.13. Control and Communications

2.14. Safety Systems

2.15. Evacuation, Escape and Rescue

2.16. Operations and Logistics

2.17. Hazardous Substances and Inventories

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



2.18. Occupational Health and Safety

3. SAFETY MANAGEMENT SYSTEM

3.1. Introduction and Description

3.2. Management Policy and Principals

3.3. Health and Safety Organization

3.4. Regulatory and Compliance Management

3.5. Operational Risk Management

3.6. Planning and Implementation

3.7. Training and Competence Management

3.8. Communication and Consultation Management

3.9. Procurement and Contractor Management

3.10. Health and Welfare Management

3.11. Operational Management and Control Procedures

3.12. Emergency and Crises Management

3.13. Performance and Audit Management

3.14. Incident / Non-Conformance Management

3.15. Continuous Improvement Management

3.16. Experience Transfer

4. COMBINED OPERATIONS

4.1. Introduction

4.2. Description of Facilities

4.3. Management of Combined Operations

4.4. Simultaneous Operations

4.5. Risk Assessments & Work Reviews

4.6. Hierarchy of Controls

4.7. Development of Interface/Bridging Documents

4.8. Verification Schemes for COMOPS

5. MAJOR ACCIDENT HAZARD ANALYSIS AND MANAGEMENT

5.1. Introduction

5.2. Hazard (Formal Safety Assessment) Methodology

5.3. Evaluation of Hazard Management Systems

5.4. TR Integrity & EER Assessment results

5.5. QRA Results

5.6. Safety Critical Elements and Performance Standards

Doc. No : 21020-BAB-04101-HS-PR-0005

Rev No : C1



5.7. Demonstration of ALARP

5.8. Major Accident Prevention Document Summary

5.9. Major Accident Hazard Sheets

6. VERIFICATION

6.1. Verification

6.2. Classification