Introduction
Having considered major factors that should influence the writing and application of a successful safety case, including the legislative history and framework in which they exist, in this section we shall look at exactly what is meant by a safety case, what the purpose of a safety case is, and the pros and cons of using the safety case approach. We will also briefly discuss the importance of aligning the safety case with the design process. Again, we will look across more than one industry to allow cross-pollination of good ideas, and will look at a significant incident in the development of safety cases – namely the Piper Alpha disaster.
By the end of this section you will be able to:
- Analyse the definition of safety cases
- Analyse the development of safety cases in the UK
- Evaluate the purpose of safety cases
- Evaluate application of safety cases
Definition of Safety Cases
A safety case is a concept that has been mentioned on several occasions throughout this course of study – including in the module title - and it is likely that they have been encountered in the workplace.
Exactly how a safety case is defined can vary slightly from employer to employer or industry to industry; however, one definition from the UK MOD (Ministry of Defence) is that a safety case is:
“…a structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given environment.” (MOD 2007)
The Office for Nuclear Regulation (ONR) provides a similar definition:
“A safety case is a logical and hierarchical set of documents that describes risk in terms of the hazards presented by the facility, site and the modes of operation, including potential faults and accidents, and those reasonably practicable measures that need to be implemented to prevent or minimise harm.
It takes account of experience from the past, is written in the present, and sets expectations and guidance for the processes that should operate in the future if the hazards are to be controlled successfully.
The safety case clearly sets out the trail from safety claims through arguments to evidence” (Allmark 2019)
Safety cases can be written for a variety of reasons, but it is usually because they are needed as part of a regulatory process, often when designing a new product or process, or repurposing an old one. In this case, a certificate of safety – such as the certificate of airworthiness in the aviation industry – will only be issued when the regulator is satisfied by the argument presented in the safety case. In this way, there are many similarities with risk assessment, but unlike risk assessment the outcomes are case specific. For example, a safety case for a vehicle may conclude that it is safe for use in good weather, but not in poor visibility.
Safety Case Basics
As always, different industries have different regimes, and this remains true when discussing safety cases.
Taking the MOD definition as a starting point, it can be seen that the two elements of argument and evidence need to support each other. Clearly the evidence is needed to show that the argument holds true, but also the argument needs to show that the evidence presented is sufficient – and relevant.
Although there is no set template, it would be expected that a safety case would include:
- Scope of what is being addressed, and the context and environment in which it is being addressed – the same pump may have different safety cases if it is used on land and at sea for example
- The safety management system used
- Any applicable legislation or requirements with the evidence that they have been complied with
- Evidence that risks have been identified and controlled and that any residual risk is both acceptable and ALARP
- Independent assurance that the argument and evidence are sufficient
It would then be expected that the detail of the safety case shows not just how the system or product is designed to be safe, but how this safety will be preserved throughout its life and disposal. It should in most cases also contain the methodologies and processes used in the design, the competence of those involved in the design, and should also look at the requirements of those who will operate the system through its life.
In terms of the evidence, this will be expected to include any testing or prototyping that has been carried out – including any incidents encountered – obviously from the product in question, but it would also be acceptable to bring in data from other, similar systems. In addition, it is key to demonstrate how risks have been managed. In some ways the most difficult part of this is demonstrating that all credible risks have been identified and dealt with. Strictly, this can never be proven, but it should be shown beyond any level of reasonable questioning. Furthermore, evidence will need to be provided to show that the mitigations described in the safety case have actually been carried out and are working.
Safety cases might cover only a small aspect of a system’s operation or its whole lifecycle, and they can also be constructed to cover changes to existing systems of work. For this reason, safety cases can range from comparatively small to positively vast. For example, in the case of an individual aircraft where every part is inspected before use, the evidence would be expected to include the quality records of every nut, bolt and rivet on the aircraft.
Obviously this means that a safety case is rarely a single physical document, rather reports summarising the argument are generated that also signpost to the relevant evidence. This also assists with the growth and development of the safety case over time, allowing individual sections to be revised or replaced without having to re-write the entire document. Conversely, though, it can be a problem, as a report is only a snapshot in time and as such should be regenerated every time the safety case is used, something that humans are notoriously bad at doing.
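The section above describes a safety case as a trail from claims through arguments to evidence, in which the evidence must be shown to be both implemented and still working, and in which a report is only a snapshot that must be regenerated each time the case is used. The following Python is an added illustration, not part of the course text or of any regulator’s tooling, that models such a trail and mechanises the checks a reviewer would make: every claim has an argument, every argument cites evidence that actually exists, every piece of evidence has been implemented and verified recently, and no evidence is left hanging with no argument that relies on it (which would call its relevance into question). The pump example, identifiers (C1, A1, E1 and so on), dates and the 365-day revalidation interval are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Evidence:
    id: str
    description: str
    implemented: bool                 # the mitigation has actually been carried out
    verified_on: Optional[date]       # last date it was confirmed to be working


@dataclass
class Argument:
    id: str
    text: str
    evidence_ids: List[str]           # evidence this argument relies on


@dataclass
class Claim:
    id: str
    text: str
    argument_ids: List[str]           # arguments offered in support of the claim


@dataclass
class SafetyCase:
    scope: str                        # what is covered, and in which environment
    claims: Dict[str, Claim]
    arguments: Dict[str, Argument]
    evidence: Dict[str, Evidence]


def check_trail(case: SafetyCase, today: date, max_age_days: int = 365) -> List[str]:
    """Walk claim -> argument -> evidence and return every gap found.

    An empty list means the trail is complete and current as of `today`.
    """
    findings: List[str] = []
    for claim in case.claims.values():
        if not claim.argument_ids:
            findings.append(f"claim {claim.id} has no argument")
        for a_id in claim.argument_ids:
            arg = case.arguments.get(a_id)
            if arg is None:
                findings.append(f"claim {claim.id} cites missing argument {a_id}")
                continue
            if not arg.evidence_ids:
                findings.append(f"argument {arg.id} has no evidence")
            for e_id in arg.evidence_ids:
                ev = case.evidence.get(e_id)
                if ev is None:
                    findings.append(f"argument {arg.id} cites missing evidence {e_id}")
                elif not ev.implemented:
                    findings.append(f"evidence {ev.id} is not yet implemented")
                elif ev.verified_on is None:
                    findings.append(f"evidence {ev.id} has never been verified")
                else:
                    age = (today - ev.verified_on).days
                    if age > max_age_days:
                        findings.append(
                            f"evidence {ev.id} was last verified {age} days ago (limit {max_age_days})"
                        )
    # Evidence that no argument uses cannot be shown to be relevant.
    referenced = {e for arg in case.arguments.values() for e in arg.evidence_ids}
    for e_id in case.evidence:
        if e_id not in referenced:
            findings.append(f"evidence {e_id} is not used by any argument")
    return findings


def build_example_case() -> SafetyCase:
    """Constructed example: a pump safety case with deliberate gaps."""
    return SafetyCase(
        scope="Transfer pump P-101, operated on an offshore installation",
        claims={
            "C1": Claim("C1", "The pump is safe to operate in the stated environment", ["A1", "A2"]),
            "C2": Claim("C2", "Residual risk is ALARP", ["A3", "A4"]),
            "C3": Claim("C3", "The pump can be safely decommissioned", []),   # no argument
        },
        arguments={
            "A1": Argument("A1", "All credible hazards identified and controlled", ["E1", "E2"]),
            "A2": Argument("A2", "Applicable regulations complied with", ["E3"]),
            "A3": Argument("A3", "Independent assurance obtained", ["E4"]),    # E4 does not exist
            "A4": Argument("A4", "Operators are trained and competent", []),   # no evidence
        },
        evidence={
            "E1": Evidence("E1", "HAZOP report", True, date(2019, 11, 1)),
            "E2": Evidence("E2", "Relief valve fitted on discharge line", False, None),
            "E3": Evidence("E3", "Regulatory compliance matrix", True, date(2018, 6, 1)),  # stale
            "E5": Evidence("E5", "Vibration monitoring data", True, date(2019, 12, 1)),    # orphan
        },
    )


if __name__ == "__main__":
    case = build_example_case()
    print(f"Safety case report for: {case.scope}")
    for finding in check_trail(case, date(2020, 1, 27)):
        print(" -", finding)
```

Because the report is generated from the structured case each time it is run, re-running it after evidence is updated gives a fresh snapshot rather than an out-of-date one, which is the point made above about reports being only a snapshot in time.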
Purpose of Safety Cases
The Office for Nuclear Regulation (ONR) states that the primary purpose of a safety case is to provide the duty-holder (or intended duty-holder) with the information required to enable safe management of the facility or activity in question across its lifecycle, and to reduce risks to ALARP (As Low As Reasonably Practicable).
To achieve this, the safety case should be understandable and usable, and clearly owned by those with direct responsibility for safety. There is no point in writing a safety case that cannot be understood by those who need to use it, nor should it request activities that cannot be achieved. In addition, ownership of the safety case needs to be clear – as covered in the section on human factors, if there is no specific ownership there is a risk that it will be assumed to be someone else’s problem. Further detail on the content and structure of the safety case is given later in this section. The implementable requirements of the safety case (e.g. limits and conditions necessary in the interest of safety; safety measures; examination, inspection, maintenance and testing regimes for engineering measures; claims on human action) must be properly implemented so that the facility can be operated and maintained in a safe manner, and so that radiological risks are managed to reduce them to ALARP (SAP SC.6 [1]). When assessing safety cases, inspectors should seek assurance that the licensee has identified all implementable requirements and that these have been captured in such a way that their implementation can be tracked onto plant as part of safety case implementation.
The image shows an artist’s impression of the new Hinkley Point C nuclear power plant, currently under construction in Somerset. As the first of the UK’s new nuclear power plants, the safety case process is embedded within the design from the earliest stages.
Safety Cases in Industry
Whilst the HSWA (Health and Safety at Work Act) does not specifically require production of safety cases, their use has become increasingly widespread across industry and continues to grow.
This is particularly true in high risk industries where there is a requirement to demonstrate to regulators and the public that the activity is safe before it can take place. Even if it is not named as a safety case, this requirement means that a safety case must be written.
As would be guessed, given other sections of this module, prime examples of UK industries that make use of safety cases would be the nuclear, chemical, transport and offshore industries.
Here there is often a legal or regulatory requirement that a safety case must be presented to the appropriate body before permission to proceed is granted.
Nuclear
The need for safety cases was first realised in the 1950s following the Windscale fire that was looked at in the section on industry specific legislation.
The licensing regime that came in following the 1965 act, called for the production of documentation justifying safety during all phases of operation – a safety case in all but name.
Chemical
The Nypro explosion in 1974, which was mentioned in the section looking at the development of health and safety legislation, led to the drafting of a set of regulations for hazardous installations, but before these could be enacted there was a release of a large quantity of dioxin into the atmosphere near the Italian town of Seveso. Although there were no immediate human deaths, 3,000 animals died, a further 80,000 were slaughtered, and there is an increased risk of cancer in the town.
This led to an EC (European Commission) directive based on the British work that ultimately became the CIMAH (Control of Industrial Major Accident Hazards) regulations in 1994. One of the main requirements was for the production of a report demonstrating adequate controls of substances and potential accidents and describing the safety management systems – again a safety case in all but name.
Offshore Oil and Gas
The need for safety cases was introduced following the Cullen enquiry into the Piper Alpha disaster that we will look at in more detail later in this section.
This led to the introduction of the Offshore Installations (Safety Case) Regulations 1992 and 2005 that specifically require safety cases showing that hazards have been identified and reduced as far as practicable.
They also require demonstration that there are audit arrangements in place and that other statutory requirements are met. They are still goal setting in that they specify the scope and content of the safety case, but do not prescribe a specific method of doing so.
Railways
Before privatisation the whole of the UK industry was nationalised, with standardised safety standards across the whole organisation. Despite this, several major accidents had raised public concern.
These events and the oncoming privatisation led to the Railways (Safety Case) Regulations 1994. They imposed a modular system, with railway safety cases that were in turn supported by safety cases for the trains and stations.
Again, they specify the contents, but not specific standards or techniques that must be used.
Safety Cases for Military Systems
The UK military works in a slightly different regulatory framework to the rest of UK industry, and as such will not be dealt with in depth.
However, it has been the policy for many years that where the MOD has been granted exemptions from legislation, it will introduce standards that are at least as good as those required by the said legislation, so far as is practical.
On the back of this, the MOD started adopting safety cases, which had become accepted as good practice in high-risk industry by the 1990s, even though there was no legal requirement for it to do so.
Pros and Cons of the Safety Case Approach
Although widely accepted as best practice, it would be foolish to say that the safety case approach is perfect, and a brief consideration of its advantages and disadvantages is worthwhile (Inge, 2007).
It can be used very effectively to justify why something is safe, by providing a reasoned argument that can be tailored to meet the situation. It allows the rigour of the argument to be tailored to the level of risk involved – to take an extreme example, a safety case for a new fence would not need to be of the same rigour as that of a new power station. When written correctly, with the evidence and argument supporting each other, it is easy to see how the argument is affected if the evidence changes – for example if a new chemical is introduced to a process. This is also the case when new evidence comes to light – for example following an incident at another location. Of course this flexibility can be useful in positive cases as well: for example, if new innovations occur or there are changes to best practice, it can be seen how the argument is affected, and as such how the change will need to be managed to be implemented successfully.
Perhaps the biggest disadvantage is that the approach relies significantly on judgement. For example, what level of evidence is sufficient is difficult to define, and therefore becomes an engineering judgement based on the experience of the team involved. It therefore follows that the safety case approach requires a greater level of competence than a prescriptive approach, where management teams and other workers can achieve compliance by following a set of rules (which may or may not be adequate) rather than having to apply professional judgement and make their own decisions.
Aligning Safety Cases and the Design Process
The safety case will usually be most effective if it is written and compiled at the same time as the design process is undertaken, growing with the design process and both informing and being informed by it.
Often at the end of the design process, the information that is used to compile the safety case will then be used to create any formal guarantee or warranty of the product, along with its operation and usage specifications (safe working loads, maximum operating speeds etcetera). In addition, the safety case should be revisited every time there is a suggested repurposing of the product.
For the safety case to be effective, it needs to demonstrate appropriate defence in depth in design, that the associated risk and hazards have been assessed, the appropriate limits and conditions have been defined and adequate safety measures have been identified. It is not possible to do this after the design process is complete – unless it is by chance. Rather the safety case should be written as the design process develops, and in a similar manner.
When part of the design process is initially completed, the safety case must be reviewed, and then the design altered as necessary, with the safety case being reviewed again and so on. This iterative process should continue until the two align perfectly.
If carried out properly, and in a collaborative, communicative and supportive manner, then it can be hoped that very few iterations will be needed before alignment is achieved.
Piper Alpha
Piper Alpha was an oil production platform approximately 190km north-east of Aberdeen. It was originally built as an oil only platform and began production in 1976. It was later converted to both oil and gas production. On 6th July 1988, an explosion tore through the platform, resulting in the deaths of 167 people and causing a loss of around £1.7Bn. It was, and remains, the worst ever offshore oil disaster in terms of lives lost.
The events of the evening are discussed in the following documentary:
Following the disaster, a public inquiry was set up, led by Scottish Judge William Cullen. The inquiry lasted for 6 months, and a copy of the full report can be found below. As can be seen it is a substantial document running to two volumes, and whilst it is worth a read it is not vital for this course.
The report made 106 recommendations relating to offshore safety. The two most significant of which were removing responsibility for offshore safety from the Department of Energy, and the requirement for operators to present safety cases to the regulator.
The first recommendation was made because it was felt that the Department of Energy had a conflict of interest as it also had a role in promoting North Sea oil and gas, which was difficult to reconcile with its safety role. For this reason, responsibility was removed from the Department of Energy and passed to the HSE.
The second recommendation led directly to the adoption of the Offshore Installations (Safety Case) Regulations in the early 1990s, one of the earliest safety case regulatory instruments anywhere in the world.
Piper Alpha is one of the most significant safety incidents in the modern era, leading to wide ranging changes in methods of managing safety that went far beyond the offshore industry. NASA draws parallels between the safety case regulations and its own Risk-Informed Safety Cases Methodology, as discussed in the following case study on the Piper Alpha disaster from 2013:
Summary
As we have seen, a safety case is a document – or rather series of documents – that is designed to both explain why a process, item or installation is safe and also ensure that those who are intended to make use of the subject of the safety case know how to do so in a safe manner.
Safety cases in the UK have developed over time but are now accepted in many industries – particularly high-risk industries – as best practice in terms of safety management, and although they are not perfect their advantages outweigh their disadvantages.
References
Cullen, Lord W. D. (1990) The Public Inquiry into the Piper Alpha Disaster. London: HMSO
Haddon-Cave QC, C. (2009) The Loss of RAF Nimrod XV230: A Failure of Culture, Leadership and Priorities. London: The Stationery Office
Inge, J. R. (2007) The Safety Case, its Development and Use in the United Kingdom. Bristol: Ministry of Defence
Ministry of Defence (2007) Defence Standard 00-56 Safety Management Requirements for Defence Systems: Issue 4. Glasgow: UK Defence Standardization
NASA (2013) The Case for Safety [online]. Available from: https://sma.nasa.gov/docs/default-source/safety-messages/safetymessage-2013-05-06-piperalpha.pdf?sfvrsn=3daf1ef8_6 [27th January 2020]
Stavert-Dobson, A. (2016) Does Your Supplier’s Safety Case CHIME Clear as a Bell? [online]. Available from: https://safehand.co.uk/2017/10/18/suppliers-safety-case/ [28th January 2020]