Who is a Safety Case for?

In the Inquiry to Piper Alpha, one of the recommendations made by Lord Cullen was that operators of offshore installations should carry out a formal safety assessment, to demonstrate that potential major hazards and the risks to personnel have been identified and appropriate controls provided.

The assessment should be demonstrated to the Regulator in the form of a Safety Case. This includes a demonstration that the safety management system is adequate to ensure that the design and the operation of the installation and its equipment are safe.

A typical safety management system contains 4 key elements:

1. The safety objectives
2. The system by which these are to be achieved
3. The performance standards to be met
4. The means by which adherence to those standards is monitored.

The Safety Case (or a Safety Report for onshore operations) is submitted to the Regulator for approval. This is the essence of a Permissioning regime: the Regulator must accept the Safety Case before operations can proceed.

And therein lies one of the problems with Safety Cases.

Because of this demonstration to the Regulator, there is a working assumption in some organisations that the Safety Case is written for the Regulator.

Lord Cullen chaired the Inquiry into the Ladbroke Grove railway disaster, as well as the Inquiry into Piper Alpha for which he is perhaps better known. In the Ladbroke Grove Inquiry, Lord Cullen stated that:

“Safety Cases were intended to be an aid to thinking about risk, not an end in themselves” (Part 2, 2009).

Lord Cullen clearly intended Safety Cases primarily to be the means by which a company demonstrates to itself the safety of its activities.

Compounding this problem, is my experience that Safety Cases are frequently written by a contractor, with little knowledge of the facility or organisation - and often without visiting the facility.

As a Regulator myself, I assessed safety reports (onshore) and safety cases (offshore) that gave me serious concerns about the process. For example, some referred to activities not undertaken at the site, or referred to materials that were not used. In several instances, the document included the name of a different company to the one that it was supposed to be written for.

When meeting with companies to discuss aspects of their Safety Cases, I allowed their contractors to attend the meeting – on the condition that the company representatives answered my questions, not the contractor. And this sometimes caused problems, if the company was not familiar with their own Safety Case. . .

In safety-critical industries, you cannot outsource your thinking.

Since Piper Alpha, Safety Cases are now required for several industries, each with slightly different requirements, but the overall philosophies are similar. Following the Grenfell Tower disaster in the UK, certain high-rise residential buildings also now require a safety case report.

In the aviation sector, the Nimrod Review concludes:

“Unfortunately, the Nimrod Safety Case was a lamentable job from start to finish. It was riddled with errors. It missed the key dangers. Its production is a story of incompetence, complacency and cynicism. The best opportunity to prevent the accident to XV230 was, tragically, lost” (Nimrod Review, 2009, p.161).

For a Safety Case that involved consultancy fees in excess of £3m, that’s quite an indictment.

When Lord Cullen intended Safety Cases to be an aid to thinking about risk, he intended that they be a useful tool for the company. That the process of their production should be an opportunity to challenge the status-quo.

Instead, they may have become a way to document the status-quo, simply collating design data and other historical documentation. This is far removed from the intended philosophy of Safety Cases.

Martin Anderson is a Principal Consultant, working at the intersection of human factors and process safety.