Guidance note

N-04300-GN0166 Revision 5 June 2014

ALARP
Core concepts
One of the main objectives of the Commonwealth Offshore Petroleum and Greenhouse Gas Storage
(Safety) Regulations 2009 [OPGGS(S)] is to ensure that the risks to health and safety of people at
offshore facilities are reduced to a level that is as low as reasonably practicable (ALARP).
A safety case has to show how an operator meets, or will meet, the requirements of the regulatory
provisions relevant to the control of major accident event risks and the risks to health and safety of
people at the operators facility. Many of the requirements are qualified by the phrase reduce the
risks to a level that is as low as reasonably practicable. This means that the operator has to show,
through reasoned and supported arguments, that there are no other practical measures that could
reasonably be taken to reduce risks further.
The adopted control measures for any particular identified major accident event must be shown to
collectively eliminate, or reduce to a level that is ALARP, the risk to health and safety.
The approach employed in providing the required evidence of ALARP within a safety case is at the
discretion of the operator. In practice a combination of approaches is likely to be necessary.
Only by inclusion of a sufficient level of detail of information will NOPSEMA be able to make a
judgement on the appropriateness of the safety case in accordance with OPGGS(S) Regulation 2.26 (for
new safety cases) or Regulation 2.34 (for revised safety cases).

This guidance note addresses how the ALARP concept can be addressed in the context of a safety case.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

1 of 22

Guidance note

ALARP

Table of Contents
1

2
3
4

5
6

7
8
9
10

Introduction

1.1 Intent and purpose of this guidance note

1.2 Summary of the legislative requirements

Application of the ALARP principle

Key Principles
What descriptions are required?

4
5
6

4.1 Control measures

4.2 SMS ALARP aspects

4.3 What are the fundamental approaches to consider?

Suitability of control measures for MAEs

11

5.1 Summary of factors in selecting or rejecting control measures

13

Risk assessment and providing evidence

14

6.1 Risk assessment tools

14

6.2 Risk criteria

14

6.3 Continuous improvement

16

Use of Industry Codes and Standards

Good practice and reasonable practicability
Critical factors for success
References, Acknowledgements & Notes

17
20
21
22

Abbreviations/Acronyms
ALARP

As Low As Reasonably Practicable

CBA

Cost Benefit Analysis

EERA

Evacuation, Escape and Rescue Analysis

FERA

Fire and Explosion Risk Analysis

FSA

Formal Safety Assessment

FPSO

Floating, Production, Storage and Offloading

HSC

Health and Safety Commission

HSE

United Kingdom Health and Safety Executive

ICAF

Implied Cost of Averting a statistical Fatality

IMO

International Maritime Organisation

IPRA

Individual Risk Per Annum

LSA

Life Saving Appliances

MAE

Major Accident Event

MODU

Mobile Offshore Drilling Unit

NOPSEMA

National Offshore Petroleum Safety and Environmental Management Authority

OPGGSA

Offshore Petroleum Greenhouse Gas Storage Act 2006

OPGGS(S)

Offshore Petroleum and Greenhouse Gas Storage (Safety) Regulations 2009

QRA

Quantitative Risk Assessment

SMS

Safety Management System

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

2 of 22

Guidance note

ALARP

Key Definitions for this Guidance Note

Reasonably Practicable:

The legal definition on this was set out in England by Lord Justice Asquith in Edwards vs. National Coal
Board [1949] who said:
Reasonably practicable is a narrower term than physically possible and seems to me to imply that a
computation must be made by the owner, in which the quantum of risk is placed on one scale and the
sacrifice involved in the measures necessary for averting the risk (whether in money, time or trouble) is
placed in the other; and that if it be shown that there is a gross disproportion between them the risk being
insignificant in relation to the sacrifice the defendants discharge the onus on them. Moreover, this
computation falls to be made by the owner at a point of time anterior to the accident.
This English decision has since been confirmed by the Australian High Court 1.
1

Slivak v Lurgi (Australia) Pty Ltd (2001) 205 CLR 304 cited in Bluff & Johnstone (2004) The relationship between Reasonably
Practicable and Risk Management (WP 27 ANU National Research Centre for OHS Regulation)

Introduction

1.1 Intent and purpose of this guidance note

This document is part of a suite of documents (see Figure 1) that provide guidance on the preparation of
safety cases for Australias offshore facilities, as required under the Commonwealth Offshore Petroleum
and Greenhouse Gas Storage (Safety) Regulations 2009 [the OPGGS(S) Regulations] and the corresponding
laws of each State and of the Northern Territory where powers have been conferred on NOPSEMA.
This guidance note in particular, ALARP, provides direction on the descriptions that could be included in a
safety case submission as a means of addressing the requirements of the OPGGS(S) Regulations in
providing evidence that risks are reduced to a level that is ALARP. The guidance will be of use to those with
responsibility for health and safety at offshore petroleum facilities, and particularly those developing the
facility safety case.
Figure 1 Safety Case Guidance Note Map

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

3 of 22

Guidance note

ALARP

The purpose of the guidance is to explain the objectives of the OPGGS(S) Regulations, to identify the
general issues that should be considered, and to provide practical examples to illustrate the concepts and
potential approaches that can be taken in the preparation of safety cases. It is not the intention of the
guidance to provide detailed approaches or detailed regulatory assessment criteria.
Guidance notes indicate what is explicitly required by the regulations, discuss good practice and suggest
possible approaches. An explicit regulatory requirement is indicated by the word must, while other cases
are indicated by the words should, may, etc. NOPSEMA acknowledges that what is good practice, and
what approaches are valid and viable, will vary according to the nature of different offshore petroleum
facilities and their hazards. This guidance note is not a substitute for detailed advice on the OPGGS(S)
Regulations or the Act under which the OPGGS(S) Regulations have been made.

1.2 Summary of the legislative requirements

Summary tables of the legislative requirements with respect to providing evidence that the risks to health
and safety of persons at the facilities are reduced to a level that is ALARP are included as a quick reference
throughout this document. However, the reader is encouraged to work directly from the regulations.

Application of the ALARP principle

OPGGS(S) Regulations Objects
Reg 1.4

(3) An object of these regulations is to ensure that the risks to the health and safety of
persons at offshore petroleum facilities are reduced to a level that is as low as
reasonably practicable.

A safety case has to show how an operator meets, or will meet, the requirements of the regulatory
provisions relevant to the control of major accident event risks and the risks to health and safety of people
at the operators facility. Many of the requirements are qualified by the phrase reduce the risks to a level
that is as low as reasonably practicable. This means that the operator has to show, through reasoned and
supported arguments, that there are no other practical measures that could reasonably be taken to reduce
risks further.
The concept of reasonably practicable is central to the safety case regime. It allows operators to set goals
for their own safety performance rather than following prescriptive requirements. It also allows NOPSEMA
to accept or reject the operators arrangements under the safety case. This flexibility is a great advantage
but it can be challenging because it requires people to exercise judgement with respect to how they are
going to manage their risks. In the great majority of cases, a decision can be made by referring to existing
good practice that has been established. However, for complex situations it may be difficult to reach a
decision on the basis of good practice alone. There may be some situations, for example in the case of
new technology, where there is no relevant good practice that can be followed. In these situations other
decision-making techniques need to be applied to inform our judgment.
Other regulators such as the United Kingdoms Health and Safety Executive (HSE) and the Norwegian
Petroleum Directorate have been successfully administering safety case regimes for many years. The HSE,
in particular, has developed constructive guidance on the topic of the application of ALARP (available on
the HSE website www.hse.gov.uk) and readers are encouraged to make reference to it. However, it is
essential to bear in mind that while there are parallels in the regulatory approach, there are also important
variations in the safety case legislation between the UK and Australia, and as such the HSE guidance should
only be referenced to for concepts and principles.
Key aspects of the HSE guidance are distilled in this guidance note with respect to how to go about
constructing an ALARP argument.
Further information is available in the NOPSEMA Policy:
Safety Case Assessment

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

4 of 22

Guidance note

ALARP

Key Principles

It is important to understand the key principles underpinning the ALARP principle. The following
descriptions have been adapted from HSE information sheet no. 2/2006.
Reasonable practicability Determining whether risks have been reduced as low as is reasonably
practicable involves an assessment of the risk to be avoided, and an assessment of the sacrifice (in money,
time and effort) involved in taking measures to avoid that risk, and a comparison of the two. A risk may sit
on a spectrum from very low (where it is very unlikely that it would be possible to reduce the risk further)
through to levels of risk that are very high. The greater the initial level of risk under consideration, the
greater the effort likely to be required to demonstrate that risks have been reduced to a level that is as low
as reasonably practicable, however, just because the initial level of risk may be low doesnt mean it may
not be reasonably practicable to reduce it further. The basis on which the comparison is made involves the
test of gross disproportion.
Gross disproportion if a measure is practicable and it cannot be shown that the cost of the measure is
grossly disproportionate to the benefit gained; then the measure is considered reasonably practicable and
should be implemented. The criterion is reasonably practicable not reasonably affordable: justifiable cost
and effort is not determined by the budget constraints/viability of a project.
Inherently safer design It is good practice to apply the principles of prevention as a hierarchy.

Elimination of risk by removing the hazard;

Substitution of a hazard with a less hazardous one;

Prevention of potential events;

Separation of people from the consequences of potential events;

Control of the magnitude and frequency of an event;

Mitigation of the impact of an event on people; and

Emergency response and contingency planning.

Operators are entitled to apply these general principles as they see fit. However, NOPSEMA promotes the
incorporation of inherently safer design features, where appropriate.
Choosing between options for new facilities or brown-field redevelopment projects, a selection among
options may be needed at any stage in any project, not least at the design stage, which will involve making
a choice between differing design concepts for the project as a whole. In making choices it is good practice
for operators to consider the risks involved over the whole life cycle of a project. However, it is expected
that a new installation would not give rise to a residual level of risk greater than that achieved by the best
examples of existing good practice for comparable functions. The reasonable practicability of any further
risk reduction should be measured against this baseline. Safety cases should show that the lowest risk
option has been selected in all cases, or why the selected higher risk option is ALARP.
Good practice within the HSE and their ALARP guidance documentation, good practice is the term used
for those standards for controlling risk which have been judged and recognised by the HSC (Health and
Safety Commission) as satisfying the law when applied to a particular relevant case in an appropriate
manner. This is not the case in Australia. NOPSEMA has not endorsed any approved codes of practice or
standards to allow them a special legal status. The term good practice in NOPSEMA guidance
documentation therefore is taken to refer to any well-defined and established standard practice adopted
by an industrial/occupational sector, including learnings from incidents that may yet to be incorporated
into standards. Good practice generally represents a preferred approach; however it is not the only
approach that may be taken. While good practice informs, it neither constrains, nor substitutes for, the
need for professional judgement. Good practice may change over time because of technical innovation, or
because of increased knowledge and understanding.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

5 of 22

Guidance note

ALARP

Reverse ALARP operators have from time to time tried to show through quantitative risk assessment
(QRA) and cost benefit analysis (CBA) that moving to a less protected situation will meet the legal
requirement to reduce risks to a level that is ALARP, sometimes arguing that the increase in risk is more
than balanced by gains in reduced operational costs or increased operating profit a reverse ALARP
argument. The legal requirement to reduce risks as low as reasonably practicable would rule out
NOPSEMA accepting a less protected but significantly cheaper approach to the control of risks.
Changed circumstances operators may wish to introduce new processes, new technology or alter the
conditions in which equipment is operated in response to changed circumstances. Such changes may
result in a change to the risk profile - some risks may increase. This may be permissible provided control
measures are taken to ensure that the risks are reduced as low as reasonably practicable for the new
situation.

What descriptions are required?

4.1 Control measures

OPGGS(S) Regulations FSA Description
Reg 2.5(2)

The safety case for the facility must also contain a detailed description of the
formal safety assessment for the facility, being an assessment, or series of
assessments, conducted by the operator that:
(a) identifies all hazards having the potential to cause a major accident event;
and
(b) is a detailed and systematic assessment of the risk associated with each of
those hazards, including the likelihood and consequences of each potential
major accident event; and
(c) identifies the technical and other control measures that are necessary to
reduce that risk to a level that is as low as reasonably practicable.

The formalised descriptions within the safety case must provide evidence a formal safety assessment (FSA)
has been carried out for the facility, and that the FSA has identified the technical (i.e. hardware and
software) and other (i.e. procedural) control measures that are necessary to reduce risk to a level that is
ALARP. In respect of this requirement, the OPGGS(S) Regulations also explicitly require two studies in
particular to be carried out as part of the FSA:

an evacuation, escape and rescue analysis (EERA) that identifies control measures necessary to
reduce the risks associated with emergencies to a level that is ALARP [OPGGS(S) subregulation
2.16(2)(h)];and

a fire and explosion risk analysis (FERA) that identifies control measures necessary to reduce the risks
associated with fires and explosions to a level that is ALARP [OPGGS(S) subregulation 2.17(2)(g)].

Operators should note that the regulations require the consideration of a range of control measures in each
instance, including different procedures, a range of amenities and/or equipment, alternative measures, etc.
[OPGGS(S) subregulation 2.16(2) and subregulation 2.17(2)]. Consequently, information presented in the
safety case should not simply focus on promoting or selling the chosen design option but rather a
discussion on the merits of different options and a justification that the chosen option is indeed the one
that reduces risk to a level that is ALARP.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

6 of 22

Guidance note

ALARP

Suitability of control measures for MAEs

For existing facilities, operators should not merely concentrate on providing information on design
features of control measures, but should also put effort into providing knowledge acquired from
operating the facility, such as adequacy assurance gained from control measure performance data over
time. Design ALARP should be taken as a starting point only.

5.1 SMS ALARP aspects

OPGGS(S) Regulations SMS Description
Reg 2.5(3)

The safety case for the facility must contain a detailed description of the safety
management system that:
(e) provides for the reduction to a level that is as low as reasonably practicable of risks
to health and safety of persons at or near the facility including, but not limited to:
(i) risks arising during evacuation, escape and rescue in case of emergency; and
(ii) risks arising from equipment and hardware.

While the FSA must identify the technical and other control measures that are necessary to reduce risk to
ALARP, the SMS must be comprehensive and integrated to cover all control measures. The so called
other control measures are found within the safety management system (SMS), and include elements
such as policies and procedures. The regulatory requirement is that SMS itself must provide for reduction of
risks to ALARP; and that the detailed description within the safety case provides information to support that
the SMS achieves this requirement. This aspect is particularly relevant for safety cases which cover ongoing
activities and operations over time. The safety case should show how effectiveness is maintained and how
deviations are managed to ensure they achieve a risk profile that is ALARP.
OPGGS(S) Regulations SMS Description
Reg 2.5(3)

The safety case for the facility must contain a detailed description of the safety
management system that:
(i) specifies the performance standards that apply.

In order to maintain risks at a level that is ALARP it is essential that control measures remain effective. The
information provided in the safety case in support of the ALARP argument should cover the following
aspects as a minimum:

Performance standards have been established.

Performance is measured against set performance standards within inspection, maintenance and
safety management systems.

There is periodic review of the process by which performance standards are established and
maintained, including checks that the right things are being measured.
Further guidance is available in the NOPSEMA guidance note:
Control Measures and Performance Standards

5.2 What are the fundamental approaches to consider?

There is no prescribed methodology for demonstrating that the necessary control measures have been
identified to reduce risks to ALARP, or the comprehensiveness of an SMS. However, there are several basic
approaches which may be used to support an operator's provision of evidence and justification within the
safety case. Operators could consider using one or more of these approaches, but should also be prepared
to consider developing specific approaches appropriate to their facilities. In practice, it is likely that most
facilities will require a combination of approaches.
National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

7 of 22

Guidance note

ALARP

In setting out to provide evidence that the risks are reduced to a level that is ALARP, it is a fundamental
requirement to demonstrate, in the first instance, that the hazard identification and risk assessment carried
out have been systematic and detailed, as they provide the foundation on which to base the control
measure selection. The following approaches may be considered:
Hazard / Risk Criteria Approach
Define criteria that is considered to correspond to reducing risk to a level that is as low as is
reasonably practicable, assess performance quantitatively or qualitatively (using matrices for
example) and compare against the criteria.
Comparative Assessment of Risks, Costs and Benefits
Evaluate risk and associated costs for a range of control measure options for the facility and
compare the relative merits of the different options, selecting the options which are practicable.
Cost Benefit Analysis [CBA]
The numerical assessment of the costs of implementing a design change or modification and the
likely reduction in fatalities that this would be expected to achieve. The quality of the modelling
and the data will affect the robustness of the numerical estimate and the uncertainties in it must
always be borne in mind when using the estimate in risk management decisions. In making this
assessment there is a need to set criteria on the value of a life or implied cost of averting a
statistical fatality (ICAF). In reality of course there is no simple cut-off and a whole range of factors,
including uncertainty need to be taken into account in the decision-making process.
Comparison with Codes and Standards
Compare design, the management system framework and operational procedures against
recognised national, international or industry standards, codes of practice, guides etc.
Audit against good practice
Audit the basis and implementation of the management system, including operations and
maintenance systems, against good practice for offshore facilities, vessels, or relevant similar
industries onshore.
Technical Analysis
Evaluate control measures in technical terms; assess strengths and weaknesses, e.g. effectiveness,
functionality, availability, reliability, technical feasibility, compatibility, survivability, correspondence
of control measures to hazards and risks, appropriateness of performance standards, etc.
Performance Data
Evaluate MAE safety-related performance data as evidence of adequacy or satisfactory levels of
performance, e.g. data on the operational effectiveness or reliability of a control measure may
support the demonstration of its appropriateness for that service.
Improvement Approach
Demonstrate the extent of relative improvements in performance for the facility based on past,
present and planned modifications and enhancements.
Judgement Approach
Present considered judgements as to the suitability of control measures and the management
systems, or the perceptions of a cross-section of various stakeholders, e.g. key members of the
workforce, senior management, plus independent observers.
Practical Tests
Demonstrate that the management system and/or control measures function effectively, using
major accident event simulations, management system tests, equipment breakdown and recovery
tests, etc. For example, it may be possible to conduct fire impingement tests to show that fire
rating of the material being used is appropriate.
For safety case acceptance purposes, NOPSEMA will evaluate the operators approach in terms of its
robustness, transparency and appropriateness to the facility. The operator should therefore define the
underlying rationale, criteria and decision-making basis for the case.
National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

8 of 22

Guidance note

ALARP

The description must be convincing; this means that the rationale for deciding the completeness of the
hazard identification and the adequacy of the measures employed should be supported and accompanied
by all assumptions made and conclusions drawn. Where appropriate, it should present/summarise the
results of supporting studies that have been performed.
The description should demonstrate that the process was systematic which means that it followed a fixed
and pre-established scope. Finally, the degree of analysis in support of the demonstration should be
proportionate to the risk and to the complexity of the facility, hazards and the control measures.

Example application of a model using a combination of approaches

Note: The following model is an example of using a combination of approaches. It is included as an illustration only
and is not required to be prescriptively followed. It should be noted that following such a model does not necessarily
lead to reducing the risks to a level that is ALARP.

The UK offshore oil and gas industry has developed a framework to assist risk-related decision making (Oil
& Gas UK, formerly UKOOA, 1999), which helps decision-makers choose an appropriate basis for their
decisions. A summary of the framework is shown in Figure 2.
The framework takes the form of a spectrum of decision bases, ranging from those decisions dominated
purely by engineering concerns to those where company and societal values are the most relevant factors.
Down the right-hand edge of the framework are typical characteristics which indicate the decision context;
these can be used to help the user determine the context of the specific decision. Once this level has been
identified, reading horizontally across the framework shows the suggested balance of decision bases to be
taken into account in the decision. Some means of calibrating or checking the decision basis are shown on
the left-hand side of the framework.
Figure 2 Risk Related Decision Support Framework (UKOOA 1999)

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

9 of 22

Guidance note

ALARP

This approach shows that risk assessment may have a major input to Type B decisions involving some
uncertainty, deviation from standard practice, risk trade-offs etc., whilst codes and standards are likely to
have a major input to Type A decisions, with less influence on Type B and C. What is evident from the
model is that a combination of decision bases is most likely to be applicable in any case.
The model is intended to be dynamic with the diagonal lines shifting either towards the X-axis or the Y-axis
depending on circumstances of the application being considered. It is advisable to make reference to the
Oil & Gas UK guidelines themselves for detail on the use of the framework as the diagram is complex and its
interpretation can be very subjective.
As an additional caution, operators who are making Type A decisions that rely predominantly on codes and
standards as a decision basis should ensure they truly understand how the codes and standards act to
minimise risks. Without this knowledge it is difficult to identify when change (planned or otherwise) will
undermine the effectiveness of that standard or code as a control measure.
The following example gives an application of the framework for illustration purposes: three facilities, three
different outcomes.
Table 1 - Example of applying the risk related decision support framework
Facility 1

Facility 2

Facility 3

Scenario

Standard temperature /
pressure pipeline in a
mature oil and gas
development area with no
known unique
environmental concerns
and much existing similar
infrastructure.

Normally attended facility

which has some
hydrocarbon processing
equipment on board. There
is nothing new or unusual
about the equipment or
process but this is the first
time a facility of this type
has been installed and
operated by this operator.

Normally attended facility

with novel technologies and
complex hydrocarbon
processing equipment that
requires frequent
monitoring during the initial
start-up phase of
operations. The facility has
a large number of
personnel on board and is
located a long way from the
mainland.

Decision
Type

Nothing new or unusual,

company and external
codes cover this application
extensively, the best design,
installation and
maintenance approaches
are known and well
established over many
years. The decision type is
A.

Hydrocarbon processing
facilities are not novel but
they are new to the
operator and thus deviate
from established company
practice. Qualified
engineering judgement and
some risk based assessment
will be required to
determine that the design is
ALARP. The decision type is
B.

Some new and novel

technologies are utilised
and the number of
potentially exposed
personnel is high. The
impacts from any loss of
containment are potentially
very high. The decision is
type C.

Risk
reduction
measures

Standard measures
specified in design codes
and adopted on the existing
infrastructure are put in
place.

Standard measures put in

place for processing
facilities and decisions
made regarding increased
monitoring and inspection.

The decision type means

that much more effort is
expended on examining risk
reduction options and
proving the design is ALARP.
Although costly, a standby
vessel is incorporated into
the design and operation
philosophy for the facility.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

10 of 22

Guidance note

ALARP

Suitability of control measures for MAEs

The basic requirement for control measures for MAEs is that they must collectively reduce the risk to the
health and safety of people to a level as low as is reasonably practicable (ALARP). Risk assessment provides
information necessary to test this requirement, and it is this information that must be included in the safety
case. Reduction of risk to ALARP is dependent on identification of hazards having the potential to cause
MAEs and proper selection of the necessary control measures for each of them. This has several aspects, all
of which will in general apply to each facility:

The knock-on effects of hazards must be considered, i.e. any chain of events, causes and contributing
factors leading to MAEs.
For any MAE there may be several independent hazards or combinations of hazards, each of which
could lead to that event, and several control measures which may be particularly important because
they may impact on one or more of those hazards.
The potential for escalation of major accident events needs to be considered, i.e. the cumulative
consequences of apparently separate events that may be triggered by each other.
In cases where a large number of different hazards and potential incidents exist, the cumulative risk
may be significant even if the risk arising from each is low. For example, the cumulative effects of
many sources of risk in an offshore accommodation area may identify an unacceptable risk even if
each source is low risk.

Consequently the demonstration that risks from MAEs are eliminated or reduced to ALARP may need to be
made for hazards individually, in groups, and as a whole.
As stated earlier, there is no single correct way to demonstrate ALARP. However, it is expected that for
each MAE identified for the facility, the demonstration would contain elements of the following process:

Identification and consideration of a range of potential measures for risk reduction (both those
adopted and those rejected);
Systematic analysis of each of the identified measures and a view formed on the safety benefit
associated with each of them;
Evaluation of the reasonable practicability of the identified measures and the adoption or rejection of
each; and
Recording of the process and results, to be summarised in the safety case.

Clearly, the balance between benefits in terms of reduced risk and the costs of control measures will play a
part in achieving and justifying ALARP. For example, if a control measure has a benefit that greatly
outweighs the cost, this control measure would almost always have to be implemented, or very good
reasons provided for not doing so. In contrast, if the cost greatly outweighs the benefit, demonstrating that
the control measure is not appropriate is straightforward, as other options will almost certainly exist that
are able to achieve a similar level of risk reduction at lower cost. If benefits and costs are both high, or are
both low, more careful consideration may be required before selecting or rejecting control measures.
The operator may be able to rank available control measure options according to their benefits and costs in
qualitative or quantitative terms. This will enable the operator to show that the appropriate balance has
been achieved, where further steps to reduce risk would incur unreasonably high cost with little gain.
For existing facilities, in undertaking risk assessment and providing justification, operators shouldalso
consider if newly adopted control measures could pose additional hazards or contribute to incident
scenarios, e.g. during installation or commissioning of new control equipment, or arising from spurious
operation of control measures.
Implementation arrangements should be included for any risk control measures that are planned but not
yet in place, i.e. scheduled implementation. Specific and explicit commitments should be included that
demonstrate the operators intention not to operate their facilities at an increased level of risk, in that
activities will not be carried out until such time as the corresponding control measures have been fully
implemented.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

11 of 22

Guidance note

ALARP

While there is no explicit requirement within the OPGGS(S) Regulations to record in the safety case the
range of control measures that has been considered, the content and level of detail needs to be sufficient
to gain an appreciation of the scope and process for undertaking the consideration including sources of
data and rationale for excluding or discounting items from consideration. It is difficult to see how an
operator could show that risks are as low as reasonably practicable without making reference to other,
discarded risk control measures.
Given all of the issues that may need consideration in demonstrating that the necessary control measures
have been identified, it is appropriate to develop an approach that is logical, structured and efficient. For
example, it would be inefficient to assess the effect of a control measure in detail if itwas not practicable
from a cost perspective. Equally, if there are control measures that can eliminate hazards, there may be
little purpose in devoting significant effort to the assessment of measures for reduction or mitigation of the
identified associated MAE.
Performance standards should be set for MAE control measures, and the safety case will need to include a
convincing argument that these standards are appropriate. This is required to provide evidence to enable
NOPSEMA to make a decision on whether the safety case is appropriate to the facility in accordance with
OPGGS(S) subregulation 2.5(2)(c). These factors are discussed in greater detail in NOPSEMA Guidance Note
Control Measures and Performance Standards.
Further guidance is available in the NOPSEMA guidance note:
Control Measures and Performance Standards

Example for a New-Build FPSO

An example of adopting a risk management strategy incorporating a hierarchy of controls and
inherently safe design principles is encompassed in the case of reducing risks associated with
conventional FPSO cargo pumps(located in a pump room) by using motor driven submersible pumps
located on deck.
The safety issues associated with a conventional pump room versus deep well pumps located in
each crude oil tank were evaluated. The review concluded there are advantages and disadvantages
to both options, however the pump room option does not satisfy established isolation protocol as
the pump seals are prone to leak thus posing significant fire and gas risk in the enclosed pump room
space. Based on this evaluation, the deep well pump option was selected.
A further review was then carried out to examine the safety issues associated with hydraulic versus
electric driven deep well pumps. Overall, it was concluded that the electric pump option is safer,
primarily because the lower personnel exposure more than offsets the higher ignition potential. For
this reason, the electric pump option was chosen for the design. Once the decision was made, the
design and provision was finalised incorporating inputs from ergonomic, material handling and
human factor interface reviews.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

12 of 22

Guidance note

ALARP

6.1 Summary of factors in selecting or rejecting control measures

Methodology for
understanding controls

Points to Consider

Control Measure Hierarchy

Elimination

Prevention

Reduction

Mitigation

Is there a control higher up the hierarchy that would more

effectively manage the hazard?
Where appropriate, is there a spread of controls across the
hierarchy?

Types of Control Measure

Technical (Hardware/software)

Other (SMS/Procedural)

Common Mode Failures

Is there an appropriate spread of technical and other controls?

Have failure modes been identified for each control measure

and then compared to identify common mode failures?

Layers of Protection

Design Standards

Control Systems

Operating Procedures

Safety Devices

Emergency Systems

Are the layers of protection provided adequate for the level of

risk posed by the hazard?

Operating Circumstances

Environment

Operating conditions

Activities being carried out

Focus of Control Measure

Have the controls been assessed for effectiveness over the range
of different operating circumstances they may have to operate
in?

Does the relative importance or vulnerability of the control

measure justify a higher depth of scrutiny than others

Effective

Functionality

Availability

Reliability

Survivability

ALARP

Has the functionality, availability, reliability and survivability,

been established for each control measure?
Have means of improving these aspects been considered?

Has each control measure been assessed for practicability, and

those found practicable been implemented while those found to
be not practicable noted as such with sufficient justification?

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

13 of 22

Guidance note

ALARP

Risk assessment and providing evidence

Operators of offshore facilities must adopt a comprehensive and systematic method for assessing the risks
of major accident events at their facilities. Some operators may choose to adopt quantitative methods,
particularly if this is common practice in their company, whereas others may choose to adopt qualitative
methods. The results of such assessments should be used to support the evidence that necessary control
measures have been identified, and to show that risks are eliminated or reduced to a level that is ALARP.
NOPSEMA expects the operator to justify the adopted risk assessment methodology and associated risk
acceptance criteria as being suitable and appropriate to the specific facility.

7.1 Risk assessment tools

Approaches to formal safety assessment are discussed in numerous publications, and in NOPSEMA
Guidance Note: Risk Assessment, so only limited details of risk assessment methods are provided in this
guidance note. ISO 17776, in relation to offshore production facilities, may provide further guidance on
tools and techniques for hazard identification and risk assessment. The requirement is for the operator to
select an approach which supports decision-making on control measures. Risk assessment will be an
important part of this process, by showing that risks are reduced to a level that is as low as reasonably
practicable, and by showing that decision-making relates to the level of risk.
Further guidance is available in the NOPSEMA guidance note:
Risk Assessment

7.2 Risk criteria

Many operators of offshore facilities may elect to assess and evaluate risks in a quantitative or semiquantitative manner, and to develop criteria against which to compare the estimated risk levels. It must be
noted, however, that all risk assessment is subject to uncertainty. For this reason, most approaches
evaluate risk based on broad ranges of risk, rather than on specific criteria.

Increasing individual risks and societal concerns

Figure 3 - Example of an ALARP triangle

Unacceptable /
Intolerable Region
IRPA 1x10 -3

ALARP
Region

IRPA 1x10 -6
Broadly
Acceptable
Region

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

14 of 22

Guidance note

ALARP

Risk is most commonly represented on an inverted triangle (such as Figure 3 above) as increasing from a
broadly acceptable risk region, through a tolerable region only if shown to be ALARP, to an intolerable
region, in which the risk cannot be justified on any grounds. Such diagrams also typically introduce
numerical thresholds between the risk bands, often in terms of the Individual Risk Per Annum (IRPA) of a
fatality. Operators may find it helpful to think of risk in terms of the inverted ALARP risk triangle; however it
is important to be aware that the overall provisions the operator has to make through the safety case need
to consider hazards and risks in all regions of the triangle.
As shown in Figure 4, a more accurate representation of an ALARP triangle in the context of the OPGGS(S)
Regulations is simpler, but more challenging, with the sole requirement being the reduction in risk to
ALARP. It is notable that in order to keep risk at a level that is ALARP requires ongoing action to ensure the
integrity of the control measures is maintained.
Figure 4 OPGGS(S) ALARP triangle diagram

Increasing individual risks and societal concerns

For each OHS Hazard

Untreated
Risk
Application of
cost effective
control measures
to reduce risk

Ongoing action to
maintain integrity of
control measures

Risk reduced to a
level that is
ALARP
Cost of further risk
treatment grossly
disproportionate to
the reduction in risk

Although the Australian safety case regime may appear broadly compatible with that applied
internationally, it is important to stress that the requirements contained within the OPGGS(S) Regulations
incorporate continuous improvement aspects. This means that at the lowest risk band, it may be
reasonably practicable to further reduce the risk, and the regulations also require that this is considered.
The safety case will have to show that:

all hazards with the potential to lead to a major accident event have had all reasonably practicable
risk reduction measures applied;
any hazards or risks that may arise in the future will be effectively dealt with; and
there are suitable and reliable processes for continuing to manage hazards and risks at all levels,
and for achieving continuous improvement

It is appropriate to apply concepts of proportionality to treating risks, and to concentrate effort on high
risk areas. Numerical categorisation of risk may provide a yardstick to assist understanding and
prioritizing risk reduction measures, however it should not be used as a single acceptance criterion.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

15 of 22

Guidance note

ALARP

7.3 Continuous improvement

While the safety case may place emphasis on reducing the risk to a level that is ALARP, it should not detract
from the need for continuous improvement. Reducing risks to a level that is ALARP and continual
improvement are both key objectives of the regulations, and relate both to what is done currently and to
what is planned for the future.
If carried out properly, the process of developing the safety case will improve safety of offshore activities by
ensuring a systematic review of the hazards, their associated risks and the control measures that are
applied at the facility to either eliminate the hazards or otherwise reduce the risks. Progress, in terms of
risk reduction, is achieved by applying the process both during initial development of the safety case and
subsequently in the course of continuous improvement (Figure 5).

Level of RIsk

Figure 5 - Continuous Improvement in Safety through Implementation of the Safety Case

Safety Case Development

Continuous Improvement

Identify
Hazards
Assess
Risks

Implement
Controls
Identify
Controls

Identify
Hazards

Manage
Safety
Implement
Controls

Identify
Controls

Assess
Risks

Safety Case
Submission

ALARP

It is expected that over the life of a facility an operators risk managementprocesses will identify
opportunities to enhance the effectiveness of existing control measures or implement additional control
measures and that a proportion of these will be reasonably practical to implement. This expectation is
based on both ongoing developments in the state of knowledge concerning hazards and risks and the
associated control measures and the over-arching duty of an operator to take all reasonably practicable
steps to ensure that the facility and activities carried out at the facility are safe and without risk to the
health and safety of any person at or near the facility.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

16 of 22

Guidance note

ALARP

Use of Industry Codes and Standards

For most facilities, compliance with industry standards, codes or practices may play an important role in
providing evidence that necessary and appropriate control measures have been identified and adopted. In
principle, such standards may be Australian Standards, equivalents from overseas organisations such as ISO
standards, international industry practices such as those from the American Petroleum Institute, or
company-specific standards. However, the existence of a published standard does not imply that it is
always useful or correct. Whichever standards are being used, these standards, and the control measures
that they apply, should all be shown to be suitable and appropriate to the specific facility, taking account of
its type, scale, activities, location, etc. Operators have the responsibility to consider the available
standards, specify the correct one, enforce compliance, and use the system or equipment correctly.
Validation of suitability of standards for safety-critical equipment is also necessary.
Further guidance is available in the NOPSEMA guidance note:
Control Measures and Performance Standards

Technical standards issued by classification societies, IMO, national authorities and industry bodies
underpin the design of many aspects of most offshore installations. For example, ISO 13702 (Control and
mitigation of fires and explosions on offshore production installations), ISO 15544 (Requirements and
guidelines for emergency response) and ISO 10418 (Basic surface process safety systems) provide guidance
in relation to offshore production facilities. These standards have been developed using the expertise of
the industry, responding to previous accident and incident experience and, in general, prescribe specific
design solutions. The aim of technical standards is to ensure that, provided the installation is used for a
standard application under good safety management, the risks will be reduced. However, it is an
established part of good safety management to make use of risk assessment to identify hazards and
minimise risks. Compliance with technical standards provides a sound design basis for standard offshore
installations, but does not replace risk assessment altogether.

Example: Option Selection

Standards, for the most part, allow for multiple solutions to a design. For example, in a project
design process a decision would be made on, for instance, a type of compression to be adopted on
the facility and then the appropriate standards are applied to the type of compression selected.
Standards compliance on its own does little to demonstrate an ALARP decision process, since one
type of compression may be of inherently lower risk than the other. The real ALARP decision process
centres on the option choice whereas the standards argument is merely demonstrating that the
chosen option meets appropriate standards for the option selected.
In some cases there may be a single over-arching standard that appears to apply. An example is the
International Maritime Organisation Code for the Construction and Equipment of Mobile Offshore Drilling
Units, (MODU Code) for most of the marine standards for an offshore drilling unit. For simple facilities, it
may be possible to present evidence that risk related to design aspects are ALARP based largely on such
standards, however the overall requirement for evidence of ALARP applies equally to construction,
operation, ongoing maintenance and decommissioning phases (depending on the stage(s) in the life of the
facility addressed in the safety case) as well as the facility design. In addition, a significant component of
the ALARP requirements of the OPGGS(S) Regulations relates to the safety management system [OPGGS(S)
subregulation 2.5(3)(e)] and therefore it is not normally possible to base an ALARP demonstration on
standards alone.
For particularly large or complex facilities, it may be necessary to go beyond the established standards in
order to demonstrate that risks related to facility design are ALARP. For example:

The standards may not address the types of incident that are of prime concern to the facility;
There may be gaps in the standards, such that the particular standard does not govern all aspects of
hazards and risks at a facility; and

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

17 of 22

Guidance note

ALARP

The standard has fallen behind current good practice, or the facility has fallen behind the standard
as that has been further developed.

Example: Lifeboat Capacity

An operator may decide to comply with the Life-Saving Appliances (LSA) IMO code for all lifeboats on
a specific facility, since LSA is an internationally recognised standard for lifeboats on vessels. The
operator should recognise according to the LSA code, lifeboat capacity is based on a person having
an average mass of 82.5kg. If the average weight for the personnel on the operators facility is
typically 90kg then the operator should identify the limitation of the LSA code and ensure their
lifeboat capacities are reclassified accordingly.
Example: Hazardous Area Zoning
An operator suspected that hazardous area classification zones described in a standard used by their
organisation might not accurately reflect what was occurring in practice. As a result, a gas
monitoring system was set up that identified the hazardous area zones needed to be increased due to
the specific site circumstances. Under a goal-setting regime, it is also possible for operators to make
such zones smaller if they can demonstrate it is reasonable to do so.
In the petroleum and chemical processing industries, there are no single over-arching standards for all
aspects of facility design and operation. Rather, there are detailed standards in specific areas of design
such as pressure vessels, hazardous area classification, fire-protection, and so on, plus general standards
related to safety management. Standards are good at a system or equipment level but not necessarily
suitable at a holistic level; they cannot be relied upon to give an indication of the adequacy of risk
management of a combination of unique hazards on a specific facility. In this situation, it is common for an
operator to adopt a suite of standards, perhaps taken from a number of different organisations. In such
cases, significant effort may be necessary to show that this overall suite of standards is suitable and
appropriate, as well as the individual parts.
Particular issues that will need additional consideration, which may not be covered by the individual
standards, include plant layout, routing of escape-routes and protection of manned areas. In such cases
there will be particular benefit in the operator developing a basis for safety for the specific facility.
Whatever standard or set of standards is used, the operator should take care to justify applicability and
recognise limitations of those standards.
There may be cases where the current most relevant standard is not complied with in certain respects. An
example may be a complex or novel facility where there are no applicable standards; another may be an
ageing facility designed and constructed to standards now superseded. In such cases, the operator should
show that additional measures have been introduced to compensate (i.e. to show that equivalent safety
has been achieved), or that additional measures are not reasonably practicable. Examplesof measures that
may achieve equivalent safety are re-rating of equipment and introduction of more frequent testing or
inspection. Where weaknesses are known or suspected to exist, for example if there is a gap in overall
control measures, or a measure has been compromised by age, this must be explicitly identified. Solutions
for addressing these weaknesses must be explored, and the chosen solution incorporated.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

18 of 22

Guidance note

ALARP

OPGGS(S) Regulations Objects

Reg 1.4(2)

An object of these regulations is to ensure that safety cases for offshore petroleum
facilities make provision for the following matters in relation to the health and safety of
persons at or near the facilities:
(a) the identification of hazards
(b) the implementation of measures to eliminate the hazards or otherwise control the
risks;
(c)
a comprehensive and integrated system for management of the hazards and risks;
(d) monitoring, audit, review and continuous improvement.

With respect to OPGGS(S) subregulation 1.4(2)(d) the review of facility hazards and risks should be a
periodic process whereby the applied standards on a facility are reviewed against new and updated
standards. If new standards or requirements are introduced they cannot be dismissed because the plant or
facility was built prior to them; neither should they be automatically adopted: the risk assessment process
must be undertaken. The task would be to understand the intent of the new standard and the change that
it evokes from the current/existing operating situation. Once the assessment has taken place then
decisions can be made about implications for a new understanding of risk on the facility and the steps that
need to be taken.
Example: MODU Code
A number of MODUs operating in Australian waters are only classed to the 1979 MODU Code (rather
than the 1989 Code or 2001 amendment). One area of significant difference with later versions of
this code is considerations for ballast control following the Ocean Ranger incident in which a MODU
and all on board were lost. Any ALARP argument for the management of ballasting related MAEs
should explicitly consider the limitations of the older code and implementation of the current code or
equivalent control measures unless it can be demonstrated not to be reasonably practicable to do so.
It is also an option for an operator to use earlier versions of a code or standard if it can be shown that by
doing so the risks are reduced to a level that is ALARP. In taking such an approach an operator wouldalso
need to be mindful of the basis for the change to the code or standard noting that such changes are
generally improvements in response to an identified failure or weakness of the code or standard.
Example: Electrical colour coding
An operator may in the past have complied with Electrical Installation Standard AS 3000 which was
revised in 2007 with respect to selection of cables for size and colour. The operator may assess that
there is a risk arising from the use of two different cable colour schemes in the same system.
NOPSEMA would expect under such circumstances that older conductors would be thoroughly tested
to ensure that their physical condition is acceptable and that existing cables do actually meet the
standard the operator has quoted in terms of adequate cross-sectional area, voltage drop levels,
cable grouping etc.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

19 of 22

Guidance note

ALARP

Good practice and reasonable practicability

In determining what is reasonably practicable (or not), the courts usually do so in the context of an incident
and therefore take an event focus - they consider in hindsight an alleged breach associated with a
particular incident, and each incident is judged on a case by case basis. Due to the event focus of
prosecutions, courts traditionally have not been concerned with what proactive steps might need to be
taken by an operator to address risk across a facility. In contrast, risk management provisions in the
OPGGS(S) Regulations are framed as a proactive and holistic process, to prevent or control risks before
incidents occur rather than simply reacting to them when they do.
In the decision by Lord Asquith, the computation associated with reasonably practicable falls to be made
by the owner at a point of time anterior to the accident. Furthermore, in regard to what is practicable,
the test of gross disproportion applies: if a measure is practicable and it cannot be shown that the cost of
the measure is grossly disproportionate to the benefit gained, then the measure is considered reasonably
practicable and must be implemented. This reinforces a precautionary approach by requiring the requisite
control measures to be implemented unless there is an obvious imbalance between the sacrifice (cost) and
the risk and further that as risk levels rise so too does the sacrifice (cost) that could reasonably be
considered as being grossly disproportionate. .
When reviewing health or safety control measures for an existing facility, plant, installation or for a
particular situation (such as when considering retrofitting, safety reviews or upgrades), operators should
compare existing measures against current good practice. The good practice measuresshould be adopted
so far as is reasonably practicable. It might not be reasonably practicable to apply retrospectively to
existing plant, for example, all the good practice expected for new plant. However, there may still be ways
to reduce the risk e.g. by partial solutions, alternative measures, etc.
In determining what is reasonably practicable, the starting point for the risk/sacrifice computation should
be the current situation. Operators should also consider the adequacy of the relevant good practice. An
operators SMS should incorporate processes to monitor changes to applicable codes and standards. When
a code or standard is updated to a higher standard, the facility, plant, installation or situation should be
examined to see if it can be brought up to the new standard. Any such upgrades must be undertaken if it is
reasonably practicable to do so.
New plant, installations or situations should conform to current good practice, as a starting point. Other
potential options should be considered to determine whether further risk reduction measures are
reasonably practicable. As a guide, designers can aim and compare against levels of safety that are known
to have been achieved in other good practice designs.
The use of good practice at the design stage is essential to demonstrating achievement of ALARP.
Therefore, it is important that the operator capture all of the relevant information about risk-reduction
decisions made during the early design stages. This should include use of sound design principles (e.g.
inherent safety) as well as codes, standards and guidance. The earlier an operator undertakes an ALARP
evaluation, the greater the ability to reduce risks to a level that is ALARP. Practicability is reduced as the
project progresses and inherent safety opportunities are often lost beyond the concept selection stage. As
previously mentioned, the criterion is reasonably practicable, not reasonably affordable: justifiable cost and
effort is not determined by the budget constraints/viability of the project.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

20 of 22

Guidance note

ALARP

10 Critical factors for success

NOPSEMA expects the operator to address at least the following specific factors in their consideration of
ALARP in the safety case submission:

Timeliness. The earlier an operator undertakes an ALARP evaluation, the greater the ability to reduce
risks to a level that is ALARP.

Safety case content that is consistent with the requirements specified in the OPGGS(S) Regulations;

Involvement of people who know the facility or a very similar operation;

Access to a wide range of reference material such as standards, safety alerts, etc.;

Description with an sufficient level of detail that explains the means by which the operator ensures
suitability of the design, construction, installation, operation, maintenance or modification that is
appropriate to the facility;

A transparent and robust presentation of evidence showing that the adopted control measures
reduce risk to ALARP; and

A transparent and robust presentation of evidence that the SMS provides for and will continue to
provide for reduction of risk to ALARP, and that the SMS is comprehensive and integrated.

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

21 of 22

Guidance note

ALARP

11 References, Acknowledgements & Notes

Offshore Petroleum and Greenhouse Gas Storage Act 2006
Offshore Petroleum and Greenhouse Gas Storage (Safety) Regulations 2009
HSE Offshore Information Sheet 2/2006 The Role of Offshore Installations (Safety Case) Regulations 2005
regulation 12 http://www.hse.gov.uk/offshore/sheet22006.pdf
ISO 10418 Petroleum and natural gas industries -- Offshore production platforms - Basic surface process
safety systems
ISO 13702 Petroleum and natural gas industries -- Control and mitigation of fires and explosions on
offshore production installations -- Requirements and guidelines
ISO 15544 Petroleum and natural gas industries -- Offshore production installations -- Requirements and
guidelines for emergency response
ISO 17776 Petroleum and natural gas industries -- Offshore production installations -- Guidelines on tools
and techniques for hazard identification and risk assessment
National Research Centre for Occupational Health and Safety Regulation, The Relationship Between
Reasonably Practicable and Risk Management Regulation, Bluff and Johnstone, 2004
UK HSE Assessment Principles for Offshore Safety Cases 2005
UK HSE Assessing compliance with the law in individual cases and the use of good practice
UK HSE Principles and Guidelines to assist HSE in its judgements that duty holders have reduced risk as low
as reasonably practicable
UK HSE Policy and guidance on reducing risks as low as reasonably practicable in Design
The UK offshore oil and gas industry A framework to assist risk-related decision making (Oil & Gas UK,
formerly UKOOA, 1999)
Note: All regulatory references contained within this Guidance Note are from the Commonwealth Offshore
Petroleum and Greenhouse Gas Storage Act 2006 and the associated Commonwealth Offshore Petroleum
and Greenhouse Gas Storage (Safety) Regulations 2009. For facilities located in Victorian designated coastal
waters, please refer to the Victorian Offshore Petroleum and Greenhouse Gas Storage Act 2010 and the
associated Offshore Petroleum and Greenhouse Gas Storage Regulations 2011. For facilities located in
other designated coastal waters, please refer to the relevant State or Northern Territory legislation.
NOPSEMA would like to acknowledge the UK Health and Safety Executive (HSE) and WorkSafe Victoria for
their assistance in the preparation of this guidance documentation. For more information regarding this
guidance note, contact the National Offshore Petroleum Safety and Environmental Management Authority
(NOPSEMA):
Telephone:
e-mail:

+61 (0)8 6188-8700, or

safetycaseguidance@nopsema.gov.au

National Offshore Petroleum Safety and Environmental Management Authority

A138249

June 2014

22 of 22