Guidelines for the management of

safety critical elements

2nd edition

An IP Publication

Published by the Energy Institute

Energy Institute
61 New Cavendish Street
London W1G 7AR, UK
t: +44 (0) 20 7467 7157
f: +44 (0) 20 7255 1472
e: pubs@energyinst.org.uk
www.energyinst.org.uk
ISBN 978 0 85293 462 3
Registered Charity Number 1097899
This publication has been produced as a result of
work carried out within the Technical Team of the
Energy Institute (EI), funded by the EI’s Technical
Partners. The EI’s Technical Work Programme
provides industry with cost effective, value adding
knowledge on key current and future issues
affecting those operating in the energy sector,
both in the UK and beyond.
GUIDELINES FOR THE MANAGEMENT OF
SAFETY CRITICAL ELEMENTS

Second edition

March 2007
 GUIDELINES FOR THE MANAGEMENT OF
SAFETY CRITICAL ELEMENTS

Second edition

March 2007

Published by
ENERGY INSTITUTE, LONDON
The Energy Institute is a professional membership body incorporated by Royal Charter 2003
Registered charity number 1097899
Endorsed by
The United Kingdom Offshore Operators Association and the HSE Offshore Safety Division
The Energy Institute gratefully acknowledges the financial contributions towards the scientific and
technical programme from the following companies:

BG Group Murco Petroleum Ltd

BHP Billiton Limited Nexen
BP Exploration Operating Co Ltd Saudi Aramco
BP Oil UK Ltd Shell UK Oil Products Limited
Chevron Shell U.K. Exploration and Production Ltd
ConocoPhillips Ltd Statoil (U.K.) Limited
ENI Talisman Energy (UK) Ltd
ExxonMobil International Ltd Total E&P UK plc
Kuwait Petroleum International Ltd Total UK Limited
Maersk Oil North Sea UK Limited

Copyright © 2007 by the Energy Institute, London:

The Energy Institute is a professional membership body incorporated by Royal Charter 2003.
Registered charity number 1097899, England
All rights reserved

No part of this book may be reproduced by any means, or transmitted or translated into a machine language without
the written permission of the publisher.

The information contained in this publication is provided as guidance only and while every reasonable care has been
taken to ensure the accuracy of its contents, the Energy Institute cannot accept any responsibility for any action taken,
or not taken, on the basis of this information. The Energy Institute shall not be liable to any person for any loss or
damage which may arise from the use of any of the information contained in any of its publications.

The above disclaimer is not intended to restrict or exclude liability for death or personal injury caused by own
negligence.

ISBN 978 0 85293 462 3

Published by the Energy Institute

Further copies can be obtained from Portland Customer Services, Commerce Way,
Whitehall Industrial Estate, Colchester CO2 8HP, UK. Tel: +44 (0) 1206 796 351
e: sales@portland-services.com

Electronic access to EI and IP publications is available via our website, www.energyinstpubs.org.uk.

Documents can be purchased online as downloadable pdfs or on an annual subscription for single users and
companies. For more information, contact the EI Publications Team.
e: pubs@energyinst.org.uk
 CONTENTS

Page

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Background to the revision of Guidelines for the management of safety critical elements . . . . . . . . . . . 3

3 Applicable legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4 Definitions and key concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4.1 Safety critical elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2 Major accidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.3 Performance standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.4 Verification schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.5 Independent competent persons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

5 Identification of SCEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

6 Development of Performance Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

7 Assurance of SCE integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

8 Verification throughout the asset life . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

8.1 Overview of verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.2 Verification in the concept, feed, design, construction and commissioning phases . . . . . . . . . . . . . . . 18
8.3 In-service verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
8.4 Decommissioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

9 Change management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
9.1 Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
9.2 Temporary equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

10 References and glossary of terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

v
vi
 FOREWORD

In 2005, the UKOOA led Installation Integrity Working Group (IIWG) requested that the Energy Institute manage
the review and revision of the UKOOA Guidelines for the management of safety critical elements, first issued in
September 1996. This project required the formation of a separate (sub) Working Group from the parent IIWG
members.

The revision exercise was part of a programme of work undertaken by the IIWG which included development and
promotion of industry good practices and suitable performance measures. A principal deliverable of this Working
Group was the Asset Integrity Tool Kit, which includes an Assurance and Verification Tool outlining the
requirement for identification, assurance and verification of Performance Standards for Safety Critical Elements.
These Guidelines are therefore considered as providing valuable input for this element of the management of
installation integrity.

It is intended that these Guidelines should provide good practice for the management of safety critical elements for
offshore installations and will be of use principally for those involved in assurance and verification. The document
should also provide a useful guide for duty holders, managers of operations, safety, engineering and maintenance
functions, and an initial introduction for those who wish to become involved in the subject.

This document has been compiled as guidance only and while every reasonable care has been taken to ensure the
accuracy and relevance of its contents, the Energy Institute, its sponsoring companies, the document writer and the
Working Group members listed in the Acknowledgements who have contributed to its preparation, cannot accept
any responsibility for any action taken, or not taken, on the basis of this information. The Energy Institute shall not
be liable to any person for any loss or damage which may arise from the use of any of the information contained in
any of its publications.

These Guidelines will be reviewed in future and it would be of considerable assistance for any subsequent revision
if users would send comments or suggestions for improvements to:

The Technical Department,

Energy Institute,
61 New Cavandish Street,
London
W1G 7AR

e: technical@energyinst.org.uk

vii
 ACKNOWLEDGEMENTS

The Institute wishes to record its appreciation of the work carried out by the following individuals:

Tim Walsh of Lloyds Register EMEA, for the drafting of this document.

Members of the Joint Industry Working Group, which was set up to steer the re-drafting programme and who have
provided valuable expertise:

Keith Hart Energy Institute (Manager and Chairman)

Lee Broadley Talisman Energy Ltd
Simon Brown HSE OSD
Bernard Emery HSE OSD
Peter Griffiths HSE OSD
Paul Kefford Chevron
Bob Kyle UKOOA
Alex Macleod Lloyds Register EMEA
Bill McKenzie BP Operating Company Ltd
Alan Richardson HSE OSD
Ian Wright DNV

Assistance was also provided by:

Garry Mannett BV
Richard McCabe BV
Phil Rothie BV
Ruth White DNV

The Institute also wishes to recognise the contribution made by those who have provided comments on the Draft
document which was issued during an industry consultation period.

viii
 1
INTRODUCTION
The purpose of this document is to provide industry
guidance for the management of Safety Critical
Elements (SCEs) on offshore installations operating on
the UK continental shelf. SCEs are the equipment and
systems which provide the basis to manage the risks
associated with Major Accident Hazards (MAHs). This
document should be read in conjunction with the
Offshore Installations (Safety Case) Guidelines. This
publication replaces that of the same title produced by
the UK Offshore Operators Association (UKOOA) in
1996.
The starting point for this guidance is a review of
the applicable legislation and a summary of the key
concepts underpinning the management of SCEs. The
1
document then describes the process by which SCEs are
identified and performance standards set. The process of
verification is central to ensuring that the integrity of
SCEs is maintained and guidance is provided for the
management of verification throughout the various
stages of the asset lifecycle. The document also deals
with the management of change in relation to SCEs and
concludes by identifying sources of further information
including good practice and FAQs.
This document is aimed at all those who have an
interest and/or involvement in the management of SCEs,
particularly those responsible for the management of
technical and operational activities within, or on behalf
of, duty holders.
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

2
 2
BACKGROUND TO THE REVISION OF
Guidelines for the management of safety
critical elements
The first issue of the joint industry Guidelines for the
management of safety critical elements was produced by
a UKOOA led work group in September 1996, at a time
when the new "verification regime" was being
introduced. That document was primarily intended to
provide guidance to the industry on how the new
requirements should be implemented on installations
that had been designed, constructed and operated under
the previous "certificate of fitness" requirements.
The UK oil and gas industry has been operating in
accordance with the requirements of the Offshore Safety
Case Regulations (OSCR) since 1996 and it is
appropriate that the original guidelines should be
revised to take account of experience gained in recent
years. Since the publication of the original guidelines,
there have also been additional developments from
within industry which have impacted on the
management of safety critical elements and for which
guidance is provided in this document.
3
These include:
— Major modifications being carried out to existing
installations as they are developed for changing
field characteristics and functions, which may be
very different to those for which they were
originally designed.
— Replacement of verification aspects of the Offshore
Installations (Design & Construction) Regulations
(1996) by the Offshore Safety Case Regulations
(2005).
— Installations that are being operated well beyond
their original design life.
— Changing ownership, and in some cases, multiple
changes of ownership, of many older assets and the
prevalence of smaller independent operators, some
of whom are new entrants to the UK sector.
— The increasing importance of decommissioning
activities.
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

4
 3

APPLICABLE LEGISLATION

The requirement for industry to manage SCEs is — The Offshore Installations (Prevention of Fire and
covered either directly or indirectly by the following Explosion and Emergency Response) Regulations
regulations: 1995 (PFEER).

— The Offshore Installations (Safety Case) The following table shows how these regulations relate
Regulations 2005. to the management of SCEs.

Regulations Section Areas covered

OSCR 2005 Regulation 2 Definition of Safety Critical Elements
Definition of Major Accident Hazards
Assurance of the fitness for purpose of SCEs
Independent Competent Persons
Regulation 19 Duty holders’ responsibility with respect to the
identification and management of SCEs
Schedule 7 Matters to be provided for in a verification scheme
PFEER 1995 Regulation 5 Performance Standards
Regulation 19 Assurance of the fitness for purpose of SCEs

5
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

6
 4
DEFINITIONS AND KEY CONCEPTS
There are a number of definitions and key concepts
which are essential to the successful management of
SCEs. Details of these are provided within the
regulations, approved codes of practice and guidance
documents; however the main concepts are summarised
below.
4.1 SAFETY CRITICAL ELEMENTS
Safety Critical Elements are any part of the installation,
plant or computer programmes whose failure will either
cause or contribute to a major accident, or the purpose
of which is to prevent or limit the effect of a major
accident, and for the purpose of these guidelines,
include items of specified plant referenced in
Regulation 19 of PFEER.
4.2 MAJOR ACCIDENTS
Major accidents are fires, explosions or releases of
dangerous substances that will cause death or serious
injury; major damage to the structure or plant or loss of
stability; the collision of a helicopter; failure of life
support systems for diving operations; or any other
event involving death or serious injury to five or more
people.
4.3 PERFORMANCE STANDARDS
A Performance Standard is a qualitative or quantitative
statement of the performance required of a system or
item of equipment in order for it to satisfactorily fulfil
7
its purpose.
It is a requirement that Performance Standards
should be established for all SCEs.
4.4 VERIFICATION SCHEMES
Verification schemes are written schemes implemented
to confirm, or otherwise, that SCEs are suitable and
remain in good repair and condition. As from April
2006 verification schemes should also cover specified
plant required by PFEER and previously subject to
PFEER written schemes of examination.
4.5 INDEPENDENT COMPETENT PERSONS
Independent Competent Persons (ICPs) are required to
carry out various functions under the verification
scheme to ensure that the process of managing risks
associated with the Major Accident Hazards is working
effectively. It is a requirement that ICPs must be
sufficiently independent so as to be impartial and
objective in their judgement such that safety is not
compromised. The role of the ICP can either be
undertaken by a single organisation or by a number of
different individuals or organisations considering
separate aspects of the installation. In the latter case
however, greater co-ordination will be required by the
duty holder to ensure that all parts of the scheme have
been adequately addressed and that interfaces are
effectively managed. Although not mandatory, it is
generally recommended that where multiple ICPs are
employed, one has an overseeing role.
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

8
 5

IDENTIFICATION OF SCEs

Although there are various different, and equally which are common to all. These common steps are
acceptable, ways of identifying SCEs there are steps shown in Figure 5.1 and described below.

Identify Major Accident

events using the
Safety Case

Identify structure and plant which can cause, prevent,

detect, control, mitigate, rescue or help recover from a
major accident

Identify PFEER specified plant

Record items identified

as SCEs

Figure 5.1: Identification of SCEs

9
 GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
Step 1: Identify the major accident events on the
installation
This is carried out using a series of hazard identification
techniques, involving both qualitative and quantitative
methods. The results from this process are generally
recorded in a Hazard Register which documents all of
the potential major accident event scenarios on an
installation, and should be documented in the safety
case for the installation.
Step 2: Identification of structures and plant which
can cause, contribute to, prevent or help
recover from a major accident
Duty holders will generally utilise lists of plant and
equipment, extracted from their computerised
maintenance management systems, as the starting point
for assessing which of the items on the list are safety
critical. The issue of 'how deep to dig' is one that
requires to be addressed before the identification
process can begin. Approaches vary, but SCEs need to
be defined at an appropriate level such that they have a
direct linkage to MAHs, and it is also clear whether or
not an equipment item forms part of one or more SCEs.
A team approach to SCE selection is usual as it is
unlikely that a single person would have sufficient
technical appreciation of the major accident analyses
and detailed knowledge of the installation. Starting from
the complete list of equipment the team should assess
each item in turn and form a view as to whether it could
cause, contribute to, prevent or help recover from, a
major accident.
10
The outcome of these deliberations should be
recorded giving the reasons why an item has, or has not
been identified as safety critical and with reference to
the relevant major accident hazard.
Step 3: Identify PFEER Specified Plant
Specified Plant is any of the plant of an installation
which is provided:
— To comply with Regulations 11(1)(a), 13, 15 and
16 of the PFEER Regulations.
— As a means of detecting fire and for detecting and
recording accumulations of flammable gases (as
required by Regulation 10 of the PFEER
Regulations).
— Measures to combat fire and explosion as required
by Regulation 12 of the PFEER Regulations.
Step 4: Prepare a record of items identified as
Safety Critical Elements
It is important that the record of SCEs is maintained up
to date, therefore the major accident analyses and the
list of SCEs should be reviewed periodically. The list
should also be reviewed prior to the addition of new
equipment or modification of existing plant.
A typical (but non-exhaustive) example, showing
the interrelationship between MAHs and SCEs is given
below.
 IDENTIFICATION OF SCEs

HAZARD PRIMARY SAFETY CRITICAL ELEMENTS AND SUB-ELEMENTS

IDENTIFICATION MAJOR
PRESSURE VESSELS
AND ASSESSMENT HAZARDS
PROCESS PIPING
CONTAINMENT PIPELINES
WELLS
FIRE

IGNITION Ex CERTIFIED EQUIP.

CONTROL ELECTRICAL TRIPPING EQUIP.
EARTHING AND BONDING EQUIP.

MAINTENANCE MANAGEMENT SYSTEM

EXPLOSION SAFEGUARDING
PROCESS SHUTDOWN SYSTEM
SYSTEMS
EMERGENCY SHUTDOWN SYSTEM
MAJOR FIRE AND GAS SYSTEM
ACCIDENT FIRE
SCENARIOS HELICOPTER PROTECTION WATER FIRE FIGHTING
CRASH CHEMICAL FIRE FIGHTING
PASSIVE FIRE PROTECTION
NAVIGATIONAL
AIDS AIRCRAFT
MAJOR SEACRAFT
SHIP
ACCIDENT
COLLISION
HAZARDS SUPPORT STRUCTURES
STRUCTURES FACILITY STRUCTURES
EXPLOSION PROTECTION

STRUCTURAL LIFTING CRANES

MAJOR FAILURE EQUIPMENT LIFTING GEAR AND BEAMS
HAZARDS
REGISTER
TURBINE P.M. FOR COMPRESSORS
ROTATING TURBINE P.M. FOR GENERATORS
DROPPED EQUIPMENT
OBJECTS RADIOS
TELEPHONES
COMMUNICATIONS PUBLIC ADDRESS
EQUIPMENT
TURBINE
LIFEBOATS
DISC
ESCAPE, LIFERAFTS
FAILURE
EVACUATION AND HELICOPTER RESCUE BOX
FLOW RESCUE EQUIPMENT PERSONAL SAFETY EQUIPMENT

11
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

12
 6
DEVELOPMENT OF PERFORMANCE
STANDARDS
This activity follows from the identification of MAHs
and selection of SCEs described in Section 5.
The creation of Performance Standards (PSs) is the
process by which a duty holder sets out what is
expected of an SCE. The PSs are the criteria against
which the initial and ongoing suitability of an SCE is
assessed. Safety Integrity Level (SIL) assessments may
be used to develop PSs for instrument based protective
systems.
Performance Standards for SCEs are generally
defined in terms of:
13
— Functionality – What is it required to do?
— Availability – For what proportion of time will it be
capable of performing?
— Reliability – How likely is it to perform on
demand?
— Survivability – Does it have a role to perform post
event?
— Interactions – Do other systems require to be
functional for it to operate?
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

14
 7
ASSURANCE OF SCE INTEGRITY
It is the responsibility of the duty holder to ensure that
SCEs are able to perform their intended functions with
the required availability and reliability throughout their
service.
This should be achieved by the following means:
1. Identifying those assurance activities, such as
maintenance, inspection and testing, that are
required to maintain the SCE in a suitable
condition.
15
2. Ensuring that assurance activities are carried out at
the appropriate time by competent people.
3. Maintaining a record of these activities and any
findings that arise.
4. Addressing any deficiencies arising from assurance
activities as soon as possible and taking any
temporary measures that may be necessary to
maintain risk ALARP until deficiencies have been
rectified. Any temporary measures should be
subject to review and comment by the ICP.
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

16
 8

VERIFICATION THROUGHOUT THE

ASSET LIFE
8.1 OVERVIEW OF VERIFICATION 8.1.2 Responsibilities of the ICP

This section provides an overview of verification and
description of how verification should be approached
during the various stages of the asset’s life.
8.1.1 Elements of a verification scheme
A verification scheme must address the following (see
OSCR (2005) Schedule 7):
1. The principles to be used in selecting persons to
perform functions under the scheme and keep it
under review (i.e. the ICP).
2. Arrangements for communicating necessary
information to persons performing functions under
the scheme and reviewing it.
3. The nature and frequency of examination and
testing.
4. Arrangements for reviewing and revising the
scheme.
5. Arrangements for record keeping for examinations
and tests carried out, results and findings,
recommended actions and close-out of
recommended actions.
6. Arrangements for communicating 5. to the
appropriate level in the duty holder’s organisation.
The ICP is required to review and comment on the list
of SCEs and ensure himself that Performance Standards
are appropriate; any reservation raised by the ICP
should be recorded.
The verification scheme may be drawn up by either
the duty holder (or an appointee acting on its behalf), or
the duty holder in conjunction with the ICP. If it is not
drawn up by the ICP, then the ICP must review and
comment on the scheme and a record of that review
(including any comments or reservations as a result of
unresolved issues arising) should be retained as part of
the scheme records.
The ICP is responsible for carrying out the
verification activities detailed in the verification
scheme. The duty holder is responsible for ensuring that
the ICP is provided with all access necessary and
information required to carry out the verification
activities.
8.1.3 Verification activities
Verification activities are those carried out by the ICP
and are intended to either directly establish the
suitability of the SCE, or to establish that appropriate
assurance activities have been undertaken (e.g. the
witnessing of emergency shutdown system function
tests).
Both assurance and verification activities should be
defined in the same written scheme of examination, but
only an ICP can carry out verification activities.

17
 GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
The verification scheme should provide a clear
indication of the nature and frequency of the verification
activity that the ICP is expected to carry out.
When assurance and maintenance work is carried
out sufficient information should be recorded to show
that the SCE remains in good repair and condition. This
is particularly important where availability and
reliability performance standards require to be
demonstrable.
8.2 VERIFICATION IN THE CONCEPT, FEED,
DESIGN, CONSTRUCTION AND
COMMISSIONING PHASES
During these initial phases of a development project, the
duty holder is required to demonstrate “initial
suitability” of SCEs through the following:
— Consideration of the design.
— Confirmation of the adequacy of manufacture,
fabrication and installation.
— Demonstration during commissioning that the
SCEs are capable of meeting the required
performance standards.
The ICP’s role is to carry out independent examination
of documents, activities and plant and equipment to
confirm the level of compliance with the performance
standards.
The identification of SCEs and the setting of
performance standards are important activities during
these pre-operating stages of the project as they provide
the foundation for managing the MAH risk.
Development of a verification scheme for new
construction requires input and co-ordination from a
number of different parties within the duty holder’s
organisation, and also from the ICP, design contractors,
fabricators and completions team. The early
engagement of all parties in the process is crucial to a
successful outcome. Particular effort should be made to
ensure that previous operational experience is utilised
during the detailed design and construction phases.
8.2.1 Major Accident Hazards and SCEs
It is usual to produce a document (MAH / SCE matrix)
listing the SCEs and describing their derivation linkage
to the MAH (See section 5). Where changes to process
plant and equipment are undertaken, a similar document
should be produced identifying the impact on the
existing SCEs of each modification and identifying any
new SCEs resulting from the changes to MAHs (see
Section 9.1).
18
8.2.2 Performance Standards for SCEs
Once SCEs have been identified, Performance
Standards (PSs) need to be set for each (see Section 6).
Those PSs associated with establishing “initial
suitability” may be different to those used to assess
ongoing suitability throughout the operational life of the
SCE. There are a number of ways of dealing with this
issue including the development of separate PSs for
initial and ongoing assessment and the incorporation of
both into a single PS. Regardless of the approach taken,
it is essential that the requirement contained in the PS
assures that the SCE can fulfil its function. The PS must
also be written in such a way that it can be clearly
established whether or not the required standard of
performance has been achieved.
8.2.3 Documenting the scheme
There is no fixed way of documenting a new
construction verification scheme and a number of
methods have been employed ranging from having all
details and records in a single document to having a
number of separate documents dealing with different
requirements. In the later case, an overall document will
be necessary in order to describe how the various pieces
of documentation relate to each other. Whichever
approach is taken, it should ensure that all the details
required by Schedule 7 of OSCR are provided (see
section 8.1).
8.2.4 Execution
During the design and construction phase the following
issues need to be considered in executing the
verification scheme:
— Identification of design deliverables for
verification.
— Timing of verification submissions for design.
— Scope of procurement/fabrication verification
activities.
— Scope of verification activities during Hook up
Installation and Commissioning (HUIC).
— Verification during start-up activities.
— Close-out of Construction (Project) Verification
Scope.
(i) Identification of design deliverables for
verification
It is important that the design deliverables that are
subject to review by the ICP are clearly defined and
agreed as early as possible in the life of the project. This
 VERIFICATION THROUGHOUT THE ASSET LIFE
process is usually facilitated by a mark-up of the project
Master Document Register (MDR).
Sufficient records should be maintained by the ICP
to ensure that the documentation subject to review for
each SCE is clearly identified and that its status,
together with any associated ICP comment, can be
readily established at any time during the process. The
duty holder may elect to maintain these records himself.
A clear system should be established by the project
to alert the ICP to changes to design documentation
already examined which could affect the determination
of suitability. This will help to avoid any necessity for
examination of successive revisions of documentation
in the future. The system should be subject to ICP audit
and included as part of the overall verification scheme.
(ii) Timing of verification submissions for design
Where possible, design documentation should be
divided into logical packages per SCE in consultation
with the ICP and a schedule for submission/examination
established. This will allow the most effective use of
resources on behalf of the ICP and enable the progress
of the scheme, with regard to the different SCEs, to be
easily established.
It is particularly important that the ICP be given the
opportunity to review and comment on the design early
enough to be in a position to influence any changes
necessary to ensure suitability.
(iii) Scope of procurement/fabrication verification
activities
As early as possible within the FEED and detailed
design stages, a procurement register should be made
available to the ICP and agreement reached as to those
items which are to be subject to verification at source
(i.e. at a vendor’s works).
The extent of verification activities proposed will
be agreed between the ICP and duty holder and should
relate to the risk associated with failure of each of the
item(s) concerned.
Verification activities at vendors’ works or at major
fabrication sites, should be documented by the issue of
specific instructions to ICP surveyors complemented by
a mark-up of the vendor/fabricator’s planned inspection
and test schedules to indicate those points where
intervention is required.
(iv) Scope of verification activities during HUIC
Prior to commencement of commissioning activities
(either onshore or offshore) the commissioning plans for
SCE systems should be made available for ICP review,
comment and mark-up, to indicate those activities
subject to verification review and the extent of ICP
involvement. The nature and frequency of these
19
activities should again, be related to the risk of failure of
the SCE to perform and should be agreed between the
ICP and duty tolder.
Verification activities during commissioning should
be supported by the issue of specific instructions to ICP
surveyors.
(v) Verification during start-up activities
The project should produce a specific start-up plan for
bringing the new or modified facilities into use. The
purpose of this is to allow the duty holder to manage the
changing MAH and risk profile during this phase of the
project. This should be reviewed by the ICP and
agreement reached with the duty holder with regard to
a schedule for finally establishing suitability for each
SCE. Dependent on the situation, some SCEs will
require to be fully functional (and verified) sooner than
others and equally, “Partial” SCEs are likely to be
required at some stages.
A formal documented process should be established
which allows the duty holder to assess the status of
assurance and verification at each stage of the start-up
process.
(vi) Close-out of Construction (Project) Verification
Scope
At the end of the project, and as part of the handover to
operations, the conclusions of the project verification
scheme should be documented and agreed.
These will include:
— The results of the ICP scrutiny of the list of SCEs
and the verification scheme itself.
— A completed matrix relating examinations
undertaken to particular SCEs.
— Completed and signed off ICP work instructions
issued at each stage.
— A statement of any conditions or reservations
expressed by the ICP during the course of the
examinations.
— A final statement as to the suitability of the
identified SCEs.
8.3 IN-SERVICE VERIFICATION
Verification of the ongoing suitability of SCEs on
offshore installations begins once they are in operation.
An in-service verification scheme should be prepared
during the construction phase and all interested parties
made familiar with it before the installation is taken into
operation. Those interested parties include:
— Duty holder’s verification engineer/coordinator.
 GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
— Technical Authorities within the duty holder and
engineering support organisations.
— Representatives from the duty holder’s Safety
Engineering department.
— Relevant ICPs.
8.3.1 Units entering the UKCS
In the case of an existing installation being taken into
use on the UKCS for the first time, a safety case should
be developed and an associated verification scheme
should be set in place in preparation for the beginning
of the operating period. It will be necessary for such a
scheme to address the 'initial' as well as the 'ongoing'
suitability of the identified SCEs.
8.3.2 Scheme revision
Verification schemes should be kept under continuous
review and revised as often as is necessary to keep them
up to date. In addition to periodic reviews a scheme
review should be initiated by changes such as the
following:
— Revision of any Codes or Standards referenced in
the scheme.
— Modifications to the installation which result in
amendments to the list of SCEs.
— Significant revision to the installation Safety Case.
— Changes to installation operating parameters.
— Changes to environmental conditions.
8.3.3 Reporting
Reports of verification surveys undertaken by ICPs
either onshore or offshore should be presented to the
duty holder’s nominated representative in a timely
manner. Each report should provide the duty holder
with a clear representation of the condition of the SCE
and confirmation or otherwise, that the PS has been
fully addressed. It is not sufficient to report 'by
exception' as this does not present a full picture of the
condition of the SCEs.
20
8.3.4 ICP Recommendations
In instances where a compromised SCE is identified or
where a PS is inadequately addressed during the
verification process, the ICP report should contain a
clear statement regarding 'continuing suitability' and a
recommendation as to the course of action which should
be adopted by the duty holder.
The verification scheme should contain targets for
initial response times and final close-out times for ICP
recommendations.
It is the duty holder’s responsibility to address any
recommendation made by the ICP in order to restore the
affected SCE to the capability stipulated by the PS, in
the most expedient manner.
8.4 DECOMMISSIONING
8.4.1 Review of MAHs.
At least three months prior to decommissioning taking
place, the duty holder should prepare revisions to the
installation safety case and these should be assessed for
any impact on the list of SCEs. These changes would
result from:
— A hydrocarbon free environment.
— Hazard identification primarily focussed on heavy
construction, lifting and marine operations.
— Residual hazards after the decommissioning:
- navigational/marine traffic;
- environmental/pollution;
- seabed/fishing gear.
The amended SCE list will be significantly different
from the operational case and PSs should be revised or
rewritten and a decommissioning verification scheme
produced that will confirm ongoing suitability of SCEs
during key stages of the decommissioning.
 9
CHANGE MANAGEMENT
9.1 MODIFICATIONS
9.1.1 Importance of duty holders’ Management
of Change systems
Duty holders should have a documented and effective
process for the management of change and
modifications to platform systems, components or
structures. Responsibility and/or accountability of
individuals within the duty holder’s organisation for the
various functions within the change process should be
clearly defined. Changes directly affecting SCEs or
impacting on SCE functions in managing risk should
provide for update of any formal risk assessments where
appropriate. The process should make explicit reference
to the involvement of the ICP in all modifications which
impact upon existing SCEs or the creatation of new
ones. The 'management of change' document should be
controlled by the duty holder and referenced in the duty
holder’s verification scheme.
9.1.2 Need for SCE Impact study
During the assessment of individual modifications, it is
important to have a thorough understanding of the
original MAH identification and the philosophies for
prevention, mitigation and control. All modifications
should be assessed to establish their impact on the
existing list of SCEs or if they create additional SCEs.
For those modifications which are confirmed to have
safety critical content, the following aspects need to be
considered:
21
— Identification of new SCEs.
— Reassessment of existing Performance Standards
and the need for new Performance Standards for
new SCEs.
— Need to clearly document project verification
activities for "initial suitability".
— Incorporation of changes and modifications into
ongoing operational verification (and maintenance)
regimes with any proposed revisions to SCE
maintenance regimes being reviewed by the ICP.
— Involvement of operations and the "Operational"
ICP in project scope.
9.2 TEMPORARY EQUIPMENT
9.2.1 Temporary equipment impact on SCEs
Duty holders should have a documented process in
place to demonstrate their intention and ability to
manage the transportation and use of temporary
equipment and in particular, equipment which adds to or
impacts upon the list of SCEs. This process should be
referenced in the Verification Scheme for each
installation.
9.2.2 Performance Standards for temporary
equipment
Performance Standards should be established for items
of temporary equipment in all cases where the existing
PS applicable to the installation is either inadequate or
inappropriate.
 GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
9.2.3 Assurance and verification activities for
temporary equipment
Temporary or portable equipment for use on an offshore
installation should be subject to appropriate assurance
and verification activities if:
— The equipment in itself creates an addition to the
platform list of SCEs (e.g. demountable drilling
equipment not permanently held on the
installation).
— The equipment impacts on any of the existing
platform SCEs:
- by virtue of the planned location on the
installation (e.g. engine driven generator/
compressor required to operate in a designated
hazardous area);
- by virtue of the proposed application (e.g. well
intervention equipment once it becomes part of
the reservoir pressure envelope).
22
The installation verification scheme should identify the
nature and frequency of assurance and verification
activities associated with temporary equipment; these
should include:
— Examination of equipment prior to shipment.
— Witnessing of testing prior to shipment.
— Review of manufacturers’ / suppliers’ records /
certification.
— Examination of equipment offshore.
— Auditing of the management processes and records
held:
- by the duty holder onshore and offshore;
- by the Shipping/Forwarding contractor.
Comprehensive records should be maintained by the
duty holder to confirm adherence to the process. These
records should be available to the ICP.
 10

REFERENCES AND
GLOSSARY OF TERMS

10.1 REFERENCES OF FURTHER 10.2 GLOSSARY OF TERMS

INFORMATION

List of references and further information sources from FEED Front End Engineering Design
HSE, UKOOA and EI: HUIC Hook Up, Installation and Commissioning
ICPs Independent Competent Persons
— A Guide to the Offshore Installations (Safety Case) MAHs Major Accident Hazards
Regulations 2005 (HSE, 2006) MDR Master Document Register
OSCR Offshore Safety Case Regulations
— Prevention of Fire and Explosion and Emergency PFEER Prevention of Fire and Explosion and
Response on Offshore Installations – Approved Emergency Response Regulations
Code of Practice and Guidance (HSE, 1997) PSs Performance Standards
SCEs Safety Critical Elements
— Asset Integrity Toolkit (UKOOA, 2006) UKOOA UK Offshore Operators Association

23
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

24