2nd edition
An IP Publication
Second edition
March 2007
GUIDELINES FOR THE MANAGEMENT OF
SAFETY CRITICAL ELEMENTS
Published by
ENERGY INSTITUTE, LONDON
The Energy Institute is a professional membership body incorporated by Royal Charter 2003
Registered charity number 1097899
Endorsed by
The United Kingdom Offshore Operators Association and the HSE Offshore Safety Division
The Energy Institute gratefully acknowledges the financial contributions towards the scientific and
technical programme from the following companies:
No part of this book may be reproduced by any means, or transmitted or translated into a machine language without
the written permission of the publisher.
The information contained in this publication is provided as guidance only and while every reasonable care has been
taken to ensure the accuracy of its contents, the Energy Institute cannot accept any responsibility for any action taken,
or not taken, on the basis of this information. The Energy Institute shall not be liable to any person for any loss or
damage which may arise from the use of any of the information contained in any of its publications.
The above disclaimer is not intended to restrict or exclude liability for death or personal injury caused by own
negligence.
Further copies can be obtained from Portland Customer Services, Commerce Way,
Whitehall Industrial Estate, Colchester CO2 8HP, UK. Tel: +44 (0) 1206 796 351
e: sales@portland-services.com
Foreword
Acknowledgements
1 Introduction
2 Background to the revision of Guidelines for the management of safety critical elements
3 Applicable legislation
5 Identification of SCEs
9 Change management
9.1 Modifications
9.2 Temporary equipment
FOREWORD
In 2005, the UKOOA led Installation Integrity Working Group (IIWG) requested that the Energy Institute manage
the review and revision of the UKOOA Guidelines for the management of safety critical elements, first issued in
September 1996. This project required the formation of a separate (sub) Working Group from the parent IIWG
members.
The revision exercise was part of a programme of work undertaken by the IIWG which included development and
promotion of industry good practices and suitable performance measures. A principal deliverable of this Working
Group was the Asset Integrity Tool Kit, which includes an Assurance and Verification Tool outlining the
requirement for identification, assurance and verification of Performance Standards for Safety Critical Elements.
These Guidelines are therefore considered as providing valuable input for this element of the management of
installation integrity.
It is intended that these Guidelines should provide good practice for the management of safety critical elements for
offshore installations and will be of use principally for those involved in assurance and verification. The document
should also provide a useful guide for duty holders, managers of operations, safety, engineering and maintenance
functions, and an initial introduction for those who wish to become involved in the subject.
This document has been compiled as guidance only and while every reasonable care has been taken to ensure the
accuracy and relevance of its contents, the Energy Institute, its sponsoring companies, the document writer and the
Working Group members listed in the Acknowledgements who have contributed to its preparation, cannot accept
any responsibility for any action taken, or not taken, on the basis of this information. The Energy Institute shall not
be liable to any person for any loss or damage which may arise from the use of any of the information contained in
any of its publications.
These Guidelines will be reviewed in future and it would be of considerable assistance for any subsequent revision
if users would send comments or suggestions for improvements to:
e: technical@energyinst.org.uk
ACKNOWLEDGEMENTS
The Institute wishes to record its appreciation of the work carried out by the following individuals:
Tim Walsh of Lloyds Register EMEA, for the drafting of this document.
Members of the Joint Industry Working Group, which was set up to steer the re-drafting programme and who have
provided valuable expertise:
Garry Mannett BV
Richard McCabe BV
Phil Rothie BV
Ruth White DNV
The Institute also wishes to recognise the contribution made by those who have provided comments on the Draft
document which was issued during an industry consultation period.
1
INTRODUCTION
The purpose of this document is to provide industry guidance for the management of Safety Critical Elements (SCEs) on offshore installations operating on the UK continental shelf. SCEs are the equipment and systems which provide the basis to manage the risks associated with Major Accident Hazards (MAHs). This document should be read in conjunction with the Offshore Installations (Safety Case) Guidelines. This publication replaces that of the same title produced by the UK Offshore Operators Association (UKOOA) in 1996.

The starting point for this guidance is a review of the applicable legislation and a summary of the key concepts underpinning the management of SCEs. The document then describes the process by which SCEs are identified and performance standards set. The process of verification is central to ensuring that the integrity of SCEs is maintained and guidance is provided for the management of verification throughout the various stages of the asset lifecycle. The document also deals with the management of change in relation to SCEs and concludes by identifying sources of further information including good practice and FAQs.

This document is aimed at all those who have an interest and/or involvement in the management of SCEs, particularly those responsible for the management of technical and operational activities within, or on behalf of, duty holders.
3
APPLICABLE LEGISLATION
The requirement for industry to manage SCEs is covered either directly or indirectly by the following regulations:

— The Offshore Installations (Safety Case) Regulations 2005.
— The Offshore Installations (Prevention of Fire and Explosion and Emergency Response) Regulations 1995 (PFEER).

The following table shows how these regulations relate to the management of SCEs.
5
IDENTIFICATION OF SCEs
Although there are various different, and equally acceptable, ways of identifying SCEs there are steps which are common to all. These common steps are shown in Figure 5.1 and described below.
Step 1: Identify the major accident events on the installation

This is carried out using a series of hazard identification techniques, involving both qualitative and quantitative methods. The results from this process are generally recorded in a Hazard Register which documents all of the potential major accident event scenarios on an installation, and should be documented in the safety case for the installation.

Step 2: Identification of structures and plant which can cause, contribute to, prevent or help recover from a major accident

Duty holders will generally utilise lists of plant and equipment, extracted from their computerised maintenance management systems, as the starting point for assessing which of the items on the list are safety critical. The issue of 'how deep to dig' is one that requires to be addressed before the identification process can begin. Approaches vary, but SCEs need to be defined at an appropriate level such that they have a direct linkage to MAHs, and it is also clear whether or not an equipment item forms part of one or more SCEs.

A team approach to SCE selection is usual as it is unlikely that a single person would have sufficient technical appreciation of the major accident analyses and detailed knowledge of the installation. Starting from the complete list of equipment the team should assess each item in turn and form a view as to whether it could cause, contribute to, prevent or help recover from, a major accident.

The outcome of these deliberations should be recorded giving the reasons why an item has, or has not been identified as safety critical and with reference to the relevant major accident hazard.

Step 3: Identify PFEER Specified Plant

Specified Plant is any of the plant of an installation which is provided:

— To comply with Regulations 11(1)(a), 13, 15 and 16 of the PFEER Regulations.
— As a means of detecting fire and for detecting and recording accumulations of flammable gases (as required by Regulation 10 of the PFEER Regulations).
— Measures to combat fire and explosion as required by Regulation 12 of the PFEER Regulations.

Step 4: Prepare a record of items identified as Safety Critical Elements

It is important that the record of SCEs is maintained up to date, therefore the major accident analyses and the list of SCEs should be reviewed periodically. The list should also be reviewed prior to the addition of new equipment or modification of existing plant.

A typical (but non-exhaustive) example, showing the interrelationship between MAHs and SCEs is given below.
6
DEVELOPMENT OF PERFORMANCE STANDARDS
This activity follows from the identification of MAHs and selection of SCEs described in Section 5.

The creation of Performance Standards (PSs) is the process by which a duty holder sets out what is expected of an SCE. The PSs are the criteria against which the initial and ongoing suitability of an SCE is assessed. Safety Integrity Level (SIL) assessments may be used to develop PSs for instrument based protective systems.

Performance Standards for SCEs are generally defined in terms of:

— Functionality – What is it required to do?
— Availability – For what proportion of time will it be capable of performing?
— Reliability – How likely is it to perform on demand?
— Survivability – Does it have a role to perform post event?
— Interactions – Do other systems require to be functional for it to operate?
7
It is the responsibility of the duty holder to ensure that SCEs are able to perform their intended functions with the required availability and reliability throughout their service.

This should be achieved by the following means:

1. Identifying those assurance activities, such as maintenance, inspection and testing, that are required to maintain the SCE in a suitable condition.
2. Ensuring that assurance activities are carried out at the appropriate time by competent people.
3. Maintaining a record of these activities and any findings that arise.
4. Addressing any deficiencies arising from assurance activities as soon as possible and taking any temporary measures that may be necessary to maintain risk ALARP until deficiencies have been rectified. Any temporary measures should be subject to review and comment by the ICP.
8
This section provides an overview of verification and description of how verification should be approached during the various stages of the asset’s life.

8.1.1 Elements of a verification scheme

A verification scheme must address the following (see OSCR (2005) Schedule 7):

1. The principles to be used in selecting persons to perform functions under the scheme and keep it under review (i.e. the ICP).
2. Arrangements for communicating necessary information to persons performing functions under the scheme and reviewing it.
3. The nature and frequency of examination and testing.
4. Arrangements for reviewing and revising the scheme.
5. Arrangements for record keeping for examinations and tests carried out, results and findings, recommended actions and close-out of recommended actions.
6. Arrangements for communicating 5. to the appropriate level in the duty holder’s organisation.

The ICP is required to review and comment on the list of SCEs and ensure himself that Performance Standards are appropriate; any reservation raised by the ICP should be recorded.

The verification scheme may be drawn up by either the duty holder (or an appointee acting on its behalf), or the duty holder in conjunction with the ICP. If it is not drawn up by the ICP, then the ICP must review and comment on the scheme and a record of that review (including any comments or reservations as a result of unresolved issues arising) should be retained as part of the scheme records.

The ICP is responsible for carrying out the verification activities detailed in the verification scheme. The duty holder is responsible for ensuring that the ICP is provided with all access necessary and information required to carry out the verification activities.

8.1.3 Verification activities

Verification activities are those carried out by the ICP and are intended to either directly establish the suitability of the SCE, or to establish that appropriate assurance activities have been undertaken (e.g. the witnessing of emergency shutdown system function tests).

Both assurance and verification activities should be defined in the same written scheme of examination, but only an ICP can carry out verification activities.
The verification scheme should provide a clear indication of the nature and frequency of the verification activity that the ICP is expected to carry out.

When assurance and maintenance work is carried out sufficient information should be recorded to show that the SCE remains in good repair and condition. This is particularly important where availability and reliability performance standards require to be demonstrable.

8.2 VERIFICATION IN THE CONCEPT, FEED, DESIGN, CONSTRUCTION AND COMMISSIONING PHASES

During these initial phases of a development project, the duty holder is required to demonstrate “initial suitability” of SCEs through the following:

8.2.2 Performance Standards for SCEs

Once SCEs have been identified, Performance Standards (PSs) need to be set for each (see Section 6). Those PSs associated with establishing “initial suitability” may be different to those used to assess ongoing suitability throughout the operational life of the SCE. There are a number of ways of dealing with this issue including the development of separate PSs for initial and ongoing assessment and the incorporation of both into a single PS. Regardless of the approach taken, it is essential that the requirement contained in the PS assures that the SCE can fulfil its function. The PS must also be written in such a way that it can be clearly established whether or not the required standard of performance has been achieved.

8.2.3 Documenting the scheme
VERIFICATION THROUGHOUT THE ASSET LIFE
process is usually facilitated by a mark-up of the project Master Document Register (MDR).

Sufficient records should be maintained by the ICP to ensure that the documentation subject to review for each SCE is clearly identified and that its status, together with any associated ICP comment, can be readily established at any time during the process. The duty holder may elect to maintain these records himself.

A clear system should be established by the project to alert the ICP to changes to design documentation already examined which could affect the determination of suitability. This will help to avoid any necessity for examination of successive revisions of documentation in the future. The system should be subject to ICP audit and included as part of the overall verification scheme.

(ii) Timing of verification submissions for design
Where possible, design documentation should be divided into logical packages per SCE in consultation with the ICP and a schedule for submission/examination established. This will allow the most effective use of resources on behalf of the ICP and enable the progress of the scheme, with regard to the different SCEs, to be easily established.

It is particularly important that the ICP be given the opportunity to review and comment on the design early enough to be in a position to influence any changes necessary to ensure suitability.

(iii) Scope of procurement/fabrication verification activities
As early as possible within the FEED and detailed design stages, a procurement register should be made available to the ICP and agreement reached as to those items which are to be subject to verification at source (i.e. at a vendor’s works).

The extent of verification activities proposed will be agreed between the ICP and duty holder and should relate to the risk associated with failure of each of the item(s) concerned.

Verification activities at vendors’ works or at major fabrication sites, should be documented by the issue of specific instructions to ICP surveyors complemented by a mark-up of the vendor/fabricator’s planned inspection and test schedules to indicate those points where intervention is required.

(iv) Scope of verification activities during HUIC
Prior to commencement of commissioning activities (either onshore or offshore) the commissioning plans for SCE systems should be made available for ICP review, comment and mark-up, to indicate those activities subject to verification review and the extent of ICP involvement. The nature and frequency of these activities should again, be related to the risk of failure of the SCE to perform and should be agreed between the ICP and duty holder.

Verification activities during commissioning should be supported by the issue of specific instructions to ICP surveyors.

(v) Verification during start-up activities
The project should produce a specific start-up plan for bringing the new or modified facilities into use. The purpose of this is to allow the duty holder to manage the changing MAH and risk profile during this phase of the project. This should be reviewed by the ICP and agreement reached with the duty holder with regard to a schedule for finally establishing suitability for each SCE. Dependent on the situation, some SCEs will require to be fully functional (and verified) sooner than others and equally, “Partial” SCEs are likely to be required at some stages.

A formal documented process should be established which allows the duty holder to assess the status of assurance and verification at each stage of the start-up process.

(vi) Close-out of Construction (Project) Verification Scope
At the end of the project, and as part of the handover to operations, the conclusions of the project verification scheme should be documented and agreed.
These will include:

— The results of the ICP scrutiny of the list of SCEs and the verification scheme itself.
— A completed matrix relating examinations undertaken to particular SCEs.
— Completed and signed off ICP work instructions issued at each stage.
— A statement of any conditions or reservations expressed by the ICP during the course of the examinations.
— A final statement as to the suitability of the identified SCEs.

8.3 IN-SERVICE VERIFICATION

Verification of the ongoing suitability of SCEs on offshore installations begins once they are in operation. An in-service verification scheme should be prepared during the construction phase and all interested parties made familiar with it before the installation is taken into operation. Those interested parties include:

— Duty holder’s verification engineer/coordinator.
— Technical Authorities within the duty holder and engineering support organisations.
— Representatives from the duty holder’s Safety Engineering department.
— Relevant ICPs.

8.3.1 Units entering the UKCS

In the case of an existing installation being taken into use on the UKCS for the first time, a safety case should be developed and an associated verification scheme should be set in place in preparation for the beginning of the operating period. It will be necessary for such a scheme to address the 'initial' as well as the 'ongoing' suitability of the identified SCEs.

8.3.4 ICP Recommendations

In instances where a compromised SCE is identified or where a PS is inadequately addressed during the verification process, the ICP report should contain a clear statement regarding 'continuing suitability' and a recommendation as to the course of action which should be adopted by the duty holder.

The verification scheme should contain targets for initial response times and final close-out times for ICP recommendations.

It is the duty holder’s responsibility to address any recommendation made by the ICP in order to restore the affected SCE to the capability stipulated by the PS, in the most expedient manner.
9
CHANGE MANAGEMENT
9.2.3 Assurance and verification activities for temporary equipment

Temporary or portable equipment for use on an offshore installation should be subject to appropriate assurance and verification activities if:

— The equipment in itself creates an addition to the platform list of SCEs (e.g. demountable drilling equipment not permanently held on the installation).
— The equipment impacts on any of the existing platform SCEs:
  - by virtue of the planned location on the installation (e.g. engine driven generator/compressor required to operate in a designated hazardous area);
  - by virtue of the proposed application (e.g. well intervention equipment once it becomes part of the reservoir pressure envelope).

The installation verification scheme should identify the nature and frequency of assurance and verification activities associated with temporary equipment; these should include:

— Examination of equipment prior to shipment.
— Witnessing of testing prior to shipment.
— Review of manufacturers’ / suppliers’ records / certification.
— Examination of equipment offshore.
— Auditing of the management processes and records held:
  - by the duty holder onshore and offshore;
  - by the Shipping/Forwarding contractor.

Comprehensive records should be maintained by the duty holder to confirm adherence to the process. These records should be available to the ICP.
10
REFERENCES AND GLOSSARY OF TERMS
List of references and further information sources from HSE, UKOOA and EI:

— A Guide to the Offshore Installations (Safety Case) Regulations 2005 (HSE, 2006)
— Prevention of Fire and Explosion and Emergency Response on Offshore Installations – Approved Code of Practice and Guidance (HSE, 1997)
— Asset Integrity Toolkit (UKOOA, 2006)

FEED: Front End Engineering Design
HUIC: Hook Up, Installation and Commissioning
ICPs: Independent Competent Persons
MAHs: Major Accident Hazards
MDR: Master Document Register
OSCR: Offshore Safety Case Regulations
PFEER: Prevention of Fire and Explosion and Emergency Response Regulations
PSs: Performance Standards
SCEs: Safety Critical Elements
UKOOA: UK Offshore Operators Association