Download ADNOC-COPV6!01!2004 (Ver-1) - CoP on Identification & Integrity Assurance of HSECES...
ABU DHABI NATIONAL OIL COMPANY
HEALTH SAFETY AND ENVIRONMENTAL MANAGEMENT MANUAL OF CODES OF PRACTICE VOLUME 6 : VERIFICATION OF TECHNICAL INTEGRITY
CODE OF PRACTICE ON IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS ADNOC-COPV6-01
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY
Version 1 September, 2004
COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Page 2 of 36
Document No: ADNOC-COPV6-01
RECORD OF REVISION Revision No.
Date
Section/Page
Reason
Copyright The copyright and all other rights of a like nature in this document are vested in Abu Dhabi National Oil Company (ADNOC), Abu Dhabi, United Arab Emirates. This document is issued as part of the Manual of HSE Codes of Practice (the “Manual”) and as guidance to ADNOC, ADNOC Group Companies and independent operators engaged in the Abu Dhabi oil & gas industries. Any of these parties may give copies of the entire Manual or selected parts thereof to their contractors implementing HSE standards in order to qualify for award of contracts or for the execution of awarded contracts. Such copies should carry a statement that they are reproduced by permission of ADNOC, and an explanatory note on the manner in which the Manual is to be used. Disclaimer No liability whatsoever in contract, tort or otherwise is accepted by ADNOC or any of its Group Companies, their respective shareholders, directors, officers and employees whether or not involved in the preparation of the Manual for any consequences whatsoever resulting directly or indirectly from reliance on or from the use of the Manual or for any error or omission therein even if such error or omission is caused by a failure to exercise reasonable care.
All administrative queries should be directed to the Manual of HSE Codes of Practice Administrator in:
Environment Health & Safety Division, Exploration & Production Directorate, Abu Dhabi National Oil Company, P. O. Box : 898, Abu Dhabi, United Arab Emirates. Telephone : (9712) 6023782 Fax: (9712) 6668089 Internet site: www.adnoc.com E-mail:
[email protected]
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 3
Document No: ADNOC-COPV6-01
CONTENTS
PAGE
I. PURPOSE..............................................................................................................4 II. DEFINITIONS.........................................................................................................4 III. EXISTING LAWS ...................................................................................................7 1. INTRODUCTION....................................................................................................8 2. IDENTIFICATION OF HSE CRITICAL EQUIPMENT AND SYSTEMS................12 2.1 HSECES ......................................................................................................12 2.2 HSE Critical Integrity Activities.................................................................15 3. PERFORMANCE STANDARDS..........................................................................17 3.1 Setting Performance Standards................................................................17 3.2 Performance Standards for HSECES, the Purpose of Which is to Prevent or Limit the Effect of a Major Accident.......................................17 4. HSE CRITICAL RECORDS .................................................................................18 5. INTEGRITY REVIEWS.........................................................................................19 5.1 Design .........................................................................................................19 5.2 Fabrication, Construction, Installation and Commissioning..................20 5.3 Operation ....................................................................................................21 5.4 Maintenance ...............................................................................................21 5.5 Modification and Repair.............................................................................22 5.6 Decommissioning and Disposal ...............................................................23 6. INSPECTION, TEST AND EXAMINATION .........................................................24 7. ASSURANCE AND AUDIT ..................................................................................25 7.1 HSECES Performance Assurance ............................................................25 7.2 The use of Key Performance Indicators...................................................26 7.3 Independent Competent Person ...............................................................26 7.4 HSE Critical Integrity Audit Scheme.........................................................26 8. CERTIFICATION..................................................................................................28 8.1 Certification Requirements .......................................................................28 8.2 Certification Procedures............................................................................28 9. CONTROL OF TEMPORARY CHANGES ...........................................................29 10. LONG-TERM SHUTDOWN..................................................................................30 REFERENCES ..........................................................................................................31 Appendix 1 Guidelines for determining the scope of HSE Critical Integrity Audits ..................................................................................................32
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 4
Document No: ADNOC-COPV6-01
I.
PURPOSE This Codes of Practice defines and documents a process by which the ADNOC Group can ensure that Health, Safety and Environment-critical equipment and systems (HSECES), operated by Group Companies, are both suitable for their required function and maintained in a condition so that they will continue to perform their required function. It covers any structure, plant, equipment or computer programmes which may be identified as HSECES and the procedures required to maintain the integrity of this equipment and systems. HSE-critical operating procedures, HSE-critical competencies and other aspects of HSEMS are not dealt with here, but are described in the ADNOC Code of Practice on HSE Administration Systems’ [9] and other relevant HSE Codes of Practice.
II.
DEFINITIONS Asset In the context of the ADNOC Codes of Practice an asset is an engineered piece of equipment (i.e. it excludes reservoirs, people, etc.). An asset can be categorised in various ways e.g. in order of increasing detail business unit, offshore platform or onshore plant, process train/unit, equipment type (e.g. pipelines, structures) or equipment tag numbers. Asset Integrity An asset has integrity if it operates as designed for its assigned life (or greater) with all its risks as low as reasonably practicable, or as nominated. Asset Integrity is also referred to as Technical Integrity throughout the ADNOC Codes of Practice. Assurance All activities necessary to make sure that HSE Critical Equipment and Systems (HSECES) are suitable, have the desired integrity and will continue to perform their function. Note: This should not be confused with assurance as in reporting that integrity “is O.K.” (or otherwise), i.e. an opinion derived from analysis of performance measures, inspection reports, etc. Such assurance is a professional opinion based on knowledge and experience and as such is not infallible. Availability The likelihood that a HSECES will perform its function on demand or when called upon to do so.
[9] ADNOC Manual of Codes of Practice: ‘Code of Practice on HSE Administration Systems’, ADNOC-COPV1-01.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 5
Document No: ADNOC-COPV6-01
Examination The process by which an Independent Competent Person satisfies himself that an HSECES is in a suitable condition by inspection field-testing, examination of records and interviews with personnel. Functionality What an HSECES does – its intended purpose e.g. a functional specification for a control or mitigation measure will describe how the HSECES will fulfil its role in limiting the event or protecting people HSE Critical Of particular importance to preventing, controlling or mitigating the risks from major accident hazards or occupational hazards with the potential for critical, severe or catastrophic consequences (as defined in ADNOC Risk Management Guideline). It can apply to equipment, management systems, procedures, records, activities and tasks (and the competencies required for these tasks). HSE-Critical Activities Activities that are important in preventing events with potential to cause serious harm to people, the environment or property or which can reduce the impact of such an event. Note: The definition of serious harm includes the critical, severe and catastrophic categories shown in the risk potential matrix in the ADNOC Risk Management Guidelines. HSE Critical Equipment and Systems (HSECES) Parts of an installation and such of its structures, plant equipment and systems (including computer programmes) or any part thereof, the failure of which could cause or contribute substantially to; or a purpose of which is to prevent or limit the effect of a major accident or any accident with severe or catastrophic consequences (as defined in ADNOC Group Guideline on HSE Risk Management *). * Note:
When comparing the definitions of ‘HSECES’ and ‘HSE Critical’ please note that the former excludes the category ‘Critical’ as defined in ADNOC Risk Management Guideline. This is excluded specifically to avoid unnecessary clutter of HSECES inventories.
HSE Critical Integrity Activity Activities such as design, construction, installation, commissioning, operation, modification, repair, inspection, testing or examination associated with assuring the integrity of a HSECES. HSE Critical Integrity Audit An audit of one or more HSECES, as conducted by an Independent Competent Person, to verify that the HSECES are, and remain, suitable, i.e. that they meet appropriate performance standards. .
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 6
Document No: ADNOC-COPV6-01
Independent Competent Person Person appointed by a Group Company to carry out audits of HSE Critical Integrity Activities. The Independent Competent Person must be able to demonstrate the necessary competence and experience and may be an outside consultant/contractor. Alternatively, the Independent Competent Person may be from within the Group Company organisation, provided that independence from the organisation(s) tasked with carrying out the HSE Critical Activities can be demonstrated. The Independent Competent Person may be a team of several individuals where this is required to ensure an appropriate level of competency or to complete audit tasks in a reasonable period of time. IPF Instrumented Protective Functions. Major Accident Major accident means an ‘Uncontrolled Occurrence’ in the operation of a site or pipeline which leads to severe or catastrophic consequences to people, assets, the environment and/or company reputation (as defined in the ADNOC Group HSE Risk Management Guidelines). The consequences may be immediate or delayed and may occur outside as well as inside the site. There will also be a high potential for escalation. Note: Examples of ‘Major Accidents’ would include, but are not limited to: •
loss of containment of flammable and/or toxic fluids leading to fire, explosion and/or toxic injury
•
events resulting in structural failure which could lead to further progressive collapse
•
loss of stability of mobile offshore installation
•
well blowouts
•
ships colliding with offshore installations or onshore jetties used for bulk loading explosive, flammable or toxic substances.
•
service vessel colliding with or otherwise affecting offshore installations
•
other external hazards affecting offshore and onshore sites e.g. Accommodation/work barges alongside fixed installations, helicopters and aircraft, road/marine product tankers
The definition of ‘Major accident’ specifically excludes ‘Occupational accidents’ which have bounded, albeit possibly severe or catastrophic consequences. This means that one or more pedestrian fatalities resulting from a road accident on a site (however regrettable and tragic) would not be defined as a ‘Major Accident’. Similarly, one or more fatalities resulting from a fall from a scaffolding platform (again regrettable and tragic) would not be defined as a ‘Major Accident’.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 7
Document No: ADNOC-COPV6-01
The purpose of this definition of ‘Major accident’ is to identify ‘Major Hazard Sites’ for the purposes of this Code of Practice. ‘Major Hazard Site Operators’ will be required to prepare a COMAH Report and submit it to ADNOC . NDT Non Destructive Testing Performance Standard A statement which can be expressed in qualitative or quantitative terms, of the performance required of a system, item of equipment or computer programme and which is used as the basis for verification throughout the life cycle of the installation. Place of Safety Place remote from the actual and foreseeable harmful effects of any major accident where first aid can be administered, if required. Suitability Property of a HSECES that it is of a design and specification such that it is capable of fulfilling its intended function. Survivability Conditions necessary for a HSECES to remain functional during an incident until it has performed its function. Technical Integrity See Asset Integrity. Written Scheme of Examination Detailed listing of activities to be carried out by an Independent Competent Person during audits of a certain HSECES.
III.
EXISTING LAWS Relevant UAE legislation applicable to the subject of this Code of Practice is described in the ADNOC Codes of Practice on HSE Administration Systems’, [9].
[9] ADNOC Manual of Codes of Practice: ‘Code of Practice on HSE Administration Systems’, ADNOC-COPV1-01.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY
Version 1 September, 2004
COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Page 8
Document No: ADNOC-COPV6-01
1.
INTRODUCTION This Code of Practice covers HSE Critical Equipment and Systems (HSECES) on assets operated by ADNOC Group Companies. HSECES is defined as parts of an installation and such of its structures, plant equipment and systems (including computer programmes) or any part thereof, the failure of which could cause or contribute substantially to; or a purpose of which is to prevent or limit the effect of a major accident or any accident with severe or catastrophic consequences (as defined in ADNOC Group Guideline on HSE Risk Management). Hence it is essential that the integrity of HSECES is assured throughout the lifecycle of facilities, from design to decommissioning and disposal. A typical asset integrity lifecycle is illustrated in Figure 1.
OPERATE INSPECT
COMMISSION
CORROSION MNGT
QA/QC
ASSET INTEGRITY MANAGEMENT SYSTEM
BUILD
MAINTAIN
REVI EW IMPROVE
PROCURE
DESIGN
Learning for future projects
CHANGE
DECOMMISSION DISPOSE
CONCEPT
INTE GRITY ASSURANCE
FIGURE 1: Asset integrity life cycle An asset has integrity: •
“When it operates as designed…….”. This means that it operates safely and complies with all tests and examinations. It also infers that the supporting management systems are being followed.
•
“for its designed life (or greater)….”. This means that replacements, upgrades and repairs must be done in a timely, planned manner.
•
“with all its risks as low as reasonably practicable, or as nominated.” This means that all safeguarding and emergency systems
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 9
Document No: ADNOC-COPV6-01
associated with the asset are in good shape and able to avoid any escalation or subsequent damage from incidents. The term “Assurance” as used in this document is essentially “ensuring that technical integrity exists” by means of an Asst Integrity Management System, and integrity assurance of HSECES is a critical subset of such a system. A simplified Integrity Management System for HSECES is illustrated in Figure 2. The identification of HSECES is dealt with in Section 2.1, which includes examples of HSECES. Activities that ensure HSECES are suitable for their defined function and will continue to remain so are termed HSE Critical Integrity Activities. These include design, maintenance and testing activities. They are described in Section 2.2. The correct performance of HSE Critical Integrity Activities assures integrity of the HSECES. HSECES must have performance standards. A performance standard is a statement expressed in qualitative or quantitative terms, of the performance required of a system, item of equipment or computer programme and which is used as the basis for verification throughout the life cycle of the installation. This is described in Section 3. ADNOC Group Companies must keep records relating to the HSECES and must allow Independent Competent Persons access to these records when carrying out audit duties to of the HSECES assurance process. This is described in Section 4. ADNOC Group Companies must carry out reviews at appropriate points throughout the lifetime of a facility to ensure that: •
HSECES are suitable for their intended function; and
•
HSECES remain in a condition whereby they can continue to perform their intended function.
The nature of these reviews and their timing is described in Section 5. In general, HSECES require regular examination, inspection and testing to ensure that they remain able to perform their function. The requirements for formalising and recording these activities to allow independent audits of the HSECES assurance process are described in Section 6. Section 7 deals with assurance and independent audits that verify that the systems, processes and procedures are in place and are being complied to ensure that HSECES remain able to perform their function. Some ADNOC Group Companies currently use the services of international certifying authorities, who regularly monitor HSECES and associated records to ensure they remain safe and operable according to international code. The relationship between certification and integrity assurance is discussed in Section 8.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY
Version 1 September, 2004
COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Page 10
Document No: ADNOC-COPV6-01 OPERATIONS PHASE
PROJECT PHASE Establish Management System for HSECES Technical Integrity as req’d for Design, Engineering, Procurement, Construction, Commissioning
Transfer & update project records
• Organisation • HSECES activities and critical tasks • Required competencies
Establish Management System for HSECES Technical Integrity as req’d for Maintenance, Modification, Repair, Operation, Disposal, Decommissioning, Inspection, Testing, Examination, Certification • Organisation • HSECES activities and critical tasks • Required competencies
Define Major Accident Hazard Scenarios as per COMAH Report
Transfer & update project records
Define Major Accident Hazard Scenarios as per COMAH Report
Identify HSECES Parts of facility, the failure of which could cause or contribute substantially to; or a purpose of which is to limit the effect of a major accident
Transfer & update project records
Identify HSECES Parts of facility, the failure of which could cause or contribute substantially to; or a purpose of which is to limit the effect of a major accident
Define functionality of HSECES (how do they prevent, control, mitigate the risks from a major accident)
Transfer & update project records
Define functionality of HSECES (how do they prevent, control, mitigate the risks from a major accident)
Set HSECES performance standards Qualitative or quantitative statements of performance required (used as a basis for verification throughout the HSECES lifecycle)
Transfer & update project records
Set HSECES performance standards Qualitative or quantitative statements of performance required (used as a basis for verification throughout the HSECES lifecycle)
Design, Engineer, Procure, Construct, Commission to achieve HSECES performance standards
SUBJECT TO DESIGN INTEGRITY REVIEW (S)
Define procedures for performing HSE Critical tasks Define competencies for performing HSE Critical tasks & Implement competency training Monitor HSECES against performance standards and maintain HSECES to ensure performance standards are met • Examination, Inspection, Testing • Condition Monitoring, Reliability, Availability • Data collection & analysis, Records, Documentation, Certification • Safety Integrity Le vels (SIL) of HSE critical instrumentation • Failure modes & consequence analysis • Preventative/Breakdown Maintenance • Repair & Modification • Spare parts strategy
SUBJECT TO TECHNICAL INTEGRITY VERIFICATION & AUDIT Which requires written system and definition of organisation, activities, tasks and competencies
FIGURE 2: Simplified Management System for HSECES
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 11
Document No: ADNOC-COPV6-01
Temporary changes to plant design or operation must be controlled in order to ensure that integrity is not compromised and that HSECES can continue to perform their function. This is discussed in Section 9. Where plant is shutdown but left in place on site without deconstruction and removal, controls must remain in place to ensure that: •
The plant and structures remain sound and that any remaining materials hazardous to people or the environment are contained.
•
Equipment and systems with a HSE role that may still be required once the plant is shutdown e.g. necessary utilities, for example electrical power, lighting, fire water systems, are kept in a condition, such that they can fulfil their function.
This is dealt with in Section 10. This Code of Practice draws on relevant international legislation and best practice on HSE integrity assurance [1, 2, 3, 4, 8].
[1] Offshore Installation and Wells (Design and Construction etc) Regulations, 1996, HMSO. [2] Prevention Of Fire and Explosion and Emergency Response On Offshore Installations, Approved Codes of Practice and Guidance, Second Edition, UK Health And Safety Executive, 1997. [3] A Guide To The Offshore Installations (Safety Case) Regulations 1992, UK Health and Safety Executive, Second Edition 1998. [4] Pressure Systems Safety Regulations 2000, Approved Codes of Practice, UK Health and Safety Executive, 2000 [8] Guidelines For Management Of Safety-Critical Elements. A Joint Industry Guide, UK Offshore Operators Association, September 1996
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 12
Document No: ADNOC-COPV6-01
2.
IDENTIFICATION OF HSE CRITICAL EQUIPMENT AND SYSTEMS
2.1
HSECES A definition of HSECES is given in Section 1. Examples of HSECES include but are not limited to: •
Critical structures whose failure could lead to a multiple fatality accident, such as offshore platform jackets and accommodation unit topside support structures.
•
Equipment where loss of integrity could result in an escape of fluid under pressure or hazardous material with the potential to cause harm to people and/or the environment.
•
Structures supporting equipment where loss of integrity could result in an escape of hazardous material with the potential to cause fatality and/or damage to the environment.
•
Structures designed to protect other structures or equipment from the full force of an impact which other wise has the potential to cause major accidents.
•
Integrity protection systems such as relief valves, instrumented protective systems and restriction orifices that protect the plant from loss of containment as a result of exceeding design conditions.
•
Other equipment and systems which play a significant role in preventing major accidents such as navigation aids (navaids).
•
Area classification systems and procedures designed to prevent ignition in case of an escape of flammable material. This includes, amongst others equipment such as ventilation systems that may be necessary to maintain the correct area classification.
•
Detection equipment and systems designed to alert the operators of an escape of hazardous material and possibly to initiate various control actions.
•
Release control equipment and systems such as emergency shutdown, non-return valves and blowdown, which are designed to limit the quantity of hazardous material involved in an incident.
•
Secondary containment equipment and systems designed to restrict hazardous materials spreading from a spillage location into other areas.
•
Fire and explosion suppression equipment and systems where people could otherwise be at risk.
•
Fire fighting equipment and systems.
•
Incident control equipment such as water sprays, foam systems and search and rescue equipment.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 13
Document No: ADNOC-COPV6-01
•
Portable gas monitoring and gas testing equipment, used either to supplement, or complement fixed equipment and systems, or for certifying safe conditions for work, e.g. prior to undertaking hot work or confined space entry under Permit to Work (PTW).
•
Personnel protective equipment for general use in an emergency such as life jackets, breathing apparatus, fireman’s gear, etc..
•
Equipment and systems designed to mitigate the consequences of fire and explosion such as fire walls, blast walls and passive fire protection.
•
Weighing and measuring equipment and systems whose failure could lead to or contribute to a major accident such as gas meters, pressure/temperature/level gauges, weigh bridges.
•
Lifting equipment and systems, jacking systems whose failure could lead to or contribute to a major accident.
•
Hazardous material transporting equipment and systems such as road tankers and ship tankers could lead to, or contribute to, or escalate a major accident within a facility.
•
Emergency power equipment and systems (emergency generators, switchgear, Uninterruptible Power Supplies (UPS), etc.).
•
Communications equipment and systems that alert people that an incident has occurred and which can be used to provide instruction as to further action.
•
Equipment and systems that allow communication between emergency response teams and the emergency control centre.
•
Equipment and systems that allow communication with external agencies that can provide assistance in dealing with the incident.
•
Equipment and systems that expedite the removal of people to a place of safety such as emergency lighting, escape routes, offshore platform evacuation systems and standby vessels.
HSECES not only include the specified equipment, but also any other HSECES required for the equipment to perform its specified safety function, including electric or hydraulic power supplies and connections. ADNOC Group Companies must identify HSECES for assets which they operate and for all new projects. A structured, methodical approach must be undertaken to identify HSECES. It must address each major accident hazard in turn and specifically list each of the HSECES associated with that particular hazard. The cross referencing of hazards to the particular HSECES is important as it focuses attention onto their purpose and importance. For an existing installation, this identification would comprise a structured review of existing documentation, analyses and assessments to collate and list all the HSECES.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 14
Document No: ADNOC-COPV6-01
With a new design, a preliminary list of potential HSECES must be drawn up as early as possible. This will contribute to achieving an overall risk-based approach and enable the assurance and audit schemes to be developed and implemented as the design proceeds. With both existing and new designs, a hierarchical, sequential approach is advisable. 1. It must list any inherently safe features about the design or layout, in order to verify that they are not compromised during design, operation or modification. 2. Preventative (proactive) measures must be identified. The structure, wells and process hydrocarbon containment equipment and systems are likely to be HSECES as their failure may cause a major accident. On floating installations, equipment and systems to maintain both the stability and buoyancy must be considered. Any other equipment or systems whose failure could lead to a major accident must also be listed. The assurance of integrity of each of these is the primary means of risk reduction on an operating installation. The most important aspect is the assurance that the design codes are suitable for the hazards. It may be appropriate to identify each of the likely causes of failure of each of these systems using, for example, the application of HAZID or HAZOP techniques to identify HSECES and their contribution to avoidance of a major accident. 3. Reactive measures to control the scale, intensity or duration of an initial event or prevent its escalation to further endanger life must be identified. These systems must be identified within the existing or developing analysis of the severity of each hazardous event. Where an identified element makes little or no contribution to limiting these factors, or escalation is highly unlikely, then it may be excluded from the list of HSECES. 4. Mitigation measures to protect people and preserve life from the escalating event must be identified. These must have been identified during the examination of the direct and consequential exposure of people to the hazardous event and the assessment of the adequacy of the measures to protect them. Typically, these would include escape routes, refuges and the primary evacuation systems. Where these offer little or no contribution to preserving life, either because they are of limited effectiveness, or unlikely to be needed or used in a major emergency, then they may be excluded from the list of HSECES. A systems approach may be taken, such that a whole system is a HSECES but different parts are subject to different levels of assurance and audit. Alternatively, only those parts of the system which provide a significant contribution to a major accident, or its mitigation, may be selected as the HSECES.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 15
Document No: ADNOC-COPV6-01
The primary purpose of the concept of HSE-criticality is to focus on what is important for the avoidance of a major accident. The final list of HSECES must be critically reviewed using experienced engineering judgement, common sense and a thorough understanding of the hazards. For sites with major accident potential, the HSECES will be listed in the COMAH Report [see ADNOC Code of Practice on Control of Major Accident Hazards [7] ], which also describes the system in place to manage HSECES. The list of identified HSECES is the foundation of the integrity assurance scheme. It must be kept up to date as the plant progresses through its life cycle. 2.2
HSE Critical Integrity Activities HSE Critical Integrity Activities are those activities, which must be carried out to ensure that HSECES are suitable, have the desired integrity and continue to perform their function. HSE Critical Integrity activities must be identified for all HSECES and for the entire asset lifecycle, and must include: •
Critical design, construction, installation, commissioning, maintenance, operation, modification and repair activities
•
Periodic testing of HSECES including testing of Instrumented Protected Functions (IPF) and systems.
•
Certification activities.
•
Independent inspection, examination and testing
In order to provide clarity in this identification, it is recommended to segregate asset groups and the lifecycle processes for these, upon which the HSE Critical Integrity Activities should be identified for each of the processes and each of the assets. In turn this may assist in providing clarity on the organisational aspects to manage HSE Critical Integrity Activities e.g. via appointed process owners. An example of this, as applicable to an Exploration and Production Group Company, is provided in figure 3. Group Companies must ensure that all HSE Critical Integrity Activities are identified, and that competent persons are assigned to perform these. It is worth noting that HSE Critical Integrity Activities include the HSE Critical Integrity Audits that are carried out by the Independent Competent Person(s) (see Section 7). The audit scheme is used to confirm that all HSE Critical Integrity Activities have been identified and are performed.
[7] ADNOC Manual of Codes of Practice: ‘Code of Practice on Control of Major Accident Hazards (COMAH)’, ADNOCCOPV5-01.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY
Version 1 September, 2004
COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Page 16
Document No: ADNOC-COPV6-01 HSE MANAGEMENT SYSTEM OTHER SYSTEMS
OTHER SYSTEMS
ASSET INTEGRITY MANAGEMENT SYSTEM OTHE R INTEGRITY REQUIREMENTS
OTHE R INTEGRITY REQUIREMENTS HSE CRITICAL INTEGRITY ACTIVITIES
ACTIVITIES
PROCESSES
ASSETS
DESIGN
WELLS
PROCE DURES
PROCURE
FLOWLINES & PIPELINES
RECORDS
BUILD
STRUCTURES
QA/QC
TA NKS & VESSELS
COMMISSION
PIPEWORK & VALVES
OPERA TE
ROTA TING EQT
INSPECT
BOILE RS & HEATE RS
CORROSION MNGT
ELECTRICAL EQT
MAINTA IN
INS TRUMENTS
REVIEW/IMPROVE
HVAC & AC
CHA NGE
EMERGENCY & LIFE SAVING
TES TING
TRAINING REPORTING AUDIT ETC.
DISPOSE
INTEGRITY ASSURANCE OF HSECES FIGURE 3: Methodology (E&P) for identifying HSE Critical Integrity Activities
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 17
Document No: ADNOC-COPV6-01
3.
PERFORMANCE STANDARDS
3.1
Setting Performance Standards Performance standards must be prepared for all HSECES. The performance standards are the parameters which are measured or assessed so that the suitability and effectiveness of each HSECES can be assured and verified. They will be the essential requirements which the HSECES must maintain throughout its life in order to fulfil its role. However, the standards may be amended during the lifecycle if the circumstances change. Many existing arrangements provide performance standards for establishing the suitability and effectiveness of HSECES such as design codes, type approval, international standards, inspections and test programmes. In some cases, new performance standards may need to be developed. Performance standards must be appropriate for the particular application and may need to be reviewed during the lifecycle. In the case of preventative measures, these will be the parameters which are examined or measured to assure technical integrity. For control and mitigation measures, they will be the parameters which demonstrate that the HSECES will fulfil its role in limiting the event or protecting people.
3.2
Performance Standards for HSECES, the Purpose of Which is to Prevent or Limit the Effect of a Major Accident. Performance standards must be produced for all equipment and systems that: •
Protect people and the environment from a major hazard involving fire, explosion and the release of toxic gases and fumes.
•
Ensure effective escape from affected areas of the site, evacuation of the site or transference of people to a place of safety.
In this context a "Place of Safety" is defined as a place remote from any potentially harmful impact of the incident, where first-aid can be administered if required. The ADNOC Code of Practice on Crisis and Emergency Management contains further details regarding the "Place Of Safety" [5]. In this respect, a performance standard is a statement of the specification of equipment that reduces the risk to people from major accidents. Performance standards must be measurable and auditable. A performance standard must include specifics relating to the performance of the equipment (also termed functionality), the required availability or reliability of the equipment (if relevant) and the requirements for protecting it in an emergency, until it has performed its function (also termed survivability).
[5] ADNOC Manual of Codes of Practice: ‘Code of Practice on Crisis and Emergency Management’, ADNOC-COPV5-02.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 18
Document No: ADNOC-COPV6-01
4.
HSE CRITICAL RECORDS ADNOC Group Companies must keep records regarding HSECES such that an Independent Competent Person can verify that : •
All HSECES have been identified.
•
All HSECES are suitable for their intended purpose.
•
That all necessary activities have been carried out to ensure that the HSECES continues to fulfil its intended purpose.
•
Any issues arising from previous audits by Independent Competent Persons have been addressed.
All HSE Critical Records must be available to Independent Competent Persons carrying out audits or other integrity assurance activities on request. The Company HSE Management System must ensure that HSE Critical Records are identified and kept up to date. All such records must be formally controlled and a custodian identified. HSE Critical Records must include: •
A list of HSECES.
•
Specification of the safe operating limits of equipment and systems containing hazardous materials or fluids at pressure.
•
Performance standards and supporting documentation (Section 2).
•
Written schemes of test and examination (Section 6).
•
Records of test and examination.
•
The audit scheme and supporting documentation (Section 7).
•
Any designer’s/manufacturer’s/supplier’s documentation relating to parts of the equipment included in any written scheme of test and examination.
•
The most recent reports pertaining to integrity assurance or audits carried out by Independent Competent Persons.
•
All other reports that contain information relevant to assessment of matters of HSE including, where necessary, the temporary status of HSECES and alternative means in place to ensure the intended purpose of the HSECES is met.
A list of Independent Competent Persons and certifying agencies who have done such work, or who could do such work, and their contact details must be held with a view to ensuring that any such work will only be carried out by parties that meet specified competency requirements, and can be mobilised quickly when required. Such information should preferably be kept at a single company location e.g. with the person appointed by the Group Company as the Independent Competent Person for technical integrity matters.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 19
Document No: ADNOC-COPV6-01
5.
INTEGRITY REVIEWS
5.1
Design Group Companies responsible for design of a assets containing HSECES must ensure that these are designed and specified such that: •
All HSECES necessary for safe operation of the assets are included.
•
All HSECES are suitable for their intended purpose.
•
All activities necessary for integrity assurance can be carried out.
The designer must take account of: •
The expected working life of the asset.
•
The properties of materials handled.
•
Corrosive environments.
•
Extreme operating conditions, including start-up shutdown, and reasonably foreseeable fault or emergency conditions.
•
The need for asset examination and testing to ensure continued integrity throughout the design life.
•
Foreseeable changes to design conditions of equipment that may be connected to the asset, including those operated by third parties.
•
Protection against system failure using suitable measuring, control and protective devices.
•
Provision of door safety devices to prevent opening of equipment whilst pressurised.
•
Interlocking devices to ensure availability of pressure relief devices and emergency depressurising valves.
•
Suitable materials for each component part compatible with service and operating conditions.
•
External forces exerted on the asset including thermal, seismic, wind and wave loadings.
•
Safe access for operation, maintenance and activities associated with integrity assurance.
•
Indelibly marking of equipment with safe operating limits and other safety information.
Further guidance on safe design principles is given in ADNOC Codes of Practice Best Practice Note on ‘Outline Design Philosophy for Major Hazard Plant and Equipment’ [6]. [6] ADNOC Manual of Codes of Practice: ‘Best Practice Note on Outline Design Philosophy for Major Hazard Plant and Equipment’, ADNOC-COPV5-04.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 20
Document No: ADNOC-COPV6-01
5.2
Fabrication, Construction, Installation and Commissioning Group Companies responsible for overseeing the fabricating, constructing, installing or commissioning assets that includes HSECES must ensure that nothing is installed that can give rise to danger or otherwise impair either the operation of the HSECES or assurance activities. Group Companies responsible for overseeing the carrying out installation works must ensure that those doing the installation have the required training, skills and experience and that they: •
Provide adequate supervision, taking into account the complexity of the system being installed. Critical stages of fabrication / installation activities such as welding procedures, testing, material laboratory analysis and NDT requirements should be witnessed.
•
Prepare suitable foundations to support the equipment, taking into account the nature of the ground, equipment weight and other internal loads and external forces.
•
Decide on the most suitable method of lifting and handling sizable loads to avoid harm to people and accidental damage.
•
Check for signs of damage to equipment during transit and prior to delivery to site for installation.
•
Protect the HSECES from the environment, including adverse weather, before and during installation.
•
Remove and dispose of protective packaging.
•
Ensure that hot work such as welding or cutting will not affect the integrity of the HSECES.
•
Ensure that protective devices are clear of obstruction, operate correctly without hindrance or blockage and that the discharge is routed to a safe place.
•
Ensure that access doors / hatches are clear of obstruction and operate correctly.
•
Ensure that any labels or markings attached to the HSECES.are clearly visible.
•
Provide adequate access for maintenance and examination purposes.
•
Provide suitable protection against mechanical damage such as accidental impact by vehicles.
•
Allow sufficient space for access around and beneath valves, including drain valves.
•
Clear away debris such as metal shavings or dust arising from the installation process.
•
Have the installation work checked and approved on completion by a suitably qualified and competent person.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 21
Document No: ADNOC-COPV6-01
For sites with major accident hazard potential, details of the management system covering the above items must be part of the pre-construction COMAH Report submission for the new site or modification [7]. 5.3
Operation Group Companies must ensure that persons operating HSECES are given adequate instructions covering safe operation and actions to be taken in the event of any emergency. Group Companies must also ensure that persons operating such HSECES do so in accordance with these instructions. (It is also the responsibility of the Group Companies to determine competence requirements and establish a competence assurance system for personnel who carry out HSE Critical Integrity Activities). The operating instructions must contain all information needed for safe operation of the HSECES including appropriate limits within which it is to be operated and the environmental conditions in which it may safely operate. This will also include:
5.4
•
Normal start-up and shutdown procedures.
•
Equipment preparation for maintenance and reinstatement procedures.
•
Precautions for standby operation.
•
Function and effect of controls and protective devices.
•
Likely fluctuations expected in normal operation.
•
Requirements to ensure that the HSECES are adequately protected against operating outside their design envelop at all times.
•
Maximum loads which may safely be imposed on parts of the structure.
•
Procedures in the event of an emergency.
•
Reporting and recording of critical information which should include equipment failure reports for root cause analysis.
Maintenance Group Companies must ensure that the assets with HSECES which they operate are maintained in good repair so as to prevent danger. The type and frequency of maintenance for the HSECES must be assessed and a suitable maintenance programme planned. A suitable maintenance programme must take account of: •
The risks to health, safety and the environment from failure or deterioration.
•
The age of the asset.
•
The operating and process conditions.
[7] ADNOC Manual of Codes of Practice: ‘Code of Practice on Control of Major Accident Hazards (COMAH)’, ADNOCCOPV5-01.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 22
Document No: ADNOC-COPV6-01
•
The working environment.
•
Instructions provided by the manufacturer or supplier.
•
Previous maintenance history.
•
Reports of examinations carried out by competent persons under a written scheme of examination.
•
Results of other relevant inspections, including Risk Based Inspection (RBI) and Fitness for Service Analysis.
•
Repairs and modifications to the HSECES.
It is essential to maintain the desired functionality of the HSECES during the operation and maintenance phases, which are characterised by their long-term nature and where controls are difficult to maintain at the same level. Processes that support these phases must be addressed e.g. amongst others:
5.5
•
Monitoring HSECES against performance standards.
•
Condition or reliability approach for maintenance.
•
Preventative maintenance approach.
•
Use of appropriate support software.
•
Spare parts strategy.
•
Examining HSECES failure modes and their consequences.
Modification and Repair Group Companies must ensure that any modification or repair to a HSECES which they operate does not give rise to danger or otherwise impair the operation of any protective device or inspection facility. When designing any modifications (including extensions or additions) or repairs the following must be taken into account: •
The original design specification and codes and standards are followed.
•
The duty for which the HSECES is to be used after the repair or modification including any change in the conditions to which equipment is exposed.
•
The effects of the repair or modification on the overall integrity of the asset.
•
Whether protective devices are still adequate.
•
Continued suitability of the written schemes of examination and audit.
•
Where necessary, hazard identification and risk analysis must be carried out to verify that HSE risk levels are not increased as a result of modifications.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 23
Document No: ADNOC-COPV6-01
5.6
Decommissioning and Disposal Requirements for long-term shutdown of plant are given in Section 10. Where equipment is to be physically removed from site, Group Companies must ensure that activities carried out do not result in danger, for example by loss of containment of hazardous materials. Care must be taken during removal that the safety of any remaining equipment is not compromised, both during the removal process and afterwards. In particular attention must be paid to: •
Risk of impact on systems or equipment containing hazardous materials.
•
Access to remaining equipment for safe operation and maintenance including ladders, platforms and lighting.
•
Access to and operation of communications systems such as alarm points, telephones and public address systems.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 24
Document No: ADNOC-COPV6-01
6.
INSPECTION, TEST AND EXAMINATION Group Companies must have a written scheme for periodic inspection, test and examination in place, before operating any asset containing HSECES. The written scheme of examination must: •
Address the relative criticality of the HSECES i.e. its importance with regard to causing, preventing or limiting the consequences of a major accident.
•
Address the likelihood and predictability of failure of the HSECES.
•
Specify the nature and frequency of examination and activities to be undertaken, including frequency of inspection, test, audit or recertification as applicable.
•
Relate to the performance standard for the HSECES.
•
Specify any measures necessary for safe examination.
•
Include existing, independent certification requirements e.g. lifting equipment, pressure relief devices and pressure vessels.
•
Specify examination prior to first start and after repair if applicable.
Group Companies must ensure that: •
A competent person holding a senior position in the company approves the written scheme of examination as being suitable, prior to its implementation and carries out a review at appropriate intervals.
•
The written scheme of examination is modified in accordance with any recommendation made by that competent person arising out of that review.
•
The written scheme of examination is revised and updated as necessary and in particular following engineering changes and modification.
Records of each inspection must be kept, including findings and recommendations of the Independent Competent Person (as part of the audit process), and must be available to those carrying out future reviews, as described in Section 4. The written schemes of examination form part of the audit scope as described in Section 7.4 and Appendix 1.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY
Version 1 September, 2004
COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Page 25
Document No: ADNOC-COPV6-01
7.
ASSURANCE AND AUDIT
7.1
HSECES Performance Assurance ADNOC Group Companies must develop and implement a suitable assurance scheme to ensure that HSECES are suitable (or, where they have yet to be provided, will be suitable) and will remain in good repair and condition [8] throughout the lifecycle of the asset(s) for which they are provided. Responsibility for technical integrity of HSECES must rest with the Line i.e. the asset owner/holder. Depending on asset development phases, this will be either Projects (during project design, construction, installation and commissioning) or Operations (upon handover of newly built assets). Some Group Companies have a separate ‘Inspection’ organisation which verifies technical integrity in a service providing capacity to the asset owner/holder. Such ‘Inspection’ organisations are considered to be within the asset owner/holder sphere of responsibilities for the purposes of this document. Group Company Management has the final accountability for ensuring that their asset operations are complying with the ADNOC standards for HSE risk management. As consequence, Group Company Management need to be satisfied that HSECES meet appropriate performance standards and are operated and maintained by the Line along suitable procedures by competent personnel. This needs to be verified periodically by personnel that are deemed suitably competent and independent from the Line organisation. The performance of complementary ways:
HSECES
must
therefore
be
assured
in
two
o
By the routine checking of their design, maintenance, inspection and testing. All of these are described in the following sections: − Integrity Reviews during design: Section 5.1 − Integrity Reviews during fabrication, construction, installation and commissioning: Section 5.2 − Operation: Section 5.3 − Maintenance: Section 5.4 − Modification and repair: Section 5.5 − Decommissioning and disposal: Section 5.6 − Inspection, test and examination: Section 6
o
by independent verification through audits that these activities (see 1) are carried out by competent personnel in accordance with appropriate procedures and that HSECES are, and remain, suitable, i.e. that they meet appropriate performance standards. These independent audits must be carried out by what will be named the ‘Independent Competent Person’ in the sections below.
[8] Guidelines For Management Of Safety-Critical Elements. A Joint Industry Guide, UK Offshore Operators Association, September 1996
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 26
Document No: ADNOC-COPV6-01
7.2
The use of Key Performance Indicators Many Key Performance Indicators (KPIs) can be developed to maintain an overview of HSE Critical Integrity. In developing and selecting such KPIs for HSECES, care must be taken that these focus on criticality i.e. the equipment and systems that have a potentially HIGH risk impact. Also, the KPIs must provide an indication of integrity, as opposed to demonstrating efficiency of equipment or activities management only.
7.3
Independent Competent Person Group Companies must appoint one (or more) Independent Competent Person(s) to carry out audits of the assurance scheme for HSE Critical Integrity Activities. The Independent Competent Person(s) must be able to demonstrate the necessary competence and experience. The Independent Competent Person(s) may be from within the Group Company organisation, provided that independence from the organisation(s) tasked with carrying out the HSE Critical Activities can be demonstrated. Alternatively, the Independent Competent Person(s) may be an outside consultant/contractor. The Independent Competent Person may be a team of several individuals where this is required to ensure an appropriate level of competency or to complete audit tasks in a reasonable period of time. In all cases, the Group Company has the responsibility of defining competence/qualifications of the Independent Competent Person(s).
7.4
HSE Critical Integrity Audit Scheme The HSE Critical Integrity Audit Scheme must consider: •
Principles to be applied in selecting persons to perform audits and to keep the audit scheme under review.
•
Arrangements for the communication of information necessary for the proper implementation or revision of the audit scheme.
•
The nature and frequency of audits.
•
Arrangements for review and revision of the audit scheme.
•
The arrangements for making and preservation of records showing the audits carried out, the findings, remedial action recommended and remedial action performed.
•
Arrangements for communicating audit findings to an appropriate level within the Group Company's management.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 27
Document No: ADNOC-COPV6-01
The Independent Competent Person is responsible for: •
reviewing the suitability of the Group Company specific HSECES Management System
•
implementing the HSE Critical Integrity Audit Scheme
•
reporting of audit findings to Group Company Management, which includes observation on adequacy of follow-up on actions from previous audits.
•
Updating the HSE Critical Integrity Audit Scheme periodically as necessary. Triggers for such an update must include: − A generic review at a minimum frequency of once every five years. − Findings during implementation of audits. − Irreversible deterioration of the performance of a HSECES. − Experience as a result of lessons learned from incidents on site, elsewhere in Abu Dhabi or worldwide. − Modifications that result in physical changes to the asset or the HSECES.
Guidelines for determining the scope of HSE Critical Integrity Audits are provided in Appendix 1.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 28
Document No: ADNOC-COPV6-01
8.
CERTIFICATION
8.1
Certification Requirements Within ADNOC Group Companies, many HSECES, such as lifting equipment and pressure relief devices, are currently certified for service by internationally recognised certifying bodies. For such elements, the certification process can be built into the assurance scheme. Further activities beyond those currently carried out by the certifying body, e.g. the periodic testing of ESD valve leakage rates during shutdowns/turnarounds, may also be required to provide assurance that the HSECES is and remains suitable. The current certifying body may be appointed as the Independent Competent Person to review or implement the audit scheme or, alternatively, could contribute specific expertise. An action item follow-up system should be developed with a tracking system that ensures closure of action items.
8.2
Certification Procedures Where existing certification procedures are built in to the assurance scheme this must be clearly identified in the scheme and responsibilities assigned and recorded. In particular the mechanism for alerting the asset operator to defects and reservations identified during certification audits must be clearly spelt out within the audit scheme.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 29
Document No: ADNOC-COPV6-01
9.
CONTROL OF TEMPORARY CHANGES Group Companies must ensure that temporary changes to the design or operation of a HSECES do not give rise to danger or otherwise impair the operation of any protective device or inspection facility. Group Companies must ensure that temporary changes are only authorised and implemented by those competent to do so. When designing temporary changes the following must be taken into account: •
The original design specification and codes and standards followed.
•
The duty for which the HSECES is to be used including any change in the conditions to which equipment is exposed.
•
The effects of the change on the overall integrity of the asset.
•
Whether protective devices are still adequate.
•
The likely duration of the change.
•
Continued suitability of written schemes of examination.
•
Continued suitability of the assurance scheme.
•
Review of relevant documentation and notification to the document controller.
During operations mode, when HSECES are temporality out of service (e.g. isolations and/or over-rides due to planned maintenance/inspection, breakdown) such events must be subject to control procedures that: •
Document the timing and reason for HSECES isolation, override or breakdown.
•
The authorisation given by a competent person to continue operation without the HSECES being available.
•
The period during which operation without the HSECES is permitted.
•
The timing that the HSECES is restored to service.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 30
Document No: ADNOC-COPV6-01
10.
LONG-TERM SHUTDOWN When plant is subject to a long term shutdown and left in place without deconstruction and removal, all necessary steps must be taken to ensure that the plant is left in a safe condition and that necessary activities are undertaken on a regular basis, to ensure that the plant remains in a safe condition. HSECES for the shutdown plant must be identified and the necessary activities for inspection, examination, testing and audit put in place, to provide assurance that integrity is retained. The arrangement for long-term shutdown must be such as to allow safe access to carry out all necessary activities. Some general guidance for long-term shutdown is given below: •
Plant in long term shutdown must be clearly marked and identified both in the field and on drawings and other relevant documentation.
•
Areas containing both operational and long-term shutdown plant must be avoided.
•
Materials hazardous to personnel or the environment must be removed from long-term shutdown plant.
•
Long-term shutdown plant must be isolated from operational plant by physical breaks in pipework and electrical systems.
•
The status of sewer and drain connections to long-term shutdown plant must be considered in detail and suitable precautions introduced. Particular care must be taken if the sewer or drain system can contain hazardous materials.
•
Personnel access to long-term shutdown plant must be restricted where reasonably practicable.
•
It may be necessary to retain some equipment associated with long term shutdown plant where this is still required for safety or environmental reasons such as: lighting, alarm points, public address systems alarms, telephones, personnel protective equipment, breathing air manifolds, spill control equipment and fire control equipment.
•
The plant / equipment must ‘moth-balled’ and rendered safe.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 31
Document No: ADNOC-COPV6-01
REFERENCES 1.
Offshore Installation and Wells (Design and Construction etc) Regulations, 1996, HMSO.
2.
Prevention Of Fire and Explosion and Emergency Response On Offshore Installations, Approved Codes of Practice and Guidance, Second Edition, UK Health And Safety Executive, 1997.
3.
A Guide To The Offshore Installations (Safety Case) Regulations 1992, UK Health and Safety Executive, Second Edition 1998.
4.
Pressure Systems Safety Regulations 2000, Approved Codes of Practice, UK Health and Safety Executive, 2000.
5.
ADNOC Manual of Codes of Practice: ‘Code of Practice on Crisis and Emergency Management’, ADNOC-COPV5-02.
6.
ADNOC Manual of Codes of Practice: ‘Best Practice Note on Outline Design Philosophy for Major Hazard Plant and Equipment’, ADNOC-COPV5-04.
7.
ADNOC Manual of Codes of Practice: ‘Code of Practice on Control of Major Accident Hazards (COMAH)’, ADNOC-COPV5-01.
8.
Guidelines For Management Of Safety-Critical Elements. A Joint Industry Guide, UK Offshore Operators Association, September 1996
9.
ADNOC Manual of Codes of Practice: ‘Code of Practice on HSE Administration Systems’, ADNOC-COPV1-01.
10.
Functional Safety of Electrical / Electronic / Programmable Electronic Safety Related Systems, IEC 61508, version 4.0, 1997.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 32
Document No: ADNOC-COPV6-01
APPENDIX 1 GUIDELINES FOR DETERMINING THE SCOPE OF HSE CRITICAL INTEGRITY AUDITS
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 33
Document No: ADNOC-COPV6-01
GUIDELINES FOR DETERMINING THE SCOPE OF HSE CRITICAL INTEGRITY AUDITS With reference to the simplified HSECES Management System as illustrated in figure 2, audits of HSE Critical Integrity Activities must cover the following for both project and operations phases of assets: Management System for HSECES Technical Integrity Audits must verify the adequacy of the organisation and the competencies in place as required for HSECES asset maintenance, modification, repair, operation, disposal, decommissioning, inspection, testing, examination and certification. The Management System information must be collated and be readily accessible to those needing it. HSE Critical Integrity Audits must verify the arrangements for periodic review and revision (if required) of the Management System. Major Hazard Scenario’s Audits must verify that defined Major Hazard Scenarios cover all possibilities for the four risk categories i.e. people, assets, environment and reputation. Identified HSECES and functionality Audits must verify that HSECES are identified and recorded, which may already have been done as part of the site COMAH Report [7] if applicable. For each HSECES, the record must state why it is HSE-critical and how it relates to specific hazards. The record must also state the purpose of each HSECES. The Independent Competent Person must review the listing of HSECES and confirm that the listing is complete. Such a review must be carried out with understanding of the hazards present, using good engineering judgement. In order to define the level and scope of audits the Independent Competent Persons need an overview for each HSECES of: •
What parameters are measured, equipment tested or designs reviewed to assess whether or not the performance standards will be or have been achieved.
•
How the above parameters are measured.
•
Who verifies that the performance standards will be, or have been, achieved; (this may cover both the personnel carrying out routine inspection and testing and personnel who will independently verify this work).
•
When and how the performance standards are measured or assessed during the HSECES life-cycle.
•
Where the measurement, testing or assessment take place.
7] ADNOC Manual of Codes of Practice: ‘Code of Practice on Control of Major Accident Hazards (COMAH)’, ADNOCCOPV5-01.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 34
Document No: ADNOC-COPV6-01
In general, the frequency and scope of HSE Critical Integrity Audits must depend on the criticality of the HSECES and upon the likelihood of its failure. The importance of a HSECES is its function relating to preventing major accidents or reducing their consequences. The criticality can usually be related to a qualitative hierarchy: 1. inherent safety 2. prevention 3. control and mitigation. This hierarchy includes measures: •
To eliminate hazards.
•
To minimise causes of events that might lead to loss of containment of hazardous materials.
•
To limit the severity of the incident.
•
To protect people from the incident.
The scope of the assurance and audit of performance of a HSECES also depends on the likelihood and predictability of its failure. The following must be considered: •
The causes of failure.
•
The type of failure: progressive deterioration or sudden failure.
•
The environmental conditions.
•
The development, testing and assurance of the product manufacturer.
•
Other independent testing, examination and audit (e.g. Certification).
•
The history of this type of HSECES.
•
Competence of personnel carrying out routine maintenance, inspection and testing.
•
Safety-factors that have been built into the element or the overall system.
•
The potential for common-cause failure: i.e. a single cause resulting in failure of both a duty component and its back up.
•
The requirements of codes and standards used in the design and construction of the HSECES.
•
Specific requirements from reliability analyses or other detailed studies.
•
The capacity for failure and fault tolerance within the HSECES.
Audits must verify that there is adequate provision for evaluating an identified discrepancy and that effective remedial measures are taken, so that the action is closed out.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 35
Document No: ADNOC-COPV6-01
HSECES performance standards Audits must verify that suitable performance standards are defined for all HSECES and that these are used to assess the suitability and effectiveness of each HSECES. The audit must also verify that a suitable control system is in place for modifications of the performance standards. For new projects, audits must verify that the design of the systems and components is examined to ensure that they meet the performance standards. Audits must verify that the performance of new equipment is verified prior to use e.g. via examination or testing at the suppliers or during installation or commissioning. Where manufacturers have their own independent assurance schemes, audits must verify that these provide adequate assurance that the system or component meets the performance standards. Procedures for HSE Critical Integrity Tasks Audits must verify that adequate procedures are in place for the HSE Critical Integrity Tasks. Competencies for performing HSE Critical Integrity Tasks Audits must verify that personnel who perform HSE Critical Integrity Tasks are competent and that a suitable programme exist to maintain the defined prerequisite competency levels. HSECES Performance Audits must verify that: •
HSECES are subject to systematic examination, inspection and testing in accordance with documented plans.
•
HSECES are subject to condition monitoring with documented records of reliability and availability
•
Suitable documentation management is in place with complete records of HSECES
•
Up-to-date HSECES failure mode & consequence analysis is available.
•
Preventative maintenance is conducted in accordance with documented plans and breakdown maintenance is conducted in accordance with priorities which reflect the critical nature of the failed equipment.
•
Repair and modifications are conducted in accordance with equipment manufactures specification. Temporary modifications must be conducted in accordance with documented control procedures.
•
A spare parts strategy is in place and being followed to ensure that HSECES can at all times be serviced.
Audits must verify that the HSECES remain suitable for their intended purpose by monitoring results and comparing these with the performance standards.
HSE MANAGEMENT CODES OF PRACTICE Volume 6: VERIFICATION OF TECHNICAL INTEGRITY COP: IDENTIFICATION AND INTEGRITY ASSURANCE OF HSE CRITICAL EQUIPMENT AND SYSTEMS
Version 1 September, 2004 Page 36
Document No: ADNOC-COPV6-01
Where the Independent Competent Person has reservations regarding the continued suitability of a HSECES, the reservation must be reported as an audit finding.
