Download UKOOA, Guidelines for the Management of Safety Critical Elements 2007, 2007-04-10...
Guidelines for the management of safety critical elements
2nd edition
An IP Publication
Published by the Energy Institute
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
Energy Institute
This publication has been produced as a result of
61 New Cavendish Street
work carried out within the Technical Team of the
London W1G 7AR, UK
Energy Institute (EI), funded by the EI’s Technical Partners. The EI’s Technical Work Programme
t: +44 (0) 20 7467 7157
provides industry with cost effective, value adding
f: +44 (0) 20 7255 1472
knowledge on key current and future issues
e:
[email protected]
affecting those operating in the energy sector,
www.energyinst.org.uk
both in the UK and beyond.
ISBN 978 0 85293 462 3
Registered Charity Number 1097899
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
Second edition March 2007
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
Second edition March 2007
Published by ENERGY INSTITUTE, LONDON The Energy Institute is a professional membership body incorporated by Royal Charter 2003 Registered charity number 1097899 Endorsed by The United Kingdom Offshore Operators Association and the HSE Offshore Safety Division
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
The Energy Institute gratefully acknowledges the financial contributions towards the scientific and technical programme from the following companies: BG Group BHP Billiton Limited BP Exploration Operating Co Ltd BP Oil UK Ltd Chevron ConocoPhillips Ltd ENI ExxonMobil International Ltd Kuwait Petroleum International Ltd Maersk Oil North Sea UK Limited
Murco Petroleum Ltd Nexen Saudi Aramco Shell UK Oil Products Limited Shell U.K. Exploration and Production Ltd Statoil (U.K.) Limited Talisman Energy (UK) Ltd Total E&P UK plc Total UK Limited
Copyright © 2007 by the Energy Institute, London: The Energy Institute is a professional membership body incorporated by Royal Charter 2003. Registered charity number 1097899, England All rights reserved No part of this book may be reproduced by any means, or transmitted or translated into a machine language without the written permission of the publisher. The information contained in this publication is provided as guidance only and while every reasonable care has been taken to ensure the accuracy of its contents, the Energy Institute cannot accept any responsibility for any action taken, or not taken, on the basis of this information. The Energy Institute shall not be liable to any person for any loss or damage which may arise from the use of any of the information contained in any of its publications. The above disclaimer is not intended to restrict or exclude liability for death or personal injury caused by own negligence.
ISBN 978 0 85293 462 3 Published by the Energy Institute Further copies can be obtained from Portland Customer Services, Commerce Way, Whitehall Industrial Estate, Colchester CO2 8HP, UK. Tel: +44 (0) 1206 796 351 e:
[email protected] Electronic access to EI and IP publications is available via our website, www.energyinstpubs.org.uk. Documents can be purchased online as downloadable pdfs or on an annual subscription for single users and companies. For more information, contact the EI Publications Team. e:
[email protected]
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
CONTENTS Page Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2
Background to the revision of Guidelines for the management of safety critical elements . . . . . . . . . . . 3
3
Applicable legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4
Definitions and key concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1 Safety critical elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Major accidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3 Performance standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4 Verification schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5 Independent competent persons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5
Identification of SCEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6
Development of Performance Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
7
Assurance of SCE integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
8
Verification throughout the asset life . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1 Overview of verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.2 Verification in the concept, feed, design, construction and commissioning phases . . . . . . . . . . . . . . . 8.3 In-service verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.4 Decommissioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9
Change management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 9.1 Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 9.2 Temporary equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
7 7 7 7 7 7
17 17 18 19 20
10 References and glossary of terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
v
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
vi
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
FOREWORD In 2005, the UKOOA led Installation Integrity Working Group (IIWG) requested that the Energy Institute manage the review and revision of the UKOOA Guidelines for the management of safety critical elements, first issued in September 1996. This project required the formation of a separate (sub) Working Group from the parent IIWG members. The revision exercise was part of a programme of work undertaken by the IIWG which included development and promotion of industry good practices and suitable performance measures. A principal deliverable of this Working Group was the Asset Integrity Tool Kit, which includes an Assurance and Verification Tool outlining the requirement for identification, assurance and verification of Performance Standards for Safety Critical Elements. These Guidelines are therefore considered as providing valuable input for this element of the management of installation integrity. It is intended that these Guidelines should provide good practice for the management of safety critical elements for offshore installations and will be of use principally for those involved in assurance and verification. The document should also provide a useful guide for duty holders, managers of operations, safety, engineering and maintenance functions, and an initial introduction for those who wish to become involved in the subject. This document has been compiled as guidance only and while every reasonable care has been taken to ensure the accuracy and relevance of its contents, the Energy Institute, its sponsoring companies, the document writer and the Working Group members listed in the Acknowledgements who have contributed to its preparation, cannot accept any responsibility for any action taken, or not taken, on the basis of this information. The Energy Institute shall not be liable to any person for any loss or damage which may arise from the use of any of the information contained in any of its publications. These Guidelines will be reviewed in future and it would be of considerable assistance for any subsequent revision if users would send comments or suggestions for improvements to: The Technical Department, Energy Institute, 61 New Cavandish Street, London W1G 7AR e:
[email protected]
vii
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
ACKNOWLEDGEMENTS The Institute wishes to record its appreciation of the work carried out by the following individuals: Tim Walsh of Lloyds Register EMEA, for the drafting of this document. Members of the Joint Industry Working Group, which was set up to steer the re-drafting programme and who have provided valuable expertise: Keith Hart Lee Broadley Simon Brown Bernard Emery Peter Griffiths Paul Kefford Bob Kyle Alex Macleod Bill McKenzie Alan Richardson Ian Wright
Energy Institute (Manager and Chairman) Talisman Energy Ltd HSE OSD HSE OSD HSE OSD Chevron UKOOA Lloyds Register EMEA BP Operating Company Ltd HSE OSD DNV
Assistance was also provided by: Garry Mannett Richard McCabe Phil Rothie Ruth White
BV BV BV DNV
The Institute also wishes to recognise the contribution made by those who have provided comments on the Draft document which was issued during an industry consultation period.
viii
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
1 INTRODUCTION document then describes the process by which SCEs are identified and performance standards set. The process of verification is central to ensuring that the integrity of SCEs is maintained and guidance is provided for the management of verification throughout the various stages of the asset lifecycle. The document also deals with the management of change in relation to SCEs and concludes by identifying sources of further information including good practice and FAQs. This document is aimed at all those who have an interest and/or involvement in the management of SCEs, particularly those responsible for the management of technical and operational activities within, or on behalf of, duty holders.
The purpose of this document is to provide industry guidance for the management of Safety Critical Elements (SCEs) on offshore installations operating on the UK continental shelf. SCEs are the equipment and systems which provide the basis to manage the risks associated with Major Accident Hazards (MAHs). This document should be read in conjunction with the Offshore Installations (Safety Case) Guidelines. This publication replaces that of the same title produced by the UK Offshore Operators Association (UKOOA) in 1996. The starting point for this guidance is a review of the applicable legislation and a summary of the key concepts underpinning the management of SCEs. The
1
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
2
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
2 BACKGROUND TO THE REVISION OF Guidelines for the management of safety critical elements These include:
The first issue of the joint industry Guidelines for the management of safety critical elements was produced by a UKOOA led work group in September 1996, at a time when the new "verification regime" was being introduced. That document was primarily intended to provide guidance to the industry on how the new requirements should be implemented on installations that had been designed, constructed and operated under the previous "certificate of fitness" requirements. The UK oil and gas industry has been operating in accordance with the requirements of the Offshore Safety Case Regulations (OSCR) since 1996 and it is appropriate that the original guidelines should be revised to take account of experience gained in recent years. Since the publication of the original guidelines, there have also been additional developments from within industry which have impacted on the management of safety critical elements and for which guidance is provided in this document.
— Major modifications being carried out to existing installations as they are developed for changing field characteristics and functions, which may be very different to those for which they were originally designed. — Replacement of verification aspects of the Offshore Installations (Design & Construction) Regulations (1996) by the Offshore Safety Case Regulations (2005). — Installations that are being operated well beyond their original design life. — Changing ownership, and in some cases, multiple changes of ownership, of many older assets and the prevalence of smaller independent operators, some of whom are new entrants to the UK sector. — The increasing importance of decommissioning activities.
3
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
4
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
3 APPLICABLE LEGISLATION The requirement for industry to manage SCEs is covered either directly or indirectly by the following regulations:
— The Offshore Installations (Prevention of Fire and Explosion and Emergency Response) Regulations 1995 (PFEER).
— The Offshore Installations Regulations 2005.
The following table shows how these regulations relate to the management of SCEs.
Regulations OSCR 2005
(Safety
Case)
Section Regulation 2
Areas covered Definition of Safety Critical Elements Definition of Major Accident Hazards Assurance of the fitness for purpose of SCEs Independent Competent Persons
PFEER 1995
Regulation 19
Duty holders’ responsibility with respect to the identification and management of SCEs
Schedule 7
Matters to be provided for in a verification scheme
Regulation 5
Performance Standards
Regulation 19
Assurance of the fitness for purpose of SCEs
5
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
6
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
4 DEFINITIONS AND KEY CONCEPTS its purpose. It is a requirement that Performance Standards should be established for all SCEs.
There are a number of definitions and key concepts which are essential to the successful management of SCEs. Details of these are provided within the regulations, approved codes of practice and guidance documents; however the main concepts are summarised below.
4.4 VERIFICATION SCHEMES Verification schemes are written schemes implemented to confirm, or otherwise, that SCEs are suitable and remain in good repair and condition. As from April 2006 verification schemes should also cover specified plant required by PFEER and previously subject to PFEER written schemes of examination.
4.1 SAFETY CRITICAL ELEMENTS Safety Critical Elements are any part of the installation, plant or computer programmes whose failure will either cause or contribute to a major accident, or the purpose of which is to prevent or limit the effect of a major accident, and for the purpose of these guidelines, include items of specified plant referenced in Regulation 19 of PFEER.
4.5 INDEPENDENT COMPETENT PERSONS Independent Competent Persons (ICPs) are required to carry out various functions under the verification scheme to ensure that the process of managing risks associated with the Major Accident Hazards is working effectively. It is a requirement that ICPs must be sufficiently independent so as to be impartial and objective in their judgement such that safety is not compromised. The role of the ICP can either be undertaken by a single organisation or by a number of different individuals or organisations considering separate aspects of the installation. In the latter case however, greater co-ordination will be required by the duty holder to ensure that all parts of the scheme have been adequately addressed and that interfaces are effectively managed. Although not mandatory, it is generally recommended that where multiple ICPs are employed, one has an overseeing role.
4.2 MAJOR ACCIDENTS Major accidents are fires, explosions or releases of dangerous substances that will cause death or serious injury; major damage to the structure or plant or loss of stability; the collision of a helicopter; failure of life support systems for diving operations; or any other event involving death or serious injury to five or more people. 4.3 PERFORMANCE STANDARDS A Performance Standard is a qualitative or quantitative statement of the performance required of a system or item of equipment in order for it to satisfactorily fulfil 7
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
8
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
5 IDENTIFICATION OF SCEs Although there are various different, and equally acceptable, ways of identifying SCEs there are steps
which are common to all. These common steps are shown in Figure 5.1 and described below.
Identify Major Accident events using the Safety Case
Identify structure and plant which can cause, prevent, detect, control, mitigate, rescue or help recover from a major accident
Identify PFEER specified plant
Record items identified as SCEs
Figure 5.1: Identification of SCEs 9
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
The outcome of these deliberations should be recorded giving the reasons why an item has, or has not been identified as safety critical and with reference to the relevant major accident hazard.
Step 1: Identify the major accident events on the installation This is carried out using a series of hazard identification techniques, involving both qualitative and quantitative methods. The results from this process are generally recorded in a Hazard Register which documents all of the potential major accident event scenarios on an installation, and should be documented in the safety case for the installation.
Step 3: Identify PFEER Specified Plant Specified Plant is any of the plant of an installation which is provided: — To comply with Regulations 11(1)(a), 13, 15 and 16 of the PFEER Regulations.
Step 2: Identification of structures and plant which can cause, contribute to, prevent or help recover from a major accident
— As a means of detecting fire and for detecting and recording accumulations of flammable gases (as required by Regulation 10 of the PFEER Regulations).
Duty holders will generally utilise lists of plant and equipment, extracted from their computerised maintenance management systems, as the starting point for assessing which of the items on the list are safety critical. The issue of 'how deep to dig' is one that requires to be addressed before the identification process can begin. Approaches vary, but SCEs need to be defined at an appropriate level such that they have a direct linkage to MAHs, and it is also clear whether or not an equipment item forms part of one or more SCEs. A team approach to SCE selection is usual as it is unlikely that a single person would have sufficient technical appreciation of the major accident analyses and detailed knowledge of the installation. Starting from the complete list of equipment the team should assess each item in turn and form a view as to whether it could cause, contribute to, prevent or help recover from, a major accident.
— Measures to combat fire and explosion as required by Regulation 12 of the PFEER Regulations. Step 4: Prepare a record of items identified as Safety Critical Elements It is important that the record of SCEs is maintained up to date, therefore the major accident analyses and the list of SCEs should be reviewed periodically. The list should also be reviewed prior to the addition of new equipment or modification of existing plant. A typical (but non-exhaustive) example, showing the interrelationship between MAHs and SCEs is given below.
10
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
IDENTIFICATION OF SCEs
PRIMARY MAJOR HAZARDS
SAFETY CRITICAL ELEMENTS AND SUB-ELEMENTS PROCESS CONTAINMENT
PRESSURE VESSELS PIPING PIPELINES WELLS
IGNITION CONTROL
Ex CERTIFIED EQUIP. ELECTRICAL TRIPPING EQUIP. EARTHING AND BONDING EQUIP.
FIRE
EXPLOSION MAJOR ACCIDENT SCENARIOS
MAJOR ACCIDENT HAZARDS
MAJOR HAZARDS REGISTER
HELICOPTER CRASH
SAFEGUARDING SYSTEMS FIRE PROTECTION NAVIGATIONAL AIDS
SHIP COLLISION STRUCTURES
STRUCTURAL FAILURE
DROPPED OBJECTS
LIFTING EQUIPMENT ROTATING EQUIPMENT COMMUNICATIONS EQUIPMENT
TURBINE DISC FAILURE FLOW
ESCAPE, EVACUATION AND RESCUE EQUIPMENT
PROCESS SHUTDOWN SYSTEM EMERGENCY SHUTDOWN SYSTEM FIRE AND GAS SYSTEM WATER FIRE FIGHTING CHEMICAL FIRE FIGHTING PASSIVE FIRE PROTECTION AIRCRAFT SEACRAFT SUPPORT STRUCTURES FACILITY STRUCTURES EXPLOSION PROTECTION CRANES LIFTING GEAR AND BEAMS TURBINE P.M. FOR COMPRESSORS TURBINE P.M. FOR GENERATORS
MAINTENANCE MANAGEMENT SYSTEM
HAZARD IDENTIFICATION AND ASSESSMENT
RADIOS TELEPHONES PUBLIC ADDRESS LIFEBOATS LIFERAFTS HELICOPTER RESCUE BOX PERSONAL SAFETY EQUIPMENT
11
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
12
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
6 DEVELOPMENT OF PERFORMANCE STANDARDS — Functionality – What is it required to do? — Availability – For what proportion of time will it be capable of performing? — Reliability – How likely is it to perform on demand? — Survivability – Does it have a role to perform post event? — Interactions – Do other systems require to be functional for it to operate?
This activity follows from the identification of MAHs and selection of SCEs described in Section 5. The creation of Performance Standards (PSs) is the process by which a duty holder sets out what is expected of an SCE. The PSs are the criteria against which the initial and ongoing suitability of an SCE is assessed. Safety Integrity Level (SIL) assessments may be used to develop PSs for instrument based protective systems. Performance Standards for SCEs are generally defined in terms of:
13
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
14
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
7 ASSURANCE OF SCE INTEGRITY It is the responsibility of the duty holder to ensure that SCEs are able to perform their intended functions with the required availability and reliability throughout their service.
2.
Ensuring that assurance activities are carried out at the appropriate time by competent people.
3.
Maintaining a record of these activities and any findings that arise.
4.
Addressing any deficiencies arising from assurance activities as soon as possible and taking any temporary measures that may be necessary to maintain risk ALARP until deficiencies have been rectified. Any temporary measures should be subject to review and comment by the ICP.
This should be achieved by the following means: 1.
Identifying those assurance activities, such as maintenance, inspection and testing, that are required to maintain the SCE in a suitable condition.
15
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
16
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
8 VERIFICATION THROUGHOUT THE ASSET LIFE 8.1.2
8.1 OVERVIEW OF VERIFICATION
The ICP is required to review and comment on the list of SCEs and ensure himself that Performance Standards are appropriate; any reservation raised by the ICP should be recorded. The verification scheme may be drawn up by either the duty holder (or an appointee acting on its behalf), or the duty holder in conjunction with the ICP. If it is not drawn up by the ICP, then the ICP must review and comment on the scheme and a record of that review (including any comments or reservations as a result of unresolved issues arising) should be retained as part of the scheme records. The ICP is responsible for carrying out the verification activities detailed in the verification scheme. The duty holder is responsible for ensuring that the ICP is provided with all access necessary and information required to carry out the verification activities.
This section provides an overview of verification and description of how verification should be approached during the various stages of the asset’s life. 8.1.1
Elements of a verification scheme
A verification scheme must address the following (see OSCR (2005) Schedule 7): 1.
The principles to be used in selecting persons to perform functions under the scheme and keep it under review (i.e. the ICP).
2.
Arrangements for communicating necessary information to persons performing functions under the scheme and reviewing it.
3.
The nature and frequency of examination and testing.
4.
Arrangements for reviewing and revising the scheme.
8.1.3
5.
Arrangements for record keeping for examinations and tests carried out, results and findings, recommended actions and close-out of recommended actions.
6.
Arrangements for communicating 5. to the appropriate level in the duty holder’s organisation.
Responsibilities of the ICP
Verification activities
Verification activities are those carried out by the ICP and are intended to either directly establish the suitability of the SCE, or to establish that appropriate assurance activities have been undertaken (e.g. the witnessing of emergency shutdown system function tests). Both assurance and verification activities should be defined in the same written scheme of examination, but only an ICP can carry out verification activities. 17
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
8.2.2
The verification scheme should provide a clear indication of the nature and frequency of the verification activity that the ICP is expected to carry out. When assurance and maintenance work is carried out sufficient information should be recorded to show that the SCE remains in good repair and condition. This is particularly important where availability and reliability performance standards require to be demonstrable.
Once SCEs have been identified, Performance Standards (PSs) need to be set for each (see Section 6). Those PSs associated with establishing “initial suitability” may be different to those used to assess ongoing suitability throughout the operational life of the SCE. There are a number of ways of dealing with this issue including the development of separate PSs for initial and ongoing assessment and the incorporation of both into a single PS. Regardless of the approach taken, it is essential that the requirement contained in the PS assures that the SCE can fulfil its function. The PS must also be written in such a way that it can be clearly established whether or not the required standard of performance has been achieved.
8.2 VERIFICATION IN THE CONCEPT, FEED, DESIGN, CONSTRUCTION AND COMMISSIONING PHASES During these initial phases of a development project, the duty holder is required to demonstrate “initial suitability” of SCEs through the following:
8.2.3
Documenting the scheme
There is no fixed way of documenting a new construction verification scheme and a number of methods have been employed ranging from having all details and records in a single document to having a number of separate documents dealing with different requirements. In the later case, an overall document will be necessary in order to describe how the various pieces of documentation relate to each other. Whichever approach is taken, it should ensure that all the details required by Schedule 7 of OSCR are provided (see section 8.1).
— Consideration of the design. — Confirmation of the adequacy of manufacture, fabrication and installation. — Demonstration during commissioning that the SCEs are capable of meeting the required performance standards. The ICP’s role is to carry out independent examination of documents, activities and plant and equipment to confirm the level of compliance with the performance standards. The identification of SCEs and the setting of performance standards are important activities during these pre-operating stages of the project as they provide the foundation for managing the MAH risk. Development of a verification scheme for new construction requires input and co-ordination from a number of different parties within the duty holder’s organisation, and also from the ICP, design contractors, fabricators and completions team. The early engagement of all parties in the process is crucial to a successful outcome. Particular effort should be made to ensure that previous operational experience is utilised during the detailed design and construction phases. 8.2.1
Performance Standards for SCEs
8.2.4
Execution
During the design and construction phase the following issues need to be considered in executing the verification scheme: — Identification of design deliverables for verification. — Timing of verification submissions for design. — Scope of procurement/fabrication verification activities. — Scope of verification activities during Hook up Installation and Commissioning (HUIC). — Verification during start-up activities. — Close-out of Construction (Project) Verification Scope.
Major Accident Hazards and SCEs
It is usual to produce a document (MAH / SCE matrix) listing the SCEs and describing their derivation linkage to the MAH (See section 5). Where changes to process plant and equipment are undertaken, a similar document should be produced identifying the impact on the existing SCEs of each modification and identifying any new SCEs resulting from the changes to MAHs (see Section 9.1).
(i) Identification of design deliverables for verification It is important that the design deliverables that are subject to review by the ICP are clearly defined and agreed as early as possible in the life of the project. This 18
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
VERIFICATION THROUGHOUT THE ASSET LIFE
activities should again, be related to the risk of failure of the SCE to perform and should be agreed between the ICP and duty tolder. Verification activities during commissioning should be supported by the issue of specific instructions to ICP surveyors.
process is usually facilitated by a mark-up of the project Master Document Register (MDR). Sufficient records should be maintained by the ICP to ensure that the documentation subject to review for each SCE is clearly identified and that its status, together with any associated ICP comment, can be readily established at any time during the process. The duty holder may elect to maintain these records himself. A clear system should be established by the project to alert the ICP to changes to design documentation already examined which could affect the determination of suitability. This will help to avoid any necessity for examination of successive revisions of documentation in the future. The system should be subject to ICP audit and included as part of the overall verification scheme.
(v) Verification during start-up activities The project should produce a specific start-up plan for bringing the new or modified facilities into use. The purpose of this is to allow the duty holder to manage the changing MAH and risk profile during this phase of the project. This should be reviewed by the ICP and agreement reached with the duty holder with regard to a schedule for finally establishing suitability for each SCE. Dependent on the situation, some SCEs will require to be fully functional (and verified) sooner than others and equally, “Partial” SCEs are likely to be required at some stages. A formal documented process should be established which allows the duty holder to assess the status of assurance and verification at each stage of the start-up process.
(ii) Timing of verification submissions for design Where possible, design documentation should be divided into logical packages per SCE in consultation with the ICP and a schedule for submission/examination established. This will allow the most effective use of resources on behalf of the ICP and enable the progress of the scheme, with regard to the different SCEs, to be easily established. It is particularly important that the ICP be given the opportunity to review and comment on the design early enough to be in a position to influence any changes necessary to ensure suitability.
(vi) Close-out of Construction (Project) Verification Scope At the end of the project, and as part of the handover to operations, the conclusions of the project verification scheme should be documented and agreed. These will include:
(iii) Scope of procurement/fabrication verification activities As early as possible within the FEED and detailed design stages, a procurement register should be made available to the ICP and agreement reached as to those items which are to be subject to verification at source (i.e. at a vendor’s works). The extent of verification activities proposed will be agreed between the ICP and duty holder and should relate to the risk associated with failure of each of the item(s) concerned. Verification activities at vendors’ works or at major fabrication sites, should be documented by the issue of specific instructions to ICP surveyors complemented by a mark-up of the vendor/fabricator’s planned inspection and test schedules to indicate those points where intervention is required.
— The results of the ICP scrutiny of the list of SCEs and the verification scheme itself. — A completed matrix relating examinations undertaken to particular SCEs. — Completed and signed off ICP work instructions issued at each stage. — A statement of any conditions or reservations expressed by the ICP during the course of the examinations. — A final statement as to the suitability of the identified SCEs.
8.3 IN-SERVICE VERIFICATION Verification of the ongoing suitability of SCEs on offshore installations begins once they are in operation. An in-service verification scheme should be prepared during the construction phase and all interested parties made familiar with it before the installation is taken into operation. Those interested parties include:
(iv) Scope of verification activities during HUIC Prior to commencement of commissioning activities (either onshore or offshore) the commissioning plans for SCE systems should be made available for ICP review, comment and mark-up, to indicate those activities subject to verification review and the extent of ICP involvement. The nature and frequency of these
— Duty holder’s verification engineer/coordinator. 19
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
8.3.4
— Technical Authorities within the duty holder and engineering support organisations. — Representatives from the duty holder’s Safety Engineering department. — Relevant ICPs. 8.3.1
In instances where a compromised SCE is identified or where a PS is inadequately addressed during the verification process, the ICP report should contain a clear statement regarding 'continuing suitability' and a recommendation as to the course of action which should be adopted by the duty holder. The verification scheme should contain targets for initial response times and final close-out times for ICP recommendations. It is the duty holder’s responsibility to address any recommendation made by the ICP in order to restore the affected SCE to the capability stipulated by the PS, in the most expedient manner.
Units entering the UKCS
In the case of an existing installation being taken into use on the UKCS for the first time, a safety case should be developed and an associated verification scheme should be set in place in preparation for the beginning of the operating period. It will be necessary for such a scheme to address the 'initial' as well as the 'ongoing' suitability of the identified SCEs. 8.3.2
ICP Recommendations
Scheme revision 8.4 DECOMMISSIONING
Verification schemes should be kept under continuous review and revised as often as is necessary to keep them up to date. In addition to periodic reviews a scheme review should be initiated by changes such as the following:
8.4.1
At least three months prior to decommissioning taking place, the duty holder should prepare revisions to the installation safety case and these should be assessed for any impact on the list of SCEs. These changes would result from:
— Revision of any Codes or Standards referenced in the scheme. — Modifications to the installation which result in amendments to the list of SCEs. — Significant revision to the installation Safety Case. — Changes to installation operating parameters. — Changes to environmental conditions. 8.3.3
Review of MAHs.
— A hydrocarbon free environment. — Hazard identification primarily focussed on heavy construction, lifting and marine operations. — Residual hazards after the decommissioning: - navigational/marine traffic; - environmental/pollution; - seabed/fishing gear.
Reporting
Reports of verification surveys undertaken by ICPs either onshore or offshore should be presented to the duty holder’s nominated representative in a timely manner. Each report should provide the duty holder with a clear representation of the condition of the SCE and confirmation or otherwise, that the PS has been fully addressed. It is not sufficient to report 'by exception' as this does not present a full picture of the condition of the SCEs.
The amended SCE list will be significantly different from the operational case and PSs should be revised or rewritten and a decommissioning verification scheme produced that will confirm ongoing suitability of SCEs during key stages of the decommissioning.
20
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
9 CHANGE MANAGEMENT — Identification of new SCEs. — Reassessment of existing Performance Standards and the need for new Performance Standards for new SCEs. — Need to clearly document project verification activities for "initial suitability". — Incorporation of changes and modifications into ongoing operational verification (and maintenance) regimes with any proposed revisions to SCE maintenance regimes being reviewed by the ICP. — Involvement of operations and the "Operational" ICP in project scope.
9.1 MODIFICATIONS 9.1.1
Importance of duty holders’ Management of Change systems
Duty holders should have a documented and effective process for the management of change and modifications to platform systems, components or structures. Responsibility and/or accountability of individuals within the duty holder’s organisation for the various functions within the change process should be clearly defined. Changes directly affecting SCEs or impacting on SCE functions in managing risk should provide for update of any formal risk assessments where appropriate. The process should make explicit reference to the involvement of the ICP in all modifications which impact upon existing SCEs or the creatation of new ones. The 'management of change' document should be controlled by the duty holder and referenced in the duty holder’s verification scheme. 9.1.2
9.2 TEMPORARY EQUIPMENT 9.2.1
Temporary equipment impact on SCEs
Duty holders should have a documented process in place to demonstrate their intention and ability to manage the transportation and use of temporary equipment and in particular, equipment which adds to or impacts upon the list of SCEs. This process should be referenced in the Verification Scheme for each installation.
Need for SCE Impact study
During the assessment of individual modifications, it is important to have a thorough understanding of the original MAH identification and the philosophies for prevention, mitigation and control. All modifications should be assessed to establish their impact on the existing list of SCEs or if they create additional SCEs. For those modifications which are confirmed to have safety critical content, the following aspects need to be considered:
9.2.2
Performance Standards for temporary equipment
Performance Standards should be established for items of temporary equipment in all cases where the existing PS applicable to the installation is either inadequate or inappropriate. 21
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
9.2.3
The installation verification scheme should identify the nature and frequency of assurance and verification activities associated with temporary equipment; these should include:
Assurance and verification activities for temporary equipment
Temporary or portable equipment for use on an offshore installation should be subject to appropriate assurance and verification activities if:
— Examination of equipment prior to shipment. — Witnessing of testing prior to shipment. — Review of manufacturers’ / suppliers’ records / certification. — Examination of equipment offshore. — Auditing of the management processes and records held: - by the duty holder onshore and offshore; - by the Shipping/Forwarding contractor.
— The equipment in itself creates an addition to the platform list of SCEs (e.g. demountable drilling equipment not permanently held on the installation). — The equipment impacts on any of the existing platform SCEs: - by virtue of the planned location on the installation (e.g. engine driven generator/ compressor required to operate in a designated hazardous area); - by virtue of the proposed application (e.g. well intervention equipment once it becomes part of the reservoir pressure envelope).
Comprehensive records should be maintained by the duty holder to confirm adherence to the process. These records should be available to the ICP.
22
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
10 REFERENCES AND GLOSSARY OF TERMS 10.2 GLOSSARY OF TERMS
10.1 REFERENCES OF FURTHER INFORMATION FEED HUIC ICPs MAHs MDR OSCR PFEER
List of references and further information sources from HSE, UKOOA and EI: — A Guide to the Offshore Installations (Safety Case) Regulations 2005 (HSE, 2006) — Prevention of Fire and Explosion and Emergency Response on Offshore Installations – Approved Code of Practice and Guidance (HSE, 1997)
PSs SCEs UKOOA
— Asset Integrity Toolkit (UKOOA, 2006)
Front End Engineering Design Hook Up, Installation and Commissioning Independent Competent Persons Major Accident Hazards Master Document Register Offshore Safety Case Regulations Prevention of Fire and Explosion and Emergency Response Regulations Performance Standards Safety Critical Elements UK Offshore Operators Association
23
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100
GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS
24
Licenced to: Jeremy Goddard. Single user licence only. IMPORTANT: This file is subject to a licence agreement issued by the Energy Institute, London, UK. All rights reserved. It may only be used in accordance with the licence terms and conditions. It must not be forwarded to, or stored or accessed by, any unauthorised user. Enquiries: e:
[email protected] t: +44 (0)207 467 7100