
SAFETY CRITICAL ELEMENT IDENTIFICATION, PERFORMANCE STANDARD AND ENGINEERING VERIFICATION FOR OIL AND GAS INSTALLATIONS

FESTIN TOMY
ENGINEER - SAFETY DESIGN
PETROFAC INTERNATIONAL LTD., SHARJAH, UAE
festin.tomy[at]petrofac.com

Journal of HSE & Fire Engineering, Issue 2, March 2009, Page 45

Introduction

The overall objective of Engineering Verification for oil and gas installations is to ensure independent and competent scrutiny of those parts of the installation that are critical to safety, and to obtain assurance of the satisfactory condition of such items. Identification of the Safety Critical Elements (SCE) is the foundation of Engineering Verification. Performance Standards provide a means to ensure that the SCEs are suitable for their required function and that they retain integrity, remaining in good repair and condition. Performance Standards are also required to ensure that equipment supporting Prevention of Fire, Explosion and Emergency Response (PFEER) functions is suitable for its required function and retains integrity, remaining in good repair and condition.

The concept of Safety Critical Elements (for practical purposes the term Elements covers both systems and equipment) was introduced to the North Sea in the PFEER (Prevention of Fire, Explosion and Emergency Response) Regulations in 1995. As a result, Operators are required to identify the SCEs within their facilities and to create and maintain Performance Standards for each. The UK Offshore Installations and Wells (Design and Construction, etc.) Regulations (DCR) of 1996 require independent and competent verification of those parts of an installation which are critical to safety (i.e. the Safety Critical Elements). The purpose is to obtain assurance of the satisfactory condition of such items.

Design safeguards are incorporated into the facilities to manage (i.e. prevent, detect, control/mitigate or respond to) the hazards associated with operation of the plant. Each safeguard is required to provide a minimum level of operational performance, in terms of functionality, availability, reliability and survivability against major accident events, in order to ensure that the Risk Tolerability Criteria are met. Certain equipment and systems provide safeguards that may be considered sufficiently important to be classified as safety critical. This article provides a basis for the definition of those systems and associated equipment which are safety critical, and for how the performance requirements for each should be developed, presented and verified.

Safety Critical Element

A safety system will generally depend on a number of other systems for its successful operation. In the case of a deluge system, for example, these would include the fire pumps, ring main, instrument air and fire detection. These systems, while they may be regarded as critical systems in their own right, must also be considered as sub-systems when determining the criticality of the deluge system.

Safety critical systems (SCS) may be divided into the following categories:

Hardware Systems - Any passive, structural, mechanical, electrical, electronic or programmable electronic system such as a deluge system, emergency shutdown (ESD), system loops, passive fire protection coatings, pressure containment, or similar.

Software Systems - Any procedure, programme or similar document-based, person-operated function (e.g. hot work procedure, equipment maintenance procedure, emergency procedures, or similar).

Where a system which is missing or non-functional has only a possible, perceived or minor (but not significant) impact on the outcome (risks) of an event, it should not be regarded as Safety Critical. An example is equipment such as fire extinguishers that are provided to respond to less than catastrophic events. If a non-catastrophic event (such as a paper basket fire) escalates into a catastrophic event, other systems come into play, and those will be classified as SCS.

In the case of a hardware system, safety criticality may be demonstrated quantitatively from studies such as the Safety Integrity Level (SIL) assessment, the Quantitative Risk Assessment (QRA), or a mixture of qualitative and quantitative assessment. This would not generally be the case for software systems, where a qualitative assessment based on industry experience will normally be required. Where computer software is used for safety systems such as ESD or fire and gas, then if the overall system is safety critical the combination of hardware and software must also be assumed to be safety critical.

A Safety Critical Element is defined as a system or component:
- whose failure could cause or contribute to a major accident; or
- whose purpose is to prevent or limit the effect of a major accident.

Within potential safety critical systems, while many sub-systems or components may be safety critical, there may be others that are not (e.g. the DCS is not classified as safety critical; however, some of its functions may be safety critical depending on the configuration). The term Safety Critical Element (SCE) includes equipment or systems (procedures) associated with the requirements of the Prevention of Fire and Explosion and Emergency Response (PFEER) Regulations.

SCE Assessment Methodology

The starting point for identifying the safety critical elements is to identify the hazardous events. The majority of these can be identified from the Safety Case / HSEIA supporting documentation, e.g.:
- HAZID/ENVID (Hazard Identification) studies;
- HAZOP (Hazard and Operability) studies;
- Layout reviews;
- Instrument Protective Function assessment (SIL assessment);
- Quantitative Risk Assessment;
- Safety reviews and studies, e.g. dropped object study;
- FMEA (Failure Mode and Effect Analysis);
- Human error identification methods;
- Safety Case; and
- Task risk assessment.

Once the hazardous events have been identified, the potential causes can be established. Against each cause, any preventative and mitigatory controls are highlighted with reference to supporting documentation. The documents should be based on demonstration of current suitability, not on specification of what is actually installed. Using the definition of SCE, engineering judgement and knowledge of the controls in place, the safety critical elements can be identified. In summary, the following steps should be adopted in the exercise:

Step 1 - HAZARDOUS SCENARIO: What is the hazardous event?
Step 2 - CAUSE(S): What can potentially cause the hazardous event?
Step 3 - PREVENTION CONTROLS: What control measures are in place to prevent the hazardous event from occurring?
Step 4 - MITIGATION CONTROLS: What control measures are in place to mitigate (i.e. limit and/or prevent) escalation of the hazardous event?
Step 5 - SAFETY CRITICAL ELEMENT: What safety critical elements are required to fulfil their intended function during the hazardous event? These include both management procedures and hardware systems.

While it is generally possible to quantify the risk benefits provided by a hardware safety system, this is not always possible for software systems. For the purposes of this methodology, software systems are defined as any procedure, programme or similar document-based, person-operated function. In these cases a qualitative approach may be adopted to determine whether these systems are safety critical.

SCE Categorization

Each SCE is categorized according to its function in relation to risk reduction. These categories are defined below:

Prevention Measures - Measures which ensure good fundamental design to minimize or remove the risk of major accidents (inherent safety by design). Examples are: optimizing plant layout; limiting the inventory available for release.

Detection Measures - Automatic or manual measures which detect hazardous situations requiring emergency action. Examples are: detecting and recording accumulations of flammable gases; flame detection.

Warning Measures - Measures that alert personnel to an emergency situation, including audible and visual

Performance Standard for Safety Critical Elements

Performance Standards are required for all SCS and their underlying SCEs, i.e. the systems and equipment that contribute to the prevention, detection, control or mitigation of hazardous events. A critical system requires a Performance Standard which should reflect the ability of the system to perform, survive and operate on demand, and thus to protect personnel from major accident events (usually fire and explosion) and ensure effective emergency evacuation. The standard developed should be able to confirm that an acceptable level of risk is being achieved in design. The verification process should demonstrate that this will continue to be maintained throughout the installation life. Performance Standards lay down criteria that can be measured or assessed so that the suitability and effectiveness of each SCE can be assured and verified.

Methodology

The initial step in preparing a Performance Standard is to set the scene. To do so, the following items should be addressed:

Safety Critical Element (SCE) Description - Identify the safety critical element being considered and any sub-element integral to it. Where several sub-elements exist within a particular SCE, specific Performance Standards are prepared for each of the sub-elements. A unique reference number or identifier should be provided for each SCE and sub-element.

Boundaries - Define the scope, components and limits of the system, to allow clear identification of the scope of the Performance Standard.

Goal - Define what the SCE or sub-element for which the Performance Standard is written is meant to achieve. The rest of the FARSI parameters should contribute to the attainment of this goal.

Detailing the Performance Standard

The second step is to define the various functions that the SCE is expected to perform, stipulating the minimum acceptable performance and taking into consideration the means by which the performance could be measured or demonstrated practically.

The third step is to define the reliability and availability. The availability is the proportion of the time during operation or standby that the SCE is expected to be ready to perform its function. Given that a system is available, the reliability is the probability of its performing the required function on demand. A numerical value is not easy to derive for all systems; however, where systems have been modelled in the Quantitative Risk Assessment (QRA) or the Reliability, Availability and Maintainability (RAM) study, the availability/reliability value employed in the QRA or RAM should be used. Where the required availability figures are not given in the QRA, RAM or other documentation, a formal issue shall be raised to define the data.

The fourth step is to define the survivability or limitation of the SCE in its design environment, and under what emergency conditions it should remain capable of performing its design function.

The final step is to identify other systems whose performance could affect the effectiveness of a particular safety critical system. The interdependent system should be identified and the interdependent function stated, together with the reason for the interdependency. The dependencies should be one-way, i.e. only functions on which the attainment of this Performance Standard depends should be identified; other systems that depend on this SCE should not be identified.

In a nutshell, the following details shall be covered in order to effectively define the Performance Standard of each safety critical element:

Functionality - What is it required to do?
Availability - For what proportion of time will it be capable of performing?
Reliability - How likely is it to perform on demand?
Survivability - Does it have a role to perform post-event?
Interactions - Do other systems need to be functional for it to operate?

Verification

Each Performance Standard should be subject to a rigorous review to ensure that the stated performance of the SCS/SCE has been correctly specified and will meet the stated objectives. It is also essential that the stated objectives are commensurate with the hazards and the hazard risks. When setting a Performance Standard it is essential that there is a clear audit trail to enable this verification to be carried out. Clear procedures are required as to how this verification is to be carried out, by whom, and by what time.

APPENDIX A: SAFETY CRITICAL ELEMENTS TEMPLATE AND EXAMPLE

The template has the following columns: Hazardous Scenario; Cause(s); Prevention Controls; Mitigation Controls; Safety Critical Element; Dependency and Interaction; SCE Category. The template instruction for each column is given below, followed by the worked example.

Hazardous Scenario
Template: Identify the hazardous event.
Example: Loss of Containment

Cause(s)
Template: Define the causes that could potentially lead to the hazardous event.
Example: Overpressure

Prevention Controls
Template: Define the control measures in place to prevent occurrence of the hazardous event (insert references to assessments, design specifications and data sheets where possible).
Example:
1. Vessel in accordance with API & ASME codes.
2. Pressure relief is provided on the vessel and designed in accordance with API RP 520.
3. High pressure alarm is provided.
4. Etc.

Mitigation Controls
Template: Define the control measures in place to mitigate (limit and/or prevent) escalation of the hazardous event (insert references to assessments, design specifications and data sheets where possible).
Example:
1. Process trips
2. Isolation of inventory (ESD)
3. Emergency Procedure
4. Etc.

Safety Critical Element
Template: Based on the prevention and mitigation controls, define the Safety Critical Elements (SCE) that are required to fulfil their intended function during the hazardous event.
Example: ESD; Pressure relief; Vessel & associated pipework; Process alarms & trips; Emergency Procedure; UPS

Dependency and Interaction
Template: Define any dependencies and interactions with the SCE.
Example: UPS

APPENDIX B: SAFETY CRITICAL ELEMENT PERFORMANCE STANDARD TEMPLATE EXAMPLE

SCE: Flammable Gas Detection
PS No: 1.0
Function: Detection
Component: All Components

DESCRIPTION / SYSTEM LIMITS
This PS covers the Flammable Gas Detection systems at the XYZ plant. The system comprises the field detector devices, field cabling and instrument terminations, including the control system functions and logic. The system also includes the electrical power supply.

ROLE
The role of the Flammable Gas Detection System is to continuously monitor the designated areas for flammable gas where ignitable concentrations could occur. On detection of gas the system shall automatically initiate alarms and automatic / control actions.

GOALS
The goals of the Flammable Gas Detection System are to:
- Detect flammable gas concentrations near the point of release.
- Initiate the appropriate alarm and control actions.
- Detect flammable gas concentrations at air intakes to buildings containing safety systems and potential ignition sources.
- Remain operational during an emergency for a time sufficient to allow intended functions and emergency response actions to be initiated.

FUNCTIONALITY
Function: To provide adequate coverage of process facilities.
Performance Criteria: Reliable early detection utilising the detector types most suitable for the expected hazard. Detectors to be strategically located to provide the operator with the earliest possible warning of gas build-up or of migrating clouds.
Validation: Design review of the flammable gas detection philosophy and datasheets. Design review of C&E diagrams. Design review of flammable gas detector layouts. Functional testing of flammable gas detectors to confirm compliance with design requirements.
(Provide all other functional criteria in the same way.)

RELIABILITY / AVAILABILITY
Critical system reliability: Target reliability >99%.
Validation: Manufacturer/suppliers shall provide documentation on the reliability of devices.

SURVIVABILITY
Fire: Must be capable of withstanding an external fire, minimum for 20 minutes. Design Specification Requirements: Design review of vendor supplied items to ensure consistency with the project specification.

INTERACTIONS / DEPENDENCIES / LIMITATIONS
System: Essential Power / UPS; Safety Critical? Yes; Interaction/Dependency: To provide backup power for a defined period of time; PS Ref: PS#15
System: Non-Hazardous HVAC; Safety Critical? Yes; Interaction/Dependency: To close fire dampers; PS Ref: PS#9
(List all other dependencies.)
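The FARSI structure and the one-way dependency rule described in the Methodology section, and the PS#15 / PS#9 interactions listed in Appendix B, can be checked mechanically once the register is held as data. The following is an added example, not code from the article or from any operator's register: the PS references, reliability figures and the rule that on-demand probability is availability multiplied by reliability, combined in series across the dependency chain, are all constructed assumptions for illustration.

```python
"""Added example: a small checker for an SCE Performance Standard register.
Assumption (not from the article): probability of performing on demand is
availability x reliability, and an SCE and its dependencies act independently in series."""
from dataclasses import dataclass


@dataclass
class PerformanceStandard:
    ps_ref: str            # unique identifier for the SCE / sub-element
    name: str
    function: str          # Functionality: what is it required to do?
    availability: float    # proportion of time it is ready to perform
    reliability: float     # probability of performing on demand, given available
    survivability: str     # role post-event, e.g. "withstand external fire 20 min"
    interactions: list     # PS refs this SCE depends on (one-way, upstream only)


# Constructed register loosely following Appendix B; the numbers are illustrative.
REGISTER = {ps.ps_ref: ps for ps in [
    PerformanceStandard("PS#1", "Flammable Gas Detection", "Detect flammable gas",
                        0.999, 0.99, "Withstand external fire for 20 min",
                        ["PS#15", "PS#9"]),
    PerformanceStandard("PS#15", "Essential Power/UPS", "Backup power",
                        0.999, 0.995, "Defined backup period", []),
    PerformanceStandard("PS#9", "Non-Hazardous HVAC", "Close fire dampers",
                        0.99, 0.98, "Not required post-event", []),
]}


def check_register(register):
    """Audit findings: dangling PS references and dependencies that are not one-way."""
    findings = []
    for ps in register.values():
        for dep in ps.interactions:
            if dep not in register:
                findings.append(f"{ps.ps_ref}: depends on unknown {dep}")
            elif ps.ps_ref in register[dep].interactions:
                findings.append(f"{ps.ps_ref} <-> {dep}: dependency is not one-way")
    return findings


def on_demand_probability(register, ps_ref, seen=frozenset()):
    """Availability x reliability of the SCE, multiplied along its dependency chain."""
    if ps_ref in seen:
        raise ValueError(f"dependency cycle at {ps_ref}")
    ps = register[ps_ref]
    p = ps.availability * ps.reliability
    for dep in ps.interactions:
        p *= on_demand_probability(register, dep, seen | {ps_ref})
    return p
```

A two-way entry (an SCE listed as depending on a system that in turn lists it) is reported by check_register and makes on_demand_probability raise, which is the audit-trail failure the verification step is meant to catch.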

Reference: http://seminarprojects.com/Thread-safety-criticalelement-identification-performance-standard-and-engineeringverific#ixzz2DX6uMBVl
