SAFETY CRITICAL ELEMENT IDENTIFICATION PERFORMANCE STANDARD AND ENGINEERING VERIFIC
#1

SAFETY CRITICAL ELEMENT IDENTIFICATION
PERFORMANCE STANDARD AND ENGINEERING
VERIFICATION FOR OIL AND GAS INSTALLATION
FESTIN TOMY
ENGINEER - SAFETY DESIGN
PETROFAC INTERNATIONAL LTD.
SHARJAH, UAE
festin.tomy[at]petrofac.com
Introduction
The overall objective of the Engineering
Verification for oil and gas installations is to
ensure independent and competent scrutiny of
those parts of the installation that are critical to
safety, and to obtain assurance of the
satisfactory condition of such items.
Identification of the Safety Critical Elements
(SCE) is the foundation for the Engineering
Verification. Performance Standards provide a
means to ensure that the SCEs are suitable for
the required function, and that the SCEs retain
integrity, remaining in good repair and
condition.
Performance standards are also required to
ensure that equipment supporting Prevention
of Fire, Explosion and Emergency Response
(PFEER) functions is suitable for the required
function, and retains integrity, remaining in
good repair and condition.
The concept of Safety Critical Elements (for
practical purposes the term Elements covers
both systems and equipment), was introduced
to the North Sea in the PFEER (Prevention of
Fire, Explosion and Emergency Response)
Regulations in 1995. As a result Operators are
required to identify the SCE within their
facilities and create and maintain performance
standards for each.
The UK Offshore Installations and Wells
(Design and Construction, etc.) Regulations
(DCR) from 1996 require independent and
competent verification of those parts of an
installation which are critical to safety (i.e.
Safety Critical Elements). The purpose is to
obtain assurance of the satisfactory condition of
such items.
Design safeguards are incorporated into the facilities to manage (i.e. prevent, detect, control/mitigate or respond to) hazards associated with operation of the plant. Each of the safeguards is required to provide a minimum level of operational performance, in terms of functionality, availability, reliability and survivability against major accident events, in order to ensure that the Risk Tolerability Criteria are met.
Certain equipment and systems provide safeguards that may be considered to be sufficiently important to be classified as 'safety critical'. This article provides a basis for the definition of those systems and associated equipment which are safety critical and definition as to how performance requirements for each should be developed, presented and verified.
Safety Critical Element
A safety system will generally be dependent on a
number of other systems for its successful
operation. In the case of a deluge system for
example, this would include the fire pumps, ring
main, instrument air and fire detection. These
systems, while they may be regarded as critical
systems in their own right, must also be
considered as sub-systems when determining the
criticality of the deluge system.
SCS may be divided into the following categories:
- Hardware Systems
Any passive, structural, mechanical, electrical or electronic or programmable electronic system such as a deluge, emergency shutdown (ESD), system loops, passive fire protection coatings, pressure containment, or similar.
- Software Systems
Any procedure, programme or similar document based, person operated function (e.g. hot work procedure, equipment maintenance procedure, emergency procedures, or similar).
Journal of HSE & Fire Engineering, Issue 2 March 2009
Where a system, which if missing or non-
functional, has a possible, perceived or minor
(but not significant) impact on the outcome
(risks) related to an event, then it should not be
regarded as Safety Critical. An example is
equipment such as fire extinguishers that are
provided to respond to less than catastrophic
events. If a non-catastrophic event (such as a
paper basket fire) escalates into a catastrophic
event, other systems come into play which will
be classified SCS.
In the case of a hardware system safety
criticality may be demonstrated quantitatively
from studies such as Safety Integrity Level (SIL)
assessment, the Quantitative Risk Assessment
(QRA) or a mixture of qualitative and quantitative
assessment. However this would not generally
be the case for software systems and a
qualitative assessment based on industry
experience will normally be required.
Where computer software is used for safety
systems, such as ESD or fire and gas then if the
overall system is safety critical then the
combination of hardware and software must also
be assumed to be safety critical.
A Safety Critical Element is defined as a system
or component:
- Whose failure could cause or contribute to a major accident.
- Whose purpose is to prevent or limit the effect of a major accident.
Within potential safety critical systems, while
many subsystems or components may be safety
critical, there may be others that are not (e.g.
DCS is not classified as safety critical; however,
some functions may be safety critical depending
on the configuration.) The term Safety Critical
Element (SCE) includes equipment or systems
(procedures) associated with, Prevention of Fire
and Explosion and Emergency Response
Regulation, PFEER requirements.
SCE Assessment Methodology
The starting point for identifying the safety critical
elements is to identify the hazardous events. The
majority of these can be identified from safety
case /HSEIA supporting documentation e.g.
- HAZID/ENVID (Hazard Identification) Studies;
- HAZOP (Hazard and Operability Studies);
- Layout reviews;
- Instrument Protective Function assessment (SIL assessment);
- Quantitative Risk Assessment;
- Safety reviews and studies e.g. dropped object study;
- FMEA (Failure Mode and Effect Analysis);
- Human error identification methods;
- Safety Case; and
- Task risk assessment.
Once the hazardous events have been identified,
the potential causes can be established. Against
each of the causes any preventative and
mitigatory controls are highlighted with reference
to supporting documentation. The documents
should be based on demonstration of current
suitability, not on specification of what is actually
installed. Using the definition of SCE, engineering
judgment and knowledge of the controls in place,
safety critical elements can be identified.
In summary, the following steps should be adopted in the exercise:
Step 1: HAZARDOUS SCENARIO - What is the hazardous event?
Step 2: CAUSE(S) - What can potentially cause the hazardous event?
Step 3: PREVENTION CONTROLS - What control measures are in place to prevent the hazardous event from occurring?
Step 4: MITIGATION CONTROLS - What control measures are in place to mitigate (i.e. limit and/or prevent) escalation of the hazardous event?
Step 5: SAFETY CRITICAL ELEMENT - What safety critical elements are required to fulfill their intended function during the hazardous event?
SCEs Categorization
Each SCE is categorized according to function in relation to risk reduction. These categories are defined below:
- Prevention Measures - Measures which ensure good fundamental design to minimize or remove the risk of major accidents (inherent safety by design). Examples of this are: optimizing plant layout; limiting inventory available for release.
- Detection Measures - Automatic or manual measures which detect hazardous situations requiring emergency action. Examples of these are: detecting and recording accumulations of flammable gases; flame detection.
- Warning Measures - Measures that alert personnel to emergency situations including audible and visual
Performance Standard for Safety Critical Element
Performance standards are required for all SCS and their underlying SCE i.e. systems and equipment that contribute to the prevention, detection, control or mitigation of hazardous events. These include both management procedures and hardware systems. While it is generally possible to quantify the risk benefits provided by a hardware safety system, this is not always possible for software systems. For the purposes of this methodology software systems are defined as any procedure, program or similar document-based, person-operated function. In these cases a qualitative approach may be adopted to determine if these systems are safety critical.
A critical system requires a performance standard which should reflect the ability of the system to perform, survive and operate on demand, and thus to protect personnel from major accident events (usually fire and explosion) and ensure effective emergency evacuation. The standard developed should be able to confirm that an acceptable level of risk is being achieved in design. The verification process should demonstrate that this will continue to be maintained throughout the installation life.
Performance Standards lay down criteria that can be measured or assessed so that the suitability and effectiveness of each SCE can be assured and verified.
Methodology
The initial step to preparing a Performance Standard is to set the scene. To do so, the following items should be addressed:
Safety Critical Element (SCE) Description
Identify the safety critical element being considered and any sub-element integral to it. Where several sub-elements exist within a particular SCE, specific performance standards are prepared for each of the sub-elements. A unique reference number or identifier for each SCE and sub-element should be provided.
Boundaries
Define the scope, components and limits of the system to allow clear identification of the scope of the performance standards.
Goal
Define what the SCE or sub-element, for
whichever the performance standard is written,
is meant to achieve. The rest of the FARSI
parameters should contribute to the attainment
of this goal.
Detailing the Performance standard
The second step is to define the various functions that the SCE is expected to perform, stipulating the minimum acceptable performance and taking into consideration the means by which the performance could be measured or demonstrated practically. The third step is to define the reliability and availability. The availability is the proportion of the time during operation or standby that the SCE is expected to be ready to perform its function. Given that a system is available, the reliability is the probability of performing the required function on demand.
A numerical value is not easy to derive for all systems; however where systems have been modeled in the Quantitative Risk Assessment (QRA) or Reliability Availability and Maintainability (RAM) study, the availability/reliability value employed in the QRA or RAM should be utilized. Where the required availability figures are not given in the QRA or RAM or other documentation then a formal issue shall be raised to define the data.
The fourth step is to define the survivability or
limitation of the SCE in its design environment
and under what emergency conditions it should
remain capable of performing its design function.
The final step is to identify other systems whose performance could affect the effectiveness of a particular safety critical system. The interdependent system should be identified and the interdependent function should be stated, as well as the reason for interdependency. The dependencies should be one-way i.e. only functions on which the attainment of this performance standard is dependent should be identified - other systems that depend on this SCE should not be identified.
In a nutshell, the following details shall be covered in order to effectively identify the Performance Standard of each safety critical element.
Functionality - What is it required to do?
Availability - For what proportion of time will it be capable of performing?
Reliability - How likely is it to perform on demand?
Survivability - Does it have a role to perform post event?
Interactions - Do other systems require to be functional for it to operate?
Verification
Each performance standard should be subject
to a rigorous review to ensure that the stated
performance of the SCS/SCE has been
correctly specified and will meet the stated
objectives. It is also essential that the stated
objectives are commensurate with the hazards
and the hazard risks.
When setting a performance standard it is
essential that there is a clear audit trail to
enable this verification to be carried out. Clear
procedures are required as to how this
verification is to be carried out, by whom, and
by what time.
APPENDIX A: SAFETY CRITICAL ELEMENTS TEMPLATE AND EXAMPLE
Template columns: Hazardous Scenario; Cause(s); Prevention Controls; Mitigation Controls; Safety Critical Element; Dependency and Interaction; SCE Category.
Hazardous Scenario
Template: Identify the hazardous event.
Example: Loss of Containment
Cause(s)
Template: Define causes that could potentially lead to the hazardous event.
Example: Overpressure
Prevention Controls
Template: Define the control measures in place to prevent occurrence of the hazardous event.
Example:
1. Vessel accordance to API & ASME codes.
2. Pressure relief is provided on vessel and designed in accordance with API RP 520.
3. High pressure alarm is provided.
4. Etc.
(insert reference to assessments, design specification and data sheet where possible)
Mitigation Controls
Template: Define the control measures in place to mitigate (limit and/or prevent) escalation of the hazardous event.
Example:
1. Process trips
2. Isolation of inventory (ESD)
3. Emergency Procedure
4. Etc.
(insert reference to assessments, design specification and data sheet where possible)
Safety Critical Element
Template: Based on the prevention and mitigation controls, define the Safety Critical Elements (SCE) that are required to fulfill their intended function during the hazardous event.
Example:
- ESD
- Pressure relief
- Vessel & associated pipework
- Process Alarms & trips
- Emergency Procedure
- UPS
Dependency and Interaction
Template: Define any dependencies and interactions with the SCE.
Example: UPS
APPENDIX B: SAFETY CRITICAL ELEMENT PERFORMANCE STANDARD TEMPLATE WITH EXAMPLE
SCE: Flammable Gas Detection
PS No: 1.0
Function: Detection
Component: All Components
DESCRIPTION / SYSTEM LIMITS
This PS covers the Flammable Gas Detection systems at XYZ plant. The System comprises field detector devices, field cabling, instrument terminations, including the control system functions and logic. The system also includes the electrical power supply.
ROLE
The role of the Flammable Gas Detection System is to continuously monitor the designated areas for flammable gas where ignitable concentrations could occur.
On detection of gas the system shall automatically initiate alarms and automatic / manual control actions.
GOALS
The goals of the Flammable Gas Detection System are to:
- Detect flammable gas concentrations near the point of release.
- Initiate the appropriate alarm and control actions.
- Detect flammable gas concentrations at air intakes to buildings containing safety critical systems and potential ignition sources.
- Remain operational during an emergency for a time sufficient to allow intended functions and emergency response actions to be initiated.
FUNCTIONALITY
Function: To provide adequate coverage of process facilities
Performance Criteria: Reliable early detection utilising detector types most suitable for the expected hazard. Detectors to be strategically located to provide operator with earliest possible warning of gas build up or of migrating clouds.
Validation: Design review of flammable gas detection philosophy and datasheets. Design review of C&E diagrams. Design review of flammable gas detector layouts. Functional testing of flammable gas detectors to confirm compliance with design requirements.
Function: Provide all other functional criteria
RELIABILITY / AVAILABILITY
Function: Critical system reliability
Performance Criteria: Target reliability >99%
Validation: Manufacturer/suppliers shall provide documentation on the reliability of devices.
SURVIVABILITY
Function: Fire
Performance Criteria: Must be capable of withstanding an external fire. Minimum for 20 minutes
Validation: Design Specification Requirements. Design review of vendor supplied items to ensure consistency with project specification.
INTERACTIONS / DEPENDENCIES / LIMITATIONS
System: Essential Power/UPS
Safety Critical? Y/N: Yes
Interactions/Dependencies/Limitations: To provide backup power for defined period of time.
PS Ref: PS#15
System: Non-Hazardous HVAC
Safety Critical? Y/N: Yes
Interactions/Dependencies/Limitations: To close fire dampers
PS Ref: PS#9
System: List down all other dependencies
Reply
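The article's register rules (a unique identifier per SCE, every performance parameter defined, one-way interdependencies with a stated reason) and its point that a system such as deluge must be assessed together with its sub-systems can be checked mechanically. The following is an added example, not part of the article or the original post; the class and function names, the `PS#1` spelling of PS No 1.0, and the `PS#X` entries are assumptions made for illustration.

```python
from dataclasses import dataclass, field
FIELDS = ("functionality", "availability", "reliability", "survivability")

@dataclass
class PerformanceStandard:
    ref: str            # unique identifier of the SCE or sub-element
    sce: str
    functionality: str = ""
    availability: str = ""
    reliability: str = ""
    survivability: str = ""
    interactions: dict = field(default_factory=dict)  # ref relied on -> reason

def check_register(register):
    """Return sorted (ref, finding) pairs for the register rules in the article."""
    findings, by_ref = set(), {}
    for ps in register:
        if ps.ref in by_ref:
            findings.add((ps.ref, "identifier is not unique"))
        by_ref[ps.ref] = ps
    for ps in register:
        for name in FIELDS:
            if not getattr(ps, name).strip():
                findings.add((ps.ref, f"{name} not defined, raise a formal issue"))
        for dep, reason in ps.interactions.items():
            if dep not in by_ref:
                findings.add((ps.ref, f"relies on {dep}, which has no performance standard"))
            elif ps.ref in by_ref[dep].interactions:
                findings.add((ps.ref, f"two-way entry with {dep}, review the direction"))
            if not reason.strip():
                findings.add((ps.ref, f"no reason stated for reliance on {dep}"))
    return sorted(findings)

def supporting_systems(register, ref):
    """Every system the SCE relies on, directly or through its sub-systems."""
    by_ref = {ps.ref: ps for ps in register}
    seen, stack = set(), [ref]
    while stack:
        current = by_ref.get(stack.pop())
        for dep in (current.interactions if current else ()):
            if dep != ref and dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return sorted(seen)

# Constructed register. PS#1, PS#15 and PS#9 follow the Appendix B example; the
# "defined" placeholders, the back-entry on PS#9 and all PS#X entries are invented.
D = "defined"
REGISTER = [
    PerformanceStandard("PS#1", "Flammable Gas Detection", "coverage of process facilities",
                        "", "target >99%", "external fire, 20 minutes",
                        {"PS#15": "backup power", "PS#9": "close fire dampers"}),
    PerformanceStandard("PS#15", "Essential Power/UPS", D, D, D, D),
    PerformanceStandard("PS#9", "Non-Hazardous HVAC", D, D, D, D, {"PS#1": "gas at air intake"}),
    PerformanceStandard("PS#X1", "Deluge", D, D, D, D, {"PS#X2": "", "PS#X3": "feeds ring main"}),
    PerformanceStandard("PS#X2", "Fire Detection", D, D, D, D, {"PS#15": "backup power"}),
]

if __name__ == "__main__":
    print(check_register(REGISTER), supporting_systems(REGISTER, "PS#X1"))
```

The two-way finding is a prompt for review rather than proof of an error: it marks pairs where one of the two standards may have recorded a system that depends on it instead of a system it depends on.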
#2
Rainbow 
Could u pls. provide more info on the selection of HSE critical devices in the process plants.
Reply
#3

To get information about the topic "SAFETY CRITICAL ELEMENT IDENTIFICATION PERFORMANCE STANDARD AND ENGINEERING VERIFIC", refer to the page link below

http://studentbank.in/report-safety-crit...8#pid57688
Reply
