safety critical element identification


Upload: nikolas-eiffel-newcastle

Post on 18-Apr-2015


DESCRIPTION

SAFETY CRITICAL ELEMENT IDENTIFICATION

TRANSCRIPT

Page 1: SAFETY CRITICAL ELEMENT IDENTIFICATION

SAFETY CRITICAL ELEMENT IDENTIFICATION, PERFORMANCE STANDARD AND ENGINEERING VERIFICATION FOR OIL AND GAS INSTALLATION

FESTIN TOMY
ENGINEER - SAFETY DESIGN
PETROFAC INTERNATIONAL LTD.
SHARJAH, UAE
festin.tomy[at]petrofac.com

Journal of HSE & Fire Engineering, Issue 2, March 2009

Introduction

The overall objective of the Engineering Verification for oil and gas installations is to ensure independent and competent scrutiny of those parts of the installation that are critical to safety, and to obtain assurance of the satisfactory condition of such items. Identification of the Safety Critical Elements (SCE) is the foundation for the Engineering Verification. Performance Standards provide a means to ensure that the SCEs are suitable for the required function, and that the SCEs retain integrity, remaining in good repair and condition.

Performance standards are also required to ensure that equipment supporting Prevention of Fire, Explosion and Emergency Response (PFEER) functions is suitable for the required function, and retains integrity, remaining in good repair and condition.

The concept of Safety Critical Elements (for practical purposes the term Elements covers both systems and equipment) was introduced to the North Sea in the PFEER (Prevention of Fire, Explosion and Emergency Response) Regulations in 1995. As a result, Operators are required to identify the SCE within their facilities and create and maintain performance standards for each.

The UK Offshore Installations and Wells (Design and Construction, etc.) Regulations (DCR) from 1996 require independent and competent verification of those parts of an installation which are critical to safety (i.e. Safety Critical Elements). The purpose is to obtain assurance of the satisfactory condition of such items.

Design safeguards are incorporated into the facilities to manage (i.e. prevent, detect, control/mitigate or respond to) hazards associated with operation of the plant. Each of the safeguards is required to provide a minimum level of operational performance, in terms of functionality, availability, reliability and survivability against major accident events, in order to ensure that the Risk Tolerability Criteria are met.

Certain equipment and systems provide safeguards that may be considered to be sufficiently important to be classified as 'safety critical'. This article provides a basis for the definition of those systems and associated equipment which are safety critical, and defines how performance requirements for each should be developed, presented and verified.

Safety Critical Element

A safety system will generally be dependent on a number of other systems for its successful operation. In the case of a deluge system, for example, this would include the fire pumps, ring main, instrument air and fire detection. These systems, while they may be regarded as critical systems in their own right, must also be considered as sub-systems when determining the criticality of the deluge system.

SCS (Safety Critical Systems) may be divided into the following categories:

- Hardware Systems: any passive, structural, mechanical, electrical or electronic or programmable electronic system such as a deluge, emergency shutdown (ESD), system loops, passive fire protection coatings, pressure containment, or similar.
- Software Systems: any procedure, programme or similar document-based, person-operated function (e.g. hot work procedure, equipment maintenance procedure, emergency procedures, or similar).

Where a system, if missing or non-functional, has a possible, perceived or minor (but not significant) impact on the outcome (risks) related to an event, then it should not be regarded as Safety Critical. An example is equipment such as fire extinguishers that are provided to respond to less than catastrophic events. If a non-catastrophic event (such as a paper basket fire) escalates into a catastrophic event, other systems come into play which will be classified SCS.

In the case of a hardware system, safety criticality may be demonstrated quantitatively from studies such as Safety Integrity Level (SIL) assessment, the Quantitative Risk Assessment (QRA) or a mixture of qualitative and quantitative assessment. However, this would not generally be the case for software systems, and a qualitative assessment based on industry experience will normally be required.

Where computer software is used for safety systems, such as ESD or fire and gas, then if the overall system is safety critical the combination of hardware and software must also be assumed to be safety critical.

A Safety Critical Element is defined as a system or component:

- Whose failure could cause or contribute to a major accident.
- Whose purpose is to prevent or limit the effect of a major accident.

Within potential safety critical systems, while many subsystems or components may be safety critical, there may be others that are not (e.g. DCS is not classified as safety critical; however, some functions may be safety critical depending on the configuration). The term Safety Critical Element (SCE) includes equipment or systems (procedures) associated with the Prevention of Fire and Explosion and Emergency Response Regulation (PFEER) requirements.

SCE Assessment Methodology

The starting point for identifying the safety critical elements is to identify the hazardous events. The majority of these can be identified from safety case / HSEIA supporting documentation, e.g.:

- HAZID/ENVID (Hazard Identification) Studies;
- HAZOP (Hazard and Operability Studies);
- Layout reviews;
- Instrument Protective Function assessment (SIL assessment);
- Quantitative Risk Assessment;
- Safety reviews and studies, e.g. dropped object study;
- FMEA (Failure Mode and Effect Analysis);
- Human error identification methods;
- Safety Case; and
- Task risk assessment.

Once the hazardous events have been identified, the potential causes can be established. Against each of the causes, any preventative and mitigatory controls are highlighted with reference to supporting documentation. The documents should be based on demonstration of current suitability, not on specification of what is actually installed. Using the definition of SCE, engineering judgment and knowledge of the controls in place, safety critical elements can be identified.

In summary, the following steps should be adopted in the exercise:

Step 1 - HAZARDOUS SCENARIO: What is the hazardous event?
Step 2 - CAUSE(S): What can potentially cause the hazardous event?
Step 3 - PREVENTION CONTROLS: What control measures are in place to prevent the hazardous event from occurring?
Step 4 - MITIGATION CONTROLS: What control measures are in place to mitigate (i.e. limit and/or prevent) escalation of the hazardous event?
Step 5 - SAFETY CRITICAL ELEMENT: What safety critical elements are required to fulfill their intended function during the hazardous event?

SCEs Categorization

Each SCE is categorized according to function in relation to risk reduction. These categories are defined below:

- Prevention Measures - Measures which ensure good fundamental design to minimize or remove the risk of major accidents (inherent safety by design). Examples of this are: optimizing plant layout; limiting inventory available for release.
- Detection Measures - Automatic or manual measures which detect hazardous situations requiring emergency action. Examples of these are: detecting and recording accumulations of flammable gases; flame detection.
- Warning Measures - Measures that alert personnel to an emergency situation, including audible and visual

Performance Standard for Safety Critical Element

Performance standards are required for all SCS and their underlying SCE, i.e. systems and equipment that contribute to the prevention, detection, control or mitigation of hazardous events. These include both management procedures and hardware systems. While it is generally possible to quantify the risk benefits provided by a hardware safety system, this is not always possible for software systems. For the purposes of this methodology, software systems are defined as any procedure, program or similar document-based, person-operated function. In these cases a qualitative approach may be adopted to determine if these systems are safety critical.

A critical system requires a performance standard which should reflect the ability of the system to perform, survive and operate on demand, and thus to protect personnel from major accident events (usually fire and explosion) and ensure effective emergency evacuation. The standard developed should be able to confirm that an acceptable level of risk is being achieved in design. The verification process should demonstrate that this will continue to be maintained throughout the installation life. Performance Standards lay down criteria that can be measured or assessed so that the suitability and effectiveness of each SCE can be assured and verified.

Methodology

The initial step in preparing a Performance Standard is to set the scene. To do so, the following items should be addressed:

Safety Critical Element (SCE) Description
Identify the Safety Critical Element being considered and any sub-element integral to it. Where several sub-elements exist within a particular SCE, specific performance standards are prepared for each of the sub-elements. A unique reference number or identifier for each SCE and sub-element should be provided.

Boundaries
Define the scope, components and limits of the system to allow clear identification of the scope of the performance standards.

Goal
Definition of what the SCE or sub-element, for whichever the performance standard is written, is meant to achieve. The rest of the FARSI parameters should contribute to the attainment of this goal.

Detailing the Performance Standard

The second step is to define the various functions that the SCE is expected to perform, stipulating the minimum acceptable performance and taking into consideration the means by which the performance could be measured or demonstrated practically.

The third step is to define the reliability and availability. The availability is the proportion of the time during operation or standby that the SCE is expected to be ready to perform its function. Given that a system is available, the reliability is the probability of performing the required function on demand. A numerical value is not easy to derive for all systems; however, where systems have been modeled in the Quantitative Risk Assessment (QRA) or Reliability, Availability and Maintainability (RAM) study, the availability/reliability value employed in the QRA or RAM should be utilized. Where the required availability figures are not given in the QRA or RAM or other documentation, then a formal issue shall be raised to define the data.

The fourth step is to define the survivability or limitation of the SCE in its design environment and under what emergency conditions it should remain capable of performing its design function.

The final step is to identify other systems whose performance could affect the effectiveness of a particular safety critical system. The interdependent system should be identified and the interdependent function should be stated, as well as the reason for interdependency. The dependencies should be one-way, i.e. only functions on which the attainment of this performance standard is dependent should be identified; other systems that depend on this SCE should not be identified.

In a nutshell, the following details shall be covered in order to effectively identify the Performance Standard of each safety critical element:

Functionality - What is it required to do?
Availability - For what proportion of time will it be capable of performing?
Reliability - How likely is it to perform on demand?
Survivability - Does it have a role to perform post event?
Interactions - Do other systems require to be functional for it to operate?

Verification

Each performance standard should be subject to a rigorous review to ensure that the stated performance of the SCS/SCE has been correctly specified and will meet the stated objectives. It is also essential that the stated objectives are commensurate with the hazards and the hazard risks.

When setting a performance standard it is essential that there is a clear audit trail to enable this verification to be carried out. Clear procedures are required as to how this verification is to be carried out, by whom, and by what time.

APPENDIX A: SAFETY CRITICAL ELEMENTS TEMPLATE AND EXAMPLE

The template has one column per item below; each column carries guidance text and, beneath it, the worked example (Loss of Containment).

Hazardous Scenario
Guidance: Identify the hazardous event.
Example: Loss of Containment

Cause(s)
Guidance: Define causes that could potentially lead to the hazardous event.
Example: Overpressure

Prevention Controls
Guidance: Define the control measures in place to prevent occurrence of the hazardous event.
Example:
1. Vessel in accordance to API & ASME codes.
2. Pressure relief is provided on vessel and designed in accordance with API RP 520.
3. High pressure alarm is provided.
4. Etc. (insert reference to assessments, design specification and data sheet where possible)

Mitigation Controls
Guidance: Define the control measures in place to mitigate (limit and/or prevent) escalation of the hazardous event.
Example:
1. Process trips
2. Isolation of inventory (ESD)
3. Emergency Procedure
4. Etc. (insert reference to assessments, design specification and data sheet where possible)

Safety Critical Element
Guidance: Based on the prevention and mitigation controls, define the Safety Critical Elements (SCE) that are required to fulfill their intended function during the hazardous event.
Example:
- ESD
- Pressure relief
- Vessel & associated pipework
- Process Alarms & trips
- Emergency Procedure
- UPS

Dependency and Interaction
Guidance: Define any dependencies and interactions with the SCE.
Example: UPS

SCE Category
(left blank in the template example)

APPENDIX B: SAFETY CRITICAL ELEMENT PERFORMANCE STANDARD TEMPLATE WITH EXAMPLE

SCE: Flammable Gas Detection
PS No: 1.0
Function: Detection
Component: All Components

DESCRIPTION / SYSTEM LIMITS
This PS covers the Flammable Gas Detection systems at XYZ plant. The System comprises field detector devices, field cabling, instrument terminations, including the control system functions and logic. The system also includes the electrical power supply.

ROLE
The role of the Flammable Gas Detection System is to continuously monitor the designated areas for flammable gas where ignitable concentrations could occur. On detection of gas the system shall automatically initiate alarms and automatic / manual control actions.

GOALS
The goals of the Flammable Gas Detection System are to:
- Detect flammable gas concentrations near the point of release.
- Initiate the appropriate alarm and control actions.
- Detect flammable gas concentrations at air intakes to buildings containing safety critical systems and potential ignition sources.
- Remain operational during an emergency for a time sufficient to allow intended functions and emergency response actions to be initiated.

FUNCTIONALITY
Function: To provide adequate coverage of process facilities
Performance Criteria: Reliable early detection utilising detector types most suitable for the expected hazard. Detectors to be strategically located to provide operator with earliest possible warning of gas build up or of migrating clouds.
Validation: Design review of flammable gas detection philosophy and datasheets. Design review of C&E diagrams. Design review of flammable gas detector layouts. Functional testing of flammable gas detectors to confirm compliance with design requirements.

Function: Provide all other functional criteria

RELIABILITY / AVAILABILITY
Critical system reliability
Performance Criteria: Target reliability >99%
Validation: Manufacturer / suppliers shall provide documentation on the reliability of devices.

SURVIVABILITY
Fire
Performance Criteria: Must be capable of withstanding an external fire. Minimum for 20 minutes.
Validation: Design Specification Requirements. Design review of vendor supplied items to ensure consistency with project specification.

INTERACTIONS / DEPENDENCIES / LIMITATIONS
System: Essential Power / UPS
Safety Critical? (Y/N): Yes
Interactions / Dependencies / Limitations: To provide backup power for defined period of time.
PS Ref: PS#15

System: Non-Hazardous HVAC
Safety Critical? (Y/N): Yes
Interactions / Dependencies / Limitations: To close fire dampers
PS Ref: PS#9

List down all other dependencies.
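As an added illustration (not the article's or Petrofac's own tool) of how the third and final steps of the Methodology could be checked across a register of performance standards such as the Appendix B template, the following Python code models each PS with its FARSI figures, combines availability and reliability into an on-demand success probability (our reading of the article's two definitions), flags figures missing from the QRA/RAM as a formal issue, and rejects dependency chains that loop back, which would violate the one-way rule. The PS references and the HVAC/UPS dependencies are taken from Appendix B; the numeric availability and reliability values are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PerformanceStandard:
    ps_ref: str                      # unique reference, e.g. "PS#1"
    sce: str                         # Safety Critical Element covered
    availability: Optional[float]    # proportion of time ready to act; None if not in QRA/RAM
    reliability: Optional[float]     # P(performs on demand | available); None if not in QRA/RAM
    survivability_min: int           # minutes it must keep working in the design fire
    depends_on: List[str] = field(default_factory=list)  # one-way: only what THIS PS needs

def on_demand_success(ps: PerformanceStandard) -> Optional[float]:
    """Combine the article's two figures: ready (availability) AND works when ready (reliability)."""
    if ps.availability is None or ps.reliability is None:
        return None  # figure not in QRA/RAM: the article requires a formal issue to be raised
    return ps.availability * ps.reliability

def _has_cycle(by_ref: dict, start: str) -> bool:
    """True if following depends_on links from start ever leads back to start."""
    stack, seen = list(by_ref[start].depends_on), set()
    while stack:
        ref = stack.pop()
        if ref == start:
            return True
        if ref in seen or ref not in by_ref:
            continue
        seen.add(ref)
        stack.extend(by_ref[ref].depends_on)
    return False

def check_register(register: List[PerformanceStandard], target_reliability: float = 0.99) -> List[str]:
    """Return review findings for a set of performance standards; an empty list means it passes."""
    by_ref = {ps.ps_ref: ps for ps in register}
    findings = []
    for ps in register:
        if on_demand_success(ps) is None:
            findings.append(f"{ps.ps_ref}: availability/reliability not in QRA/RAM, raise formal issue")
        elif ps.reliability < target_reliability:
            findings.append(f"{ps.ps_ref}: reliability {ps.reliability} below target {target_reliability}")
        for dep in ps.depends_on:
            if dep not in by_ref:
                findings.append(f"{ps.ps_ref}: dependency {dep} has no performance standard")
        if _has_cycle(by_ref, ps.ps_ref):
            findings.append(f"{ps.ps_ref}: dependency chain returns to itself, not one-way")
    return findings

def sample_register() -> List[PerformanceStandard]:
    """Constructed from the Appendix B example; the numeric figures are assumed, not the article's."""
    return [
        PerformanceStandard("PS#1", "Flammable Gas Detection", 0.995, 0.995, 20, ["PS#15", "PS#9"]),
        PerformanceStandard("PS#15", "Essential Power / UPS", 0.999, 0.99, 30),
        # HVAC has no RAM figure and wrongly lists the detection PS back as its own dependency
        PerformanceStandard("PS#9", "Non-Hazardous HVAC", None, None, 20, ["PS#1"]),
    ]
```

Running `check_register(sample_register())` reports the loop between PS#1 and PS#9 and the missing HVAC figures; once PS#9 carries its own availability/reliability values and drops the back-reference, the register passes with no findings.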

Reference: http://seminarprojects.com/Thread-safety-critical-element-identification-performance-standard-and-engineering-verific#ixzz2DX6uMBVl