EP-HQ-GDL-008-00 Safety Critical Elements Integrity Management Guideline [PDF]


Safety Critical Elements – Integrity Management Guideline

Date 27 July 2012

Revision No. 00

Document No. EP-HQ-GDL-008-00

Responsible for Content:

E&P Production & Engineering Operations Integrity

Agreed By:

Greg Smart E&P Operations & Maintenance

Approved By:

Reinhart Samhaber SVP Production & Engineering

CONTENTS

1. Introduction ..... 4
1.1. Purpose, Scope & Application ..... 4
2. Cross References ..... 4
3. Key Definitions ..... 5
4. SCE Management Process ..... 5
4.1. Management Responsibilities ..... 6
4.1.1. E&P Head Office ..... 6
4.1.2. E&P Assets ..... 6
4.1.3. Role of Technical & Discipline Authorities ..... 6
5. SCE Identification ..... 6
5.1. Identification of Major Accidents ..... 7
5.2. Major Accident Management & System Level SCEs ..... 8
5.3. Equipment/Component (Tag) Level SCE Identification ..... 10
5.4. SCE Criticality Ranking ..... 10
6. Determining Performance Standards ..... 11
6.1. Describing Assurance Tasks ..... 12
7. Role of Contractors and Suppliers in SCE Integrity ..... 13
8. Management of Change ..... 13
9. SCE Integrity Assurance in Projects ..... 14
9.1. SCE Assurance Across Project Phases ..... 15
9.2. Managing SCE Failures and Deviations ..... 15
10. SCE Integrity Assurance in Operations ..... 15
10.1. CMMS Implementation ..... 15
10.1.1. SCE System, Equipment and Component Hierarchy ..... 18
10.2. Implementation of SCE Integrity Assurance Management ..... 18
10.2.1. Maintenance, Inspection and Testing ..... 19
10.2.2. Recording and Reporting ..... 19
10.2.3. Management of Repairs ..... 19
10.2.4. Temporary and Portable Equipment ..... 20
10.2.5. Spares Management ..... 20
10.3. Managing Failures, Degradation, Deferment and Unavailability ..... 20
10.3.1. Unavailability of SCEs ..... 20
10.3.2. Deferred Maintenance of SCEs ..... 20
10.3.3. Failure and Degradation of SCEs ..... 21
10.3.4. Risk Assessment and Mitigation ..... 21
10.3.5. Approving Deviations from SCE Performance Standards ..... 22
10.4. Managing Defeat (Bypass/Override/Inhibit) of SCEs ..... 24
10.5. Unplanned Demands on SCEs ..... 24

SCE Integrity Management Guideline.docx EP-HQ-GDL-008-00

2 of 57

11. SCE Performance and KPIs ..... 24
11.1. Set-up & Implementation of SCE Integrity Management ..... 25
11.2. SCE Integrity Assurance in Projects ..... 25
11.3. SCE Integrity Assurance in Operations ..... 25
12. Verification & Audits of SCE Integrity Management ..... 26
12.1. General ..... 26
12.2. Selection/Appointment of IVB/ICP ..... 26
12.3. Verification Scope and Methods ..... 26
12.4. Verification Terms of Reference ..... 28
12.5. Verification Scheme and Written Scheme of Examination (WSE) ..... 28
12.6. Recording, Reporting and Close-out of Verification Activities ..... 29
13. Organisational Responsibilities and Competency ..... 30
14. Terms & Abbreviations ..... 31
LIST OF APPENDICES ..... 34
Appendix 1 – SCE Categories and Examples of Safety Critical Elements ..... 35
Appendix 2 – Example of SCE Performance Standard Data Sheet ..... 40
Appendix 3 – Example of SCE Performance Standard for Project Phases ..... 44
Appendix 4 – Examples of Major Accident Events & Consequence Matrix ..... 52
Appendix 5 – Method for SCE Safety Criticality Ranking ..... 53
Appendix 6 – Example Method for Identifying SCEs at Tag Level ..... 55
Appendix 7 – Selecting Independent Verification Body (IVB) ..... 56

Figures and Tables

Figure 1 – Overview of SCE Integrity Management Processes ..... 5
Figure 2 - BowTie Methodology ..... 7
Figure 3 - Examples of System Level SCEs ..... 8
Figure 4 - Decision Process for Identifying Safety Critical Elements ..... 9
Figure 5 - Decision Process for Identifying SCEs at Tag Level ..... 10
Figure 6 - Performance Standard Summary ..... 13
Figure 7 - Overview of SCE Integrity Assurance in Projects ..... 14
Figure 8 - SCE Assurance Activities in Project Define & Execute Phases ..... 15
Figure 9 - CMMS Implementation for SCE Integrity Assurance in Operations ..... 17
Figure 10 - SCE System-Equipment-Component Hierarchy ..... 18
Figure 11 - Risk Management of Failed/Degraded, Unavailable, Defeated SCEs & Deferred Assurance ..... 23
Figure 12 - Overview of Verification ..... 29
Table 1 - Examples of Equipment Registers ..... 16
Table 2 - Verification Sampling & Frequency Based on SCE Criticality ..... 27


1. Introduction

It is a requirement that all OMV facilities have a system in place which ensures that “the technical integrity of drilling units and production facilities can be assured and that major accidents are minimised.” (Management of Technical Integrity Standard, HSEQ-HQ-06-04-01)

This guideline is a practical reference for implementing the integrity assurance requirements related to the Management of Technical Integrity Standard.

1.1. Purpose, Scope & Application

The purpose of this document is to provide guidance on the management processes required for:
• establishing technical integrity of a facility through the design, construction and commissioning of safety critical elements;
• maintaining integrity of safety critical elements through testing, inspection and maintenance; and,
• managing risk during operations if safety critical elements are unavailable or cannot operate as designed.

The scope of this guideline excludes occupational and workplace safety management and procedures.

This guideline applies to OMV Exploration and Production GmbH, its controlled subsidiaries and to activities where OMV is the designated operator acting on behalf of a consortium. ‘Controlled’ means the ownership, directly or indirectly, of more than fifty percent (50%) of the shares or of the rights of voting authority in a company, partnership or legal entity. At locations where OMV is neither the operator nor holds the majority shareholding, OMV will seek to have similar management requirements adopted.

2. Cross References

OMV E&P Engineering Guidelines and Design Philosophies, TO-HQ-02-001-01
Management of Technical Integrity Standard, HSEQ-HQ-06-04-01
HSE Case Standard, HSEQ-HQ-05-02-01
Guidelines for Leading & Lagging Process Safety Performance Indicators, HSEQ-HQ-08-03-00
Deviation from the Requirements of Technical Standards, EP-HQ-010
Well Operations Management System Manual, EP-EPP-WE-04-00
Well Engineering Technical Policy, EP-EPP-WE-03-02
Well Construction Process, EP-EPP-WE-01-00
Well Engineering Standard: Rig Audit: Pre-hire and Acceptance, EP-EPP-WE-07-01

Note: This Guideline incorporates and replaces Guidelines for Identifying Safety Critical Elements, EP-HQ-03-GL-008-00.

OMV Group Capital Project Management Discipline Authority Framework Standard, GT-M-003
HSSE Management System, HSSE-D-002
Safety Management Directive, HSSE-D-004
Risk Management Standard, HSSE-S-004
HSSE in Projects Standard & RACI Checklist, HSSE-S-005
Safety in Design Standard, HSSE-S-014
Process Safety Management Standard, HSSE-S-016
Management of Change Standard, HSSE-S-021
Facility Documentation Recommendation, HSSE-R-028
Asset Integrity Recommendation, HSSE-R-0?? (shall be in place no later than December 31, 2012)


3. Key Definitions

Major Accident – This is an accidental event which has major or severe consequences for people or the environment. The OMV definitions of ‘major’ and ‘severe’ consequences in this context, and examples of major accidents, are provided in Appendix 4 – Examples of Major Accident Events & Consequence Matrix.

Major Accident Hazard – Any substance or energy which, if not contained, could seriously harm people or the environment, either directly or by initiating events which could lead to a major accident.

Safety Critical Element (SCE) – A safety critical element is any part of the facilities (including software) the failure of which could cause or contribute substantially to a major accident, or the purpose of which is to prevent or limit the effects of a major accident. Safety critical elements typically include installation hardware and equipment-related software which are designed to prevent or control a release of a major accident hazard, or which are intended to mitigate impacts.

SCE Performance Standards – These describe how a SCE must perform in terms of its functionality, availability, reliability and survivability, and also identify any interdependence between SCEs.

4. SCE Management Process

The management of SCEs begins at the Define stage of a project with a multi-disciplinary assessment of major accident hazards and risk. This assessment determines what safety critical elements are needed to manage the hazards. Performance standards of the SCEs are then specified so that technical integrity can be assured during the project, and also delivered on project handover to enable SCE integrity assurance in operations.

SCE integrity assurance in projects focuses on QA/QC in design, procurement, fabrication/construction and commissioning. In operations, assurance focuses on maintenance, inspection and testing. The assurance process in both projects and operations is subject to an audit process, referred to as ‘verification’.

The following aspects are key to effective SCE integrity management and are described in more detail in this Guideline:
1. Identifying SCEs
2. Determining Performance Standards and assurance requirements
3. Verification & examination of SCE integrity assurance
4. Inspections, tests & quality assurance of SCEs in projects
5. Implementing SCE assurance in the CMMS
6. Maintenance, inspection & testing in operations
7. Management of failures, degraded performance, defeats and deferred assurance activities
8. Investigation of unexpected demands on SCEs
9. Analysis and reporting of SCE performance

Figure 1 – Overview of SCE Integrity Management Processes


4.1. Management Responsibilities

4.1.1. E&P Head Office

Senior Vice President, Production & Engineering – will approve this guideline and will support and monitor its implementation in OMV operated assets. Where OMV is a partner in a non-operated joint venture, the SVP Production & Engineering will advocate for the adoption of this guideline or request that the JV operator demonstrates equivalent standards.

Manager Operations Integrity, Production & Engineering department – is responsible for developing, maintaining and disseminating this guideline, and for providing support and clarification if required.

Manager Operations & Maintenance, Production & Engineering department – is responsible for communicating SCE integrity management best practices to branch offices and for advising on implementation of this guideline by facility management.

4.1.2. E&P Assets

General Managers/Asset Managers – are responsible for communicating this Guideline within their Asset(s), and for ensuring appropriate management systems and resources are in place. Where OMV is a partner in a non-operated joint venture, GMs are responsible for awareness/training and sensitive encouragement of the JV operator, particularly when it comes to conducting SCE integrity audits.

Project Managers – are responsible for the identification, design and delivery of safety critical elements that are fully in compliance with their Performance Standards, supported by the technical data and documentation required for incorporating SCE inspection, testing and maintenance in the Computerised Maintenance Management System – CMMS (e.g. SAP).

Operations Managers – are responsible for maintaining the design functionality of all safety critical elements within their operation, by means of management programmes and procedures for testing, inspection and maintenance, and through monitoring and analysis of SCE assurance via the CMMS. They have the responsibility for approving the equipment’s return to service.

Well Engineering Managers – are responsible for establishing, prior to acceptance of drilling, workover and well services rigs and equipment, “that there are written standards in place for safety critical elements of equipment, personnel and procedures,” and that “the contractor operates & maintains the unit in accordance with the requirements set out.” – Drilling, Workover & Well Service Unit Audit: Pre-hire & Acceptance Standard.

4.1.3. Role of Technical & Discipline Authorities [1]

Discipline or Technical Authorities are responsible for the technical specification of SCE Performance Standards relating to their discipline, and for providing discipline-specific advice to the Project Manager during the project life cycle and to Operations/Asset Managers during operations. Refer to OMV Corporate Standard: ‘Discipline Authority Framework’.

Prior to handover of a project, Discipline Authorities must confirm that all SCEs have met their Performance Standards. In operations the Technical/Discipline Authority typically assists in risk assessment of Performance Standard variations and test results and, for defective SCEs, advises whether effective alternate temporary controls are possible and on corrective actions that would restore the safety critical functionality.

Technical/Discipline Authorities are subject matter experts, and must have sufficient knowledge, experience and understanding of SCE Performance Standards and associated integrity assurance activities relevant to each phase of the asset lifecycle.

[1] The title ‘Technical Authority’ is commonly used in operations rather than ‘Discipline Authority’, but their functions in projects and in operations are largely equivalent and require comparable skills and expertise.

5. SCE Identification

Safety critical elements are ideally identified at the Define stage of a project. However, if this has not been possible and/or in the case of existing operational Assets, the process should be completed at the earliest opportunity. As is described in Section 8 - Management of Change, SCE identification is not a ‘once-only’ activity and needs to be re-assessed in relation to change of all types/sources that affect a project or Asset.

Alternative methodologies for identifying SCEs are described in this Guideline, but whichever methodology is used, the process shall be formally documented and the identified SCEs listed together with the justification and record of their major accident management role.

This document provides guidance and recommendations on carrying out two ‘levels’ of SCE identification, the ‘system’ level and the ‘equipment/component’ (asset register tag) level. The importance of and reasons for this hierarchical approach to SCE identification are discussed in Section 10.1.1 and illustrated in Figure 10 - SCE System-Equipment-Component Hierarchy.

5.1. Identification of Major Accidents

The starting point in the SCE identification process is the identification of hazards which could lead to major accidents, and analysis of how these could occur, how they might escalate and what sort of consequences would result. Means of prevention and of control and mitigation (barriers) are then identified for each. Tools used in this process include HAZID, HAZOP and BowTie. Quantitative risk assessment (QRA) methods are then used to evaluate whether the proposed barriers are sufficient to reduce risk to a predetermined tolerable level and to meet the objective of reducing risk to as low as reasonably practicable (ALARP). Further details on risk management analysis and methodology are provided in the Group HSSE Risk Management Standard.

The recommended approach for identifying safety critical elements is via the BowTie methodology.

Figure 2 - BowTie Methodology (diagram: the Hazard and Top event at the centre; Threat 1, Threat 2 and Threat 3 on the left and Consequence 1, Consequence 2 and Consequence 3 on the right, each separated from the top event by Barriers; Escalation factors acting on the barriers, each with an Escalation factor control; legend: Safety Critical Elements, Safety critical tasks, Engineering – Maintenance – Operations)


5.2. Major Accident Management & System Level SCEs

Systems, equipment or components are safety critical if they perform one or more of the following functions in relation to one or more major accidents:

A. Prevention (structural integrity, process containment and ignition control) – System, structure or equipment for primary containment (pressure envelope) of inventories that have the potential for major accidents, primary support of facilities and/or other SCEs, and for the control/prevention of ignition.
B. Detection – System or equipment to detect that the primary safeguards have failed, for example ESD fire/gas/leak detection. [2]
C. Control or Mitigation – Systems (or secondary safeguards) to provide protection, prevent the event escalating and bring the plant to a safe state. For example drainage, blow-down systems, fire protection and suppression.
D. Emergency Response & Lifesaving – Systems to minimise the effect of failure of primary and secondary safeguards, for example local alarms, systems to protect life and assist escape, evacuation & rescue, emergency communications, emergency power.

Examples of SCEs in each of these categories are provided in Figure 3 below and in Appendix 1 – SCE Categories and Examples of Safety Critical Elements.

Figure 3 - Examples of System Level SCEs

[2] Detection, Control and Mitigation systems are grouped together and referred to as ‘Recovery Barriers’ in IADC HSE Case Guidelines for Mobile Offshore Drilling Units, http://www.iadc.org, and referred to as ‘Mitigation & Recovery Controls’ in IEC/ISO 31010:2009 Risk management – Risk assessment techniques.


Notes on Figure 3 - Examples of System Level SCEs
• If the failure of any item listed above cannot be shown to cause or contribute significantly to a major accident or reduce the severity of major accident consequences, then it may not be safety critical.
• It is not necessary for several SCEs to fail simultaneously to lead to a major accident. Failure of a single SCE such as Structural Integrity, or a combination such as loss of Process Containment and Ignition Control, can lead directly to a major accident.

As an alternative to using the Bow-tie methodology, Figure 4 below provides a basis for systematic screening of systems to determine if they are SCE. Note that at this initial ‘system’ level, equipment may also be considered where it functions in isolation from other equipment and effectively constitutes a system on its own.

Figure 4 - Decision Process for Identifying Safety Critical Elements


5.3. Equipment/Component (Tag) Level SCE Identification

In order to effectively enable implementation of the SCE integrity assurance process in the CMMS, SCEs need to be identified at the tag level as they would appear in the asset register. Identification at tag level is not as straightforward as it first appears, because although an equipment/component item is the ‘child’ of a system already identified as a SCE, this does not necessarily mean that it is also a SCE. The reason for this is that failure of individual equipment/component items within a system will not always prevent the achievement of the safety critical function(s). The key ‘rule set’ questions to be addressed in this process are:
• Does the equipment/component item belong to a SCE system?
• Will failure prevent achievement of the safety critical function performance defined in the Performance Standard?

Figure 5 - Decision Process for Identifying SCEs at Tag Level

Appendix 6 – Example Method for Identifying SCEs at Tag Level is a methodology/set of decision rules for determining whether an individual equipment item or component (down to the level assigned individual tag numbers within the CMMS Asset Register) can be considered to be a SCE.

5.4. SCE Criticality Ranking

The main purpose of ranking the criticality of SCEs is to assist in determining verification sample size and/or verification task frequency (refer Section 12). Criticality ranking must not be used to justify changes in SCE performance standards or deferral of SCE assurance activities.

Criticality ranking of SCEs provides a basis for:
• Determining verification sample size and/or verification task frequency
• Assessment of cumulative risk when several SCEs are degraded or unavailable
• Determining the spares holding for SCE equipment and components

There are various methods of evaluating SCE criticality. The method described in Appendix 5 – Method for SCE Safety Criticality Ranking takes into account:
• The major accident management function of the SCE (F)
• The consequence of failure (C)
• Redundancy – the extent to which an alternative SCE can take over the function of the SCE in the event of its failure, and/or whether the SCE has inherent redundancy (R)

The result of the ranking is a numerical rating for each SCE equal to (F x C x R), which then determines whether the criticality ranking is High (H), Medium (M) or Low (L). The process of criticality ranking is carried out for ‘system’ level SCEs and the ranking is then applied at the tag level; that is, the criticality ranking for the ‘parent’ system is applied to all ‘child’ tags identified as being SCE.

Note that the level of SCE criticality ranking is not a justification for deferral of maintenance, inspection or other SCE assurance tasks. However, where a facility has an existing high number of deferred assurance tasks, then criticality ranking may assist in prioritisation of these, provided that an adequate risk assessment has been carried out and contingency measures are put in place (refer to Section 10.3.4).

6. Determining Performance Standards

Each identified SCE – at the system level – will have its own Performance Standard. A Performance Standard should state the overall goals of the SCE. The goals will be aligned with the role that the SCE has in preventing or mitigating a major accident. From the goals, design engineers and operations and risk experts will assess the required function and level of performance of the safety critical elements. Functions and performance criteria may relate to a system (i.e. overall) and/or to individual equipment or component items.

Although most SCE performance criteria remain applicable to all asset lifecycle phases, the assurance activities (and hence verification activities) associated with project phases and operations are different. In projects (design, procurement, fabrication, construction and commissioning), the SCE assurance process will for example be based on equipment type testing and commissioning performance tests, while in operations the assurance tasks focus on maintenance, inspection and testing. Further details of these differences are provided in Sections 9 & 10. Refer to Appendices 2 and 3 for examples of SCE Performance Standards in projects and in operations.

SCE Performance Standards can be described in qualitative or (preferably) quantitative terms and must specify:

Functionality
• What is the SCE required to do? (in relation to managing the major accidents)

Availability
• For what proportion of time is it required to be available and capable of performing its functions?

Reliability
• What is the minimum allowable failure rate of the SCE?
• How likely is it to perform on demand?

Survivability
• What major accident hazard effects must the SCE be able to survive and still perform its function(s)?
• Does it have a role to perform post event?

Dependencies
• Which other SCEs are required to work for the SCE to meet its Performance Standard?

Notes:
1. Reliability/availability apply – in principle – only to those SCEs that are required to perform in direct response to a major accident through automatic or manual initiation.
2. Survivability will generally only apply to SCEs that are associated with the right-hand side of a Bow-tie (one exception to this is relief systems).

The process of developing the Performance Standards requires technical expertise, including knowledge of the assumptions in the facility risk model, the magnitude of potential fire and explosion events, and understanding of how SCEs function and their reliability/availability. The link between QRA and reliability/availability must be demonstrated by including system reliability/availability targets for those systems where credit is claimed in the QRA – or other risk assessment method.

For establishing SCE performance criteria (relative to any of the above) there is a clear hierarchy of preference for the source to be used, as follows:
• Risk and hazards assessment
• Specific study or analysis
• International Standard
• Industry ‘good practice’
• Company Standard
• Manufacturer recommendation

Sufficient detail should be included in the reliability/availability section of the Performance Standard to enable realistic monitoring and analysis of the actual reliability based on CMMS records. For example, the probability of failure on demand derived from SIL assessment (e.g. IEC 61511) provides quantitative reliability criteria which can be incorporated into the Performance Standard for an ESD system.

The magnitude of fire and explosion loads on each facility will be different and this may determine different approaches to the survivability of components or whole systems. Supporting studies, for example fire and explosion analysis, emergency systems survivability, and escape/temporary refuge and rescue assessment, should be used to provide input into the survivability requirements.

SCE Performance Standards and the associated integrity assurance tasks for each should be documented for each lifecycle phase. Verification activities and frequencies should be documented in the Performance Standard, relative to each assurance task. Figure 6 below summarises this process.

6.1. Describing Assurance Tasks

Assurance tasks typically take the form of a physical check of a defined operation, a measurement of a value against a target value, or an observation of the equipment against a desired standard to confirm that the Performance Standard criteria are being met. The documentation of the assurance measure should provide a short description of the performance assurance activity with clear ‘yes/no’ or ‘pass/fail’ criteria, for example:
• “Firewater pump starts on demand”
• “Fire detector functions as specified”
• “Emergency isolation valve ESD closure time is within 10 seconds”

If quantitative results have to be recorded, e.g. time, pressure, temperature, these should be specified in the performance criteria with the required units of measurement.
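Sections 6 and 6.1 say that a Performance Standard must state availability and reliability criteria, that assurance tasks need pass/fail criteria with the required units, and that CMMS records should allow the actual performance to be monitored. The script below is an added example, not part of the guideline and not OMV code, showing how such criteria could be checked mechanically. The data classes, the availability and PFD targets, the 10-second closure limit and the unavailability records are constructed assumptions for illustration; the only technique shown is clipping and merging overlapping unavailability intervals (so two work orders on the same outage are not double counted), computing demonstrated availability and probability of failure on demand, and refusing a task result recorded in the wrong unit.

```python
"""Checking a SCE Performance Standard against CMMS-style records.

Added example (not from the OMV guideline). All targets, tasks and
records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PerformanceStandard:
    sce: str
    availability_target: float   # required fraction of time available
    pfd_target: float            # maximum probability of failure on demand
    limits: dict                 # task name -> (maximum allowed value, unit)


@dataclass
class Unavailability:
    start: datetime
    end: datetime


def merge_intervals(records, period_start, period_end):
    """Clip unavailability records to the reporting period and merge
    overlapping ones, so overlapping work orders count only once."""
    clipped = sorted(
        (max(r.start, period_start), min(r.end, period_end))
        for r in records
        if r.end > period_start and r.start < period_end
    )
    merged = []
    for start, end in clipped:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def demonstrated_availability(records, period_start, period_end):
    """Fraction of the period during which the SCE was not unavailable."""
    down = sum((e - s for s, e in merge_intervals(records, period_start, period_end)),
               timedelta())
    return 1.0 - down / (period_end - period_start)


def demonstrated_pfd(demands, failures):
    """Failures on demand divided by demands. None when there were no
    demands: zero demands is no evidence of reliability either way."""
    if demands == 0:
        return None
    return failures / demands


def check_task(standard, task, value, unit):
    """Pass/fail for a quantitative assurance task result. A result in a
    unit other than the one the Performance Standard specifies is rejected
    rather than compared."""
    limit, required_unit = standard.limits[task]
    if unit != required_unit:
        raise ValueError(f"{task}: result in {unit}, standard requires {required_unit}")
    return value <= limit


def assess(standard, records, period_start, period_end, demands, failures, task_results):
    """Compare demonstrated performance with the Performance Standard."""
    avail = demonstrated_availability(records, period_start, period_end)
    pfd = demonstrated_pfd(demands, failures)
    report = {
        "availability": avail,
        "availability_ok": avail >= standard.availability_target,
        "pfd": pfd,
        "pfd_ok": None if pfd is None else pfd <= standard.pfd_target,
        "tasks": {t: check_task(standard, t, v, u) for t, (v, u) in task_results.items()},
    }
    # A standard is only met when reliability has actually been demonstrated.
    report["meets_standard"] = (report["availability_ok"]
                                and report["pfd_ok"] is True
                                and all(report["tasks"].values()))
    return report


# Constructed sample data (assumption: not taken from any real facility).
STANDARD = PerformanceStandard(
    sce="Emergency shutdown system (illustrative)",
    availability_target=0.90,
    pfd_target=0.10,
    limits={"ESD valve closure time": (10.0, "s")},
)
PERIOD = (datetime(2012, 7, 1), datetime(2012, 8, 1))          # 744 hours
RECORDS = [
    Unavailability(datetime(2012, 6, 30, 12), datetime(2012, 7, 1, 6)),  # straddles period start: 6 h count
    Unavailability(datetime(2012, 7, 5, 8), datetime(2012, 7, 6, 8)),
    Unavailability(datetime(2012, 7, 6, 0), datetime(2012, 7, 6, 20)),   # overlaps previous: merged to 36 h
]
TASK_RESULTS = {"ESD valve closure time": (7.5, "s")}


def example_report():
    return assess(STANDARD, RECORDS, *PERIOD, demands=20, failures=1, task_results=TASK_RESULTS)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

With the constructed records the merged downtime is 42 of 744 hours, so the demonstrated availability is about 0.944 against a 0.90 target, and one failure in twenty demands gives a PFD of 0.05 against a 0.10 target. Recording the closure time as 7500 ms instead of 7.5 s raises an error instead of silently passing or failing, which is the point of the guideline's remark about specifying units.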

SCE Integrity Management Guideline.docx EP-HQ-GDL-008-00

12 of 57

Figure 6 - Performance Standard Summary

7. Role of Contractors and Suppliers in SCE Integrity

Throughout an Asset’s life-cycle there will be significant elements of projects and operations that will be contracted out to contractors, consultants, sub-contractors and suppliers. The requirements described in this Guideline need to be adhered to and implemented effectively by competent personnel, where their scope includes any aspects relating to SCEs. This applies for both hardware and services. Therefore, it is the responsibility of the contract owning OMV function to ensure that the necessary technical and commercial (including contractual terms and conditions) definitions are provided, that cascade this Guideline’s requirements to the relevant contracted entity.

8. Management of Change

Modifications to the original design of facilities, or the installation/removal of equipment, may introduce new SCEs or mean that existing SCEs are unable to meet their Performance Standards. These and any other changes that might potentially reduce the ability of SCEs to prevent or mitigate major accidents shall be fully investigated using the Management of Change (MoC) risk management process. It is also important that any proposed change to the SCE maintenance programme is screened in advance by the relevant Technical/Discipline Authority to determine whether it should be subject to MoC.

Where any change is determined to have an effect on SCE Performance Standards, the Technical/Discipline Authority should ensure revisions are made to the documents that describe the Performance Standards, required assurance tasks and verification activities, and that the details of these changes are recorded in the CMMS.

Examples of changes that may require revision/modification of the Performance Standards for existing SCEs:
• New equipment added to the facility
• Redundant equipment is decommissioned or taken out of service
• Changes in major accident hazards
• Changes in the process operating envelope
• Changes in design or modifications to equipment
• Operating conditions (temperatures, pressures, levels, flows, compositions) are outside the basis of design

Any changes to personnel, organisation or competency which might affect the effectiveness of SCE integrity management should also be subject to MoC. Further details are given in the OMV Management of Change Standard, HSSE-S-021.

9. SCE Integrity Assurance in Projects

SCE integrity assurance requirements evolve throughout the life-cycle of any Asset. During the project phases, front-end engineering, detailed design & procurement, fabrication/construction and commissioning are key in relation to the establishment of SCE integrity. The process of identifying SCEs, developing Performance Standards with suitable and sufficient integrity assurance activities, and the associated verification of these activities is essential to enabling effective sustainment of SCE integrity in the operational phase of the Asset. An overview of the SCE integrity assurance process during projects is given in Figure 7.

During the execution of a project, the responsibility for implementing assurance activities is frequently associated with Contractors, Sub-contractors and Suppliers, so it is essential that the contracting strategy and the scope of work in each case – where SCEs are involved/affected – is aligned with the requirements of the Performance Standards.

Figure 7 - Overview of SCE Integrity Assurance in Projects


9.1. SCE Assurance Across Project Phases

Figure 8 below provides more detailed examples of SCE integrity assurance activities that may be conducted during project phases.

Figure 8 - SCE Assurance Activities in Project Define & Execute Phases

9.2. Managing SCE Failures and Deviations

Projects should have in place a defined process for identifying and managing failures of SCEs and all deviations from the defined requirements (Performance Standards). This shall include monitoring, assessing, recording, reporting and the implementation of corrective actions. The Management of Change process, described in Section 8, plays an important part in achieving this objective.

Failures, in this context, are considered to be failures to meet the pass/fail criteria described in the Performance Standard, whereas a deviation is a departure of the design from the Performance Standard. For example, failure of a SCE may be identified during a Factory Acceptance Test, or from records of commissioning function tests. A deviation may be revealed by an equipment purchase specification which does not meet the requirements of the Performance Standard.

The process for managing failures and deviations shall also be defined in the Project Verification Scheme (see Section 12), together with the roles and responsibilities of those who are required to ensure its effective implementation in each project phase.

10. SCE Integrity Assurance in Operations

The following Section addresses the processes and objectives relating to the management of SCE integrity assurance throughout an Asset’s operating life-cycle.

10.1. CMMS Implementation

During operations the CMMS is an important tool for planning and managing SCE integrity assurance and records. Once the SCEs, Performance Standards and assurance requirements have been identified in the project Define phase, they should be recorded in the Asset Register and then entered into the CMMS as an integral part of project execution and handover.

The CMMS shall be set up to provide maintenance personnel and engineers with the ability to:
• Monitor and analyse test, inspection and maintenance data regarding performance of all SCEs (individually) against their Performance Standards
• Initiate appropriate mitigating measures in the event of failure/degraded performance of any SCE
• Initiate appropriate mitigating measures in the event of the unavailability of any SCE
• Initiate appropriate mitigating measures on deferment of any planned SCE integrity assurance task
• Manage the maintenance programme so SCEs are functional, reliable and in a safe state of repair
• Direct the scheduling of SCE equipment running hours and maintenance so as to maximise the mean time between failures (MTBF)
• Direct the management of defective SCE equipment so as to minimise the mean time to repair (MTTR)
• Ensure accurate and complete recording of SCE maintenance findings and histories, especially the pass/fail outcomes with respect to performance criteria

In order to achieve these objectives the following specific tasks need to be undertaken.
• Asset register: Safety critical equipment at tag level shall be identified in the asset register. This will enable the necessary alignment in terms of defining and executing integrity assurance tasks at the SCE system and equipment/component level.
• Task lists: Assurance tasks for each SCE shall be recorded in the CMMS.
• Performance Standards: Maintenance task lists should be aligned with Performance Standards, and equipment items which have to meet different Performance Standards clearly indicated, since the responsibility for the execution of maintenance and assurance tasks may involve several disciplines (e.g. mechanical, electrical and instrumentation technicians may be required for maintenance of field ESD instrumentation). It would be useful but not compulsory for each Performance Standard to be recorded in the CMMS so that details could be viewed in relation to any asset register item identified as belonging to the respective SCE/Performance Standard.
• Maintenance plans: Activities, timings and frequencies shall be reflected by the maintenance plans in the CMMS. SCE assurance (testing and inspection) and maintenance tasks should be structured within Planned Maintenance Routines (PMRs) in the CMMS. For simplicity, SCE assurance tasks can be combined into the same PMR as routine maintenance on SCEs. The CMMS should record responsibilities of different disciplines for distinct aspects of SCE integrity assurance and also allow for tasks to be viewed in relation to overall systems performance/functionality as well as at equipment/component level.
• KPI tracking: KPIs relevant to SCE performance shall be generated and monitored using the CMMS. The tracking of performance should include all the above aspects for SCEs at either system or equipment/component level.

Facility equipment registers may exist in many forms. Many of these registers relate to equipment that is SCE. For those registers with an associated maintenance activity, it is considered good practice to have them embedded within, or at the very least linked to, the CMMS. The table below gives examples of registers that may be considered for inclusion in the CMMS. Where they already exist for operational Assets or are retrospectively created, their contents will provide effective input to/support of many of the above CMMS set-up activities – particularly the identification of SCEs at Asset Register level.

Table 1 - Examples of Equipment Registers
• Anomalies register
• Dead leg register
• Ex. certified equipment
• Flange bolting records
• Hose management register
• Locked open / locked closed valves
• Mothballed & redundant equipment
• Portable appliance test register
• Portable gas sensor instruments
• Pressure Safety Valves (PSV)
• Process alarm & trip schedule
• Seals & locks (to critical instruments)
• SIL assessment register
• Small bore pipe work
• Temporary & mobile equipment
• Temporary pipe work
• Temporary repairs (including patches)

Figure 9 - CMMS Implementation for SCE Integrity Assurance in Operations


10.1.1. SCE System, Equipment and Component Hierarchy

As has been discussed and described above, the achievement of effective SCE integrity assurance during operations is at least partly dependent upon the clear linkage between the contents of the asset register, the Performance Standard requirements (one system/equipment item may belong to more than one Performance Standard), and the actual assurance tasks. To achieve this it needs to be recognised that each SCE Performance Standard may require assurance tasks directed at both a system and/or equipment/component level.

This is illustrated in the Figure below, based on the example of the ESD system SCE. This shows that the ESD SCE is identified initially at the system level and that the ESD system comprises several equipment/component items. The only reason to differentiate between these within the ESD system is that the Performance Standard will identify different performance criteria relating to the functionality of the different equipment/components. The diagram shows five equipment items/components within the system, and each one – in addition to the overall system (loop) function – requires specific assurance tasks to demonstrate the required performance. As a result of this, the responsibility for carrying out assurance tasks for a single SCE system may involve more than one discipline.

Figure 10 - SCE System-Equipment-Component Hierarchy

10.2. Implementation of SCE Integrity Assurance Management

Once the CMMS has been set up to facilitate the implementation of required SCE integrity assurance functions, the effective implementation of the SCE integrity assurance process can be carried out. This will address a wide range of functions including maintenance, inspection, functional testing, repairs, control of spares and the management of failures, deferment and other SCE performance degradation mechanisms. Each of these is addressed in the following sub-sections.

Filename: Guideline for Managing Safety Critical Elements EP-HQ-GDL-008-00

10.2.1. Maintenance, Inspection and Testing

SCE maintenance, inspection and testing tasks must be aligned with maintenance and inspection strategies, and shall undergo the standard steps of the maintenance and inspection work management process, i.e. task identification; priority assignment; planning, preparation and scheduling; execution; testing; feedback and history recording.

Clear definition of what constitutes the achievement or otherwise (pass/fail) of each assurance task is crucial, so that the personnel conducting assurance tasks are able, with confidence and consistency, to accurately and correctly record the outcomes. Only if SCE integrity assurance outcomes can be reliably reported on, and where necessary failures acted upon, will the assurance process be effective in its execution and reporting. Any failure or degraded performance/condition revealed by the maintenance/inspection process shall be subject to management controls as described in Section 10.3.

In some cases it is not possible or practicable to conduct SCE assurance with systems/equipment on-line, or not at the required frequency. Therefore, to enable the required SCE integrity to be achieved and sustained, each Asset should consider developing procedures for on-line and off-line testing and inspection of SCE functional performance. For example, annual closure tests of ESDVs may not be readily done, so alternative or backup methods of establishing integrity assurance should be considered, e.g. more frequent partial closure tests, or taking credit (with checks for correct functioning) for spurious ESD activations. If partial tests are conducted in place of full tests, these have to be supported by assessment of failure modes in relation to equipment design.

SCE maintenance, testing and inspection shall be given priority over the tasks for non-SCEs. The objective is to achieve compliance with their due date.
If it is not possible to carry out the scheduled maintenance, testing or inspection of a SCE, this must be managed as described in Section 10.3 below.

10.2.2. Recording and Reporting

On completion of an assurance task, the work history should be completed and entered into the CMMS against work orders and notifications by the responsible person. The work order should then be subject to an established process including such actions as review, sign off, information transcription to software databases and hard copy filing, by defined persons. Assurance task recording should be evaluated for outcomes, methods and quality of details recorded. The records should be subject to systematic review and analysis to improve the effectiveness of the CMMS and to identify issues benefiting from remedial action. All assurance task recording and reporting shall provide input to the calculation of KPIs and associated SCE performance reports to senior management.

Assurance task historical data should be used to assess:
• The quality and completeness of data entry
• The level of achievement of assurance task objectives and performance indicators
• Trends in the status of SCEs and also trends in their general condition
• Equipment failure mode frequencies
• Root causes of failures

10.2.3. Management of Repairs

Procedures are required for managing SCE repair/corrective maintenance, and for revalidation following a repair. As soon as a repair/corrective maintenance requirement is identified, the work should be discussed and prioritised in the daily review meeting. A latest date for completion of the repair should be determined and authorised by the Plant/Installation Manager with advice from the Technical/Discipline Authority as required.

Defect repairs should be completed to rigorously defined specifications. Definition of these may involve equipment manufacturers, regulatory authorities, insurance providers, specialist repair companies, Technical & Discipline Authorities and the Independent Verifier. The process of specification should be documented and auditable. Defect repair by specialist contractors/companies should be subject to warranty conditions. Repair work planning should be subject to an appropriate level of management approval including risk assessment. After repairs are completed there should be a documented process of reactivation, test and inspection to ensure proper and continuing integrity and functionality. Details of repair specifications, repair management, risk mitigations and monitoring of repair condition should be controlled within the CMMS.

Temporary repairs shall be allocated an ‘expiry date’ by which time a permanent repair shall be planned. Monitoring of temporary repairs and the respective risk mitigation measures should be conducted by technical and HSSE departments as required. All such repairs are to be reviewed at least every six months.

10.2.4. Temporary and Portable Equipment

The introduction of temporary and portable equipment onto a facility may create new hazards or could affect the basis of previous risk assessments. The procedure for introducing temporary or portable equipment should require an assessment by operations management to determine whether it will be safety critical or impacts upon safety critical equipment, and should describe how such temporary impacts are managed. If the assessment finds that the temporary or portable equipment is safety critical (or impacts upon safety critical equipment), then performance testing and inspection activities must be defined prior to its deployment, and a timeframe set for when the equipment is either removed or must be subject to the Management of Change process and included in the CMMS.

10.2.5. Spares Management

The CMMS software may include a section for spare parts, which may automatically upload data from maintenance, inspection and testing history to spares stock keeping. In such a case, it is essential that all references to spares used during SCE assurance tasks be accurate in description, reference number, quantity used, etc. With respect to spares management, the spares holding needs to take into consideration the relative criticality ranking of the SCEs. If unacceptable risk is introduced by the failure, unavailability or degradation of a SCE then spares holding and availability should be reviewed accordingly. If SCE components are removed for inspection or repair, they should be labelled with reference to asset, component part number and date removed.

10.3. Managing Failures, Degradation, Deferment and Unavailability

10.3.1. Unavailability of SCEs

Any unavailability of a SCE shall be reported, assessed and managed in the same way as SCE failure, degradation and assurance deferment, as described in the following sections.

10.3.2. Deferred Maintenance of SCEs

Deferment is the postponement, cancellation or delay of a scheduled event or task up to a certain defined date. There may be occasions where it is not possible to complete a scheduled SCE assurance task, resulting in a requirement for work to be deferred or cancelled. The reasons why this deferment has occurred shall be recorded, for example:
• Unavailability of resources
• Unavailability of spares, tools, test apparatus etc.
• Unavailability (or lack of access) to equipment or plant
• Production priorities

The risk created by deferment or cancellation of a SCE assurance task shall be assessed in the same way as a failure. The risk assessment process (described in Section 10.3.4 below) should consider the potential risk that a particular SCE might fail during the period of deferment. The risk assessment should be documented to justify and explain the alteration to the original task frequency, nature of task, testing methods, etc. For example, if the frequency is directly related to a SIL assessment, then there will be a quantitative effect from failure to carry out the activity within a defined timeframe. Such quantitative information can be used to define and justify acceptable windows within which no significant integrity impact will occur, and to trigger an assessment if the deferment extends beyond the window.

Deferment of SCE assurance tasks should be based on justifiable criteria obtained from operating experience, failure mode and effect analysis, risk-based and reliability-centred studies, manufacturers’ recommendations, or other valid sources. When such changes are made to the assurance plan, they should be reviewed to decide whether to put them through the MoC process. In any case, approved deferrals should be subject to on-going scrutiny to prove their continuing suitability. Deferment should be recorded in the Maintenance Management System work history, and shall indicate the roles and responsibilities of the individuals dealing with the deferred maintenance situation.

If an approved deferral period is unlikely to be met, this is a serious matter and shall be reported to the responsible manager in advance of the due date. Subsequent approval to extend the deferral period shall take into account the increased probability of failure of the SCE, and approval shall be sought from site senior management.
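As an added illustration of the quantitative argument above (not part of the original Guideline), the following Python script applies the simplified IEC 61508-6 expression for a single-channel (1oo1) low-demand function, PFDavg = λDU × T / 2, to check whether a deferred proof test keeps the SCE inside its claimed SIL band. The 1oo1 architecture, the failure rate, the planned interval and the SIL target are constructed sample values, not figures from the Guideline.

```python
import math

# SIL bands for low-demand mode (IEC 61508-1): SIL n requires
# 10**-(n+1) <= PFDavg < 10**-n. Only the upper limit is needed here.
SIL_PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du: float, test_interval_h: float) -> float:
    """Average probability of failure on demand for a single-channel (1oo1)
    function proof-tested every test_interval_h hours, using the simplified
    IEC 61508-6 expression PFDavg = lambda_DU * T / 2. lambda_du is the
    dangerous undetected failure rate per hour; the approximation holds
    while lambda_du * T is well below 1."""
    return lambda_du * test_interval_h / 2.0


def sil_for_pfd(pfd: float) -> int:
    """Highest SIL band whose PFDavg limit the given value satisfies (0 if none)."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_PFD_UPPER[sil]:
            return sil
    return 0


def max_test_interval_h(lambda_du: float, sil: int) -> float:
    """Longest proof-test interval (hours) at which PFDavg still stays inside
    the required SIL band: the acceptable deferment window for the SCE."""
    return 2.0 * SIL_PFD_UPPER[sil] / lambda_du


def assess_deferment(lambda_du: float, planned_interval_h: float,
                     deferment_h: float, sil: int) -> dict:
    """Quantify the integrity impact of deferring a proof test by deferment_h
    hours beyond its planned interval, for a function claimed at the given SIL."""
    extended_h = planned_interval_h + deferment_h
    window_h = max_test_interval_h(lambda_du, sil)
    pfd_extended = pfd_avg_1oo1(lambda_du, extended_h)
    return {
        "pfd_planned": pfd_avg_1oo1(lambda_du, planned_interval_h),
        "pfd_extended": pfd_extended,
        "sil_achieved": sil_for_pfd(pfd_extended),
        "window_h": window_h,
        "within_window": extended_h <= window_h,
        # Probability that an undetected dangerous failure is present by the
        # deferred test date (constant failure rate), i.e. the chance the SCE
        # has already failed during the deferment without anyone knowing.
        "p_failed_by_deferred_test": 1.0 - math.exp(-lambda_du * extended_h),
    }


if __name__ == "__main__":
    # Constructed sample: an ESD function claimed at SIL 2 with
    # lambda_DU = 1e-6 per hour and an annual proof test.
    LAMBDA_DU = 1e-6
    for deferment_days in (90, 730):
        r = assess_deferment(LAMBDA_DU, HOURS_PER_YEAR, deferment_days * 24.0, 2)
        print(f"deferment {deferment_days} d: PFDavg {r['pfd_extended']:.2e}, "
              f"SIL {r['sil_achieved']}, within window: {r['within_window']}")
```

In the sample a 90-day deferment stays inside the SIL 2 window, while a two-year deferment pushes PFDavg into the SIL 1 band and would trigger the risk assessment of Section 10.3.4.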

10.3.3. Failure and Degradation of SCEs

In this context failure is defined as the complete failure to achieve one or more SCE performance criteria, whereas degradation is defined as the partial failure to meet the complete/total performance expectation. If a SCE fails to meet its Performance Standard, or is revealed to have degraded performance or condition during testing or another assurance task, or it fails/degrades at any other time, the Maintenance/Inspection Technician shall record the details in the CMMS as soon as practicable, i.e. within one day. The information entered into the CMMS shall record:
• ‘Failed’ or ‘Degraded’ – indicating that the SCE did not perform as per its acceptance criteria and that follow-up corrective actions are required, or
• ‘Failed/Degraded and Fixed’ – indicating that the SCE did not initially meet the acceptance criteria but did so after remedial action, details of which should also be recorded in the technical history as a notification.

If a failure or degraded situation cannot be rectified immediately, a quick decision has to be made on whether it is safe to continue to operate. A risk assessment is then required to identify and approve mitigation measures. Details of this risk assessment are provided in Figure 11 below.

10.3.4. Risk Assessment and Mitigation

When a SCE failure or degraded situation has been identified/revealed, or a SCE has become unavailable, or a defeat is intended to be put in place, then the Plant/Installation Manager shall initiate a risk assessment as soon as practicable. The overall risk assessment process is summarised in Figure 11, below. The assessment should be carried out by a team with appropriate technical knowledge and experience in relation to the type of system under consideration, which would also typically include:
• Plant/Installation Manager
• Technical/Process Safety Expert
• Technical/Discipline Authority
• Maintenance Supervisor
• Operations Manager

The team should consider direct and indirect effects of the unavailability of the SCE, with the objective of identifying appropriate mitigations that will ensure safe continuation of operations. The risk assessment team should also consider the accumulated risk arising from the existing approved deviations and the status of other degraded/failed/unavailable SCEs. For example, the identification of a hydrocarbon leak from a pressure vessel is a serious concern, but if this is in conjunction with an existing problem with fire and gas detection in the same location or faults found in certified electrical equipment, the risk is clearly magnified.


Information required for the risk assessment includes:
• Details of the SCE concerned
• Relevant SCE Performance Standards and measurement criteria
• Potential consequences of the defect, degradation, failure, unavailability etc., on overall performance of the SCE
• Any impact on the performance of other SCEs, or on the safety of planned or current site activities
• Any existing approved deviations from Performance Standards for other SCEs
• Deferred maintenance of SCEs
• Any existing defined restrictions or controls regarding safety operations, for example the Manual of Permitted Operations

The output of the risk assessment must be documented and should include:
• Summary of the situation/circumstances
• Comments on the consequences that were considered
• The proposed mitigating measures
• Timescales (how long the mitigating measures will be permitted to remain in place)
• Details of who needs to be informed

Examples of risk mitigation measures are:
• No hot work
• Partial de-manning
• Establishment of restricted areas
• Supplementary fire fighting systems
• Temporary shutdown of some or all processes
• Increased monitoring, testing or inspection
• Temporary operating procedures or work instructions to reduce potential demands on the SCE
• Temporary repairs

10.3.5. Approving Deviations from SCE Performance Standards

A deviation from the requirements of the Performance Standard is approved for a specified time period, and requires either corrective or preventive work to be done in this timeframe, or else permanent bypassing of the equipment must be approved through the Management of Change process. If the due date is likely to be passed, a further risk assessment is required prior to the due date to determine appropriate action. The Plant/Installation Manager shall record details of deviations in the CMMS as soon as they are approved and also when they are closed out. All SCE deficiencies and approved deviations from Performance Standards should be reviewed frequently (at least weekly) by management, and the decision to run equipment should be reassessed in the light of the cumulative risks on operations.


Figure 11 - Risk Management of Failed/Degraded, Unavailable, Defeated SCEs & Deferred Assurance


10.4. Managing Defeat (Bypass/Override/Inhibit) of SCEs

A SCE should never be bypassed, inhibited or overridden unless it is essential to do so to enable testing, inspection or maintenance by qualified personnel working under a strictly applied safe system of work. A formal ‘Defeats Register’ shall be maintained by the Operations Supervisor at each site. Review of this Register should be included in the Shift Handover procedure, and integrated into the Permit to Work system.

The following protocols are to be followed for defeats (bypasses, overrides or inhibits) of a SCE:
• Identification of all functions that the SCE is performing and reasons for the defeat
• Formal risk assessment (see Section 10.3.4 above) and demonstration that a sound plan is in place in the absence of that particular element
• Communication to all concerned about the associated risks and temporary safeguards in place regarding the absence of that particular element
• Approval by the designated Technical/Discipline Authority to bypass a SCE for a defined duration, e.g. 1 week
• Communication to all after returning the SCE to service

Examples of defeats are:
• Inhibiting fire pump start-up
• Inhibits on Programmable Electronic (PE) logic solver or PE sensor
• Bypassing a transmitter for a shutdown (ESD) function

10.5. Unplanned Demands on SCEs

A written procedure is required to describe who is responsible for the investigation of any unplanned demands on a SCE, and what form this investigation and subsequent reporting should take. Such events, if they are properly recorded and assessed, can confirm SCE integrity status, and may be taken as credit in lieu of planned function tests. To take credit for such an event in lieu of a planned SCE assurance task, the details of the event should be documented as evidence that the assurance task requirements were met.

Unexpected demands on, or activation of, SCEs may be due to:
• Loss of primary containment
• Safe operating limit excursions
• Failure of a utility
• Inadvertent or intentional activation during maintenance activities
• Spurious activation of SCEs due to equipment malfunctions or to false inputs, for example a smoke detector positive reading due to dirty optics or steam

11. SCE Performance and KPIs

KPIs are required to enable measurement of the compliance and effectiveness of SCE integrity assurance and verification processes throughout the full asset life-cycle, from project execution through to asset operations. These performance measures address the activities which maintain SCE performance, and also the initial establishment (set-up & implementation) of the necessary components of the SCE integrity management process. The KPIs listed below are recommendations based on industry best practice, and may be adapted or added to.

The selection, definition and implementation of appropriate KPIs shall be coordinated by Asset and Project managers, who shall ensure that data quality, frequency & timeliness requirements, and the value of each measure are clearly understood by all personnel involved in:
• recording data or entering information into the CMMS;
• monitoring or reviewing KPI data;
• analysis and preparation of management reports; and
• following up on KPI reports – to take decisions, develop improvement plans, communicate areas of concern etc.


Note that some of the performance targets are shown as XX, which indicates that appropriate targets/measures should be discussed and defined by Asset/Project managers in consultation with their teams and appropriate Technical/Discipline Authorities.

11.1. Set-up & Implementation of SCE Integrity Management

The following apply to each Asset and Project as per the definitions and descriptions provided in this Guideline:
• All SCEs identified against a common and understood SCE definition
• SCE Criticality Ranking has been completed in accordance with the agreed methodology
• Performance Standards (PS), in compliance with the defined PS template, have been prepared for each SCE
• A Verification Scheme has been prepared in accordance with the SCE Integrity Management Guideline
• SCE integrity assurance training has been completed for all Assets and Projects personnel who are involved in SCE assurance, in accordance with an agreed training programme
• All SCEs have been identified within the CMMS at an equipment tag level
• All Preventative Maintenance (PM) routines/procedures and their associated CMMS task instructions, and all Function Test (FT) procedures/task instructions associated with SCEs, have been reviewed and aligned with the relevant SCE Performance Standards
• Pass/Fail reporting fields for all SCE performance criteria (maintenance, inspection & test related) are provided in the CMMS and have been populated with either guidance to determine pass/fail in each case, or with defined values
• There is a response and corrective action process in place for all reported SCE deviation/non-compliance/anomalies (including PM “failure”)

In all of the above cases the following applies:
  o Reviewed & agreed by an appointed Discipline/Technical Authority
  o For project SCEs: completed before the end of FEED
  o For new operational assets: completed before start-up
  o For existing operational assets: completed to an agreed schedule

11.2. SCE Integrity Assurance in Projects

The following should apply to each project:
• Project SCE Performance Standards issued to all Suppliers and Sub-contractors responsible for design, manufacture, fabrication, construction/installation or commissioning of SCEs
• Project QA/QC functions (examination, review and witness) reflect the SCE criticality ranking in determining the relevant QA/QC Plans
• MoC procedure incorporates assessment of impact on SCE integrity in all project phases
• IVB/ICP appointed before start of detail design
• Number of IVB/ICP non-compliance reports
• Backlog (total no.) of un-closed IVB/ICP non-compliance reports
• Backlog of un-closed IVB/ICP non-compliance reports in excess of XX days
• Minimum, maximum & average time (days) to close IVB/ICP non-compliance reports
• All SCE non-compliance reports & deviations are closed out prior to start-up

The above shall be measured and reported on a weekly and/or monthly basis.

11.3. SCE Integrity Assurance in Operations

The following KPIs should be assessed by Asset management for relevance to their operations, and implemented accordingly:
• XX% SCE PMs completed by target date (Target Date = due date)
• XX% SCE Function Tests completed by target date per month
• No. of (SCE) PMs/FTs in backlog in excess of XX days
• XX% of PMs/FTs in backlog
• No. of SCE PM/FT failures per each SCE system level group
• Average deviation of SCE defeats
• Total number of SCE defeats
• Backlog (total number) of uncorrected SCE failures/anomalies (e.g. damage, unsafe condition)
• Backlog of uncorrected SCE failures/anomalies in excess of XX days
• Minimum, maximum & average time (hours/days) to correct reported SCE PM/FT failures
• Number of anomalies reported that relate to SCEs (other than as a result of PM/FT failure)
• Number of IVB/ICP non-compliance reports
• Backlog (total no.) of un-closed IVB/ICP non-compliance reports
• Backlog of un-closed IVB/ICP non-compliance reports in excess of XX days
• Minimum, maximum & average time (days) to close IVB/ICP non-compliance reports

The above shall be measured and reported on a weekly and/or monthly basis.

SCE Integrity Management Guideline.docx EP-HQ-GDL-008-00
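The PM/FT and IVB/ICP non-compliance KPIs of sections 11.2 and 11.3, computed over constructed CMMS-style records, as an added example that is not part of the Guideline; the record layout, the reporting date, the 30-day stand-in for "XX days" and the sample orders/reports are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class SceTask:
    """One SCE Preventive Maintenance (PM) routine or Function Test (FT) order (assumed layout)."""
    tag: str                    # equipment tag in the CMMS
    system: str                 # SCE system-level group the tag belongs to
    kind: str                   # "PM" or "FT"
    due: date                   # target date (= due date)
    completed: Optional[date]   # None while the order is still open
    result: Optional[str]       # "pass" or "fail", filled in on completion


@dataclass(frozen=True)
class NcReport:
    """One IVB/ICP non-compliance report (assumed layout)."""
    ref: str
    raised: date
    closed: Optional[date]      # None while the report is still open


def pct(part: int, whole: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return None if whole == 0 else round(100.0 * part / whole, 1)


def task_kpis(tasks, today: date, backlog_days: int) -> dict:
    """Section 11.3 PM/FT KPIs for the period ending on `today`.

    Only orders whose target date has passed count towards the completion and
    backlog figures: a future-dated order is neither late nor completed on time.
    """
    due = [t for t in tasks if t.due <= today]
    open_overdue = [t for t in due if t.completed is None]
    out = {}
    for kind in ("PM", "FT"):
        of_kind = [t for t in due if t.kind == kind]
        on_time = [t for t in of_kind if t.completed is not None and t.completed <= t.due]
        out[f"{kind}_completed_by_target_pct"] = pct(len(on_time), len(of_kind))
    out["backlog_total"] = len(open_overdue)
    out[f"backlog_over_{backlog_days}_days"] = sum(
        1 for t in open_overdue if (today - t.due).days > backlog_days)
    out["backlog_pct"] = pct(len(open_overdue), len(due))
    # Failures per SCE system-level group (a "fail" result on a completed PM/FT)
    out["failures_by_system"] = dict(Counter(t.system for t in due if t.result == "fail"))
    return out


def report_kpis(reports, today: date, backlog_days: int) -> dict:
    """IVB/ICP non-compliance report KPIs shared by sections 11.2 and 11.3."""
    open_reports = [r for r in reports if r.closed is None]
    close_days = [(r.closed - r.raised).days for r in reports if r.closed is not None]
    return {
        "ncr_count": len(reports),
        "ncr_backlog_total": len(open_reports),
        f"ncr_backlog_over_{backlog_days}_days": sum(
            1 for r in open_reports if (today - r.raised).days > backlog_days),
        "ncr_close_days_min": min(close_days) if close_days else None,
        "ncr_close_days_max": max(close_days) if close_days else None,
        "ncr_close_days_avg": round(mean(close_days), 1) if close_days else None,
    }


# Constructed sample data (not from any real asset); tags and systems are illustrative.
REPORT_DATE = date(2012, 7, 27)
SAMPLE_TASKS = [
    SceTask("ESDV-101", "ESD", "FT", date(2012, 7, 10), date(2012, 7, 9), "pass"),
    SceTask("ESDV-102", "ESD", "FT", date(2012, 7, 12), date(2012, 7, 15), "fail"),   # late
    SceTask("GD-201", "F&G", "PM", date(2012, 6, 1), None, None),                     # 56 days overdue
    SceTask("GD-202", "F&G", "PM", date(2012, 7, 20), date(2012, 7, 20), "pass"),
    SceTask("FWP-301", "Firewater", "PM", date(2012, 7, 15), None, None),             # 12 days overdue
    SceTask("FWP-302", "Firewater", "FT", date(2012, 7, 25), date(2012, 7, 25), "fail"),
    SceTask("PSV-401", "Relief", "PM", date(2012, 8, 10), None, None),                # not yet due
]
SAMPLE_REPORTS = [
    NcReport("NCR-001", date(2012, 5, 1), date(2012, 5, 20)),    # closed in 19 days
    NcReport("NCR-002", date(2012, 6, 10), date(2012, 6, 15)),   # closed in 5 days
    NcReport("NCR-003", date(2012, 6, 1), None),                 # open for 56 days
    NcReport("NCR-004", date(2012, 7, 15), None),                # open for 12 days
]

if __name__ == "__main__":
    for name, value in task_kpis(SAMPLE_TASKS, REPORT_DATE, 30).items():
        print(f"{name}: {value}")
    for name, value in report_kpis(SAMPLE_REPORTS, REPORT_DATE, 30).items():
        print(f"{name}: {value}")
```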

12. Verification & Audits of SCE Integrity Management

12.1. General

Internal and external audits, management reviews, statutory body inspection and review, and ‘Verification’ are all essential components of good SCE management. The verification process is directed at the SCE integrity assurance management system and how it is implemented during the project phases and throughout the operational life-cycle. Verification is carried out by an independent and competent person/organisation to confirm that the SCE integrity assurance process:
• is in place;
• is being implemented and complied with;
• is being implemented effectively by competent persons; and
• that the performance and condition (integrity) of all SCEs is initially suitable and sufficient, and
• that they continue to perform as per their Performance Standards.

Where verification has not previously been carried out, the initial verification should confirm that:
• Major Accidents have been identified appropriately in relation to the hazards and risk assessments carried out.
• SCEs have been correctly identified based on the identified Major Accidents.
• SCE Performance Standards provide a suitable and sufficient definition of the appropriate SCE performance in alignment with the management of Major Accidents (to a level that is ALARP).
• Identified integrity assurance activities documented in the Performance Standards are suitable and sufficient to ensure and demonstrate that the required performance is achieved and sustained.
• Where a Verification Scheme and/or Written Scheme of Examination has been prepared by the Project Team or Asset Team, these adequately define the verification process and its implementation, recording and reporting.

12.2. Selection/Appointment of IVB/ICP

Verification shall be carried out by persons and/or organisations that are both independent and competent (refer to the Management of Technical Integrity Standard). The terms used within the industry for this are IVB, Independent Verification Body (the organisation), and ICP, Independent Competent Person (an individual carrying out verification). Guidance on appointing an IVB is provided in Appendix 7 – Selecting Independent Verification Body (IVB).

12.3. Verification Scope and Methods

The verification process – for both Projects and Operational Assets – shall comprise the following generic verification activities, as appropriate:
• (A) Audit; of SCE integrity assurance related management systems and procedures, etc.
• (E) Examination; the witnessing of SCE functional tests/factory acceptance tests/commissioning tests, maintenance activities, project QC activities, external physical examination of SCE hardware condition.
• (R) Review; the review of project execution documentation and of historical records relating to the maintenance/inspection/testing of SCEs.
• (T) Testing; the verifier shall not normally conduct tests but if they have reason to believe that a test has been incorrectly done previously or omitted, then – where it is practicable and with agreement of the Project or Asset Team – they may initiate the testing of a SCE system or equipment item.

Based on the asset life-cycle and the activity type, the verification activity may be at the following locations, for example:
• Verifier’s office
• Project Team office
• Fabrication yard
• Construction site
• Vendor premises
• Asset site – onshore or offshore

The extent of the verification process is described by both the frequency of verification activity, and the sample size, i.e. the percentage of documentation/records that should be verified for each SCE. Initially, the frequency and sample size are determined by each Asset Team or Project Team, but must be reviewed and accepted by the independent verifier. Frequencies and sample sizes shall be reviewed on the basis of the results and performance demonstrated during the verification programme. Table 2 below shows how SCE criticality ranking may be used as a good basis for determining Asset/Project-specific verification frequency and sample sizes (see Appendix 5 – Method for SCE Safety Criticality Ranking).

Table 2 - Verification Sampling & Frequency Based on SCE Criticality

Columns: Asset Life-cycle; Criticality Rank; Frequency (months), Site Based (E, R, T) and Office Based (A, R); Sample Size (%), Site Based (E, R, T) and Office Based (A, R)
Rows: Project (High, Medium, Low); Operations (High, Medium, Low)

Cell values as extracted, in original order (their assignment to individual cells is not recoverable from the extracted text):
Frequency (months): *1; 12; *2; 12 18 24; 12 18 24; *3; A; *1; *2; 25%; 12; 12 18 24; 25%
Sample Size (%): 25% 25% 35% *3 25% 20% 10% 10% 5% 5% 10% (the same block appears once for Project and once for Operations)

*1 At the start of each new project execution phase and/or introduction of new main contractors
*2 Frequency is not applicable for Project verification activities as these are carried out in accordance with a specified schedule of assurance activities during each of the project phases
*3 Testing shall only be carried out in specific cases which cannot be prescribed in terms of frequency or sample size


12.4. Verification Terms of Reference

For a Project, the verification can be planned to address all project phases together or each one separately with different verifiers used for each. For an operational Asset the verification programme should typically be on an annual basis, with verification by an independent verification body on a 3-5 year basis.

Where the verification process is being introduced for the first time to either an existing operational asset or a new operational asset, it is important to establish a verification “baseline”. This means that, initially, all verification tasks would be carried out in relation to all SCEs. Following this, each subsequent verification programme would only include those verification activities that are required in relation to the proposed frequency, or as determined in relation to enhanced or deteriorated SCE performance revealed by the preceding verification programme.

Details of how the verifier is to be selected/appointed and the definition of the verification programme(s) shall be documented by Project Teams and Asset Teams in a Verification Scheme. The specific details of what verification tasks shall be carried out, by whom, where and when shall be documented in a Written Scheme of Examination (WSE). A template showing how this information can be generically defined and recorded is provided in Appendix 2 – Example of SCE Performance Standard Data Sheet.

12.5. Verification Scheme and Written Scheme of Examination (WSE)

The Verification Scheme (VS) and Written Scheme of Examination (WSE) are the written details of the SCE integrity assurance verification management system, and its implementation. Typical contents of a Verification Scheme are:
1. Identification and listing of Major Accidents and SCEs.
2. SCE Performance Standards.
3. Method of updating the Scheme and means of communicating the contents to management, staff, and other stakeholders.
4. Basis for ranking SCE criticality and determining associated verification frequency and sample sizes.
5. Requirements for the selection/appointment of the Verifier (competency and independence).
6. The basis for taking credit for other independent and competent bodies that provide certification, classification etc., in lieu of verification.
7. The process for recording of verification findings and recommendations and the implementation and close-out of corrective actions.
8. Organisation structure, and roles and responsibilities of those involved in the implementation of the Scheme.
9. Definition of the processes for establishing and maintaining records arising out of the implementation of the Scheme.
10. Description of the format of the Written Scheme of Examination defining the nature and frequency of verification activities, including examination, review and audit.

The WSE describes the means of implementing the requirements of the VS in relation to each Asset and Project. The diagram below illustrates the way in which the WSE “fits in” to the overall SCE integrity assurance and verification process.


Figure 12 - Overview of Verification

12.6. Recording, Reporting and Close-out of Verification Activities

The Verification Scheme shall detail the arrangements for establishing and maintaining the records relating to implementation of the Verification Scheme and the Written Scheme of Examination. These records shall, at any given time, demonstrate that SCE integrity objectives are being achieved, and at regular defined milestones (e.g. annually for an operational asset or at the end of project phases), that they have been achieved, or if not, what outstanding actions are required to be carried over to the next period.

The Verifier may, through their findings, identify shortcomings in procedures and documentation or non-conformance in relation to any SCE (or associated management system requirements) condition or performance. These shall be reported by the Verifier and subject to acceptance and agreement with the Project Team or Asset Manager.

For all project or operations verification programmes a SCE Verification Report should be prepared and issued by the Verifier. A similar report should be prepared at the end of each project phase. This report should include:
• Summary of verification activities carried out
• Listing of non-conformance details
• Current status of all verification activities planned for execution during the reporting period and any not closed out in the preceding reporting period
• Current status of all corrective actions, including any carried over from the preceding period
• Statement of SCE performance/condition at the end of the reporting period
• Identification of trends in relation to anomalies and non-conformances
• Recommendations for improvements

13. Organisational Responsibilities and Competency

Project Managers must ensure that Safety Critical Elements and their Performance Standards are identified and documented during the Define phase, and that during the Execute phase, SCE integrity assurance and verification are provided in the detailed engineering, procurement, construction/installation and commissioning.

In the Operate phase, Operations Managers are accountable for:
• Ensuring that all site personnel know the facility’s SCEs and fully understand their functions.
• Implementing and reporting on the SCE assurance programme and verification scheme.
• Ensuring that SCE testing & inspection (assurance) and maintenance tasks are scheduled and completed on time as per their routine descriptions.
• Ensuring risk assessment, mitigation measures and approvals are carried out for degraded/unavailable SCEs, defeats and deferred maintenance.
• Regularly reviewing SCE maintenance data to look for areas of improvement.
• Monitoring, analysing and reporting on SCE performance.

Asset/Project managers shall assign functions and objectives to the appropriate managers and discipline technicians for activities relating to each of the SCE management processes described in this Guideline, and these are to be summarised in RACI diagrams. A list of critical activities for SCE inspection, testing and maintenance shall be documented and, where appropriate, corresponding qualifications and training requirements should be identified.

It is the responsibility of project and operations management to implement a competency assurance process that defines the necessary competence required for critical tasks relating to each SCE. Management should then personally ensure that the conduct and supervision of SCE assurance and maintenance tasks are undertaken by competent personnel, and that accountabilities for conduct and supervision are clearly described and allocated.

In some organisations it is regarded as good practice for supervisors to sign task sheets in advance, as part of the permit to work, to confirm that the person(s) undertaking the SCE assurance tasks have the necessary understanding and qualifications to do the work. As a minimum the following items should be addressed when considering competence:
• Complexity of the task and technology
• Level of knowledge, qualifications and experience applicable to the functioning of the specific SCE (e.g. mechanical, electrical, instrumentation, structural, process/chemical)
• Knowledge of the legal and safety regulatory requirements
• Understanding of the process safety hazards, consequences and risk analysis
• Management and leadership skills appropriate to the role


14. Terms & Abbreviations

Acceptance Criteria
  Expresses the level of performance deemed acceptable for a given period or phase of activities. They may be defined in either quantitative or qualitative terms.

ALARP
  As Low As Reasonably Practicable. Reduction in risk balanced against the cost and benefit of achieving it. This level is reached when, objectively assessed, the cost & difficulty of additional risk reduction measures are unreasonably disproportionate to the further benefits obtained.

Asset Register
  A list of all Assets in a particular workplace, together with information about those Assets, such as manufacturer, location, etc. The Asset Register is arranged as a hierarchy in the CMMS.

Availability
  Availability measures the proportion of time that a system operates for, given that failures can occur and are then repaired. Availability measures the combined effects of Reliability and Maintainability.

Barrier
  A functional grouping of safeguards and controls (SCEs), selected to prevent the realisation of a hazard. Barriers on the left-hand side of the Bow-Tie prevent or reduce the probability of a threat causing the top event. Escalation Barriers on the right-hand side of the Bow-Tie prevent the consequence, mitigate the extent of the consequence, and/or provide for immediate recovery.

Bow-Tie diagram
  A diagram showing how a hazard could be released and how it might develop into a number of consequences. The left hand side considers threats and causes (fault-tree), the controls associated with these and any factors that might escalate likelihood. The right hand side of the diagram is the event tree showing escalation factors and recovery preparedness measures. The centre of the bow tie is commonly referred to as the ‘top event’ or major accident.

CMMS
  Computerised Maintenance Management System, which in most OMV operated facilities is the Plant Maintenance and other modules of SAP designed to support effective and efficient management of maintenance data, processes and activities.

Corrective maintenance
  Any maintenance activity which is required to correct a failure that has occurred or is in the process of occurring. This activity may consist of repair, restoration or replacement of components.

Deviation
  An approved non-compliance with mandatory requirements of a procedure, standard or specification. In this manual, this is applied to SCEs which do not meet the specified Performance Standard, and SCE performance assurance tasks which will not be or are not carried out by the due date.

Discipline/Technical Authority
  An expert in a specific discipline who is responsible for providing technical advice and support to the Project or Asset Managers. Roles are identified in the OMV Discipline Authority Framework.

Facility
  An installation comprising electrical and mechanical structure and hardware, electronics including software controls and process systems employed for a specific purpose as part of exploration & production. This definition includes drilling units on land or offshore, fixed or mobile, OMV owned or contracted. The term also applies to pipelines, wells and their ancillary systems.

FEED
  Front End Engineering and Design, which occurs within the DEFINE phase of a project.

HAZID
  Generic term for the process of identifying credible hazards for a Quantified Risk Assessment (QRA). Includes specific tools such as HAZOP.

HAZOP
  A hazard and operability study is a structured and systematic examination of a planned or existing process or operation in order to assess the potential for incorrect operation or malfunction of individual items of equipment and their consequential effects on the facility or operation.

ICP / IVB
  Independent Competent Person / Independent Verification Body. UK and other national authorities require independent verification of an organisation’s SCE assurance processes.

KPI
  Key Performance Indicator.

MAE
  Major Accident Event. This term is used interchangeably with the term ‘Major Accident’. An accidental event which has major or severe consequences for people or environment. The OMV definitions of ‘major’ and ‘severe’ are provided in Appendix 3.

MoC
  Management of Change: A process to ensure that appropriate review, approval, implementation, and tracking is in place to manage changes to the Asset or organisation.

Maintainability
  Maintainability measures how quickly a system can be brought back into operation after a failure has occurred, and how often human interventions are required in terms of preventive maintenance activities, to bring back the equipment to its desired set of functionality.

Non-compliance
  Non-fulfilment of a specified requirement.

Notification
  A request in the CMMS for maintenance work and/or recorded technical history of work executed.

Performance Assurance Task
  A task which is carried out to establish whether an item is meeting the performance Acceptance Criteria specified in the Performance Standard.

Performance standard
  A statement, expressed in qualitative or quantitative terms, of the performance (in terms of functionality, availability, reliability and survivability) required of a system or item of equipment, which is used as the basis for managing the risk of Major Accidents. Performance standards also identify any interdependence between SCEs.

Preventive Maintenance
  Maintaining equipment and facilities in a satisfactory operating condition by providing for systematic inspection, detection, and correction of incipient failures either before they occur or before they develop into major defects.

QRA
  Quantitative Risk Assessment is a method of evaluating and quantifying the probabilities of system failures and associated environmental and/or safety consequences.

Reliability
  Ability of an item to perform a required function under given conditions for a given time interval. Note: the term ‘reliability’ is also used to denote a probability or measure of reliability.

Risk
  This is a probability measure which combines the chance that a specified undesired event will occur and the possible severity of the consequences of the event.

Risk Assessment
  A careful consideration by competent people of the hazards associated with a task. The potential effect of each hazard, how severe it might be and the likelihood of its occurrence should be considered to determine the effort required to make the work site as safe as reasonably practicable.

SCE
  A safety critical element is any part of the facilities (including software) the failure of which could cause or contribute substantially to a major accident, or the purpose of which is to prevent or limit the effects of a major accident.

SIF
  Specific control functions performed by a SIS are called Safety Instrumented Functions.

SIL
  A Safety Integrity Level is a relative level of risk-reduction provided by a safety function. A ‘SIL rating’ is a defined measure of performance required for a Safety Instrumented Function. In the IEC 61508 Standard four safety integrity levels are defined, with SIL 4 being the most dependable and SIL 1 being the least.

Safety Instrumented System (SIS)
  Safety Instrumented Systems are designed to perform specific control functions to failsafe or maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety Instrumented Systems must be independent from all other control systems that control the same equipment in order to ensure SIS functionality is not compromised. SIS are typically composed of control elements including software, sensors, logic solvers, actuators and other control equipment.

Threat
  A possible cause that will potentially release a hazard and produce an incident. Threat classes include damage caused by: thermal, chemical, biological, radiation, electrical, climatic condition, uncertainty or human factors.

Verification Scheme
  Written details of the ‘examination’ activities that are to be carried out relating to SCE integrity assurance, i.e. what is to be examined; the scope and nature of examination; when it should be done, and by whom. It describes the programme to be conducted by the IVB.


LIST OF APPENDICES

Appendix 1 – SCE Categories and Examples of Safety Critical Elements
Appendix 2 – Example of SCE Performance Standard Data Sheet
Appendix 3 – Example of SCE Performance Standard for Project Phases
Appendix 4 – Examples of Major Accident Events & Consequence Matrix
Appendix 5 – Method for SCE Safety Criticality Ranking
Appendix 6 – Example Method for Identifying SCEs at Tag Level
Appendix 7 – Selecting Independent Verification Body (IVB)


Appendix 1 – SCE Categories and Examples of Safety Critical Elements SCE Category

Examples – these may or may not provide a safety critical function, depending on the major accident risk assessment

A. PREVENTION – Structural Integrity 1. Structural supports for safety critical elements

2. Lifting equipment in wellhead/ hydrocarbon process areas

3. Wireline equipment 4. WHP jacket & foundations

5. Vessel hull, mooring & ballasting systems

Structural components / supports for: • Load bearing pathway of the workover/drilling unit derrick, mast, and substructure • Flare tower • Safety critical vessels / process modules • FPSO turret • Lifeboats & helideck • Escape and evacuation routes • Workover/drilling unit hoisting system and its controls • Lifting systems and drill floor hoists (tuggers) • Overhead gantry crane • Offshore installation pedestal crane • Wireline lifting/support structure • Wireline winches & braking system • WHP Hull, Jacket and Foundations to support (under credible marine, operational and environmental loads), topsides including cranes, electrical intrumentation & switch room (EISR), temporary refuge (TR), acommodation module (AM) • Vessel hull plating and steel work • Mooring piles and chains • SBM and midwater arch anchor systems • Ballast/cargo management system to control stability and hull overstressing • Topsides anchor points and mooring load transfer system

A. PREVENTION – Process/Well Containment 6. Well containment

• • • • • • • •

SCE Integrity Management Guideline.docx EP-HQ-GDL-008-00

Blowout preventer, diverter system, lubricator system, choke and vent systems and associated control systems Xmas trees (tree body, valve stem seals & pressure retaining components Wellheads, including annulus outlet valve stem seals & pressure containing connections Completion (tubing, packer etc) Well plugs Valve removal plugs Production casing Tubing head & annulus pressure monitoring

35 of 57

SCE Category

Examples – these may or may not provide a safety critical function, depending on the major accident risk assessment

A. PREVENTION – Process/Well Containment (continued)

10. Tanks

Pressure vessels used in the following sevice • Oil or gas production • Gas injection • Fuel gas treatment & heating • Flare scrubber / knockout drum • Flammable chemicals • Steam generation • Inert gas storage • Glycol, hot oil etc. • Heat exchangers • Gas/oil fired heaters • Process hydrocarbon pumps, compressors and turbo expanders • Tanks containing hydrocarbons or other hazardous substances

11. Pipelines & Piping systems



12. Relief system

• • • •

7. Pressure vessels

8. Process heating

9. Rotating equipment

13. Gas tight floors/walls 14. Tanker loading systems

15. Oily water control

• • • •

Pipes & piping systems containing hydrocarbons or other hazardous substances under pressure Relief & safety valves Bursting discs Vacuum protection Gas tight floors/walls to prevent ingress or spread of gas into critical areas Loading pumps Transfer pipework Couplings, hoses, anti-static earthing devices Oil in water management system for discharged water

A. PREVENTION – Ignition Control 16. Hazardous area HVAC



17. Non-hazardous area HVAC



18. Certified electrical equipment



19. Inert gas blanketing



20. Earth bonding

• • •

21. Fuel gas purge system 22. Ignition control equipment

23. Flare tip ignition system

SCE Integrity Management Guideline.docx EP-HQ-GDL-008-00

• • • •

Supply & extract ventilation equipment used to prevent accumulation of flammable or harmful gas in hazardous areas Ventilation systems & equipment used to prevent accumulation of flammable or harmful gas in non-hazardous areas Equipment certified to operate in Ex zones System for providing inert gas (e.g. Nitrogen or CO 2 to blanket flammable atmosphere in tanks Earthing equipment to dissipate static electricity charge Lightning protection System for purging flammable gas from a contained space Flame arrester Exhaust temperature control Electrical insulation System to prevent gas from flare system accumulating, following planned or emergency depressurisation

36 of 57

SCE Category

Examples – these may or may not provide a safety critical function, depending on the major accident risk assessment

B. DETECTION – Detection Systems 24. Fire detection



25. Flammable gas detection 26. H 2 S / toxic gas detection

• • • •

27. Corrosion detection



Heat detectors, frangible bulbs, pneumatic triger lines UV or IR flame detectors, ionising or optical smoke detectors Manual alarm call points IR beam/point, catalytic & acoustic leak detectors Manual alarm call points Gas detectors, alarm functions and connections to facility alarm system/flashing beacons/sound devices Systems to detect excess rates of corrosion

C. CONTROL & MITIGATION – Protection Systems

29. Firewater main & pumps

• • •

Blast / fire walls Clear explosion vent paths Fire water pumps, motors, controls, valves, piping, tank

30. Deluge system



Fire water deluge system, piping & nozzles

31. Fixed fire extinguishing systems



32. Mobile fire extinguishing systems



Remotely or automatically triggered gas, foam, fine water spray & sprinkler systems for extinguishing fires in enclosed areas Firetruck, portable fire extinguishers

33. Corrosion protection

• •

28. Fire & explosion protection

34. Passive fire protection

• •

35. Equipment operating safeguards



36. Navigation aids & collision avoidance

• • •

Sand filters in flow to reduce rapid erosion in vessels and piping Chemical injection to control corrosion rates in vessels and piping Corrosion protection & monitoring systems Fire proofing retardants & coatings Compressor and turbine overspeed protection - software control system Aircraft warning lights on mast or flare tower (onshore/offshore) Navigation lights and foghorns (offshore) Radar systems on offshore installation and standby boat

C. CONTROL & MITIGATION – Shutdown Systems 37. ESD system

38. Depressurisation system

39. High integrity pressure protection systems (HIPPS)

SCE Integrity Management Guideline.docx EP-HQ-GDL-008-00

• • • • • • •

ESD trip Systems (high pressure,level trips etc) ESD system hardware and software Manual alarm call points & ESD buttons Blowdown valves. Pneumatic/hydraulic actuators and local control circuits. Rate-determining element for system to perform e.g. orifice plate Safety instrumented system which shuts off source of high pressure before design pressure is exceeded. Used for pipelines, equipment or piping systems that do not have sufficient mechanical protection for maximum envisaged fluid pressure

37 of 57

SCE Category

Examples – these may or may not provide a safety critical function, depending on the major accident risk assessment

C. CONTROL & MITIGATION – Shutdown Systems (continued)

42. Process emergency shutdown valves (ESDVs)

Components used to isolate well or annulus after a hazardous event: • Christmas trees (including actuated and manual isolation valves - UMGV, PWV, Swab, LMGV etc.) • Sub surface safety valves (SSSVs) • Actuated gas lift isolation valves • Injection check valves/storm chokes. • Pipeline isolation valves with ESD function to automatically isolate a flammable or harmful pipeline inventory from the process • Process ESDVs to automatically isolate a flammable or hazardous inventory in a facility

43. Subsea isolation valves (SSIVs)



44. Drilling well control equipment



40. Well isolation

41. Pipeline isolation valves

SSIVs isolate the inventory in the pipelines from the riser and topsides Drilling BOPs, BOP hydraulic controls, diverters, Kelly cocks & stub-in valves, well kill system, flow/gas & kick detection system

D. EMERGENCY RESPONSE & LIFESAVING

45. Temp refuge/muster
• Temporary refuge (also known as Primary Muster and Command Area) includes all the associated safety systems to enable personnel to muster safely and to provide a command and control facility during a major incident

46. Escape/evacuation routes
• Escape ways within living quarters or work areas to a primary muster point or temporary refuge
• On offshore installations, the route from primary muster points to either the helideck or lifeboat

47. Escape lighting
• Escape ways lights, with integral battery back-up power supply

48. Emergency communications
• Installation PA system
• Visual warning signals in high noise areas
• Emergency response UHF radio system, hand-sets and antennas
• Marine VHF or ICC air band radios
• Lifeboat EPIRBs
• INMARSAT communication system
• CCTV to monitor condition of escape ways, confined spaces etc.
• Emergency telephone system

49. Uninterruptible power supply (UPS)
• UPS linked to essential safety systems (F&G, PA audio and visual alarms, SOLAS communications, Navaids & helideck lighting)
• UPS includes batteries, rectifiers, inverters, cabling, ESD & EDP

50. Helicopter facilities
• Structure and equipment that enable personnel evacuation by helicopter during a major incident

SCE Integrity Management Guideline.docx EP-HQ-GDL-008-00

38 of 57

SCE Category

Examples – these may or may not provide a safety critical function, depending on the major accident risk assessment

D. EMERGENCY RESPONSE & LIFESAVING (Continued)

51. Emergency power
• Generator & distribution equipment for emergency power supply

52. Open hazardous drains
• Drains (and associated interceptors) from process / storage areas carrying flammable liquids and possibly deluge water following a loss of containment

53. Open non-hazardous drains
• Drains that could potentially carry flammable or toxic liquids following a loss of containment

54. Potable water
• Potable water for human use & safety showers

55. Personal survival equipment
• Lifejackets, immersion/survival suits, re-breathers/self-rescue sets
• Grab bags (flame-retardant gloves, torches, chemical light sticks, smoke hoods)
• BA sets, fire fighting suits and casualty rescue equipment
• Chemical handling suits and protective equipment

56. Rescue facilities
• Diving system
• Standby boat with sea rescue facilities
• Fast rescue craft with launching & recovery equipment

57. TEMPSC/lifeboats
• Totally enclosed motor propelled survival craft / lifeboats

58. Tertiary escape systems
• Offshore installation evacuation & descent devices

Appendix 2 – Example of SCE Performance Standard Data Sheet

Safety Critical Element: Hydrocarbon Containment
SCE ID.: xxxx
Revision No. & Date: xxxx
Performance Standard Owner: xxxx
Safety Criticality Ranking: xxxx
Hazard Management Categories: Prevent / Detect / Control / Mitigate / Emergency Response
Comprises: Pressure Vessels (including Boilers) / Process Piping / Cargo Storage Tanks / Valves / Pumps (referred to as Hydrocarbon Containment system, HCS)
Performance Objective: To ensure hydrocarbon containment during normal operations through the design life of the facility. To provide adequate margins of safety for any possible operational upset conditions and prevent a loss of containment event.
Applicable Installations: FPSO / Wellhead Platform

FUNCTIONALITY
(Columns of the original sheet: Key Requirement | Performance Criteria | Assurance Task | Verification Activity | Type | Sample Size | Frequency. Type: R=Review, WT=Witness Testing, VE=Visual Examination)

Key Requirement P01.1 – Wall Thickness
There shall be no Pressure Vessel, Process Piping system or cargo tank (otherwise referred to as Hydrocarbon Containment system, HCS) with a wall thickness (WT) less than its design minimum.

Performance Criteria:
• ABS Annual & Special Import/Export System Surveys - Part 7, Chapter 7, Section 1 & 2 respectively.
• All HCS shall be covered by the corrosion management Plan (CMP) e.g. inspection type / frequency etc.
• The latest P&IDs detailing HCS shall accurately represent the correct configuration & design conditions.
• HCS where required be designed for sour service to NACE MR 01-75.
• All topside & WHP piping is sized to keep flow velocities below defined erosion limits as per API 14E. Long "R" bends & target tees are provided.
• All process piping is protected from external corrosion by paint system.

Assurance Task:
• Carry out Routine Maintenance:
  - G-IC-1896 - 24M Ext. inspection.
  - G-IC-395 - 48M Int. inspection.
• Refer to CMP for specific CA & inspection frequencies
• Inspections should cover:
  - Wall thickness measurements
  - Welded joint condition
  - Internal condition is as per design & that there are no foreign bodies within the HCS
  - Leak test where appropriate as dictated by the relevant job card
  - Annual, Special & UWILD survey as per ABS rules / CMP
  Note: UWILD survey may be carried out in conjunction with the Hull subsea survey

Verification Activity (Type: R, WT, VE; Frequency: 12M):
• Review ABS Class surveys
• Witness CFT
• Carry out a sample review of maintenance/inspection & testing records of HCS
• Review CMP
• Review Inspection personnel qualifications
• Review DCS records for any process upset conditions that resulted in an ESD & for any production time without the required Chemical inhibition.
• Review latest P&IDs to verify any mods have been incorporated

Example of SCE Performance Standard Data Sheet (Continued)

FUNCTIONALITY (Continued)

Key Requirement P01.2 – Physical Damage
There shall be no damage affecting the hydrocarbon containment system integrity.

Performance Criteria:
• There shall be no unacceptable flaws in the HCS as per the CMP e.g.:
  - cracks in the HCS or supports.
  - corrosion (pitting etc.) in/on the HCS, flanges, bolting & supports
  - visible damage (gouges, dents, arc strikes) to HCS or supports.
• No HCS with Wall Thickness less than design minimum.
• No unacceptable leaks/weeps from HCS, nozzles, or mech. connectors.

Assurance Task:
• Carry out Routine Maintenance
• Inspections should cover:
  - Welded joint condition
  - Nozzle / flange connections.
  - Protective external coating / insulation system
  - Corrosion under insulation
  - Impact damage
  - Condition of bolts, nuts, associated valves & pumps.
  - Instruments and associated tubing condition.
  - Vibration checks where required

Verification Activity (Type: VE; Frequency: 12M):
Refer to section P01.1 for specific Verification activities as well as:
Carry out visual inspection:
• HCS (ext.) shell/wall & supports
• Nozzles/flanges/Bolts/nuts
• Coatings/Insulation/heat tracing
• Check for any leakage
• Bunding/drainage is clear

Key Requirement P01.3 – Structural support
Structure will be capable of adequate support for design life.

Performance Criteria: No cracks, corrosion or visible damage to the supports.

Assurance Task: Refer to sections P01.1 & 2 for specific Assurance activities

Verification Activity: Refer to sections P02.1 & 2 for specific Assurance activities

RELIABILITY / AVAILABILITY

Key Requirement: All hydrocarbon piping systems shall maintain appropriate levels of reliability / availability as per the design philosophies.

Performance Criteria:
R/A of the HCS is inherent within its design, i.e. all HCS is designed/rated to cover the field life as per the following codes & standards:
- Pressure Vessels - ASME VIII Division 1 2004
- Process Piping - ASME B31.3.
R/A is kept to an acceptable level by maintaining the integrity of the HCS by:
- Not exceeding max. design process conditions
- Managing / Monitoring integrity levels as per Corrosion management Plan
The hydrocarbon piping is insulated and heat traced to avoid wax formation.

Assurance Task: As per Functionality Assurance Activities

Verification Activity: Refer to Functionality Verification Activities

Example of SCE Performance Standard Data Sheet (Continued)

SURVIVABILITY

SCE: Hydrocarbon Containment

Performance Target:
Survivability is also kept to an acceptable level by design, i.e. the HCS is designed to withstand any credible impingement long enough to allow for mitigation processes to be activated / a safe abandonment of the installation:
- Having suitably SIL rated Protective Instrumentation to detect any upset process conditions & have Alarm/Trip functions as per the ESD C&E logic to avoid escalation.
- Active Fire Protection systems
- Blowdown & Relief system

Note: WHP HCS is not specifically designed to survive fire impingement / explosion from uncontrolled events. The WHP design is based on being normally unmanned & a rapid evacuation philosophy when manned.

Assurance Task: As per Functional Assurance Activities

Verification Activity: Refer to Functional Verification Activities

DEPENDENCY/INTERACTIONS

SCE | Explanation
PS17 - C01 - Emergency Shutdown System | ESD will isolate inventories, hence prevents escalation
PS18 - C02 - Blowdown and Relief System | Blowdown/relief system will protect HC system from overpressure
PS 3 - P03 - Boiler System | Fuel gas is transferred to the Boiler burner management system
PS16 - D01 - Fire, Gas, Smoke & Heat Detection | F&G system detects presence of fire or gas in the vicinity of hydrocarbon vessels & initiates executive system
PS25 - M03 - Active Fire Protection | Active fire protection cools down the equipment and suppresses fire to prevent escalation

Example of SCE Performance Standard Data Sheet (Continued)

DOCUMENT REFERENCES

Document Number | Document Title
TP015-HSE-RE-0008 | Raroa FPSO RAM Report
TP015-HSE-RE-0041 | Raroa FPSO SIL Report
S236-P-DW-0100 | Raroa FPSO, Piping and Instrumentation Diagram
MA-02-RE-0024 Rev 4 | Project Basis of Design + addendum for M2A & Manaia
05603-BOD-2300-P-0001 Rev 0 | Process Basis of Design + addendum for M2A & Manaia
05603-BOD-2300-S-0001 Rev 0 | Topsides Structural Basis of Design
05603-BOD-2300-J-0001 Rev 0 | Instrumentation Basis of Design
05603-DWG-2300-P-0100 Rev 1 | Cause and Effects Matrix
A06510-CLO-RX-003 Rev 0 | Dropped Object Study
05603-BOD-2300-M-0001 Rev 0 | Mechanical BOD
MA-02-RE-0006 | Maari Development Facilities Basis of Design
S236-I-SP-0002 | Process Control and Shutdown Design Philosophy
S236-S-SP-0003 | Raroa FPSO Structural & mechanical Design Basis
S236-P-DS-0001 | Pressure Vessel Datasheet – 1st Stage Separator and Test Separator
S236-P-DS-0002 | Pressure Vessel Datasheet – 2nd Stage Separator
S236-P-DS-0003 | Pressure Vessel Datasheet – Electrostatic Coalescer
G-IC-1896 | 24M External inspection – Routine Maintenance Work instruction
G-IC-395 | 48M Internal inspection – Routine Maintenance Work instruction

Appendix 3 – Example of SCE Performance Standard for Project Phases

NOTE: Text in italics in this Appendix is provided only as guidance or as an example of details that might be included.

Safety Critical Element: Flare

Performance Standard Goal

To direct relieved hydrocarbon inventory for safe disposal by flaring.

Boundaries

The Performance Standard on Flare systems (HP, LP) includes:
• All the lines feeding the flare header from the outlet of the various valves and pressure relieving devices that discharge into the flare system;
• Flare purging, pilots and ignition systems;
• The flare KO drums and pump; and
• The flare headers through flare Knock Out (KO) drums to the flare tips.

The dependent SCEs such as Emergency Depressurization (EDP), Pressure Relief (PR) and Passive Fire Protection (PFP) are covered in separate Performance Standards (refer to Section 4.0 ‘Dependency’).

Example of SCE Performance Standard in Project Phases: FLARE

1.0 FUNCTIONALITY
(Columns of the original sheet: Function | Criteria / Guidance | Assurance Task | Reference | Verification Task)

Assurance Task (applies to every function below): Insert (for new project) planned project assurance activities that will ensure and demonstrate achievement of each function’s criteria with reference to the actual document, report, calculation, drawing or procedure – generic examples of which are listed under Reference.

Verification Task (applies to every function below): Insert verification tasks linked to the assurance tasks where individual assurance documents, etc are subject to review and a sample of other, supporting, documentation, and/or activities witnessed, is subject to a sampled review basis.

Function 1. The flare system shall be designed to safely dispose of hydrocarbons from process equipment / systems to avoid hazards from over pressurization that may result in, or that are required to control/mitigate the severity of, a major accident hazard.

Criteria / Guidance:
1.1 The flare system (HP, LP) should be capable of handling the highest identified gas flow from the plant on process upset conditions without exceeding the maximum allowable backpressure on the valves that discharge to the system.
1.2 In addition to the causes stated in API RP 520 and API RP 521 the emergency releases under start-up and shutdown conditions shall also be considered since they can be more severe than at design operating conditions.
1.3 Flow measuring devices shall be provided in each of the main flare headers. The instruments selected should be capable of:
- identifying significant changes in flow-rate in order to assist the operator in recognising the occurrence of upset conditions;
- measuring low flow-rates in order to quantify purge requirements (purge protection shall be provided for all flare systems to avoid flash back hazard).
Purge rates shall be as per OMV/International Standard.
1.4 All valves in the gas route downstream of the relieving devices are to be locked open.
1.5 A flare ignition system of the flame front generating (FFG) type shall be used (due to its reliability and because if it fails it can be repaired while the flare relief system remains in service).
1.6 A flare pilot monitoring system (e.g. thermocouples, infrared optical devices, or acoustic devices) shall alarm if any pilot is extinguished.

Reference (Function 1): Flare system capacity calculation/analysis report; Process/Utilities Flow Diagrams; Operations & Maintenance Manual; HP & LP Flare System P&IDs; Process Alarms Register/Set Points; Process Cause & Effect Charts.

Function 2. The flare tower shall be designed in such a manner that the heat radiation levels affecting escape, evacuation and emergency response are within acceptable limits.

Criteria / Guidance:
2.1 Considering the topographical and meteorological conditions, the height of the flare stack shall be selected to meet the following conditions:
- The sterile area radius should be 60 m
- At the boundary of the sterile area the heat radiation level shall be 6.3 kW/m2 maximum (excluding the effect of solar radiation)
- At the property limit the heat radiation level shall be 3.15 kW/m2 maximum (excluding the effect of solar radiation)
2.2 Flare tip to be located so that it prevents un-ignited gas release from forming a flammable or toxic cloud at any manned area on the plant or supporting vessels (maximum limits to be 40% LEL for flammable clouds and 10 ppm H2S concentration).
2.3 The heat radiation levels from the ignited gas release will not exceed the following heat radiation levels:
- the short term heat radiation at the nearest accessible points to a maximum of 4.73 kW/m2; and
- continuous radiation to a maximum of 1.58 kW/m2.

Reference (Function 2): Flare Heat Study; HP & LP Flare System P&IDs; Operations & Maintenance Manual; Vendor Design Dossiers; Table 8, API 521 Recommended Heat Radiation levels.

Function 3. The HP and LP flare system shall be procured, fabricated and constructed in accordance with the design requirements.

Criteria / Guidance:
3.1 The materials and sizing selected in design to achieve the required flare flow rates shall be delivered, fabricated and installed by appointed suppliers and contractors.
3.2 The flare system and purge gas flow monitoring (and alarm) instrumentation shall be delivered and installed in accordance with the design; locations, type, set points.
3.3 All valves in the flare system piping shall be installed in the locked-open position.
3.4 The Flare Ignition system shall be manufactured, delivered and installed in accordance with the design criteria (see above).
3.5 The flare pilot monitoring system shall be manufactured, delivered and installed in accordance with the design criteria (see above).

Reference (Function 3): Inspection and Test Plans; QA Inspection/Witness Reports; Mechanical Completion and Pre-commissioning Procedures and Records.

Function 4. The HP and LP flare system shall be commissioned to demonstrate compliance with the design requirements.

Criteria / Guidance:
4.1 The HP and LP flare systems shall be commissioned to demonstrate that the required design criteria are actually achieved by the as-installed equipment with respect to:
- handling maximum flare flow rates
- Operation of all instrumentation (monitoring and alarm) at the correct set points.
- Measurement of flare radiation levels.

Reference (Function 4): Commissioning procedures and records.

Example of SCE Performance Standard in Project Phases: FLARE

2.0 RELIABILITY / AVAILABILITY
(Columns of the original sheet: Function | Criteria / Guidance | Assurance Task | Reference | Verification Task)

Function 1. The HP and LP flare systems shall always be available for the disposal of hydrocarbon gases.
Criteria / Guidance: 1.1 The flare systems shall either have 100% availability, or the plant shall be shut down, or a standby flare system shall be provided.

Function 2. The flare ignition system and pilot flare monitoring system shall perform with high reliability.
Criteria / Guidance: 2.1 The flare ignition system and pilot flame monitoring system shall have a probability of failure on demand of XX.

Assurance Task: Insert (for new project) planned project assurance activities that will ensure and demonstrate achievement of each function’s criteria with reference to the actual document, report, calculation, drawing or procedure – generic examples of which are listed under Reference.

Reference: Operations and Maintenance Manual; MOPO; Case for Continued Operations Procedure; Flare ignition system purchase specification and vendor design dossier; Flare ignition system reliability analysis report; Pilot flame monitoring system purchase specification and vendor design dossier; Pilot flame monitoring system reliability analysis report.

Verification Task: Insert verification tasks linked to the assurance tasks where individual assurance documents, etc are subject to review and a sample of other, supporting, documentation, and/or activities witnessed, is subject to a sampled review basis.

Example of SCE Performance Standard in Project Phases: FLARE

3.0 SURVIVABILITY
(Columns of the original sheet: Event | Component | Criteria | Assurance Task | Reference | Verification Task)

Event 1. Fire/Explosion
Component 1.1 Flare tower, flare headers and associated equipment.
Criteria:
1.1 The flare collection lines, headers and associated pipe supports should either be protected from the effects of MAH fire and/or explosion events, or located such that they are not affected. The appropriate measures shall be as determined by fire & explosion risk assessment and an assessment of the survivability of affected SCEs.
1.2 Steel structures supporting overhead pipe racks and individual pipe supports, located within a fire proofing zone, shall be fireproofed if the pipe is a flare line or an emergency depressurising vent line (Shell DEP 80.47.10.30, Section 3.3.4).
Reference: QRA; Fire & Explosion Risk Assessment; Safety Critical Systems Survivability Study.
NOTE: If fire and/or explosion protection is required, cross refer to the PFP and EXP Performance Standards, as applicable.

Event 2. Impact from mechanical damage
Component 2.1 Flare tower, flare piping and associated equipment.
Criteria:
2.1 The flare system piping to be located / routed or protected so far as is practicable such that the flare components are not vulnerable to mechanical damage due to impact from vehicles (onshore) or lifting operations.
Reference: Dropped Object Study; Flare System equipment and piping Layout Drawings; Site Access Road / Crash Barrier Layouts & Detail Design Drawings & Calculations.

Assurance Task (both events): Insert (for new project) planned project assurance activities that will ensure and demonstrate achievement of each function’s criteria with reference to the actual document, report, calculation, drawing or procedure – generic examples of which are listed under Reference.

Verification Task (both events): Insert verification tasks linked to the assurance tasks where individual assurance documents, etc are subject to review and a sample of other, supporting, documentation, and/or activities witnessed, is subject to a sampled review basis.

4.0 DEPENDENCY

System | Reason
Emergency Depressurization (EDP) | EDP provides depressurization from various process equipment by directing to flare, etc through emergency depressurization valves.
Pressure Relief (PR) | Depressurization from process equipment by directing to flare, etc is achieved through Pressure Relief/Safety Valves, etc.
Passive Fire Protection (PFP) | The flare lines, support, etc. will be protected with PFP coating as necessary to protect from potential fires.

Appendix 4 – Examples of Major Accident Events & Consequence Matrix

Major accidents are those events which have ‘major’ or ‘severe’ consequences for people or the environment as shown in the Consequence Matrix below.

Examples of events which could lead to major accidents
• Tanker truck crash at a production facility
• Gas release from a wellhead (potential for an explosion?)
• H2S release (close to an operational or inhabited area?)
• Serious oil leak at an operational site (potential for major fire?)
• Structural failure of a hydrocarbon pressure vessel
• Lifting equipment failure resulting in a dropped object near wellhead or process area
• Crude oil spillage into the sea
• Boat collision with an offshore production platform

Note: Health effects from sickness or from injuries caused by personal occupational accidents are not addressed by Safety Critical Elements.

Consequence Matrix

Level 5, Severe
People: 1 fatality of public; >1 fatality of workforce; >6 people of workforce and/or public hospitalised
Environment: Very severe, persistent environmental damage extending over large area. Long term impairment of ecosystem function

Level 4, Major
People: 1 fatality of workforce; >3 people on-site hospitalised; 1 person of public hospitalised; 1 person of workforce with onset/signs of severe irreversible health effect; >1 person of public with reversible health effect
Environment: Serious long term environmental damage. Significant impact on highly valued or sensitive species, habitat or ecosystem

Level 3, Moderate
People: 1 person of workforce >2 days lost; 1 person of workforce with onset/signs of moderate irreversible health effect; 1 person of public with moderate reversible mid-term health effect
Environment: Serious mid-term environmental impacts

Level 2, Minor
People: 1 person of workforce 1 or 2 days off work; 1 person of workforce with moderate reversible mid-term health effect; 1 person of public with minor reversible short term health effect
Environment: Moderate reversible environmental damage extends beyond site boundary

Level 1, Slight
People: 1 person of workforce injured, able to continue work but first aid needed; 1 person of workforce with minor reversible short term health effect
Environment: Slight reversible on-site environmental damage

Matrix adapted from Project Risk Management Standard for Capital Projects, GT-M Standard 004 and Risk Assessment and Evaluation Criteria, HSE Standard 020

Appendix 5 – Method for SCE Safety Criticality Ranking

Each identified SCE can be criticality ranked based on its risk management role, its consequence of failure and redundancy. SCE criticality is divided into three (3) groups: High (H), Medium (M) and Low (L).

The method of ranking each SCE will account for the following considerations:
• The risk management function of the SCE (F)
• The consequence of failure (C)
• Redundancy – the extent to which an alternative SCE can take over the function of the SCE in the event of its failure, and/or whether the SCE has inherent redundancy (R)

SCE Criticality Ranking score = F x C x R

The Function Score (F): The function of SCE in contributing to MAH management.

Management role of SCE | Score
Preventive | 3
Control | 2
Mitigation/Emergency Response | 1

Table 1 - SCE Function (F) Score

The Consequence of Failure (C) Score: The severity of consequences resulting from SCE failure.

Consequence | Description | Score
Major | Severity of the consequences is significantly affected by the failure of the SCE | 3
Significant | Severity of the consequences is affected by the failure of SCE | 2
Moderate | Severity of the consequences is not increased by the failure of the SCE | 1

Table 2 - Consequence of SCE Failure (C) Score

Redundancy (R) Score: The extent to which an alternative SCE can take over the function of the failed SCE, or the extent to which the design incorporates redundancy.

Redundancy of the SCE | Score
There is no SCE that can fully duplicate the function of the SCE subject to its failure or unavailability | 3
The design of the SCE includes for redundancy | 2
There is an independent alternative SCE that can assume the functionality of the failed SCE | 1

Table 3 - SCE Redundancy (R) Score

SCE Criticality Ranking: The final criticality rank of each SCE is determined on the ranges of criticality scores resulting from the application of the above.

SCE Criticality Ranking score = F x C x R | SCE Ranking
Score ranging from 13 to 27 | High (H)
Score ranging from 6 to 12 | Medium (M)
Score ranging from 1 to 5 | Low (L)

Table 4 - SCE Criticality Ranking Range

An overview of the SCE criticality ranking process is shown in the following flowchart.

Flowchart - SCE Criticality Ranking Process
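The scoring method of Appendix 5 (Tables 1 to 4), as an added worked example; this is not code from the guideline or from OMV. It encodes the three score tables, computes F x C x R, maps the product onto the Table 4 ranges and ranks a small register. The SCE names and their F, C and R scores in SAMPLE_REGISTER are hypothetical assumptions for illustration only, not rankings taken from the guideline. The example also enumerates every product that F x C x R can actually produce, which goes slightly beyond the appendix: several values inside the Table 4 ranges (5, 7, 10, 11, 13 to 17, 19 to 26) can never arise, so an implementer only has to handle ten distinct scores.

```python
"""SCE safety criticality ranking per Appendix 5 (added example, not OMV code)."""
from dataclasses import dataclass
from enum import IntEnum


class Function(IntEnum):
    """Table 1 - risk management role of the SCE."""
    PREVENTIVE = 3
    CONTROL = 2
    MITIGATION_EMERGENCY_RESPONSE = 1


class Consequence(IntEnum):
    """Table 2 - severity of consequences resulting from SCE failure."""
    MAJOR = 3          # severity significantly affected by the failure
    SIGNIFICANT = 2    # severity affected by the failure
    MODERATE = 1       # severity not increased by the failure


class Redundancy(IntEnum):
    """Table 3 - extent to which another SCE or the design covers the failure."""
    NO_DUPLICATE = 3             # no SCE can fully duplicate the function
    DESIGN_REDUNDANCY = 2        # the SCE design includes redundancy
    INDEPENDENT_ALTERNATIVE = 1  # an independent alternative SCE can take over


@dataclass(frozen=True)
class SCE:
    name: str
    function: Function
    consequence: Consequence
    redundancy: Redundancy


def criticality_score(sce: SCE) -> int:
    """SCE Criticality Ranking score = F x C x R (always between 1 and 27)."""
    return int(sce.function) * int(sce.consequence) * int(sce.redundancy)


def criticality_rank(score: int) -> str:
    """Table 4: 13-27 -> High (H), 6-12 -> Medium (M), 1-5 -> Low (L)."""
    if not 1 <= score <= 27:
        raise ValueError(f"score {score} is outside the 1..27 range of F x C x R")
    if score >= 13:
        return "H"
    if score >= 6:
        return "M"
    return "L"


def rank_register(sces) -> dict:
    """Rank every SCE; returns {name: (score, rank)} ordered by descending score."""
    ranked = {}
    for sce in sces:
        score = criticality_score(sce)
        ranked[sce.name] = (score, criticality_rank(score))
    return dict(sorted(ranked.items(), key=lambda item: item[1][0], reverse=True))


def attainable_scores() -> list:
    """Every product of three factors from {1, 2, 3}: only ten distinct values exist."""
    return sorted({f * c * r for f in (1, 2, 3) for c in (1, 2, 3) for r in (1, 2, 3)})


# Constructed sample register: hypothetical SCEs and scores, for illustration only.
SAMPLE_REGISTER = [
    SCE("Hydrocarbon containment", Function.PREVENTIVE, Consequence.MAJOR, Redundancy.NO_DUPLICATE),
    SCE("Emergency shutdown system", Function.CONTROL, Consequence.MAJOR, Redundancy.DESIGN_REDUNDANCY),
    SCE("Escape lighting", Function.MITIGATION_EMERGENCY_RESPONSE, Consequence.MODERATE,
        Redundancy.INDEPENDENT_ALTERNATIVE),
    SCE("Active fire protection", Function.MITIGATION_EMERGENCY_RESPONSE, Consequence.MAJOR,
        Redundancy.NO_DUPLICATE),
]

if __name__ == "__main__":
    for name, (score, rank) in rank_register(SAMPLE_REGISTER).items():
        print(f"{name:28s} F x C x R = {score:2d}  rank {rank}")
    print("attainable scores:", attainable_scores())
```

Because the product of three factors in {1, 2, 3} can only take the values 1, 2, 3, 4, 6, 8, 9, 12, 18 and 27, the Table 4 boundaries (5/6 and 12/13) fall in gaps; a register that records any other score has been filled in with values outside the three tables, which the ValueError guard and the IntEnum types in this example are there to catch.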


Appendix 6 – Example Method for Identifying SCEs at Tag Level

SCE Categories
1. HC/HF/PE (Hydrocarbon, Hazardous Fluid, Pressure Envelope) Category
2. ESD Category
3. EPG Category
4. ET Category
5. CEE Category
6. AFP Category
7. Flare Category
8. EDP Category
9. UPS Category
10. Structural Category
11. SLPS Category
12. PR Pressure Relief

Notes:
1. HC & Hazardous Fluid (HF) Systems include: Propane, Butane, Pentane, Ethane, Acid Gas, ADIP, Storage Tank Boil-Off Gas, Sulphur, Fuel Gas, NGL, Diesel (large inventories only, >2” pipe), Methanol (HC-HF inventories).
2. Gas powered turbine drivers – only fuel gas components are SCE (HC-HF-PE (Pressure Envelope) category).
3. Instruments directly exposed to an HC-HF inventory will be SCE – category HC-HF-PE.
4. Vibration monitoring (for e.g.) is not SCE as it provides mechanical protection only.
5. With respect to note 4, such instruments will also be SCE if associated with fire pumps/drivers (AFP) or emergency power drivers/generators (EPG).
6. The following utilities are not considered to be SCE in any category: Lube oil, Hydraulic Oil, Amine De-oxidant, Nitrogen, Potable/Cooling/Sea Water, Diesel (see Note 1), Oil Mist, Closed Drains, Atmospheric Vents, Glycol, Anti Foam.
7. Equipment to re-charge fire protection systems (e.g. CO2, Inergen) or BA sets is not SCE.
8. If one or more of the tags within an FC are known or thought likely to be SCE then that FC should be referred to Stage 2.

A – Failure will result in a major accident hazard
B – Equipment is required to operate to prevent, mitigate, control or provide emergency response in event of major accident event

Appendix 7 – Selecting Independent Verification Body (IVB)

To achieve the objectives of the SCE Integrity Management Guideline, it will be necessary to appoint an Independent Competent Person (ICP) or Independent Verification Body (IVB) to carry out the tasks defined in a Verification Scheme.

An Independent Competent Person is a person with the required competency and independence (refer to definitions below) to carry out verification of the suitability of SCE Performance Standards and methods of sustaining and demonstrating the performance and condition of SCEs. The ICP would normally be a part of a wider organisation, the Independent Verification Body. The Independent Verification Body is an organisation that provides and manages the deployment of ICPs to carry out required verification activities.

Typically, the ICP is required to undertake the following verification activities as a means of ensuring that SCEs are, or will be, suitable and will remain in good condition:
• Reviewing and commenting on the identification of SCEs.
• Reviewing and commenting on the SCE Performance Standards.
• Reviewing and commenting on the Verification Scheme.
• Auditing compliance with, and effectiveness of, the SCE integrity management system processes and procedures.
• Examination, including re-testing where appropriate, of the SCEs.
• Examination of any engineering, specification, certificate, CE marking or other document, marking or standard relating to those elements relating to the design, procurement, fabrication, construction/installation and commissioning of SCE systems and equipment.
• Witnessing of SCE integrity assurance work in progress during the relevant asset life-cycle phase.
• Issuing of all relevant reports including any anomalies, non-compliance and recommendations if appropriate – relating to deviations from SCE Performance Standards.

Selection of IVB/ICP

The following applies to IVB/ICP provided on a 2nd Party (from within the organisation) or 3rd Party (external) basis. Prior to selection, OMV shall require the IVB/ICP to demonstrate the following capabilities:
• Sufficient impartiality and independence from OMV line management influences to make valid and independent judgements on safety issues;
• Relevant and demonstrable competence as an individual / organisation in the various activities it is required to undertake under the applicable OMV Operations or Project Verification Scheme;
• Sufficient technical knowledge and proven ability to enable an accurate assessment to be made as to the suitability or otherwise of the SCEs;
• The ability to provide competent personnel to undertake the tasks, whenever and wherever they may be required to be undertaken; and
• The ability to provide continuity in the activities performed under the Verification Scheme.

Competence Requirements

All verification activities detailed in the Written Schemes are required to be carried out by a competent person. This person may be employed by OMV or another employer, or be self-employed. Competence must include having the necessary theoretical and practical knowledge and actual experience of similar plant to be examined. Adequate examination of some equipment requires specialised technical knowledge. In each case OMV shall ensure that competent personnel are selected to carry out all activities required by the Verification Scheme. In addition the ICP may carry out spot checks of assurance activities where not witnessed by themselves.

In the case of sub-contractors to OMV who are undertaking assurance activities (e.g. specialist equipment manufacturers), OMV shall be satisfied, prior to contract award and at reasonable intervals thereafter, that the organisation provides sufficient numbers of personnel with the range of expertise to carry out its SCE integrity related functions. An understanding of the importance and implications of the verification tasks being undertaken by an individual is also a vital consideration when evaluating competence.

Independence Requirements

The ICP appointed by OMV will possess sufficient independence that he / she is free from the influence of others to the extent that the discharge of his / her duty under the Verification Scheme remains unaffected. That is, he / she shall be sufficiently free from the influence of other persons responsible for the SCE integrity assurance activities during project execution and/or maintenance and operations within the OMV organisation (and others acting on their behalf) to ensure verification in accordance with the Verification Scheme.