asset integrity summary guidance annual …...for duty holders to review their maintenance,...

ASSURANCE VERIFICATION

✓✓

ASSET INTEGRITY

✓

WORKFORCE MANAGERS INDEPENDENTVERIFIERS

ENGAGEMENT

PROCESSES

Annual Review 2010ASSURANCE & VERIFICATION SUMMARY GUIDANCEManaging Risks to prevent and minimise the impact of Major Accidents

2

2

OUR VISION

Making the UK the safest place to work in the worldwide oil and gas industry

✓

12

ASSURANCE & VERIFICATION - SUMMARY GUIDANCE

CONTENTS

INTRODUCTION 2

LEGISLATION 3

MAH MANAGEMENT FRAMEWORK 4

MANAGING MAH THROUGH BARRIERS 5

PERFORMANCE STANDARDS 8

ASSURANCE AND INTEGRITY MANAGEMENT 9

VERIFICATION 11

TRAINING AND COMPETENCE 18

MANAGEMENT OF CHANGE 19

TEMPORARY EQUIPMENT 20

References 21

Acknowledgements 21

✓

2


INTRODUCTION

Offshore Oil & Gas is a unique industry where we work and live in relatively close proximity to large inventories of flammable, explosive and sometimes toxic substances. This brings significant challenges in the event of an emergency, when there is an urgent need to distance ourselves quickly from the hazard or even to evacuate or escape by air or sea. It is therefore clear that offshore installations demand a high level of attention to risk management.

Following the Piper Alpha disaster, Lord Cullen’s inquiry and report raised 102 recommendations that were endorsed by the Government and led to a suite of new goal-setting safety Legislation. This safety regime was intended to put in place mandatory requirements which, if followed correctly, would reduce the likelihood that such a major accident could happen again. Today, this Legislation remains the framework we use to address and manage the risks of Major Accident Hazards (MAHs) on Offshore Oil and Gas installations within UK waters.

The Regulations specifically introduced the concept of Safety Critical Elements (SCEs) and additional requirements for the examination of safety plant and equipment by Independent and Competent Persons (ICPs) or Independent Verification Bodies (IVBs) through a process known as Verification. At the same time, requirements were established for Duty Holders to review their maintenance, inspection and testing processes to minimise MAH risk. These are referred to as Assurance activities and often encompassed within the overall Verification Scheme.

The suite of Offshore Safety Regulations, and the associated Verification and Assurance processes, is internationally recognised as best practice. However, while substantial improvements in safety have been achieved as a result of the Regulations, the level of understanding and interpretation has been shown to vary significantly. The UK Health and Safety Executive (HSE) also expressed concern that Verification was not delivering the benefits expected by Stakeholders.

In response to this, our Industry embarked on a 2 year programme of work, through Step Change in Safety, to investigate the challenges faced and to develop guidance to:

• Raise understanding of the framework for MAH Management• Improve understanding of the role and responsibilities of the Duty Holder in assuring the performance of SCEs• Improve understanding of the verification process• Clarify the role and function of the ICP• Provide a reference document for use by Duty Holders and ICPs

To meet the needs of different Stakeholders it was decided to produce three documents:

• The first consists of two flyers, providing a brief high level overview communicating the basic messages of Assurance, verification and major Hazard management, for senior leaders and for the workforce.

• The second document (this document) provides detail on the framework and the intent behind the Regulatory requirements. It targets those who need a working understanding of the principles to support the compliance processes by raising understanding of the expectations of Assurance / Verification and the benefits brought to both safety and production.

• The third document is a practitioner’s guide for those with responsibility for developing and managing activities in support of Assurance and Verification. It provides detailed guidance on “how to” implement Assurance and Verification, sharing good tried and tested processes.

2

1

3

✓

32


LEGISLATION

The Offshore Installations (Safety Case) Regulations (OSCR)

Offshore installations operating within UK waters are required to have a Safety Case which has been accepted by the HSE. The purpose of this document is to provide an overview to demonstrate that a series of formal assessments have been made to ensure that the facilities’ design and the Company’s management systems are consistent with the requirement for safe and responsible operation, and that the Duty Holder has both “the ability and means to control major accident risks effectively”.

It also provides the strategy for safe operation of the installation, which the Duty Holder intends to undertake to ensure compliance with relevant statutory provisions and risks to personnel are As Low As Reasonably Practicable (ALARP).

The content of the Safety Case includes a full description of the installation; its plant, pipelines, operations and combined operations; and the arrangements in place to protect personnel from hazardous events and situations.

The Safety Case demonstrates how the Duty Holder assures legislative compliance through the identification of hazards with potential to cause major accidents, evaluation of the associated risks and provision of the means, including the suitability of SCEs, to manage these. It further demonstrates that the Verification Scheme is in place and operating as required.

The Safety Case also describes the arrangements for management of change, audit, reporting and assurance of contractor compliance.

The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations (PFEER)

These Regulations require that the Duty Holder takes appropriate measures to protect personnel on the installation from fire and explosion and to secure effective emergency response. The Duty Holder must assess and identify events which could give rise to a Major Accident involving fire or explosion; or the need for evacuation, escape or rescue to avoid or minimise the consequences of a Major Accident.

For such events, the Duty Holder shall evaluate their likelihood / consequences and establish appropriate standards of performance to be attained by anything provided as a preventive or mitigating measure. As the plant and equipment required to meet the requirements of PFEER are also SCEs, they are normally included in a common Written Scheme of Examination (WSE) for completion of Assurance and Verification activities.

The

Off

sho

re In

stal

lati

on

s (S

afet

y C

ase)

R

egu

lati

on

s (2

005)

Pipeline Safety Regulations (PSR, 1996)

Offshore Installations and Pipeline Works (Management and Administration)

Regulation (1995)

Prevention of Fire and Explosion and Emergency Response on offshore installations

(PFEER, 1995)

Offshore Installations and Wells (design and Construction etc) Regulations (DCR, 1996)

Offshore Installations and Wells (design and Construction etc) Regulations (DCR, 1996)

UK Offshore Legislation

✓

4


The Offshore Installations and Wells (Design and Construction, etc) Regulations (DCR)

These Regulations require all wells to be covered by a Well Examination Scheme. This scheme represents the activities performed by a Well Examiner, an ICP appointed by the Duty Holder (Well Operator), to establish that wells are designed, constructed, commissioned, operated, maintained, modified (including interventions and workovers) and abandoned in a safe and appropriate manner.

Wells connected to an installation are deemed safety critical under the OSCR and should be included in the Verification Scheme for the installation. However, both DCR and the OSCR allow work carried out in one Scheme to be cited as part of the other Scheme. During its lifecycle, a well may move between the Well Examination Scheme and the Verification Scheme. It is therefore essential that the Well Operator and any installation Duty Holder are aware at all times of which wells are covered by which Scheme.

MAH MANAGEMENT FRAMEWORK

Major Accidents represent events which cause death, serious injury or major damage to plant. Such accidents rarely occur as a result of failure of a single piece of equipment or one wrong action by an individual, instead, they are epitomised by a series of failures of plant, personnel functions, processes and procedures.

Major accidents cannot happen without exposure to hazards such as fire, explosion, toxic substances, weather, diving activity or ship movements. The OSCR requires that these hazards and their potential consequences are defined. It is then possible to define strategies for minimising the risk of their occurrence through the provision of careful design, key safety plant and equipment, and good operations and maintenance processes. These strategies effectively provide the basis by which risks are managed through elimination, prevention, detection, control, mitigation and finally rescue and recovery means.

DEVELOpING ACCIDENT

Eliminate > Prevent > Detect > Control > Mitigate > Rescue > Recover

• Plant Layout• Process containment• Ignition prevention• Emergency Shut Down• Structure

• Fire & Gas Detection

• Blowdown system• Passive Fire protection• Emergency ShutDown• Alarm & Public Address system

• Fire Fighting equip.• Temporary Refuge

• Escape equip• Lifeboat

• Safety boat

Fire & Explosion

Structural collapse / Sinking

✓

54


Safety Critical Elements (SCEs)

The key safety plant and equipment required to manage risk is identified from the foregoing strategies and these are the Safety Critical Elements, or SCEs, defined in the OSCR as those parts of the installation and its plant, the failure of which could cause or contribute substantially to a major accident, or the purpose of which is to prevent, or limit the effect of, a major accident.

Major Accident Hazards (MAHs) are established from a Hazard Identification study (HAZID). SCEs are identified from analysing those hazards, and constitute the means required to manage the associated risks. Examples of SCEs and relevant associated equipment (sometimes referred to as sub elements) are shown below.

MajorAccidentScenario

FireProcess Containment Process Containment

Hazard Identification& Assessment

Primary Major

HazardsSafety Critical Elements & Sub Elements

Ignition ControlEx. Certified Equip.

Electrical Tripping Equip.Earthing & Bonding Equip.

Safeguarding systems Process Shutdown SystemEmergency Shutdown System

Fire & Gas Alarm System

Water Fire Fighting HVACChemical Fire Fighting TR

Passive Fire Protection

Seacraft

Support StructuresFacility Structures

Explosion Protection

CranesLifting Gear and Beams

Turbine for CompressorsTurbine for Generators

RadiosTelephones

Public Address

LifeboatsLife Rafts

Helicopter Rescue BoxPersonal Safety Equipment

Well and Components e.g. Xmas Tree, Wellhead, Casing

Annuli, BOP

Explosion

HelicopterCrash

ShipCollision

StructuralFailure

DroppedObjects

Turbine Disc Failure

Well Blowout

MajorAccidentHazards

MajorAccidentRegister

Identification of Safety Critical Elements

Fire Protection

Navigational Aids

Structures

Lifting Equipment

Rotating Equipment

CommunicationsEquipment

Escape, EvacuationAnd Rescue Equipment

Well Control & Containment

Process Flow

✓

6


Performance Standards

Having identified the key items of safety critical equipment (the SCEs), we then define the functions they are required to perform, and confirm the equipment is capable of consistently and continuously performing those functions. This is defined in Performance Standards (one for each SCE). The SCEs are assessed against Performance Standards through Assurance and Verification activities to give confidence that the SCEs will fulfil their intended purpose whenever required.

It is important that we understand how safety is assured through the Safety Case, and how the reliable performance of SCEs, in accordance with their Performance Standards, will minimise the consequences of realised MAHs. This helps us appreciate the importance of SCEs and recognise how we can support and assure safety within our own job roles, bringing benefits in safety to all.

Assurance

Assurance represents activities performed to ensure SCEs meet Performance Standards. This includes activities in all phases of the lifecycle and may involve activity by design contractors in the design, procurement and construction phases which the Duty Holder needs to monitor to ensure the SCEs are “initially” suitable. During the operational phase, the Duty Holder uses preventive maintenance strategies including inspection, planned maintenance and testing, to ensure that SCEs are consistently and continuously meeting Performance Standard requirements. Assurance also includes design and construction of modifications and the management of change / impact on SCEs through the use of a Management of Change (MOC) process. Verification

Verification represents the activities, in addition to Assurance, which are performed by an ICP, appointed by the Duty Holder, to confirm whether the SCEs will be, are, and remain suitable, or adequately specified and constructed, and are being maintained in adequate condition to meet the requirements of the Performance Standards.

MajorAccidentHazards

SafetyCritical

Elements

PerformanceStandards

Processes

SafetyCase

Integrity Reporting

Compliance

Definition

Assurance ActivitiesProcurement, Construction,OperationsMaintenanceInspection

Independent Verification

✓

76


MANAGING MAH THROUGH BARRIERS

Findings show that Major Accidents typically occur as a result of the combined failure of numerous processes and plant integrity / people activities, often referred to as the barriers between the hazard and the occurrence of an accident. To ensure these barriers are effective in preventing the initiation or arresting the escalation of an event leading to an accident, there are common building blocks that must be identified / considered, as follows:

Together, if managed effectively, these building blocks can reduce the risk of a Major Accident. The “Swiss Cheese” model shown below is a concept defined by James Reason and illustrates simple examples of Plant barriers (SCEs) in a Loss of Hydrocarbon Containment Major Accident scenario, where the holes in the barriers reflect a path through which the hazard is realised.

Barrier Model

PROCESS the setting of standards and expectations through management processes and procedures, and;

PEOPLE the organisational culture established, the values adopted and the way people behave and the functions they perform, and;

PLANT the provision of suitably designed and constructed plant to adequately meet defined needs and the condition in which it is maintained.

The Step Change in Safety Practitioner’s Guide 3 Assurance and Verification Guidance illustrates a scenario of failing barriers progressively escalating an event to a Major Accident, and highlights how a fully operating barrier without defects (or holes) might have prevented an accident or reduced the magnitude of its consequences. It also presents comprehensive examples of SCEs grouped and tabulated by Barrier type.

Hazard

PREVENTContainment

DETECTGas/FlameDetection

CONTROLESD

Blowdown

MITIGATIONFire Protection,

Deluge

Release

Event

RESCUE & RECOVERY

Lifeboat, Rescue Boat

✓

8


pERFORMANCE STANDARDS

Performance Standards are a legal requirement for PFEER-related elements and the commonly adopted means to meet the OSCR requirements for ensuring SCE suitability. Appropriate Performance Standards are required for SCEs over their full lifecycle, from design to decommissioning, and it is important to ensure safe transition between lifecycles phases.

They are a robust means to manage our major hazards and their associated risks. If each SCE meets its Performance Standard at all times, the likelihood of a Major Accident is reduced. However, failure of an SCE to meet its defined Performance Standard can increase the likelihood or consequences of a Major Accident.

Dangers can arise from a poorly defined Performance Standard if it is difficult to measure or understand, or, if there are omissions. As such, to ensure consistency and alignment in presenting the details of what an SCE must achieve in order to fulfil its role in hazard management, Performance Standard templates use specific and tailored criteria to:

• Describe goals and boundries• Describe / define the scope and functionality of the system• Specify criteria for each safety critical component with a clearly defined (technical) basis• Define measurable / auditable parameters with defined acceptance criteria

The codes, standards and specifications used in the original design of SCEs should be identifiable from the Performance Standards so that suitability can be maintained throughout the Asset’s life.

Performance Standards and SCEs are commonly grouped by Barrier Type, eg Prevention, Detection, Control, Mitigation and Emergency Response. It is likely that more than one parameter will be needed to detail the required performance of the SCE as a barrier. Good barrier performance is achieved through the well written procedures, adhered to by people who are competent for their defined roles in maintaining and assuring the performance of SCEs.

As noted in the PFEER Regulations, Performance Standards may be described in terms of Functionality, Availability, Reliability and Survivability. Along with Interactions with other SCEs, this is commonly known as the FARSI model.

Performance Standards should be periodically reviewed in order to incorporate new learnings and to consider if they are still suitable as required by the Regulations. The review of Performance Standards should be carried out in conjunction with the Safety Case thorough review or when there is a significant change to the Asset such that a Safety Case revision is necessary, eg field developments etc. Also, over time, additional criteria may be necessary to address failure modes that may emerge or develop as a result of the ageing processes which impact on Assets in later life.

Functionality What the SCE must do

Availability Will it be ready and able to perform when required?

Reliability Will it perform its function dependably?

Survivability Will it be available and capable of performing its function during an event

✓

98


ASSURANCE AND INTEGRITY MANAGEMENT

Assurance is the process of providing and witnessing evidence to establish confidence that activities are being performed in accordance with required processes and procedures, and observing results in relation to prescribed performance requirements. Assurance processes normally encompass a well documented cyclic form of continuous improvement that involves:

• Understanding what plant and equipment exists • Establishing its criticality to business needs, including safety and environment• Identifying degradation mechanisms and providing means to minimise their effects• Monitoring condition • Taking action to resolve problems and providing re-instatement where necessary• Managing the integrity and safety of the plant when changes are required• Using knowledge gained to review / revise plans for improved plant management

This is often referred to as a ‘Plan – Do – Check – Act‘ approach which forms the framework for a widely recognised Integrity Management System.

More detail on this process can be found in the Step Change Asset Integrity Toolkit.

Integrity Management processes are defined by each Duty Holder and may include:

• Maintaining a complete inventory of all assets under management• Identifying and understanding the degradation and failure mechanisms• Specifying and applying appropriate maintenance activities• Specifying and applying appropriate inspection and testing regimes • Implementing robust deferral and deviation processes• Monitoring integrity compliance through suitable reports / KPIs, eg SCE backlog• Assessing degraded performance; taking actions to mitigate / re-instate condition• Providing and consistently applying a Management of Change (MOC) process• Planning and completing suitable audits• Management of temporary equipment

These activities are performed by a range of people in different organisational groups, both on and offshore, and understanding the roles, responsibilities and coordination of functions performed is essential to achieve effective performance.

Assurance applies to all plant and equipment, and a good Assurance process proactively addresses degradation to ensure plant and equipment condition is known at all times through its operational life and appropriate actions are taken in advance of failures.

Check

DoAct

Plan

InspectMaintain

Test

SCEsPerformance

Standards

✓

10


Maintenance

Maintenance strategies are required to deliver maintenance regimes that ensure Performance Standards are demonstrably achieved. Strategy objectives should be result-oriented with the goal of improved equipment reliability, productivity and asset preservation, eg preserving technical integrity, increasing operating efficiency, minimising scheduled downtime etc. The strategy should define critical spares requirements and key maintenance support contract services.

Maintenance and inspection routines are developed for all equipment and entered into the Maintenance Management System (MMS), where they are scheduled at specific frequencies in accordance with the maintenance strategies. Scheduling ensures the “best fit” of maintenance activities based on priority, compliance and imposed constraints.

Maintenance work is selected on the basis of criticality and risk and the tools and processes applied are based on availability and reliability requirements and the complexity and lifecycle of the facility.

The MMS serves as a data repository, ensuring Maintenance and Reliability records are accurate and readily available, through the lifecycle of the Asset, to demonstrate compliance with Asset, Company and Legal requirements. All relevant information, eg equipment condition, resources used, failure / damage codes, inspection records, certification etc, is recorded in the MMS, providing a valuable reference for analysis. The MMS is used to communicate SCE Performance Standard requirements and to monitor and report maintenance work performed on SCEs. When testing or maintaining SCEs, it is important to record the “as found” status of the equipment as this helps determine Reliability and Availability. It is equally important to record the “as left” condition, so that personnel know the operational status of the SCE.

Where failures occur, a procedure should be in place to address all repairs and the failure should be risk-assessed to determine the impact upon the equipment involved and its suitability to continue in operation. The process should address the quality of repairs and ensure the original design integrity or Original Equipment Manufacturer (OEM) requirements are maintained. Repairs should be approved by the appropriate Technical Authority where the system is deemed safety critical.

Continuous Monitoring and Update

Successful Assurance and Integrity Management requires the ongoing monitoring and reporting of operational performance and maintenance / inspection in order to confirm the success, or otherwise, of the Integrity Management measures.

The Duty Holder also needs to assess the effect of cumulative risk of impairments and failures on SCEs across all areas of plant, equipment and systems to ensure that MAHs remain adequately controlled to acceptable levels.

Key Performance Indicators (KPIs) are an essential feature of a good Integrity Management System. The indicators can be “leading”, where they flag low performance which could lead to problems or failures ahead, or “lagging”, where they record numbers of defects or failures.

KPIs may vary for each Duty Holder and it is essential to provide a clear definition to ensure information is both consistently reported and clearly understood. Examples of KPIs include safety critical Maintenance Backlog, number of Inhibits / isolations under management, number of impaired SCEs, number of Safety Critical Anomalies etc.

Formal processes for the identification, monitoring, measurement and trending of performance indicators should be in place and measured results should be tracked against performance targets to demonstrate compliance, delivery or improvement.

Audits of the activities defined and performed under the Assurance processes should be carried out periodically and used to drive improvement of the processes.

✓

1110


VERIFICATION

The purpose of a Verification Scheme is to ensure that SCEs and specified plant will be, are, and remain suitable by complying with Performance Standards through each phase of an installation’s lifecycle. Implementation of the Verification Scheme provides additional confidence, independent of the Duty Holder’s Assurance process, that the parts of the installation deemed Safety Critical are suitable. A good Verification process not only ensures legislative compliance, it drives real improvements in Assurance.

The Verification Scheme is developed by, or in consultation with, the ICP to contain:

• The principles to be applied by the duty holder for the installation in selecting persons, to perform functions under the scheme; and to keep the scheme under review.

• The nature and frequency of examination and testing of SCEs , where nature describes the Verification activities to be completed by the ICP; ie review, examine, inspect, witness, audit etc, and frequency quantifies how much the ICP will do in terms of sample size and the period that the activity re-occurs

• Arrangements for review and revision of the Scheme• Arrangements for making and preserving records of examination and testing, findings, remedial actions

recommended and remedial action performed• The arrangements for communication of necessary information • Arrangements for communicating matters to a suitable level in the Duty Holder’s organisation

A typical Operational Verification Scheme will specify the following types of activities:

Type Verification Activities (Nature)

OFFSHORE • Witness SCE Assurance activities, eg tests, inspections, musters etc • Visually examine condition of SCEs, eg piping, vessels, hazardous area

equipment etc • Audit compliance with SCE Assurance Processes, eg Control of

Temporary Equipment, Management of Inhibits, Control of Lo/Lc Valves, Management of Defined Life Repairs etc, through inspection and testing, and the review of any offshore records

ONSHORE • Review Maintenance and Inspection records confirming they are:- suitable for assuring the Performance Standard - conducted at the specified frequency - reported correctly stating ‘As-Found’ and ‘As-Left’ condition- reporting remedial work and ensuring it has been correctly prioritised

/ executed • Review planned maintenance deferrals• Review procedural compliance audits (typically on a less frequent basis)

of specific SCE assurance management systems, eg Piping and Vessels Inspection strategy encompassing the RBI implementation, defined life repairs etc.

✓

12


ICP Responsibilities

The ICP has a responsibility to:

• Comment on the record of SCEs• Draw up or liaise in the development and periodic review of the Verification Scheme• Perform Verification activities as defined in the Verification Scheme• Report to the Duty Holder on the suitability of SCEs, detailing examinations / reviews performed, findings and

remedial actions recommended• Communicate any reservations on the List of SCEs or the content of the Verification Scheme to the Duty Holder The ICP provides an independent view of the initial and ongoing suitability of the SCEs to manage risks through the means defined in the Safety Case, and translated through the Performance Standards. The Duty Holder retains accountability and responsibility for managing risk through management systems / processes, people and plant.

The ICP should however identify errors in the Duty Holder’s Assurance processes which could compromise the objectives of the SCE, ie being effective when required. The ICP must therefore undertake sufficient activities in order to form a professional judgement whether the SCEs are likely to remain in good condition and repair, and function as required until they are verified again.

The following diagram provides an overview of the process and illustrates the boundaries of Duty Holder Assurance and ICP Verification.

Identify Major Accident Hazards and Conduct

PFEER Assessment

Identify Safety Critical Elements and

Specified Plant

Set Performance Standards

Review and Develop Means of Assurance

Implement Assurance Activities through the

MaintenanceManagement System

Projects & ModificationsModify or put in new

Safety Critical Elements

New SCE’s

Develop Verification Scheme

(Operations / Projects /

Modifications)

Review andComment

Completed by / or in consulation

with ICP.ICP to comment

on suitability of scheme

Execute Verification Activities in

accordance with Scheme

(Report/Track)

ASSURANCE BY DUTY HOLDER

YES

NO

VERIFICATION BY INDEPENDENT COMPETENT PERSON (ICP)Figure 5

✓

1312


Phase Duty Holder SCE Assurance ICP Verification Activities

SCE Identification Identify and record SCEs installed or impacted by the Project / Modification

Comment on the list of SCEs

Design Design documents: P&IDs / C&Es / Calculations / Specification Data Sheets etc

Review design documentation, incl sample design calculationsAudit design processReview deviations to Performance Standards (technical)

Procurement QA checks on equipment / materials ordered and received

Review / examine Procurement Orders and goods received

Fabrication / Construction QA PlansQA inspections / reviews

Examine / witness fabrication and constructionReview fabrication and construction dossiers (Material / Welding / NDT / Testing records)

Transportation / Installation QA inspections Examine equipmentReview records

Site Commissioning Testing of SCEs / Specified Plant to assure compliance with Performance Standards

Witness testingExamine equipment against designReview recordsReview punch-list itemsReview technical deviations

Close out / Handover to Operations

Compile and review closeout packsPopulate relevant Duty Holder databases for SCE maintenance / inspectionIssue handover documentation detailing outstanding items, incl Verification activities and findings

Review databases for population of new equipment and suitability of assigned operational assurance activities, eg maintenance / inspectionReview outstanding punch-list items and status of Verification

Initial Suitability

Verification Schemes are required for Projects, Operations and for Modifications. For all, the initial suitability of SCEs must be ensured through Verification before SCEs become operational. Whether a project or modification introducing new SCEs is “greenfield” (all new) or “brownfield” (major upgrade), the Verification Scheme must detail the Verification activities for all phases as follows:

✓

14


Management of Verification

The expectations of Verification should be clearly defined and communicated to personnel through corporate policy, job descriptions, Verification procedures and presentations etc. Senior management should support the Verification process through appropriate resourcing, expediting, interaction and performance monitoring.

Duty Holders should detail how they manage Verification, either through a procedure or the Verification Scheme. This would normally be integrated into the Duty Holder’s Safety Management System (SMS). The management process should define:

• The principles for selection of the ICP• Planning, ICP interface and Communications• Reporting of Verification Activities and Verification Findings• Lines of communication between ICP / Duty Holder and Engineering Contractor • Review and Revision of the Verification Scheme• Roles and Responsibilities, including reporting routes• Interface with Well Examination (see DCR under Legislation section) The Duty Holder must also:

• Periodically review the competence and independence of persons executing Verification activities• Provide adequate resources to facilitate the management of Verification including the necessary financial

provisions• Periodically audit the Verification Scheme as part of the overall SMS• Ensure that a periodic management review of the Verification Scheme is completed by, or in consultation with,

an ICP and, where necessary, revise or replace it • Record any reservations made by the ICP on the record of SCEs or the Scheme • Notify the ICP in the event of major repairs and breakdowns of SCEs• Ensure regular meetings between ICP and Duty Holder to review status of activities completed, and SCE

compliance with Performance Standards• Maintain ICP correspondence records

Verification Planning

Effective planning of Verification activities is key to ensuring the scope is completed in the most efficient manner. The ICP requires access to asset / project plans in order to identify appropriate times for visits and even to link visits to certain key activities, eg Riser ESDV testing.

For Verification to be of value, it must be completed as close to the Assurance taking place as possible. This means the ICP should be involved early in each phase and they should complete their activities in a timely manner. It is recommended that the Duty Holder makes the Verification scope expectations clear to the ICP by setting milestones to be completed by certain dates.

Verification Reporting

The Duty Holder should monitor the progress and completion of Verification activities on a regular basis. If progress falls behind plan, a meeting should be held with the ICP to develop a recovery programme, as failure to complete the planned Verification could ultimately lead to an Improvement Notice by The HSE on the Duty Holder. ICPs should also raise concerns when the Verification programme is not being completed in a timely manner. Senior management should be kept informed through the use of Key Performance Indicators (KPIs) and progress reporting.

ICP reports must be issued regularly to confirm completion of the Verification scope of work, and these should clearly state whether the examined SCE meets the Performance Standard. Where the ICP notes deficiencies within the Performances Standards or Verification Scheme these should be formally raised.

In addition to the regular Verification Report, the ICP may provide overview presentations on Verification activity progress. It is also recommended that the ICP delivers an annual End-of-Year Verification Report / Presentation to the Duty Holder’s senior management.

✓

1514


Verification Findings Management

The Duty Holder’s procedure / process for the management and investigation of Verification Findings should address:

• Reporting of Verification Findings: a visible and robust method of raising and closing Verification Findings. Database systems are good practice as they provide visibility and facilitate effective interrogation

• ICP involvement in the close-out of Verification Findings• Escalating Verification Findings, eg where no progress is being made, due date has elapsed or where closure

cannot be resolved• Letters of Concern and Letters of Reservation• Roles and responsibilities for responding to Verification Findings

For Findings raised by the ICP, the Duty Holder should aim to identify and remedy the root cause in order to avoid recurrence and to promote internal learning. To achieve this, the Duty Holder may instruct the ICP to carry out a review of the findings raised against historic common failures (recorded on MMS) and to check the failed equipment was being suitably maintained. This approach gives the ICP a fuller picture of the issue raised and the findings can drive the Duty Holder to the most effective solution.

Verification Findings should be reviewed on a regular basis by the Duty Holder and the ICP. Verification Findings should have realistic target closure dates which are set by the ICP and Duty Holder in accordance with severity.

Verification Findings are categorised in many different ways, as detailed in each Duty Holder’s Verification Scheme. However, as an industry, Verification Findings are reported to Oil & Gas UK for input into an industry KPI that tracks the overall level of open and overdue Verification Findings based on the following categories: Level 1 Performance Standard satisfied, but ICP may suggest improvement to system or request additional

information to demonstrate compliance

Level 2 Single Performance Standard failure with no immediate threat to the integrity of the installation

Level 3 Fundamental SCE Assurance systemic failures that need senior management to remedy / resource, Multiple failures of a Performance Standard and / or immediate threat to the integrity of the Installation

Verification Scheme Review and Audit

The Verification Scheme and associated key documentation should be kept under continuous review, revised as often as necessary, and maintained up-to-date. In addition to periodic reviews, a Verification Scheme review should be initiated by changes such as: revision of any codes / standards referenced in the Scheme; modifications to the installation which result in amendments to the list of SCEs or Performance Standards; revision to the Safety Case; and changes to installation operating parameters or environmental conditions.

Changes to the Verification Scheme need to be well managed to ensure all relevant personnel are made aware and necessary approvals are obtained. Depending upon the content of the Verification Scheme, SCE Performance Standard owners (Technical Authorities or Subject Matter Experts), Discipline Engineers, Safety Engineering, Verification focal points and ICPs may need to be involved. Audits of the Verification management process should be carried out on a periodic basis and should include all key Stakeholders.

✓

16


Well Examination Interface

DHSVs and Wellhead valves are normally identified as safety critical and as such require Verification. This creates an overlap between the Operations Verification Scheme and the Well Examination Scheme, eg activities covered by the ICP may include witnessing the operation of Xmas tree wing valves and inspection of the Xmas tree. This information should be reported back to the Well Examiner. The key is for the Duty Holder to establish a clear interface process, with no gaps, and effective communication between examining parties.

Combined Operations (COMOPS)

Combined operations are defined as operations involving the temporary interaction of two or more installations; eg a drilling rig operating alongside the platform or a bridge-linked flotel during major works on the platform.

There are a number of interfaces during a combined operation that are likely to result in amendment to the record of SCEs, eg alarms, communications, means of access, firewater system interconnections etc.

The interfaces need to be clearly defined before the combined operations begin. Duty Holder and ICP management for each installation must understand and agree the SCEs and Performance Standards affected, as well as the Verification activities required by the ICPs. Any resultant changes to the Verification Schemes may be included as an appendix for the duration of the combined operations. Verification findings raised should be managed as per the Verification Scheme but with both Duty Holders notified of the outcome.

Once the drilling rig, flotel or vessel is removed, the ICP should carry out Verification activities to ensure that the integrity of the Installation has been returned to the original state, or complies with the requirements for the revised arrangements following modifications.

Verification of Decommissioning and Abandonment

The activities required for decommissioning and field abandonment by the Duty Holder must be documented and are subject to approval by the HSE and the DECC.

A new hazard assessment must be carried out, leading to a revised list of the SCEs required to manage those hazards. New Performance Standards and relevant means of Assurance and Verification will be required for each phase, concentrating particularly on what SCEs are required, what they must achieve, and the order that safety critical equipment is removed / switched off. Note that all SCEs must remain fit for purpose until the associated hazard is no longer present, eg gas detectors need to remain operational until the installation is permanently gas free.

Hazards may change during different phases of Decommissioning and plans and procedures should be established for timely review / revision to ensure that both appropriate SCEs and PS are in place for the correct hazards and; inspection, maintenance, assurance and verification activities, match these.

✓

1716


Verification Relationships and Communication

Our studies show there is a good understanding of the purpose of the Safety Case Regulations and there is unanimous recognition that Verification has an important role in hazard management. Often however, the benefits of Verification are simply seen as Regulatory compliance rather than the direct business benefits of an effective safety management system. There are also a number of constraints preventing full integration of independent Verification activities and these are diluting the potential value and benefits to be gained by Duty Holders These issues and constraints include:

• A misconceived perception that the ICP is the Regulator’s “policeman”, rather than the Duty Holder’s agent supporting asset integrity

• The potential for contractual and commercial relationships that make it difficult for the Verifier to present unpopular findings and constructive recommendations

• A lack of interface between Duty Holders’ senior management and ICPs which can limit the benefits of verification activities

• Common views that ICPs are generalists, lacking discipline-specific knowledge, with limited drive by Duty Holders to set expectations for topic competence and inconsistent recognition (or application) of the IVBs’ broad multi-discipline back-up

• Changes in asset ownership and Duty Holder / Verifier organisation which need to be well managed to avoid loss of knowledge

Improved understanding at senior management level to promote leadership, together with education and awareness of the workforce, are seen as key to addressing these constraints and providing greater clarity on the purpose, benefits, roles and responsibilities of the Safety Case regime. The goal is to make that vital connection where leadership and commitment from senior management is not for Regulatory compliance but for the benefit of the business and all Stakeholders. Proactive Duty Holder leadership should be complemented by promotional campaigns supported by all key Stakeholders; Operators, Duty Holders, Regulators and Verification Bodies.

For ICPs, the reporting of findings must be comprehensive and justified, with due consideration of the value to the Duty Holder. ICPs should also promote examples where Verification has added value and share lessons learned with other Duty Holders.

✓

18


TRAINING AND COMpETENCE

ICP Competence

Duty Holders are legally responsible and should assure themselves that their selected ICPs are competent and can demonstrate the same. Duty Holders can achieve this by:

• Reviewing specified competency levels for ICPs• Reviewing / interviewing individual ICPs prior to acceptance• Documenting ICP acceptance• Conducting regular competency audits of their selected ICPs• Establishing the breadth and depth of knowledge of ICPs specific to wells and well-related equipment

Well Examiner Competence

The DCR place an obligation on the Well Operator to satisfy themselves of the independence and competence of the persons examining any part of the well. The Oil & Gas UK Well Life Practices Forum has produced guidelines on the Competency of Well Examiners.

Documented Systems of Competency Assessment

Each ICP company or person should have a system of documented competence, with traceable means of assessment, clearly stating the competence criteria and method of assessing the individual ICP. As a guide, the System should contain the following elements:

• Competency criteria by engineering discipline or SCE specific• Detailed criteria to define competence – in general a combination of technical knowledge and experience is

required• Frequency of review and assessment• Definition of which lifecycle phase the person is considered competent for• Increasing levels of competence may be defined

Although it is not part of the regulatory requirements, it is recommended that a similar documented competence review is applied to internal discipline Technical Authorities, safety-critical equipment vendors, service companies and engineering contractors.

Wider Industry Competence and Awareness of MAH Management

Personnel may be technically competent within their own discipline but can often fail to foresee that their actions may have far reaching implications in the event of a Major Accident. It is therefore important that personnel interacting with SCEs understand the intent of the Regulations, how compliance is achieved, how SCEs shall be suitable on a continuous basis and operate on demand.

To help raise awareness, Step Change in Safety has issued this guidance document, together with a more detailed practitioner’s guide for those developing and managing activities in support of Assurance and Verification and, a high level overview leaflet for broader industry consumption.

MAH Training Programmes by Dutyholders is encouraged with the intent of improving competency and addressing:• Intent and key requirements of the Regulations• Definition of SCE, links to MAH and Performance Standard creation• Role of Assurance and independent Verification • Barriers concept, using examples of cumulative failures• Safety critical impairment risk assessments, showing application across interacting SCEs

Competency requirements for persons with any responsibility for SCEs, from Technician to senior Management, should be defined within the Duty Holder’s Quality Management System.

✓

1918


MANAGEMENT OF CHANGE

Management of Change (MOC) is a vital element in supporting major accident prevention throughout an Asset’s lifecycle. An effective change management process will improve safety, production, Regulatory compliance and environmental performance.

A consistent approach is essential to assure changes proposed will provide sustained benefits and will not cause consequential losses on other linked processes and equipment. For this reason, MOC associated with technical modifications is a key process in company management systems.

Normally, the major MOC threat is that a change is not recognised or the impacts of the change are not recognised or planned for. Globally, the failure to manage change is consistently identified as a root cause or a significant contributor in major accidents.

Typically, the following are examples which would constitute changes requiring use of the MOC process:

• Changes affecting an SCE’s Functionality, Availability, Reliability or Survivability• New process facilities or equipment, including Temporary Equipment• Removing or by-passing equipment• New chemicals• Change of specification of equipment• Change in engineering procedures• Change in maintenance regime• Cumulative effect of a multitude of small changes• Software changes

Like for like replacements, changes to operational parameters within design limits and routine activities covered by standard maintenance and operations procedures, eg scaffolding, inspection etc, are not considered Technical modifications.

The scale and complexity of the modification will determine the personnel to be involved in the MOC process and the level of scrutiny that should apply. However, in all cases, MOC should be a controlled process, with authorisation consistently applied and broadly in line with the following:

IDENTIFY / INITIATE

SELECT DEFINE EXECUTE CLOSE OUT / OPERATE

Justify and define Change Request

Apply MOC Risk Assessment

Detailed design scope of work

Construction and commissioning

Lessons learned. Update records

For modifications to SCEs, it is essential that there is review by the Duty Holder, normally through relevant Technical Authorities, and a level of Verification by the ICP to ensure that SCEs will be, are, and remain “suitable for use”.

✓

20


TEMpORARY EQUIpMENT

Temporary Equipment may introduce additional hazards, or adversely affect existing SCEs. As such, the Duty Holder needs effective Assurance and Verification processes and associated management procedures to ensure control and suitability of Safety Critical Temporary Equipment.

This should define key roles and responsibilites, and a typical control process for Temporary Equipment may involve:

• Identification of requirement to assess the risk and specify the equipment• Provide equipment to meet specification• Assure equipment meets specification and Performance Standard prior to shipment through inspection, testing

and / or review of records• Receive equipment offshore, check for transit damage, confirm suitability for hook-up at location and ensure

controls are in place• Ongoing Assurance of “continued suitability” while onboard and in use

Duty Holders should define a time limit for Temporary Equipment. For large load-outs of Temporary Equipment with multiple tie-ins to platform systems, it may be better to use the Management of Change process to control Temporary Equipment.

The Verification process must be independent of the Assurance process. The Duty Holder’s Verification Scheme must again document the ICP’s Verification activities in terms of Nature and Frequency for Safety Critical Temporary Equipment. If the ICP raises any Findings, these should be brought to the Duty Holder’s immediate attention before the Temporary Equipment is put into operation.

✓

2120


REFERENCES AND FURTHER INFORMATION

For further details, reference should be made to the following:

• The Step Change in Safety Assurance and Verification Guidance Document

• The Public Inquiry into the Piper Alpha Disaster - Lord W Douglas Cullen

• Plant Ageing: Management of equipment containing hazardous fluids or pressure - Research Report RR509 HSE Books 2006

• Step Change - The Asset Integrity Toolkit

• Energy Institute Guidelines for the management of safety critical elements

• Energy Institute Research report: A framework for monitoring the management of ageing effects on safety critical elements

• A guide to the Offshore Installations (Safety Case) Regulations 2005

• HSG 65 Successful health and safety management

• Provision and Use of Work Equipment Regulations 1998 (PUWER)

• Directive 94/9/EC The ATEX Equipment Directive (also known as ATEX 95)

• Directive 99/92/EC The ATEX Workplace Directive (also known as ATEX 137)

• HSE Offshore Information Sheets 4/2009 (Guidance on management of ageing installations) and 5/2007 (Ageing semi-submersible installations)

• HSE Nature and Frequency of Verification of Safety Critical Elements HID Semi Permanent Circular SPC/Enforcement/43

• A guide to the well aspects of the Offshore Installations and Wells (Design and Construction, etc) Regulations 1996

• A guide to the installation Verification and miscellaneous aspects of amendments by the Offshore Installations and Wells (Design and Construction, etc) Regulations 1996 to the Offshore Installations (Safety Case) Regulations 1992

ACKNOWLEDGEMENTS

This document could not have been produced without significant contribution from many people with knowledge of Assurance and Verification. The text is the result of intense activity by these individuals. It is not a definitive guide, but represents the opinions of many who have worked with the Legislation and managed SCEs. Contributors to the document include:

AMEC IMESApache North Sea Limited Lloyds Register EMEABG Group Maersk FPSOsBP North Sea Maersk OilBritannia Operator Limited Nexen Petroleum UKBureau Veritas Oil and Gas UKCentrica Energy Perenco UK - SNSChevron Upstream Europe PetrofacConocoPhillips (UK) Limited Plant Integrity ManagementDiamond Offshore Drilling Shell U.K. Limited DNV Step Change in SafetyEnsco Talisman Energy (UK) Ltd.ExxonMobil TAQA Bratani GDF SUEZ E&P UK Ltd Total E&P UK LtdGL Noble Denton TransoceanThe Health and Safety Executive Wood Group

address 3rd Floor

The Exchange 2

62 Market Street

Aberdeen

AB11 5PJ

telephone 01224 577268

email [email protected]

website www.stepchangeinsafety.net

des

ign

ed b

y fo

yer

gra

ph

ics

First printed June 2012

asset integrity summary guidance annual …...for duty holders to review their maintenance,...

Documents