Guidelines for the management of

safety critical elements

2nd edition

IP

An IP Publication

GUIDELINES FOR THE MANAGEMENT OF

SAFETY CRITICAL ELEMENTS

Second edition
March 2007

Page
Blank
In
Original

GUIDELINES FOR THE MANAGEMENT OF

SAFETY CRITICAL ELEMENTS

Second edition
March 2007

Published by
ENERGY INSTITUTE, LONDON
The Energy Institute is a professional membership body incorporated by Royal Charter 2003
Registered charity number 1097899
Endorsed by
The United Kingdom Offshore Operators Association and the HSE Offshore Safety Division

The Energy Institute gratefully acknowledges the financial contributions towards the scientific and
technical programme from the following companies
BG Group
BHP Billiton Limited
BP Exploration Operating Co Ltd
BP Oil UK Ltd
Chevron
ConocoPhillips Ltd
ENI
ExxonMobil International Ltd
Kuwait Petroleum International Ltd
Maersk Oil North Sea UK Limited

Murco Petroleum Ltd

Nexen
Saudi Aramco
Shell UK Oil Products Limited
Shell U.K. Exploration and Production Ltd
Statoil (U.K.) Limited
Talisman Energy (UK) Ltd
Total E&P UK plc
Total UK Limited

Copyright 2007 by the Energy Institute, London:

The Energy Institute is a professional membership body incorporated by Royal Charter 2003.
Registered charity number 1097899, England
All rights reserved
No part of this book may be reproduced by any means, or transmitted or translated into a machine language without
the written permission of the publisher.
The information contained in this publication is provided as guidance only and while every reasonable care has been
taken to ensure the accuracy of its contents, the Energy Institute cannot accept any responsibility for any action taken,
or not taken, on the basis of this information. The Energy Institute shall not be liable to any person for any loss or
damage which may arise from the use of any of the information contained in any of its publications.
The above disclaimer is not intended to restrict or exclude liability for death or personal injury caused by own
negligence.

ISBN 978 0 85293 462 3

Published by the Energy Institute
Further copies can be obtained from Portland Customer Services, Commerce Way,
Whitehall Industrial Estate, Colchester C02 8HP, UK. Tel: +44 (0) 1206 796 351
e: sales@portland-services.com
Electronic access to EI and IP publications is available via our website, www.energyinstpubs.org.uk.
Documents can be purchased online as downloadable pdfs or on an annual subscription for single users and
companies. For more information, contact the EI Publications Team.
e: pubs@energyinst.org.uk

IV

CONTENTS
Page
Foreword

vii

Acknowledgements

viii

Introduction

Background to the revision of Guidelines for the management of safety critical elements 3

Applicable legislation

Definitions and key concepts

4.1 Safety critical elements
4.2 Major accidents
4.3 Performance standards
4.4 Verification schemes
4.5 Independent competent persons

7
7
7
7
7
7

Identification of SCEs

Development of Performance Standards

13

Assurance of SCE integrity

15

Verification throughout the asset life

8.1 Overview of verification
8.2 Verification in the concept, feed, design, construction and commissioning phases
8.3 In-service verification
8.4 Decommissioning

17
17
18
19
20

Change management
9.1 Modifications
9.2 Temporary equipment

21
21
21

10 References and glossary of terms

23

vi

FOREWORD
In 2005, the UKOOA led Installation Integrity Working Group (IIWG) requested that the Energy Institute manage
the review and revision of the UKOOA Guidelines for the management of safety critical elements, first issued in
September 1996. This project required the formation of a separate (sub) Working Group from the parent IIWG
members.
The revision exercise was part of a programme of work undertaken by the IIWG which included development and
promotion of industry good practices and suitable performance measures. A principal deliverable of this Working
Group was the Asset Integrity Tool Kit, which includes an Assurance and Verification Tool outlining the
requirement for identification, assurance and verification of Performance Standards for Safety Critical Elements.
These Guidelines are therefore considered as providing valuable input for this element of the management of
installation integrity.
It is intended that these Guidelines should provide good practice for the management of safety critical elements for
offshore installations and will be of use principally for those involved in assurance and verification. The document
should also provide a useful guide for duty holders, managers of operations, safety, engineering and maintenance
functions, and an initial introduction for those who wish to become involved in the subject.
This document has been compiled as guidance only and while every reasonable care has been taken to ensure the
accuracy and relevance of its contents, the Energy Institute, its sponsoring companies, the document writer and the
Working Group members listed in the Acknowledgements who have contributed to its preparation, cannot accept
any responsibility for any action taken, or not taken, on the basis of this information. The Energy Institute shall not
be liable to any person for any loss or damage which may arise from the use of any of the information contained in
any of its publications.
These Guidelines will be reviewed in future and it would be of considerable assistance for any subsequent revision
if users would send comments or suggestions for improvements to:
The Technical Department,
Energy Institute,
61 New Cavandish Street,
London
W1G 7AR
e: technical@energyinst.org.uk

vii

ACKNOWLEDGEMENTS
The Institute wishes to record its appreciation of the work carried out by the following individuals:
Tim Walsh of Lloyds Register EMEA, for the drafting of this document.
Members of the Joint Industry Working Group, which was set up to steer the re-drafting programme and who have
provided valuable expertise:
Keith Hart
Lee Broadley
Simon Brown
Bernard Emery
Peter Griffiths
Paul Kefford
Bob Kyle
Alex Macleod
Bill McKenzie
Alan Richardson
Ian Wright

Energy Institute (Manager and Chairman)

Talisman Energy Ltd
HSE OSD
HSE OSD
HSE OSD
Chevron
UKOOA
Lloyds Register EMEA
BP Operating Company Ltd
HSE OSD
DNV

Assistance was also provided by:

Garry Mannett
Richard McCabe
Phil Rothie
Ruth White

BV
BV
BV
DNV

The Institute also wishes to recognise the contribution made by those who have provided comments on the Draft
document which was issued during an industry consultation period.

viii

1
INTRODUCTION
The purpose of this document is to provide industry
guidance for the management of Safety Critical
Elements (SCEs) on offshore installations operating on
the UK continental shelf. SCEs are the equipment and
systems which provide the basis to manage the risks
associated with Major Accident Hazards (MAHs). This
document should be read in conjunction with the
Offshore Installations (Safety Case) Guidelines. This
publication replaces that of the same title produced by
the UK Offshore Operators Association (UKOOA) in
1996.
The starting point for this guidance is a review of
the applicable legislation and a summary of the key
concepts underpinning the management of SCEs. The

document then describes the process by which SCEs are

identified and performance standards set. The process of
verification is central to ensuring that the integrity of
SCEs is maintained and guidance is provided for the
management of verification throughout the various
stages of the asset lifecycle. The document also deals
with the management of change in relation to SCEs and
concludes by identifying sources of further information
including good practice and FAQs.
This document is aimed at all those who have an
interest and/or involvement in the management of SCEs,
particularly those responsible for the management of
technical and operational activities within, or on behalf
of, duty holders.

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

BACKGROUND TO THE REVISION OF

Guidelines for the management of safety
critical elements
The first issue of the joint industry Guidelines for the
management of safety critical elements was produced by
a UKOOA led work group in September 1996, at a time
when the new "verification regime" was being
introduced. That document was primarily intended to
provide guidance to the industry on how the new
requirements should be implemented on installations
that had been designed, constructed and operated under
the previous "certificate of fitness" requirements.
The UK oil and gas industry has been operating in
accordance with the requirements of the Offshore Safety
Case Regulations (OSCR) since 1996 and it is
appropriate that the original guidelines should be
revised to take account of experience gained in recent
years. Since the publication of the original guidelines,
there have also been additional developments from
within industry which have impacted on the
management of safety critical elements and for which
guidance is provided in this document.

These include:
Major modifications being carried out to existing
installations as they are developed for changing
field characteristics and functions, which may be
very different to those for which they were
originally designed.
Replacement of verification aspects of the Offshore
Installations (Design & Construction) Regulations
(1996) by the Offshore Safety Case Regulations
(2005).
Installations that are being operated well beyond
their original design life.
Changing ownership, and in some cases, multiple
changes of ownership, of many older assets and the
prevalence of smaller independent operators, some
of whom are new entrants to the UK sector.
The increasing importance of decommissioning
activities.

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

3
APPLICABLE LEGISLATION
The requirement for industry to manage SCEs is
covered either directly or indirectly by the following
regulations:
The Offshore Installations
Regulations 2005.

Regulations
OSCR 2005

(Safety

The Offshore Installations (Prevention of Fire and

Explosion and Emergency Response) Regulations
1995 (PFEER).

Case)

The following table shows how these regulations relate

to the management of SCEs.

Section
Regulation 2

Areas covered
Definition of Safety Critical Elements
Definition of Major Accident Hazards
Assurance of the fitness for purpose of SCEs
Independent Competent Persons

PFEER 1995

Regulation 19

Duty holders' responsibility with respect to the

identification and management of SCEs

Schedule 7

Matters to be provided for in a verification scheme

Regulation 5

Performance Standards

Regulation 19

Assurance of the fitness for purpose of SCEs

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

DEFINITIONS AND KEY CONCEPTS

There are a number of definitions and key concepts
which are essential to the successful management of
SCEs. Details of these are provided within the
regulations, approved codes of practice and guidance
documents; however the main concepts are summarised
below.

its purpose.
It is a requirement that Performance Standards
should be established for all SCEs.
4.4 VERIFICATION SCHEMES
Verification schemes are written schemes implemented
to confirm, or otherwise, that SCEs are suitable and
remain in good repair and condition. As from April
2006 verification schemes should also cover specified
plant required by PFEER and previously subject to
PFEER written schemes of examination.

4.1 SAFETY CRITICAL ELEMENTS

Safety Critical Elements are any part of the installation,
plant or computer programmes whose failure will either
cause or contribute to a major accident, or the purpose
of which is to prevent or limit the effect of a major
accident, and for the purpose of these guidelines,
include items of specified plant referenced in
Regulation 19 of PFEER.

4.5 INDEPENDENT COMPETENT PERSONS

Independent Competent Persons (ICPs) are required to
carry out various functions under the verification
scheme to ensure that the process of managing risks
associated with the Major Accident Hazards is working
effectively. It is a requirement that ICPs must be
sufficiently independent so as to be impartial and
objective in their judgement such that safety is not
compromised. The role of the ICP can either be
undertaken by a single organisation or by a number of
different individuals or organisations considering
separate aspects of the installation. In the latter case
however, greater co-ordination will be required by the
duty holder to ensure that all parts of the scheme have
been adequately addressed and that interfaces are
effectively managed. Although not mandatory, it is
generally recommended that where multiple ICPs are
employed, one has an overseeing role.

4.2 MAJOR ACCIDENTS

Major accidents are fires, explosions or releases of
dangerous substances that will cause death or serious
injury; major damage to the structure or plant or loss of
stability; the collision of a helicopter; failure of life
support systems for diving operations; or any other
event involving death or serious injury to five or more
people.

4.3 PERFORMANCE STANDARDS

A Performance Standard is a qualitative or quantitative
statement of the performance required of a system or
item of equipment in order for it to satisfactorily fulfil
7

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

IDENTIFICATION OF SCEs
Although there are various different, and equally
acceptable, ways of identifying SCEs there are steps

which are common to all. These common steps are

shown in Figure 5.1 and described below.

Identify Major Accident

events using the
Safety Case

Identify structure and plant which can cause, prevent,

detect, control, mitigate, rescue or help recover from a
major accident

Identify PFEER specified plant

Record items identified

as SCEs

Figure 5.1: Identification of SCEs

9

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

The outcome of these deliberations should be

recorded giving the reasons why an item has, or has not
been identified as safety critical and with reference to
the relevant major accident hazard.

Step 1: Identify the major accident events on the

installation
This is carried out using a series of hazard identification
techniques, involving both qualitative and quantitative
methods. The results from this process are generally
recorded in a Hazard Register which documents all of
the potential major accident event scenarios on an
installation, and should be documented in the safety
case for the installation.

Step 3: Identify PFEER Specified Plant

Specified Plant is any of the plant of an installation
which is provided:
To comply with Regulations 1 l(l)(a), 13, 15 and
16 of the PFEER Regulations.

Step 2: Identification of structures and plant which

can cause, contribute to, prevent or help
recover from a major accident

As a means of detecting fire and for detecting and

recording accumulations of flammable gases (as
required by Regulation 10 of the PFEER
Regulations).

Duty holders will generally utilise lists of plant and

equipment, extracted from their computerised
maintenance management systems, as the starting point
for assessing which of the items on the list are safety
critical. The issue of 'how deep to dig' is one that
requires to be addressed before the identification
process can begin. Approaches vary, but SCEs need to
be defined at an appropriate level such that they have a
direct linkage to MAHs, and it is also clear whether or
not an equipment item forms part of one or more SCEs.
A team approach to SCE selection is usual as it is
unlikely that a single person would have sufficient
technical appreciation of the major accident analyses
and detailed knowledge of the installation. Starting from
the complete list of equipment the team should assess
each item in turn and form a view as to whether it could
cause, contribute to, prevent or help recover from, a
major accident.

Measures to combat fire and explosion as required

by Regulation 12 of the PFEER Regulations.
Step 4: Prepare a record of items identified as
Safety Critical Elements
It is important that the record of SCEs is maintained up
to date, therefore the major accident analyses and the
list of SCEs should be reviewed periodically. The list
should also be reviewed prior to the addition of new
equipment or modification of existing plant.
A typical (but non-exhaustive) example, showing
the interrelationship between MAHs and SCEs is given
below.

10

IDENTIFICATION OF SCEs

PRIMARY
MAJOR
HAZARDS

SAFETY CRITICAL ELEMENTS AND SUB-ELEMENTS

PROCESS
CONTAINMENT

PRESSURE VESSELS
PIPING
PIPELINES
WELLS

IGNITION
CONTROL

Ex CERTIFIED EQUIP.
ELECTRICAL TRIPPING EQUIP.
EARTHING AND BONDING EQUIP.

FIRE

EXPLOSION

MAJOR
ACCIDENT
SCENARIOS

MAJOR
ACCIDENT
HAZARDS

HELICOPTER
CRASH

SAFEGUARDING
SYSTEMS

FIRE
PROTECTION

NAVIGATIONAL
AIDS
SHIP
COLLISION
STRUCTURES

MAJOR
HAZARDS
REGISTER

STRUCTURAL
FAILURE

DROPPED
OBJECTS

LIFTING
EQUIPMENT

ROTATING
EQUIPMENT

COMMUNICATIONS
EQUIPMENT
TURBINE
DISC
FAILURE
FLOW

ESCAPE,
EVACUATION AND
RESCUE EQUIPMENT

11

PROCESS SHUTDOWN SYSTEM

EMERGENCY SHUTDOWN SYSTEM
FIRE AND GAS SYSTEM
WATER FIRE FIGHTING
CHEMICAL FIRE FIGHTING
PASSIVE FIRE PROTECTION
AIRCRAFT
SEACRAFT
SUPPORT STRUCTURES
FACILITY STRUCTURES
EXPLOSION PROTECTION
CRANES
LIFTING GEAR AND BEAMS
TURBINE P.M. FOR COMPRESSORS
TURBINE P.M. FOR GENERATORS
RADIOS
TELEPHONES
PUBLIC ADDRESS
LIFEBOATS
LIFERAFTS
HELICOPTER RESCUE BOX
PERSONAL SAFETY EQUIPMENT

MAINTENANCE MANAGEMENT SYSTEM

HAZARD
IDENTIFICATION
AND ASSESSMENT

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

12

6
DEVELOPMENT OF PERFORMANCE
STANDARDS
This activity follows from the identification of MAHs
and selection of SCEs described in Section 5.
The creation of Performance Standards (PSs) is the
process by which a duty holder sets out what is
expected of an SCE. The PSs are the criteria against
which the initial and ongoing suitability of an SCE is
assessed. Safety Integrity Level (SIL) assessments may
be used to develop PSs for instrument based protective
systems.
Performance Standards for SCEs are generally
defined in terms of:

Functionality - What is it required to do?

Availability - For what proportion of time will it be
capable of performing?
Reliability - How likely is it to perform on
demand?
Survivability - Does it have a role to perform post
event?
Interactions - Do other systems require to be
functional for it to operate?

13

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

14

ASSURANCE OF SCE INTEGRITY

It is the responsibility of the duty holder to ensure that
SCEs are able to perform their intended functions with
the required availability and reliability throughout their
service.

2.

Ensuring that assurance activities are carried out at

the appropriate time by competent people.

3.

Maintaining a record of these activities and any

findings that arise.

4.

Addressing any deficiencies arising from assurance

activities as soon as possible and taking any
temporary measures that may be necessary to
maintain risk ALARP until deficiencies have been
rectified. Any temporary measures should be
subject to review and comment by the ICP.

This should be achieved by the following means:

1.

Identifying those assurance activities, such as

maintenance, inspection and testing, that are
required to maintain the SCE in a suitable
condition.

15

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

16

VERIFICATION THROUGHOUT THE

ASSET LIFE
8.1 OVERVIEW OF VERIFICATION

8.1.2

This section provides an overview of verification and

description of how verification should be approached
during the various stages of the asset's life.
8.1.1

The ICP is required to review and comment on the list

of SCEs and ensure himself that Performance Standards
are appropriate; any reservation raised by the ICP
should be recorded.
The verification scheme may be drawn up by either
the duty holder (or an appointee acting on its behalf), or
the duty holder in conjunction with the ICP. If it is not
drawn up by the ICP, then the ICP must review and
comment on the scheme and a record of that review
(including any comments or reservations as a result of
unresolved issues arising) should be retained as part of
the scheme records.
The ICP is responsible for carrying out the
verification activities detailed in the verification
scheme. The duty holder is responsible for ensuring that
the ICP is provided with all access necessary and
information required to carry out the verification
activities.

Elements of a verification scheme

A verification scheme must address the following (see

OSCR (2005) Schedule 7):
1. The principles to be used in selecting persons to
perform functions under the scheme and keep it
under review (i.e. the ICP).
2.

Arrangements for communicating necessary

information to persons performing functions under
the scheme and reviewing it.

3.

The nature and frequency of examination and

testing.

4.

Arrangements for reviewing and revising the

scheme.

8.1.3

5.

Arrangements for record keeping for examinations

and tests carried out, results and findings,
recommended actions and close-out of
recommended actions.

6.

Arrangements for communicating 5. to the

appropriate level in the duty holder's organisation.

Responsibilities of the ICP

Verification activities

Verification activities are those carried out by the ICP

and are intended to either directly establish the
suitability of the SCE, or to establish that appropriate
assurance activities have been undertaken (e.g. the
witnessing of emergency shutdown system function
tests).
Both assurance and verification activities should be
defined in the same written scheme of examination, but
only an ICP can carry out verification activities.

17

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

The verification scheme should provide a clear

indication of the nature and frequency of the verification
activity that the 1CP is expected to carry out.
When assurance and maintenance work is carried
out sufficient information should be recorded to show
that the SCE remains in good repair and condition. This
is particularly important where availability and
reliability performance standards require to be
demonstrable.

8.2.2

Once SCEs have been identified, Performance

Standards (PSs) need to be set for each (see Section 6).
Those PSs associated with establishing "initial
suitability" may be different to those used to assess
ongoing suitability throughout the operational life of the
SCE. There are a number of ways of dealing with this
issue including the development of separate PSs for
initial and ongoing assessment and the incorporation of
both into a single PS. Regardless of the approach taken,
it is essential that the requirement contained in the PS
assures that the SCE can fulfil its function. The PS must
also be written in such a way that it can be clearly
established whether or not the required standard of
performance has been achieved.

8.2 VERIFICATION IN THE CONCEPT, FEED,

DESIGN, CONSTRUCTION AND
COMMISSIONING PHASES
During these initial phases of a development project, the
duty holder is required to demonstrate "initial
suitability" of SCEs through the following:

8.2.3

Consideration of the design.

Confirmation of the adequacy of manufacture,
fabrication and installation.
Demonstration during commissioning that the
SCEs are capable of meeting the required
performance standards.

Documenting the scheme

There is no fixed way of documenting a new

construction verification scheme and a number of
methods have been employed ranging from having all
details and records in a single document to having a
number of separate documents dealing with different
requirements. In the later case, an overall document will
be necessary in order to describe how the various pieces
of documentation relate to each other. Whichever
approach is taken, it should ensure that all the details
required by Schedule 7 of OSCR are provided (see
section 8.1).

The ICP's role is to carry out independent examination

of documents, activities and plant and equipment to
confirm the level of compliance with the performance
standards.
The identification of SCEs and the setting of
performance standards are important activities during
these pre-operating stages of the project as they provide
the foundation for managing the MAH risk.
Development of a verification scheme for new
construction requires input and co-ordination from a
number of different parties within the duty holder's
organisation, and also from the ICP, design contractors,
fabricators and completions team. The early
engagement of all parties in the process is crucial to a
successful outcome. Particular effort should be made to
ensure that previous operational experience is utilised
during the detailed design and construction phases.
8.2.1

Performance Standards for SCEs

8.2.4

Execution

During the design and construction phase the following

issues need to be considered in executing the
verification scheme:

Major Accident Hazards and SCEs

It is usual to produce a document (MAH / SCE matrix)

listing the SCEs and describing their derivation linkage
to the MAH (See section 5). Where changes to process
plant and equipment are undertaken, a similar document
should be produced identifying the impact on the
existing SCEs of each modification and identifying any
new SCEs resulting from the changes to MAHs (see
Section 9.1).

(i)

Identification
of design
deliverables
for
verification.
Timing of verification submissions for design.
Scope of procurement/fabrication verification
activities.
Scope of verification activities during Hook up
Installation and Commissioning (HUIC).
Verification during start-up activities.
Close-out of Construction (Project) Verification
Scope.

Identification of design deliverables for

verification
It is important that the design deliverables that are
subject to review by the ICP are clearly defined and
agreed as early as possible in the life of the project. This
18

VERIFICATION THROUGHOUT THE ASSET LIFE

process is usually facilitated by a mark-up of the project

Master Document Register (MDR).
Sufficient records should be maintained by the ICP
to ensure that the documentation subject to review for
each SCE is clearly identified and that its status,
together with any associated ICP comment, can be
readily established at any time during the process. The
duty holder may elect to maintain these records himself.
A clear system should be established by the project
to alert the ICP to changes to design documentation
already examined which could affect the determination
of suitability. This will help to avoid any necessity for
examination of successive revisions of documentation
in the future. The system should be subject to ICP audit
and included as part of the overall verification scheme.
(ii) Timing of verification submissions for design
Where possible, design documentation should be
divided into logical packages per SCE in consultation
with the ICP and a schedule for submission/examination
established. This will allow the most effective use of
resources on behalf of the ICP and enable the progress
of the scheme, with regard to the different SCEs, to be
easily established.
It is particularly important that the ICP be given the
opportunity to review and comment on the design early
enough to be in a position to influence any changes
necessary to ensure suitability.

activities should again, be related to the risk of failure of

the SCE to perform and should be agreed between the
ICP and duty holder.
Verification activities during commissioning should
be supported by the issue of specific instructions to ICP
surveyors.
(v) Verification during start-up activities
The project should produce a specific start-up plan for
bringing the new or modified facilities into use. The
purpose of this is to allow the duty holder to manage the
changing MAH and risk profile during this phase of the
project. This should be reviewed by the ICP and
agreement reached with the duty holder with regard to
a schedule for finally establishing suitability for each
SCE. Dependent on the situation, some SCEs will
require to be fully functional (and verified) sooner than
others and equally, "Partial" SCEs are likely to be
required at some stages.
A formal documented process should be established
which allows the duty holder to assess the status of
assurance and verification at each stage of the start-up
process.
(vi) Close-out of Construction (Project) Verification
Scope
At the end of the project, and as part of the handover to
operations, the conclusions of the project verification
scheme should be documented and agreed.
These will include:

(iii) Scope of procurement/fabrication verification

activities
As early as possible within the FEED and detailed
design stages, a procurement register should be made
available to the ICP and agreement reached as to those
items which are to be subject to verification at source
(i.e. at a vendor's works).
The extent of verification activities proposed will
be agreed between the ICP and duty holder and should
relate to the risk associated with failure of each of the
item(s) concerned.
Verification activities at vendors' works or at major
fabrication sites, should be documented by the issue of
specific instructions to ICP surveyors complemented by
a mark-up of the vendor/fabricator's planned inspection
and test schedules to indicate those points where
intervention is required.

The results of the ICP scrutiny of the list of SCEs

and the verification scheme itself.
A completed matrix relating examinations
undertaken to particular SCEs.
Completed and signed off ICP work instructions
issued at each stage.
A statement of any conditions or reservations
expressed by the ICP during the course of the
examinations.
A final statement as to the suitability of the
identified SCEs.

8.3 IN-SERVICE VERIFICATION

Verification of the ongoing suitability of SCEs on
offshore installations begins once they are in operation.
An in-service verification scheme should be prepared
during the construction phase and all interested parties
made familiar with it before the installation is taken into
operation. Those interested parties include:

(iv) Scope of verification activities during HUIC

Prior to commencement of commissioning activities
(either onshore or offshore) the commissioning plans for
SCE systems should be made available for ICP review,
comment and mark-up, to indicate those activities
subject to verification review and the extent of ICP
involvement. The nature and frequency of these

Duty holder's verification engineer/coordinator.

19

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

Technical Authorities within the duty holder and

engineering support organisations.
Representatives from the duty holder's Safety
Engineering department.
Relevant ICPs.

8.3.1

Units entering the UKCS

In the case of an existing installation being taken into

use on the UKCS for the first time, a safety case should
be developed and an associated verification scheme
should be set in place in preparation for the beginning
of the operating period. It will be necessary for such a
scheme to address the 'initial' as well as the 'ongoing'
suitability of the identified SCEs.
8.3.2

8.3.4

ICP Recommendations

In instances where a compromised SCE is identified or

where a PS is inadequately addressed during the
verification process, the ICP report should contain a
clear statement regarding 'continuing suitability' and a
recommendation as to the course of action which should
be adopted by the duty holder.
The verification scheme should contain targets for
initial response times and final close-out times for ICP
recommendations.
It is the duty holder's responsibility to address any
recommendation made by the ICP in order to restore the
affected SCE to the capability stipulated by the PS, in
the most expedient manner.

Scheme revision
8.4 DECOMMISSIONING

Verification schemes should be kept under continuous

review and revised as often as is necessary to keep them
up to date. In addition to periodic reviews a scheme
review should be initiated by changes such as the
following:

Revision of any Codes or Standards referenced in

the scheme.
Modifications to the installation which result in
amendments to the list of SCEs.
Significant revision to the installation Safety Case.
Changes to installation operating parameters.
Changes to environmental conditions.
8.3.3

Reporting

Reports of verification surveys undertaken by ICPs

either onshore or offshore should be presented to the
duty holder's nominated representative in a timely
manner. Each report should provide the duty holder
with a clear representation of the condition of the SCE
and confirmation or otherwise, that the PS has been
fully addressed. It is not sufficient to report 'by
exception' as this does not present a full picture of the
condition of the SCEs.

8.4.1

Review of MAHs.

At least three months prior to decommissioning taking

place, the duty holder should prepare revisions to the
installation safety case and these should be assessed for
any impact on the list of SCEs. These changes would
result from:

A hydrocarbon free environment.

Hazard identification primarily focussed on heavy
construction, lifting and marine operations.
Residual hazards after the decommissioning:
navigational/marine traffic;
environmental/pollution;
seabed/fishing gear.

The amended SCE list will be significantly different

from the operational case and PSs should be revised or
rewritten and a decommissioning verification scheme
produced that will confirm ongoing suitability of SCEs
during key stages of the decommissioning.

9
CHANGE MANAGEMENT
Identification of new SCEs.
Reassessment of existing Performance Standards
and the need for new Performance Standards for
new SCEs.
Need to clearly document project verification
activities for "initial suitability".
Incorporation of changes and modifications into
ongoing operational verification (and maintenance)
regimes with any proposed revisions to SCE
maintenance regimes being reviewed by the ICP.
Involvement of operations and the "Operational"
ICP in project scope.

9.1 MODIFICATIONS
9.1.1

Importance of duty holders' Management

of Change systems

Duty holders should have a documented and effective

process for the management of change and
modifications to platform systems, components or
structures. Responsibility and/or accountability of
individuals within the duty holder's organisation for the
various functions within the change process should be
clearly defined. Changes directly affecting SCEs or
impacting on SCE functions in managing risk should
provide for update of any formal risk assessments where
appropriate. The process should make explicit reference
to the involvement of the ICP in all modifications which
impact upon existing SCEs or the creation of new
ones. The 'management of change' document should be
controlled by the duty holder and referenced in the duty
holder's verification scheme.
9.1.2

9.2 TEMPORARY EQUIPMENT

9.2.1

Temporary equipment impact on SCEs

Duty holders should have a documented process in

place to demonstrate their intention and ability to
manage the transportation and use of temporary
equipment and in particular, equipment which adds to or
impacts upon the list of SCEs. This process should be
referenced in the Verification Scheme for each
installation.

Need for SCE Impact study

During the assessment of individual modifications, it is

important to have a thorough understanding of the
original MAH identification and the philosophies for
prevention, mitigation and control. All modifications
should be assessed to establish their impact on the
existing list of SCEs or if they create additional SCEs.
For those modifications which are confirmed to have
safety critical content, the following aspects need to be
considered:

9.2.2

Performance Standards for temporary

equipment

Performance Standards should be established for items

of temporary equipment in all cases where the existing
PS applicable to the installation is either inadequate or
inappropriate.
21

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

9.2.3

The installation verification scheme should identify the

nature and frequency of assurance and verification
activities associated with temporary equipment; these
should include:

Assurance and verification activities for

temporary equipment

Temporary or portable equipment for use on an offshore

installation should be subject to appropriate assurance
and verification activities if:

Examination of equipment prior to shipment.

Witnessing of testing prior to shipment.
Review of manufacturers' / suppliers' records /
certification.
Examination of equipment offshore.
Auditing of the management processes and records
held:
by the duty holder onshore and offshore;
by the Shipping/Forwarding contractor.

The equipment in itself creates an addition to the

platform list of SCEs (e.g. demountable drilling
equipment not permanently held on the
installation).
The equipment impacts on any of the existing
platform SCEs:
by virtue of the planned location on the
installation (e.g. engine driven generator/
compressor required to operate in a designated
hazardous area);
by virtue of the proposed application (e.g. well
intervention equipment once it becomes part of
the reservoir pressure envelope).

Comprehensive records should be maintained by the

duty holder to confirm adherence to the process. These
records should be available to the ICP.

22

10
REFERENCES AND
GLOSSARY OF TERMS
10.2 GLOSSARY OF TERMS

10.1 REFERENCES OF FURTHER

INFORMATION
List of references and further information sources from
HSE, UKOOA and EI:

FEED
HUIC
ICPs
MAHs
MDR
OSCR
PFEER

A Guide to the Offshore Installations (Safety Case)

Regulations 2005 (HSE, 2006)
Prevention of Fire and Explosion and Emergency
Response on Offshore Installations - Approved
Code of Practice and Guidance (HSE, 1997)

PSs
SCEs
UKOOA

Asset Integrity Toolkit (UKOOA, 2006)

23

Front End Engineering Design

Hook Up, Installation and Commissioning
Independent Competent Persons
Major Accident Hazards
Master Document Register
Offshore Safety Case Regulations
Prevention of Fire and Explosion and
Emergency Response Regulations
Performance Standards
Safety Critical Elements
UK Offshore Operators Association

GUIDELINES FOR THE MANAGEMENT OF SAFETY CRITICAL ELEMENTS

24

Energy Institute

This publication has been produced as a result of

61 New Cavendish Street

work carried out within the Technical Team of the

London W1G 7AR, UK

Energy Institute (El), funded by the El's Technical

Partners. The El's Technical Work Programme

t:+44 (0)20 7467 7157

provides industry with cost effective, value adding

f: +44(0)20 7255 1472

knowledge on key current and future issues

e: pubs@energyinst.org.uk

affecting those operating in the energy sector,

www.energyinst.org.uk

both in the UK and beyond.

ISBN 978 0 85293 462 3

Registered Charity Number 1097899