SCEmanagementmanualep2009-9009


Shell Exploration & Production

Safety Critical Element Management Manual

Operational Excellence Delivering Continuous Performance Improvement

Restricted

EP 2009-9009

Second Edition


Restricted EP 2009-9009

Safety Critical Element Management Manual

Reviewed by: EPT Global Technical Integrity Team

Approved by: Global Discipline Head Maintenance and Integrity (EPT-O-TFMI)

Date of issue: February 2009

ECCN number: Not subject to EAR - No US content

This document is classified as Restricted. Access is allowed to Shell personnel, designated Associate Companies and Contractors working on Shell projects who have signed a confidentiality agreement with a Shell Group Company. 'Shell Personnel' includes all staff with a personal contract with a Shell Group Company. Issuance of this document is restricted to staff employed by a Shell Group Company. Neither the whole nor any part of this document may be disclosed to Non-Shell Personnel without the prior written consent of the copyright owners.

Copyright 2009 SIEP B.V.

SHELL INTERNATIONAL EXPLORATION AND PRODUCTION B.V., RIJSWIJK

Further electronic copies can be obtained from the Global EP Library, Rijswijk.


Contents

Introduction
The business context
Key terms
Roles and responsibilities
SCE Management tools
Overview of the SCE Management process
SCE Management through the Asset life cycle
The SCE Management process
1. Identify SCEs and performance standards
1.1 Identify the Major Hazards
1.2 Identify barriers and SCE groups
1.3 Identify SCEs in Asset Register
1.4 Define Operate phase performance standards
1.5 Upload SCE information into the CMMS
2. Align with maintenance strategies
2.1 Align maintenance strategy with assurance tasks
2.2 Prepare performance assurance tasks
2.3 Upload to the CMMS
2.4 Set up FSR
3. Execute performance assurance activities
3.1 Prepare, schedule and execute work
3.2 Record results
3.3 Analyse results
3.4 Identify SCE performance assurance task backlogs
4. Manage deviations
4.1 Perform risk assessment
4.2 Identify mitigating actions
4.3 Execute mitigating actions
4.4 Review and approve deviation
5. Analyse and improve
5.1 Status reporting
5.2 Review and improve status
Appendix 1 - Link to the EP Business Model
Appendix 2 - SAP specific requirements
Appendix 3 - Guidance on SCE groups and minimum performance assurance levels
Appendix 4 - FSR specific requirements
List of acronyms/abbreviations


Introduction

The objective of this manual is to describe the Globally mandated process which is applied during an Asset’s Operate phase to:

• provide assurance that the physical hardware barriers (SCEs) are in place and working to prevent initiation or escalation of major incidents or, if they are not, that risks are appropriately assessed and mitigating actions taken

• provide transparency and visibility of the management of SCE performance assurance

• standardise the processes and use of the available supporting tools.

This manual covers those activities within the EP Business Model processes EP.64 (Design, Construct, Commission, Modify and De-Commission Facilities), EP.65 (Execute Operations Readiness and Assurance Activities) and EP.72 (Maintain and Assure Facilities Integrity) which are used to manage the Safety Critical Elements (SCEs). It is also applicable to wells SCEs, since the custody of wells is the responsibility of the Production organisation during the Operate phase.

The activities are:

• identification of SCEs

• development of Operate phase elements of performance standards and performance assurance tasks

• alignment of performance assurance tasks with other planned maintenance routines

• identification, control and close-out of non-conformances through a deviation management process

• reporting of deviation status.

The term ‘SCE Management’ covers the method of providing workable, sustainable, measurable and standardised processes and tools to assure the performance of SCEs to demonstrate that these hardware barriers are in place and effective.

In all other sections, ‘shall’ and ‘should’ have the following meanings.

The word ‘shall’ indicates a mandatory requirement governed by this manual.

The word ‘should’ indicates a recommendation or guideline.

Shell’s Group Asset Integrity Process Safety Management Standard requires that, “Businesses shall define, comply with and manage deviations from performance criteria for all identified hardware barriers critical to Asset Integrity Process Safety”. The implementation of this requirement in EP is further defined in the Technical Integrity Framework (EP.03.ST.04).

Following the requirements of this manual will ensure compliance with the SCE Management aspects of the Technical Integrity Framework during an Asset’s Operate phase. However, legislative requirements may demand that additional measures shall be put in place. An overview of how this manual interfaces with other EP manuals, guides and systems is shown in Figure 1 and the relationship with the EP Business Model is given in Appendix 1. The description of the SCE Management process has been divided into five sections. These sections provide an overview of the process, highlighting the main requirements and explaining why these are important to the success of the process and the business.

There are also appendices which provide more detailed information on particular aspects of the process. These are included at the end of this manual. Further reference material, such as Global Performance Standard Templates, is accessible through Shell Wikipedia in SWW.


Figure 1: Group/EP Asset integrity document structure

[Figure 1 diagram. Labels recoverable from the figure:]

Organisation levels: Shell Group; Shell EP

Standards - Asset Integrity - Process Safety Management

Manuals - Design and Engineering Manuals (DEMs), Asset Integrity - Process Safety Management Transition and Application Manuals

Frameworks - EP HSE Framework, Technical Integrity Framework

EP-BMS ‘Develop’ phase and EP-BMS ‘Produce’ phase processes: EP.63 Wells; EP.64 Engineering; EP.65 OR&A; EP.71 Produce; EP.72 Maintain and Assure (with Design Integrity, Technical Integrity and Operating Integrity labels)

Supporting documents: Well Standard; Well Design and Engineering manuals; Well guides; Engineering Standard; Design and Engineering manuals (defer to Group); Engineering guides

Operational Excellence Standard: Vol 1 Overview - EP 2008-9002; Vol 2 Methodology - EP 2008-9003; Vol 3 Review - EP 2008-9004; Vol 4 Improving Performance - People - EP 2008-9005, Process - EP 2008-9006, Plant - EP 2008-9007, Production - EP 2008-9008

Specific reference to: Operational Integrity - Field Operations content; Technical Integrity - Work Preparation, Scheduling and Execution content - Safety Critical Element Management Manual content

Vision: “Our Assets are safe, and we know it”


The business context


Effective management of all Assets’ Technical Integrity is a fundamental part of the business and a key area for continuous improvement across the whole of EP. Technical Integrity is defined as follows:

Integrity of an Asset is achieved when, under specified operating conditions, the risk of failure occurring which would endanger the safety of personnel, the environment or Asset value is tolerable and has been reduced to as low as reasonably practicable (ALARP).

The EP Technical Integrity Framework provides the basis for managing Technical Integrity and specifies that Engineering is responsible, with Operations input, for establishing Technical Integrity in the design of a project or change whilst Operations is responsible for safeguarding the Technical Integrity during operation. This is applicable to wells, pipelines and Facilities and can only be achieved by being properly addressed in all phases of the Asset life cycle, i.e. Identify and Assess, Select, Define, Execute, Operate and Abandon. Whilst Technical Integrity is maintained by, amongst other things, defining and carrying out routine operational, maintenance and inspection activities, it is important to be able to highlight those relating to SCEs and, specifically, their performance assurance tasks. Hence, the SCE Management process starts early in the project design process, continues through the Operate phase and, as appropriate, into the Abandon phase.

Effective SCE Management is an important competency for all key staff involved in the Asset life cycle. Shell Competency Based Development profiles are updated to reflect the competency requirements as per the criteria set by the Technical Integrity Framework.

Key terms

There is a list of acronyms/abbreviations on page 51. However, it is important that the following terms are clearly understood prior to reading this manual.

HEMP

The Hazards and Effects Management Process (HEMP - EP 2005-0300-ST) identifies and assesses HSE hazards, implements control and recovery measures, and maintains a documented demonstration that major HSE risks have been reduced to a level that is as low as reasonably practicable (ALARP) throughout the Asset life cycle.

Major Hazard (severity 5 or red risk)

Those hazards, i.e. substances, activities, operations or conditions which are assessed as having a consequence severity of 5 or risk ranking of red, as defined in the Group ‘Risk Assessment Matrix’ (RAM).

Safety Critical Element (SCE) (also known as ‘HSE Critical Element’)

An item of equipment or structure whose failure could lead to the release of a Major Hazard or whose purpose is to prevent or limit the consequences of a major incident, excluding business loss. The term SCE has the same meaning as the term HSE Critical Element, as used in the EP 2005-0310-ST HSE case standard and in the EP 2005-0100-SP-01 HSE glossary of definitions.

Note

The SCE Management processes described in this manual only deal with hardware and equipment related software or logic systems, e.g. hydrocarbon containment systems, primary structures, fire and gas detection and protection, separation distances, evacuation systems, and do not include safety management systems, processes and procedures.


Performance standard (PS) for Operate phase

A statement, which can be expressed in qualitative or quantitative terms, of the functional performance required of a system or item of equipment, and which is used as the basis for managing the risk from the Major Hazards.

Deviation

An approved non-compliance of the mandatory requirements of a procedure, standard or specification. In this manual, this is applied to assurance and safety critical corrective and preventive work orders which will not be or have not been carried out by the due date.

CMMS

Throughout this document, CMMS is used to refer to the Computerised Maintenance Management System, which in most Operating Units is the plant maintenance and other modules of SAP. The principles of this manual equally apply to any CMMS although some terms used may have meanings specific to SAP. Appendix 2 includes requirements specific to the use of SAP as the CMMS.

Roles and responsibilities

The following are the three key roles in the SCE Management process.

• Project Managers have single point accountability for establishing Technical Integrity in the Asset’s project phases.

• Asset Managers have single point accountability for safeguarding Technical Integrity of their Assets for the Operate and, as appropriate, Abandon phases. They are also accountable for ensuring that the Technical Integrity of existing Assets is maintained at a tolerable level, both in terms of the physical hardware and supporting processes.

The Project and Asset Managers are jointly accountable for successfully managing the transition from the Asset’s project phases to the Operate phase.

• Technical Authorities are responsible for providing discipline specific technical advice and support to the Project and Asset Managers and are the owners of the performance standards for their assigned SCE groups. Technical Authorities will be identified in accordance with the EP Discipline Controls and Assurance Framework (DCAF).

SCE Management tools

The following mandatory tools (see boxed note) shall be used in EP for managing and reporting the SCE Management process during an Asset’s Operate phase.

• CMMS - for managing the tasks and results recording.

• Total Reliability (TR) Measures dashboard - for performance indicator reporting and trending.

• Facilities Status Reporting (FSR) tool - for status reporting and deviation management.

These tools shall be established by the project team during the Asset’s Execute phase and operated and maintained during the Asset’s Operate phase.

However, in some specific cases, performance assurance task results may be best recorded outside of the CMMS. This should only be considered if the assurance task outcome, i.e. pass/fail, requires evaluation of multiple variables, e.g. assessment of a pressure vessel’s suitability for continued service or assessment of wells against the well failure model. Where it is agreed that results are recorded outside of the CMMS, the following conditions shall be met.

• The performance assurance task execution is managed (planned, prepared, scheduled and task completion recorded) in the CMMS.

• The results are recorded in a tool which has adequate change, access and other controls and is approved by EP’s IT organisation, e.g. PACER, eWIMS.

• Failed performance assurance tasks initiate a follow-on corrective notification in the CMMS, preferably through an interface between the application and the CMMS.


• The mandatory SCE Management tools require accurate and timely data in order to function effectively, and each OpCo should implement adequate data and document control processes to ensure that relevant master data is created and recorded properly, that transactional data is accurate and timely, and that effective change management of data and documents (including an audit trail) is in place.

Note

In this context mandated process/tool in EP means:

• no alternative tool or process development is allowed

• the process and tools are consistent with mandated/non-mandated sub-elements

• if no existing tool/process is in place the mandated process and tools shall be implemented

• a tool can only be mandated if the underlying process is mandated

• implementation date of the mandated process and tools is flexible (to recognise that it could be dependent on other pre-requisites being in place, or transition from existing tool) but shall be aligned with Global targets

• mandated tool or process is signed off by relevant Global discipline head

• step-outs, i.e. no tool, are few and agreed at senior level (VP Production Engineering and VPP Region) only when:

o it does not make business sense to use the tool, e.g. size of venture, future of venture, implementation cost outweighs benefits, and

o the mandated process, including data collection requirements, can be met without using the tool.

The mandate for this SCE Management process and tools was agreed by EP’s Maintenance and Integrity Discipline Leadership Team (MIDLT).

Overview of the SCE Management process

The SCE Management process summarised in Figure 2 is divided into five sections, each of which is outlined below and described in more detail later in the manual.

Figure 2: SCE Management process - overview

[Figure 2 flow: 1 Identify SCEs and performance standards; 2 Align maintenance strategies; 3 Execute assurance activities; 4 Manage deviations; 5 Analyse and improve]

1. Identify SCEs and performance standards

Major Hazards are identified during the HEMP and developed into the bow-tie models to show the escalation, consequences and barriers which are required to manage the hazards. All resultant SCEs have their specifications defined to establish integrity during the project and their Operate phase performance standards defined for project handover and subsequent safeguarding of integrity.

The end result is a package of approved SCEs identified in the Asset Register with Operate phase performance standards.

2. Align maintenance strategies

The SCEs, performance standards and performance assurance tasks are brought together with the outcome of the risk and reliability management (RRM) studies to determine the tasks, their frequencies and to embed them into the planned maintenance routines within the CMMS.

3. Execute performance assurance tasks

The SCE’s performance assurance tasks are carried out to check whether the SCEs are functioning correctly and to identify corrective actions, where required. The essential supporting maintenance process is detailed in the Work Preparation, Scheduling and Execution Process Guide (EP 2006-5445).

The outcomes are completed performance assurance tasks, recorded results, follow-on work initiated for failed performance checks and performance assurance tasks that have not been completed on time.

4. Manage deviations

The risks associated with a backlog of assurance and safety critical work orders are properly assessed, authorised and appropriate mitigating actions taken to maintain control of the risks.

5. Analyse and improve

The status of the hardware barriers and performance assurance tasks are made readily available to operating staff to enable management of the ongoing conformance of SCEs with their performance standards. This stage provides the visible demonstration that the SCEs are functioning correctly or that non-conformances are managed through deviations.


SCE Management through the Asset life cycle

During an Asset’s life, the integrity is established by the project team and safeguarded by the operating team. The points at which key deliverables in the SCE Management process are completed are shown against each phase of the Asset life cycle in Figure 3.


Figure 3: SCE Management process in Asset life cycle

[Figure 3 diagram. Labels recoverable from the figure:]

Asset life cycle phases: Identify and Assess; Select; Define; Execute; Operate

Deliverables, in the order they appear in the figure:

• Formulate and evaluate development options
• Review development options
• Initial operations assessment
• Formulate and evaluate concept
• Initial HEMP analysis for each option (HAZID)
• Review proposed concept - demonstrate ALARP
• Operations philosophy development
• Front End Engineering Design (FEED)
• HEMP analyses for FEED - bow-ties
• SCE group determination
• Operation envelope definition
• Design performance standards
• Design safety case
• Basis for design
• Detailed Facilities design
• Refined HEMP analyses with specific bow-ties
• SCE identification in Asset register and loading into CMMS
• Refined design performance standards and assurance measures
• Operate phase performance standards and assurance measures
• Maintenance routines including frequency loaded into CMMS
• Operations safety case
• Construct Facilities and execute OR&A plan
• Commission and handover to Asset owner
• Manage SCE performance assurance tasks and measures
• Deviation control
• SCE Status and KPI reporting
• Management of Change process

Markers shown: VAR2, VAR3, VAR 4, PSUA

PSUA = Pre start-up audit

The SCE Management process

1. Identify SCEs and performance standards
1.1 Identify the Major Hazards
1.2 Identify barriers and SCE groups
1.3 Identify SCEs in Asset Register
1.4 Define Operate phase performance standards
1.5 Upload SCE information into the CMMS

2. Align with maintenance strategies
2.1 Align maintenance strategy with assurance tasks
2.2 Prepare performance assurance tasks
2.3 Upload to the CMMS
2.4 Set up FSR

3. Execute performance assurance activities
3.1 Prepare, schedule and execute work
3.2 Record results
3.3 Analyse results
3.4 Identify SCE performance assurance task backlog

4. Manage deviations
4.1 Perform risk assessment
4.2 Identify mitigating actions
4.3 Execute mitigating actions
4.4 Review and approve deviation

5. Analyse and improve
5.1 Status reporting
5.2 Review and improve status


1. Identify SCEs and performance standards

The purpose of this section is to ensure that all hardware barriers which are necessary to control Major Hazards are identified and their SCEs, associated performance standards and performance assurance tasks are defined.

The process starts during the Asset’s Select phase, in which the EP best practice (also known as generic) bow-ties are used for preliminary selection of SCEs. This is followed by an initial outlining of their performance requirements, which should be based on generic performance standards (to establish Technical Integrity) and the Operate phase performance standard templates (to safeguard Technical Integrity). The results are incorporated in the Technical Integrity Plan, which is a Select phase deliverable. At this time, the design specific values for the performance requirements will only be defined to the extent necessary to assure alignment with Operation’s needs, which are established through OR&A activities.

During the Asset’s Define phase, the basis of design (BoD) is developed, incorporating and refining key criteria from the performance standards. The BoD is used during the FEED to develop a conceptual design that will be developed further as the project goes through subsequent phases.

During the project Execute phase, the detailed design specifications are developed and the SCE Operate phase performance standards are completed with the Asset specific performance values. These SCE Operate phase performance standards are used for acceptance during commissioning and are subsequently maintained during the Asset’s Operate phase.

During an Asset’s Operate phase it may be necessary to improve the SCE identification and establish or update performance standards. In this case, the starting point is the HSE case in which the SCEs and their outline performance requirements should be identified.

Risk and Reliability Management (RRM) is a suite of risk assessment processes which establish the optimised approach to maintaining and inspecting hardware to meet the business objectives. This combines the Reliability Centred Maintenance (RCM), Risk Based Inspection (RBI) and Instrumented Protective Function (IPF) methodologies. The process is described in more detail in the Risk and Reliability Management Process Guide (EP 2007-9010).

The end product of this section is a package of approved SCEs and Operate phase performance standards with performance assurance tasks and acceptance criteria that can be used as a basis for developing or adjusting planned maintenance routines.


Tools

• HSE Case (EP 2005-0310-ST).

• EP Hazards and Effects Management Process (EP 2005-0300-ST).

• Bow-Ties (EP 2005-0300-SP-02).

• Group HSE Manual ‘Risk Assessment Matrix’ 2006, Yellow Guide.

• Plant Maintenance Data Minimum Standard (EP 2007-5614).

• Engineering Information Specification (EIS) (DEP 82.00.10.30-Gen).

• MIE Toolkit (available on Shell Wiki; search term = MIE).

Measures listing

Number: 13.P.01
Measure: SCEs with performance standards in place and aligned with Safety Critical Tasks in the CMMS
Industry Average: 70%
Top Quartile: 100%
Tracking Frequency: Annually

Best in class standard

• All Assets have an HSE case that identifies the Major Hazards and related hardware barriers necessary for the Asset, derived from the HEMP.

• All SCEs have been identified in the Asset Register at the appropriate level of granularity, and classified into the most relevant SCE group.

• Performance standards are in place for all SCEs and are approved by the relevant Technical Authority.

• Specific, measurable acceptance criteria are recorded for SCEs which have quantitative performance assurance tasks.

• Any changes to SCEs and their performance standards (additions, removal and modification) are managed through the management of change process.

• The SCEs and performance standards are reviewed and updated every five years.

Process map

1.1 Identify the Major Hazards
1.2 Identify barriers and SCE groups
1.3 Identify SCEs in Asset Register
1.4 Define Operate phase performance standards
1.5 Upload SCE information into the CMMS


1.1 Identify the Major Hazards

This activity is started during the Asset’s Select phase, in which the initial risks are identified, leading to the controls (barriers) which are required. SCE group identification and performance requirements are identified using best practice bow-ties. This is continued during the Asset’s Define and Execute phases, during which the detailed process design for the selected concept is completed, equipment is specified, and the Asset Register built. The risk studies for the final design will be documented in the Design HSE case, and following project completion will be further refined into the final Operations HSE case.

HEMP provides the framework for managing the major HSE risks to be tolerable and ALARP, and for identifying the controls needed to manage the residual risk. During the process, various HSE studies are undertaken and risks identified, minimised and recorded in the risk register which is ultimately documented in the HSE Case (EP 2005-0310-ST).

As part of the HEMP, Major Hazards are identified using the Risk Assessment Matrix shown in Figure 4 and described in more detail in the Group HSE Manual for Risk Assessment Matrix. Note that Major Hazards which would lead solely to a consequence of ‘business loss’, i.e. loss of revenue, shall not be considered when identifying SCEs.


Figure 4: Risk Assessment Matrix

[Figure 4 matrix. Labels recoverable from the figure:]

CONSEQUENCES, by Severity 0 to 5:

People: No injury or health effect; Slight injury or health effect; Minor injury or health effect; Major injury or health effect; PTD or up to 3 fatalities; More than 3 fatalities

Assets: No damage; Slight damage; Minor damage; Moderate damage; Major damage; Massive damage

Environment: No effect; Slight effect; Minor effect; Moderate effect; Major effect; Massive effect

Reputation: No impact; Slight impact; Minor impact; Moderate impact; Major impact; Massive impact

INCREASING LIKELIHOOD, A to E:

A: Never heard of in the industry
B: Heard of in the industry
C: Has happened in the Organisation or more than once per year in the industry
D: Has happened at the Location or more than once per year in the Organisation
E: Has happened more than once per year at the Location

Label on the matrix: Major Risk Area


Examples of Major Hazards are:

• condensate

• sea states

• collisions/allisions.

Examples of major incidents are:

• major fire or explosion resulting in more than three fatalities

• crude oil spillage resulting in pollution of a large part of a river estuary and requiring extensive clean-up and remediation measures

• collision of helicopter, ship, road or rail tanker with the installation, resulting in a major incident.

Where the HEMP identifies Major Hazards, bow-tie models (see Figure 5) are required to be developed to:

• identify the potential Major Hazard release, escalation and consequence scenarios

• identify the controls, i.e. barriers and escalation factor controls, required to effectively manage these hazards to be tolerable and reduced to ALARP. The controls relevant to this manual are:

o the SCEs

o an outline of the SCE’s performance requirements

o an outline of the HSE critical tasks (i.e. the performance assurance tasks).

For further details on bow-ties, refer to EP 2005-0300-SP-02.


Figure 5: Bow-tie model

Diagram labels: Hazard; Top event; Threat 1, Threat 2, Threat 3; Barrier; Escalation factor; Escalation factor control; Consequence 1, Consequence 2, Consequence 3; HSE critical elements; HSE critical tasks (Engineering, Maintenance, Operation).


1.2 Identify barriers and SCE groups

This section describes the roles and hierarchy of barriers, hardware barriers and SCE groups, which start to be used during the early project phases and continue into the Operate phase.

Barriers

The role of a barrier is to prevent or limit the consequences of a major incident. Barriers may be:

• design features, e.g. separation distances

• hardware, e.g. pressure relief valve, fire detection system

• processes, e.g. lock out/tag out

• operational intervention tasks, e.g. plant monitoring/shutdown.

This manual covers only the management of critical hardware barriers, whilst the other barriers are covered in HSE and other management systems.

Hardware barriers

Hardware barriers for Major Hazards are high level groupings of SCEs used for reporting purposes. There are eight hardware barriers as depicted in the ‘Swiss cheese model’, shown in Figure 6, which represent the two sides of the bow ties. Only those barriers identified from the bow-tie model are relevant to an Asset.

The hardware barriers are depicted with a number of small holes that represent a design flaw or some potential degradation of their performance. On their own, these degradations may not be significant but, if the holes line up, there may be no effective barriers in place between safe operations and escalating consequences, leading to a major incident.

The illustration is used to show the importance of maintaining and knowing the integrity status of all the hardware barriers, so that what might be considered to be relatively small faults in individual barriers do not combine together in an unforeseen manner that compromises the ability of the barriers to prevent or control a major incident.

SCE groups

Each hardware barrier is sub-divided into SCE groups, for reporting and management purposes, although SCE groups are only relevant to an Asset if corresponding HSE critical elements are identified from the bow-tie model. These groups are defined by their function in ensuring the barrier remains in place (they are not defined by location, equipment type, medium or service, construction type or TA responsibility). The SCE groups are listed against their respective barrier in Figure 6 with more detail about SCE groups and examples of SCEs provided in Appendix 3.

The SCE groups are defined on a Global basis and additions or changes shall be authorised by the owner of this document.

It is not necessary for all eight barriers to fail to lead to a major incident. For example, failure of a single barrier such as structural integrity or process containment may lead directly to a major incident.


Figure 6: Hardware barriers and SCE groups

The figure shows the eight hardware barriers in sequence ahead of ‘Escalating consequences’, each with its SCE groups:

Structural integrity
• SI001 Structures Subsea/Vessel Hull/GBS/Foundation Structures
• SI002 Topside Structures
• SI003 Heavy lift cranes and mechanical handling equipment
• SI004 Bilge, ballast and cargo management systems
• SI005 Road vehicles
• SI006 Mooring Systems
• SI008 Drilling Systems

Process containment
• PC001 Pressure Vessels
• PC002 Heat Exchangers
• PC003 Rotating Equipment
• PC004 Tanks
• PC005 Piping Systems
• PC006 Pipelines
• PC007 Relief System
• PC008 Operational Well Containment
• PC009 Fired Heaters
• PC010 Gas Tight Floor Walls (Offshore only)
• PC011 Tanker Loading Systems – Floating Production Storage Offtake (FPSO) Unit only (TANDEM)
• PC012 Helicopter Refuelling Systems
• PC013 Well Intervention/Well Control Equipment

Ignition control
• IC001 Hazardous Area Ventilation
• IC002 Non-hazardous Area Ventilation
• IC003 Certified Electrical Equipment
• IC004 Cargo Tank Inert gas System
• IC005 Earth Bonding
• IC006 Fuel Gas Purge System
• IC007 Inert Gas Blanket System
• IC008 Miscellaneous Ignition Control Components
• IC009 Flare Tip Ignition Systems

Detection systems
• DS001 Fire and Gas Detection
• DS002 Security Systems
• DS003 Water in Condensate (gas dew point) measurement

Protection systems
• PS001 Deluge Systems
• PS002 Fire and Explosion Protection
• PS004 Fire Water Pumps
• PS005 Fire water Ring Main and Other Distribution Systems
• PS006 Passive Fire Protection
• PS007 Gaseous Fire Protection Systems
• PS008 Fine Water Spray (FWS) Systems
• PS009 Sprinkler System
• PS010 Power Management System
• PS011 Fixed Foam Systems
• PS012 Sand Filters
• PS013 Chemical Injection Systems
• PS014 Navigation Aids
• PS015 Collision Avoidance Systems
• PS016 Metocean Data Gathering Systems

Shutdown systems
• SD001 Emergency Shutdown System
• SD002 Depressurisation System
• SD003 High Integrity Pressure Protection Systems (HIPPS)
• SD004 Operational Well isolation
• SD005 Pipeline Isolation Valves
• SD006 Process Emergency Shutdown Valves (ESDVs)
• SD007 Subsea Isolation Valves (SSIVs)
• SD008 Drilling Well Control Equipment
• SD009 Utility Air

Emergency response
• ER001 Temporary Refuge/Primary Muster Areas
• ER002 Escape and Evacuation Routes
• ER003 Emergency/Escape Lighting
• ER004 Communication Systems
• ER005 Uninterruptible Power Supply (UPS)
• ER006 Helicopter Facilities
• ER007 Emergency Power
• ER010 Drain systems

Life saving
• LS001 Personal Survival Equipment (PSE)
• LS002 Rescue Facilities
• LS003 Lifeboats/TEMPSCs
• LS004 Tertiary Means of Escape (Offshore only)


1.3 Identify SCEs in Asset Register

SCE

Every SCE (the actual piece of hardware) belongs to at least one SCE group, the most appropriate of which shall be identified in the Asset Register along with the relevant SCE group reference. Some details about SCEs, examples and their allocation to SCE groups are provided in Appendix 3.

In cases where more than one SCE group may be relevant to a single SCE, only one can be assigned in the Asset Register. In these cases, a judgement must be made on the most appropriate SCE group to select. This should take into account the prime function of the item and likely failure modes as well as the maintenance and/or inspection that will be applied to the item and hence how any failure would be detected. For example:

• a process isolation ESD valve could conceivably be safety critical in terms of its hydrocarbon containment role (PC005) and its role as an ESD system end element (SD001). However, its prime role is to be able to close to isolate process inventories and, therefore, the most appropriate SCE group for it to be assigned to would be SD006 (Process ESD valve)

• a certified junction box within a fire and gas system loop could be assigned DS001 fire and gas detection. However, as it is passive in its fire and gas functionality and its most likely failure mode would be of its EX classification, it would be more appropriate to assign it to IC003 (certified electrical equipment).

Note that assigning an SCE group in the Asset Register is used only for reporting purposes. It should not preclude any other relevant performance assurance tasks being assigned to the SCE.

The decision tree in Figure 7 shall be used to determine SCEs by considering whether the system or equipment is linked to the HSE bow-ties in any way and using the output of any RRM or RAM assessments.

At the conclusion of the SCE identification process, the reasons for the decision to allocate (or to not allocate) the SCE shall be properly recorded.

Once the SCEs, SCE group performance standards and the performance assurance levels have been identified from the previous step, they shall be identified in the Asset Register. During the project Define phase this is done in the project Asset Register and from the Asset’s Execute phase onwards, the master Asset Register shall be held in the CMMS.

SCEs and the performance assurance task level

During this step, all SCEs shall be identified in the Asset Register (functional locations in SAP) with the relevant SCE group and flag indicating:

• those against which the performance assurance task will be managed (examples are given in section 1.3)

• those which are not specifically linked to the performance assurance task but whose performance is tested during that task (examples may be gas detection head, emergency light fitting, fire pump starter motor).

Note that items in the Asset Register which are below an SCE in the hierarchy are only SCEs if their failure could directly contribute to the hardware barrier being ineffective. It is, therefore, important that the identification of SCEs is not automatically inherited by all Assets below a given SCE.


Figure 7: SCE Identification decision tree

Questions in the decision tree (each with Yes/No branches leading to an outcome of SCE or Non-SCE):

Q1. Does the system or equipment belong to any of the SCE groups shown in the HSE case bow tie?

Q2. Is the system or equipment in line with the hazard scenarios in the HSE case hazard register for Major Hazards?

Q3. Has the system or equipment been subject to a credible RRM assessment?

Q4. In RAM assessment, is the system or equipment criticality at severity 5 or red risk? (Yes, i.e. risk is 5A, 5B, 5C, 5D, 5E, 4D, 4E or 3E.)

Branch labels for the RRM assessment results:

• S-RCM criticality class: Criticality is High (H) or Extreme (E); Criticality Negligible (N), Low (L), Medium (M) or Medium High (MH)

• S-RBI criticality class: Criticality is High (H) or Extreme (E); Criticality Negligible (N), Low (L), Medium (M) or Medium High (MH)

• SIFPro SIL level: SIL >= 1; SIL = a1 or a2


1.4 Define Operate phase performance standards

The performance requirements developed during the first activity (see section 1.1) provide the starting point for refining them into Asset specific Operate phase performance standards. These shall include acceptance criteria that the SCEs must meet and shall be developed in detail to enable the practical verification that all hardware barriers are in place and effective. They are initiated during the Asset’s Define phase and finalised with specific performance requirements and performance assurance tasks during the Execute phase as part of the detailed design. These are the SCE performance standards to be used and maintained during the Asset’s Operate phase.

The performance standards should not be confused with either the design specifications required to establish Technical Integrity or the preventive maintenance strategy required for the maintenance of equipment, e.g. lubrication. They specifically cover only the tasks necessary to validate that SCEs perform the function necessary for the barrier to be effective.

Define performance assurance level

When defining the Operate phase performance standards, it is important to consider how the performance assurance task will be carried out in practice during the Operate phase and to apply it at the appropriate level in the Asset hierarchy. Appendix 3 details the minimum level of granularity at which:

• the performance standards, performance assurance tasks and acceptance criteria shall be set, and

• the results shall be recorded.

The following are some examples which are also shown in Figure 8.

Performance standards and acceptance criteria are set at anything from a system and/or area to an individual maintainable item. Examples are:

• at system level:

o fire detection system

o emergency escape lighting system

o fire water pump system

o piping system or sub-system.

• at item level:

o pressure vessel containing hydrocarbon

o pipeline emergency valve

o electrical motor operating in a potentially hazardous area

o emergency generator.

Figure 8: Performance assurance level in Asset hierarchy (functional location structure)

Asset hierarchy (functional location structure), from the highest to the lower and more granular level, with the example assurance task ‘level’:

Site
Plant
System/area | Fire and gas detection; Emergency escape lighting; Piping sub-system for hydrocarbon; Passive fire protection
Package/skid | Fire water pump skid; Emergency generator
Individual tag | Pressure vessels for hydrocarbon; Emergency shutdown valves; Certified electric motors

Results are specified as either a yes/no confirmation of an acceptance criteria being met or a specific quantitative measured value.

• Examples of yes/no confirmation:

o emergency escape lighting checks for a system/area

o fire water pump functional check.

• Examples of measured values:

o ESD valve closure time

o relief valve lift pressure.

Performance assurance tasks may be set at more detailed levels, i.e. lower levels in the Asset hierarchy. However, the benefit in the increased granularity of the performance assurance must be weighed against the additional work in recording the results. Appendix 3 has been created primarily for use on existing Assets whereas new Assets will generally define performance standards and record results at a more detailed level. It is also possible that planned maintenance routines developed by the RRM analyses required for reliability management purposes are more detailed than those for SCE Management and would, therefore, also lead to a more detailed approach.

Where assurance tasks are being managed at a system level, the SCE group of the system should be the same as the ‘child’ items for which the tasks are being set. Otherwise the results of the assurance tasks cannot be properly monitored/allocated to the correct SCE group and deviations potentially allocated to the incorrect reviewers.

Select Global performance standard template

When the appropriate performance assurance level has been determined, the next step is to select the correct Global Operate phase performance standard template for the SCE group. These templates are Globally applicable, but can be modified by each Operating Company to add detail or clarification, provided that the functional criteria is not changed. They are formatted to comply with the requirements of the CMMS (and specifically SAP) in terms of minimum assurance tasks, assurance measures, assurance value and units of measure. An example of a Global performance standard template is given in Figure 9.

The full set of Global performance standard templates can be found at: http://sww.wiki.shell.com/wiki/index.php/Safety_Critical_Element_global_performance_standard_template

Each Global Operate phase performance standard template contains the following information.

Barrier Reference - reference in accordance with its type, e.g. structural barrier.

Safety Critical Element Group - reference to the SCE group name and reference, e.g. PC001 Pressure Vessels. If additional performance standards are developed or the template needs to be broken down to cater for different equipment types within that SCE group, they shall be referenced with alpha extensions, e.g. PC001A, PC001B, etc.

SCE Goal - the functional goal of the SCE group in maintaining the hardware barrier.

Performance standard owner - this needs to be completed locally with the TA at Operating Company level who shall own the contents of that performance standard.

Functional criteria - key specific functions that have to be achieved to meet the SCE’s goals. The functional criteria are typically broken down into discrete functional activities that all have to be achieved to meet the overall goal.


Minimum assurance task - specific task(s) that have to be performed for each functional criteria in order to verify that the required standard of performance is achieved. The performance assurance task typically takes the form of a physical check against a desired standard of a defined operation, a measurement of a value against a target value or by observing the equipment. Where the value is to be recorded after the task has been executed, that value shall not be included in this task description but shall be in the assurance target value, see Figure 9.

Assurance measure - a short unique description of the performance assurance value which is to be recorded such as:

• examples for yes/no "Fire pump starts on demand", "HVAC system operable"

• examples for quantitative "Firewater discharge pressure", "Firewater flow rate".

These assurance measures (termed MICs - Master Inspection Characteristics in SAP) shall be maintained as a single Global data set in the CMMS system.

Assurance value - describes the evidence that shall be recorded to demonstrate conformance with the performance standard. The performance assurance value shall be one of the following.

• Qualitative - in which case a simple yes/no signifying whether the acceptance criteria has been met, or

• Quantitative - in which case the dimension of the quantitative results is to be recorded, e.g. time, pressure, temperature. The units of measurement are specified in the next section.

Develop Operate phase performance standard

The Operate phase performance standard templates shall be applied as follows to develop the performance standard contents for the specific Asset.

1. Select the applicable performance standard template and copy those elements (including tasks) which are relevant. Note that in exceptional cases, a suitable performance standard template may not be available. In this case, additions or changes shall be notified to, and authorised by, the owner of this document.

2. Add requirements which are specific to the Asset and are necessary to demonstrate that the SCE group is functioning correctly.

3. Add the specific values from the Asset’s design as follows:

• if the recorded value will be qualitative - add the specific values in the assurance task field

• if the recorded value will be quantitative - include the assurance target values in a spreadsheet format (see Figure 10 for an example) which specifies:

o functional location (Asset identifier) against which the results are to be recorded

o target value - the numeric acceptance criteria limits which define whether the SCE’s performance is acceptable. This may be a unique, maximum or minimum value or a range with upper and lower limits

o units of measurement - measurement units applicable to the target value, e.g. psi, kPa, sec.

4. The completed performance standard shall be approved by the relevant Technical Authority.

Figure 9: Example Operate phase performance standard template

Operate phase performance standard template

Barrier reference: PROTECTION SYSTEMS
Safety Critical Element group: PS004 FIRE WATER PUMPS
Performance standard owner: Robert Baraciolli
Review #: 1
Signed off: By email
Date: 06/08/2008
SCE goal: To provide fire water on demand to extinguish or limit the spread and effects of a fire

Function no. 1
Functional criteria: Each fire pump shall operate in accordance with its design characteristic.
Minimum assurance task: 1.1 Fire pump performance characteristic. Carry out performance test run of fire pump in line with the design pump curve to ensure capability to deliver the largest firewater demand.
Assurance measure: Firewater discharge pressure; Firewater flow rate
Assurance value: >=(pressure); >=(Flow)

Function no. 2
Functional criteria: Each fire pump shall start on demand from initiation signals. Each pump shall be capable of running without interruption for the duration of a defined emergency event.
Minimum assurance task: 2.1 Fire pump initiation test. The fire pumps shall start, upon receipt of start signal from:
• Local panel pushbutton
• F&G panel pushbutton
• Fire main pressure switch
It is not necessary to test all three of the above during each test performance, but the testing regime shall ensure all start signals are tested equally.
Assurance measure: Fire pump starts on demand
Assurance value: Y/N

Function no. 3
Functional criteria: Control Room Fire and Gas Panel shall indicate Fire Pump status.
Minimum assurance task: 3.1 Fire pump status indication. Initiation, and running, of the fire pumps shall be indicated on the control room fire and gas panel.
Assurance measure: Fire pump running visible alarm
Assurance value: Y/N

Function no. 4
Functional criteria: To supply combustion and cooling air to the diesel drivers associated with fire pumps.
Minimum assurance task: 4.1 Fire pump HVAC. The dedicated fire pump HVAC systems shall be operable in terms of min/max temperature and air changes for the duration of the test.
Assurance measure: HVAC system operable
Assurance value: Y/N

Function no. 5
Functional criteria: Each pump shall be capable of running without interruption for the duration of a defined emergency event.
Minimum assurance task: 5.1 Fire pump support ancillaries. The fire pump supports system, fuel, lubrication and cooling systems shall be at full inventory and fully operable during pump testing. The pump should operate for a minimum specified duration. If there is none specified then not less than 30 minutes (refer to NFPA 25 as a guideline).
Assurance measure: Fire pump ancillaries satisfactory
Assurance value: Y/N

1.5 Upload SCE information into the CMMS

The Master Data Maintainer shall ensure that the SCEs identified in the Asset Register are reflected in the functional location hierarchy in the CMMS with the following information.

• Flag to indicate it is an SCE.

• Date the last review was carried out.

• SCE group.

• Performance assurance task allocation required.

• Identifier showing the relevant performance standard template.

• Assurance target value (if applicable).

This information should be initially entered into the CMMS during the Asset’s Execute phase and during the Operate phase when an SCE identification update is required. As a minimum, SCEs and performance standards shall be reviewed every five years, together with other related reviews such as HEMP and RRM.

Finally, the relevant Technical Authority shall check that the CMMS upload has correctly identified the SCEs in the Asset Register. This may be a quality spot check as the Technical Authority has been involved in the previous activity.


Figure 10: Example assurance target values table

Assurance target value examples

Item reference | Description | Functional location (added in next step) | Assurance measure | Assurance value | Target value | Units of measure
P203A | Firewater pump A | RU.SUP.K23.P203A | Firewater flow rate | >=(Flow) | 100 | m³/hr
P203B | Firewater pump A | RU.SUP.K23.P203B | Firewater flow rate | >=(Flow) | 100 | m³/hr
SDV26001 | Pipeline A emergency isolation valve | RU.SUP.K23.SDV26001 | ESD valve closure time | <=(Time) | 10 | s
SDV26002 | Pipeline B emergency isolation valve | RU.SUP.K23.SDV26002 | ESD valve closure time | <=(Time) | 5 | s
SDV26003 | Pipeline C emergency isolation valve | RU.SUP.K23.SDV26003 | ESD valve closure time | <=(Time) | 15 | s
SDV26004 | Pipeline D emergency isolation valve | RU.SUP.K23.SDV26004 | ESD valve closure time | <=(Time) | 10 | s
X203A | Battery bank A For UPS | RU.SUP.K23.A.X203A | Minimum duration | >=(Time) | 3 | hrs
X203B | Battery bank B For UPS | RU.SUP.K23.A.X203B | Minimum duration | >=(Time) | 3 | hrs

Annotations in the figure: Asset identifier; Copied from PS for clarity.

2. Align with maintenance strategies

In this section, the approved Operate phase performance standards are structured and loaded into the CMMS within Planned Maintenance Routines against the relevant SCE.

During the Asset’s Execute phase, the RRM process takes into account the design and other requirements, and is applied to the SCEs to determine the routine maintenance strategy and performance assurance task frequency. This then provides the basis for performance checking at project handover and for managing performance assurance tasks in the Asset’s Operate phase.

In cases where an existing Asset’s performance assurance requirements need improvement, this activity shall be carried out in the Asset’s Operate phase and will comprise a review and adjustment of existing maintenance plans in the CMMS or the creation of additional plans.

Tools

• Plant Maintenance Data Minimum Standard (EP 2007-5614).

• Engineering Information Specification (EIS) (DEP 82.00.10.30-Gen).

Measures listing

Number | Measure | Industry Average | Top Quartile | Tracking Frequency
13.P.1 | SCEs with performance standards in place and aligned with Safety Critical Tasks in the CMMS | 70% | 100% | Annually

Best in class standard

• Performance assurance tasks are optimised with planned maintenance/inspection tasks.

• Performance assurance tasks are entered and maintained in the CMMS.

• Assurance target values are entered and maintained in the CMMS.

• Performance standards are accessible from the CMMS.

• All changes to SCEs and performance standards are reflected in the CMMS.

Process map

2.1 Align maintenance strategy with assurance tasks

2.2 Prepare performance assurance tasks

2.3 Upload to the CMMS

2.4 Set up FSR


2.1 Align maintenance strategy with assurance tasks

The SCE performance assurance tasks and the maintenance requirements defined during the Design phase or established during the RRM process are combined to provide a clear and aligned strategy in which:

• SCE performance assurance tasks are integrated with normal maintenance where it makes sense to do so

• the SCE performance assurance task frequency is derived from the RRM results or other relevant sources

• duplicated tasks are eliminated

• the needs of Asset shutdowns are established and taken into account.

Where items are not covered by RRM, the design and other requirements shall be taken into account when defining the performance assurance task and frequency.

2.2 Prepare performance assurance tasks

In this step, the performance assurance tasks derived in the previous section are structured within Planned Maintenance Routines to support the way in which maintenance will be managed and meet the requirements for loading into the CMMS. Details of the data requirements and guidance on detailed structuring and the related rules are given in the Data Minimum Standard and the Integrity Assurance Data Implementation Guide. Some key elements are brought into this section.

The performance assurance tasks specified within the performance standard are used to generate the planned maintenance routines using the following principles.

• Performance assurance tasks may be combined in the same planned maintenance routine as routine maintenance tasks on those SCEs but the operation shall be discretely identified as an assurance task and non-SCEs shall not be included.

• Performance assurance tasks on several SCEs should be combined into the same planned maintenance routine to optimise planning and execution effort. However, tasks from more than one performance standard shall not be combined into the same task list.

• Where possible, general task lists and standard text (that may be re-used for many SCEs and planned maintenance routines) should be used to simplify set up and future changes.

The performance assurance task acceptance criteria limits are contained in the task value data in the assurance target values table (Figure 10).

Finally, the relevant Technical Authority shall review and approve the performance assurance task, acceptance criteria, measures and task frequency before it is loaded into the CMMS.

2.3 Upload to the CMMS

In this step, the Master Data Maintainer takes the results from the previous step, collates the data and, for Assets in the Execute phase, arranges for it to be loaded into the CMMS. When this is carried out as an improvement step during the Asset’s Operate phase, the existing planned maintenance routines are adjusted.

This step shall include a quality review and sign off by the relevant Technical Authorities to ensure that SCE performance assurance tasks have been correctly represented in the CMMS.


2.4 Set up FSR

Facility Status Reporting (FSR) is the Global standard tool to support the management of the SCEs and it has three main functions.

1. Visualisation (consolidated picture) of the status of the CMMS work orders and notifications and related deviations by barrier/SCE group, at any level within the FSR Asset hierarchy.

2. Communication - FSR monitors those items that require action, and notifies the relevant parties by e-mail.

3. A formal and auditable Deviation Management System.

Appendix 4 contains a listing of the key configuration items which are needed to deploy FSR.


3. Execute performance assurance activities

The SCE performance assurance tasks are carried out in the field, the results are recorded and assessed for conformance with the performance standard acceptance criteria and any follow on corrective work is identified. This section describes the performance assurance steps that are in addition to the normal maintenance work preparation, scheduling and execution activities, which are detailed in the Work Preparation, Scheduling and Execution Process Guide (EP 2006-5445).

The end result of the activities in this section is the identification of:

• SCEs meeting their performance standards acceptance criteria

• follow on corrective work for SCEs which do not meet their performance standards acceptance criteria, which includes agreed priority and Latest Allowed Finish Date (LAFD)

• SCE performance assurance task backlog

• deviations needed.

Tools

• Work Preparation, Scheduling and Execution Process Guide (EP 2006-5445).

• Corrective Maintenance Prioritisation Tool (CMPT).

• Manual of Permitted Operations (MOPO) (EP 2005-0300-SP-04).

Measures listing

Number | Measure | Industry Average | Top Quartile | Tracking Frequency
0.P.1 | Critical PM Compliance | 90% | 98% | Monthly
0.P.3 | Critical CM Compliance | Not Known | 100% | Monthly
11.S.3 | History Recorded Against Required Fields | <85% | >95% | Monthly
11.S.4 | Notification Approval Time | 2 Days | 1 Day | Monthly

Best in class standard

• All work is executed in accordance with the Work Preparation, Scheduling and Execution process.

• All results from performance assurance tasks are recorded in the CMMS.

• A new follow-on notification with priority (using the CMPT) and LAFD is raised for all performance assurance tasks which are “Failed”.

• All follow-on activities unable to be completed before the LAFD have a deviation initiated.

• All SCE backlog work is identified as a non-conformance prior to the LAFD if this date cannot be met.

Process map

3.1 Prepare, schedule and execute work

3.2 Record results

3.3 Analyse results

3.4 Identify SCE performance assurance task backlog


3.1 Prepare, schedule and execute work


In this step, the SCE performance assurance tasks are managed through the routine maintenance process in which they are given priority over other preventive maintenance tasks. The objective is to achieve compliance with their LAFD.

The performance standard shop paper is printed in addition to the normal shop papers. This sheet provides a list of the SCEs, the performance assurance measure and value (where relevant) and space for recording the results.

3.2 Record results

After the performance assurance task is completed, the Maintenance Technician shall accurately record the results. They should initially be recorded on the shop paper and shall be recorded in the CMMS as soon as practicable, i.e. within one day of task completion. During this step the outcome of the task shall be recorded as:

• “passed” indicating that the SCE has met the acceptance criteria, or

• “failed and fixed” indicating that the SCE did not initially meet the acceptance criteria but a small remedial action was taken to reinstate its performance, which was also recorded in the technical history as a notification, or

• “failed” indicating that the SCE did not meet the acceptance criteria and that follow-on work will be required.

It is vital that the results are recorded accurately and in a timely manner so that the associated risks are known and the need for follow on corrective work is made immediately visible. In certain cases the Manual of Permitted Operations (MOPO) for the Facility may also prescribe actions that should be immediately taken in addition to the creation of follow-on corrective work.

The Maintenance Supervisor shall ensure that recorded results accurately reflect the activities carried out as part of an assurance activity.

Note that, in some cases, the detailed results are recorded outside of the CMMS, for example in a corrosion and inspection system, but in all cases the work completion shall be recorded in the CMMS (refer to the section on SCE Management Tools).

3.3 Analyse results

The results of the performance assurance task shall be assessed in order to determine if the performance meets the acceptance criteria. If the outcome is “passed” or “failed and fixed”, no further action is required. If the outcome is “failed”, it is classed as a non-conformance and shall have:

• a flag in the CMMS

• a follow-on corrective maintenance notification that is raised automatically to rectify the malfunction

• a deviation raised before the LAFD if the follow-on work cannot be completed before that date.

Detailed information about the non-conformance shall also be entered into the follow on notification to help with evaluating its impact on the Technical Integrity during the deviation management. This information should include details of the condition found and any other relevant information for problem diagnosis. The follow on corrective maintenance notification shall be prioritised in the daily review meeting as part of the normal maintenance management process using the CMPT, with Technical Authority input as required. The priority then sets the LAFD of the follow on work.

If the follow on work cannot be completed before the LAFD, a deviation shall be initiated and assessed as detailed in section four, Manage Deviations, of this manual.

3.4 Identify SCE performance assurance task backlogs

When it is not possible to execute an SCE performance assurance task by the LAFD, it shall be identified as a non-conformance by raising a deviation request which is managed as detailed in the Manage Deviations section. This action should take place in advance of the LAFD being approached to ensure the risks of delaying the task are adequately assessed.


4. Manage deviations

This section describes the management of deviations for assurance and safety critical SCE work orders which cannot be completed before their LAFD. Deviations should be kept to a minimum by complying with the steps detailed in section three of this manual and applying the principles of the MOPO.

Deviation management involves the assessment of the risks, identification and execution of mitigating actions and close out of the deviation.

Tools

• Work Preparation, Scheduling and Execution Process Guide (EP 2006-5445).

• Manual of Permitted Operations (MOPO) (EP 2005-0300-SP-04).

• Group HSE Manual ‘Risk Assessment Matrix’ 2006, Yellow Guide.

• Facility Status Report tool (FSR).

Measures listing

Number | Measure | Industry Average | Top Quartile | Tracking Frequency
13.S.3 | Number of deviations without TA approval per Facility | 2 | 0 | Monthly

Process map

4.1 Perform risk assessment

4.2 Identify mitigating actions

4.3 Execute mitigating actions

4.4 Review and approve deviation

Best in class standard

• No known non-conformance exists without an approved deviation being in place along with associated mitigating actions.

• The deviation is reviewed by the relevant Technical Authority(ies) and approved by the relevant Asset Team member.

• A risk assessment is carried out for all deviations and further mitigations are established such that the risk is managed to ALARP.

• All mitigation activities are reviewed and approved by the appropriate Technical Authority prior to execution (mandatory for temporary repairs).

• A review is carried out to investigate whether there is a requirement for a change to planned maintenance routines/tasks.

• A review is carried out to investigate whether there is a requirement for carrying out the Management of Change (MoC) process.

• Deviations are managed in a system which allows easy access to all of their details and approval from local and remote locations.


4.1 Perform risk assessment

In this step, the OIM or Plant Manager shall ensure that a risk assessment is executed and that mitigating actions are proposed as soon as practicable. During the assessment, it is essential to consider the MOPO for the Facility, the cumulative risks presented by all deviations as well as the current operating situation, and not just the deviation being addressed at the time.

The assessment shall be reviewed and approved by the appropriate operations and technical persons. The OIM or Plant Manager shall assemble a risk assessment panel typically consisting of the appropriate personnel such as:

• Technical Authority

• Technical Safety Engineer

• Operations Manager

• Engineering and Maintenance Team Leader

• Offshore Installation Manager/Plant Manager.

The minimum information required to review the non-conformance is as follows.

• Details of the equipment concerned - the SCE group and hardware barrier.

• The level of performance - the way it has failed.

• The acceptance criteria - the goal.

• The implications of the failure - the risks.

Details of the evaluation shall be recorded including the following items.

• Possible escalations resulting from the release of each hazard.

• Concurrent activities that were considered.

• Constraints or weaknesses in any of the hardware barriers defending against escalation.

• Other deviations, which are known at that moment and impact this deviation.

• Thinking ‘out of the box’ and ahead for the duration of the deviation.

• Mitigating measures proposed with timescales.

The risk assessment shall be formally recorded against the deviation.

4.2 Identify mitigating actions

In this activity, any mitigating actions shall be specified to provide sufficient control over the risks identified in the risk assessment. The mitigating actions can take many forms including:

• temporary operating procedures

• increased operator checks

• increased maintenance, inspection or testing

• temporary repair

• reduction in activities that may increase the risk or demand for the system

• shutdown of the whole or part of the process.

All deviations are temporary and require an expiry date before which the corrective work shall either be completed or the situation reassessed.

In the case of all temporary repairs and other non like-for-like changes, a technical specification shall be prepared and approved by the relevant Technical Authority before the deviation review and approval process can continue.

The mitigating actions shall be formally recorded against the deviation.


4.3 Execute mitigating actions

The relevant supervisor shall ensure that specified mitigating actions are put and kept in place through their normal work process. In the case of maintenance, e.g. for temporary repairs, this shall be covered by a suitable authorised CMMS work order.

4.4 Review and approve deviation

In this step, the OIM or Plant Manager shall only approve the deviation after verifying that:

• the risk assessment has been completed

• the relevant Technical Authorities have been consulted and their requirements have been taken into account

• the mitigating actions are in place and will remain in place for the duration of the deviation.

At this stage, there is still a non-conformance but it has been approved through the deviation management process. There is an approved and planned intention to operate outside of the normal procedure, standard or specification but the risks have been formally assessed and mitigating actions have been taken.

The OIM or Plant Manager shall ensure that deviations are closed out before their expiry date by one of the following actions.

• Completion of the preventive task or the corrective work.

• Formal approval of a change to the SCE's performance standard or the task frequency bringing it into conformance.

• Completion of a permanent change to render the deviation obsolete, e.g. permanent bypassing of the equipment approved through the MoC process.

If it is not possible to complete any of these actions by the due date, the situation shall be risk assessed again to determine the appropriate course of action.


5. Analyse and improve


This section describes the approach to be followed to demonstrate that all the SCEs required to manage Technical Integrity are functioning correctly and that Technical Integrity is being safeguarded. To this end, the current status of SCE performance assurance tasks is made visible and performance indicators are made available to identify areas for improvement. This is all based on data in the CMMS.

Tools

• Maintenance and Integrity Measures Dashboard.

• Facility Status Report tool (FSR).

Measures listing

Number | Measure | Industry Average | Top Quartile | Tracking Frequency
0.P.1 | Safety Critical PM Compliance | 90% | 98% | Monthly
0.P.3 | Safety Critical CM Compliance | Not Known | 100% | Monthly

Process map

5.1 Status reporting

5.2 Review and improve status

Best in class standard

• Up-to-date status reports are available on-line showing all safety critical preventive and corrective maintenance tasks that have passed their LAFD before task completion or are approaching their LAFD.

• An up-to-date status report is available on-line to show the SCE performance assurance task status and effectively tracks task completion status.

• Actions are taken to improve the integrity status of the Asset.


5.1 Status reporting

A status report shall be available at any time to show the integrity status of the Asset. As a minimum, this report shall be updated daily. It shall highlight safety critical preventive and corrective tasks required on SCEs that have not yet been completed and for:

• safety critical preventive work orders that have:

  o more than seven days until their LAFD (green)

  o less than seven days until their LAFD (amber)

  o exceeded their LAFD without an approved deviation in place (red).

• safety critical corrective work orders that have:

  o more than seven days until their LAFD (green)

  o less than seven days until their LAFD (amber)

  o exceeded their LAFD without an approved deviation in place (red).

• deviations:

  o listing of all deviations with links to related tasks.

The report shall provide an overview of all safety critical tasks for each Facility and include at least the following drill down and filter capabilities:

• drill down through the Asset hierarchy

• drill down by hardware barrier

• drill down by SCE group

• filter by corrective and preventive tasks

• filter by deviation status (approved/not approved) and by review dates.

5.2 Review and improve status

The Scheduler shall ensure that forward looking workload for integrity related tasks is reviewed routinely. Plans shall be put in place to complete them by their due date or approve delays through the deviation process.

Facility status

To ensure that tasks, which have not been completed on time through the proactive approach, are properly addressed, the Facility status report shall be reviewed once per day, usually in the morning meetings. Any new task with a red status shall be identified and the validity of the red condition confirmed and action taken as follows.

• For corrective work, ensure the priority is correctly assessed based on risk using the Corrective Maintenance Prioritisation Tool.

• Determine if the work is already complete, in which case the order and related notification should be confirmed as complete in the CMMS.

• If the work is not complete, advise line supervisors, initiate a deviation (see section 4.1), schedule the work to ensure completion and raise in the daily operations meeting.

It is important to understand the accumulation of risks from multiple ‘red’ items. Therefore, cumulative risk assessments should be undertaken to analyse, characterise, and quantify the combined risks to human health or the environment from multiple ‘reds’.

Performance indicators

Over time, statistics on the deviation process response time can be used to review where there are bottlenecks in the process and remedial action can be taken accordingly. For this process, the safety critical PM and CM compliance values and trends shall be used as key indicators as to whether the work is adequately under control. Detailed information is provided in the MIMS Measures Definitions document (EP 2007-9007). This information and snapshots of the Facility status shall be used in Asset Integrity Forums to target improvement.


Appendix 1 - Link to the EP Business Model

The processes contained in this manual have been aligned with the activities in the existing EP Business Model (EPBM) as listed below.

Figure 11: Link to EP Business Model

EP.64 New Design, Construct, Modify and Decommission Facilities
EP.64.03 Define Facilities concept and PEP
EP.64.03.02 Prepare Facilities basis for design
EP.64.03.02.01 Identify SCE and performance standards
EP.64.03.02.02 Define the Technical Integrity management Framework for Facilities
EP.64.03.02.03 Define the Technical Authority Framework
EP.64.03.04 Prepare HSE management system case
EP.64.03.04.01 Identify major health, safety and environmental risks
EP.65 Execute Operations Readiness and Assurance Activities
EP.65.03 Define operations requirements
EP.65.03.02 Define operations requirements and specifications
EP.65.03.02.10 Update risk register/HSE for operations
EP.65.03.02.20 Review and update the performance standards, including safety critical elements
EP.65.03.02.21 Review and update the Technical Integrity management framework for Facilities
EP.65.03.02.22 Review and update the Technical Authority Framework
EP.72 Maintain and Assure Facilities Integrity
EP.72.01 Define maintenance and integrity requirements
EP.72.01.03 Determine maintenance and integrity strategies
EP.72.01.03.01 Determine maintenance strategies
EP.72.01.03.02 Review maintenance and intervention strategies in the light of the other strategies on the Asset
EP.72.02 Execute activities in the maintenance management system
EP.72.02.02 Select maintenance and integrity strategies based on performance standards
EP.72.02.02.02 Comply with requirements detailed in the maintenance management system and the performance standard produced
EP.72.02.04 Update Asset Register and prepare for maintenance and integrity assurance
EP.72.02.04.01 Established maintenance and integrity tasks based on strategies and performance standards
EP.72.03 Operate, maintain, restore system to the design intent
EP.72.03.01 Prepare and schedule maintenance and integrity task
EP.72.03.01.01 Schedule all activities in the maintenance and integrity year plan activities in the Total Reliability process guides
EP.72.03.02 Execute maintenance and integrity tasks, comply with performance standards
EP.72.03.02.01 Monitor and control the execution of work which includes completion of hazard management activities
EP.72.03.02.02 Obtain necessary authorisations; ensure activities are carried out in accordance with the performance standard
EP.72.03.02.03 Ensure deviations are recorded and authorised by the Technical Authority and Plant Manager
EP.72.03.02.04 Record history in the MMS
EP.72.03.02.05 Raise corrective routines for defects or where equipment does not meet the performance standards
EP.72.03.03 Assure Technical Integrity
EP.72.03.03.01 Acquire the data to provide assurance of Technical Integrity and compliance with performance standard, health checks and audits
EP.72.03.04 Analyse and improve equipment performance
EP.72.03.04.02 Examine compliance of Safety Critical Elements with performance standards
EP.72.03.04.02.01 Deviation control


Appendix 2 - SAP specific requirements

When the CMMS is SAP, the data in this table, which contains the most important data required to manage Technical Integrity, shall be maintained. Further information can be found in the Plant Maintenance Data Minimum Standard (EP 2007-5614) and MIE1081.11 - Integrity Assurance Data Implementation Guide.

SAP specific requirements

In the Asset Register | Comments
Functional Location |
ABC Indicator | A = SCE, B = Production Critical, C = Other
SCE Applicable | Yes/No
SCE Group | If above is Yes, e.g. PC001
Reason SCE Awarded | E.g. from Safety Case, or RAM classification 5C
Date SCE Review Carried Out | To assist with future reviews
PS Required Y/N | Not all SCE functional locations require performance standards
PS Identifier | If not using Global PST
PS Measures Values | Target values for the PS measures
EP Well PSN | For Wells only

In Maintenance Item |
Functional Location | Functional Location at work order header level
Object List | List of Functional Locations to be used, if not same as header level. Should all relate to the same SCE group and identical to the header functional location SCE group.
Priority | 0 = Statutory/Legal; 1 = Safety/TI Critical
Compliance Category | A = Safety Critical; I = Integrity Critical; P = Production Critical; R = Other
Task Lists | Maximise the use of general task lists for maintainability

In Maintenance Plan |
Frequency | How often a work order will be created from the Maintenance Item

In Task List | An agreed task list naming convention is important
Compliance Category | A = Assurance; I = Safety Critical; P = Production Critical; R = Other
Class Criticality | Identifies the relevant performance standard to be used
Last Review Date | To assist with future reviews
Last Review Reason |
Task List Deviation Reason |
Task List Parent |

In Notification |
Condition after Malfunction code | Wells and some OpCos only
CMPT Priority | CMPT should be switched on for all Facilities Functional Locations
CMPT Likelihood |
CMPT Consequence Severity | Used to determine task criticality of work order
Required End Date | Output of CMPT, used to populate LAFD of work order
Status | To be kept up to date on timely basis

In Work Order |
Work Order Type | Use 72 FP; 72 FC; 72 WC; 72 WP only
LAFD | Date used for compliance reporting, can be updated to deviation expiry date if the deviation approved
OLAFD | Original LAFD, cannot be changed
Status | To be kept up to date on timely basis


Appendix 3 - Guidance on SCE groups and minimum performance assurance levels

This Appendix gives guidance for the correct allocation of SCEs, identified in the HSE case as part of the HEMP, to SCE groups. It also specifies, for each SCE group, the minimum level at which there shall be performance standards and acceptance criteria defined.

The performance standard templates contain two types of responses for the Assurance Value.

• Yes/No: which is the least detailed approach, in which “yes” = performance standard has been met and “no” = performance standard has not been met, referenced against an explicit performance assurance measure such as “Fire pump starts on demand”.

• Characteristic: a quantitative measured result which is compared with the target value to automatically determine whether the acceptance criteria has been met.

For a few performance standards, it is acceptable to record the detailed results of the Assurance Tasks in an alternate system such as PACER or eWIMS, in which case it is mandatory to also record at least the high level results in SAP, e.g. “Within Specification”. These cases are clearly indicated as footnotes within each performance standard template, and this approach is not acceptable in any other cases.

Notes.

1. This is not intended as a ‘pick list’ of SCEs, although it does provide typical equipment type examples by SCE group. SCEs are only classed as such if their failure to perform could lead to the release of, or fail to limit the consequence of, a Major Hazard as defined in the bow-tie model as part of the HEMP.

2. These examples are not intended to be exhaustive and are provided for illustration purposes only.

3. “Minimum Level” means the least detailed position in the Asset hierarchy; application at a more detailed level would give additional granularity in the SCE Management but would take more effort to put in place and operate.

4. In order to allow for continuous quality improvement, change control for this Appendix will follow the same process as for SCE groups and performance standards (MIE2012.03 Management of Change for Identification of SCEs and PS.doc).


SCE group listing

SCE group: SI001
SCE group title: Structures Subsea/Vessel Hull/GBS/Foundation Structures
Description: Primary subsea, vessel hull, gravity based or foundation structures.
SCE goal: To provide and maintain structural integrity under all expected actions through service life. Provide sufficient robustness to maintain availability of critical systems during a major incident.
Typical equipment types:
• Foundations, including piles and pile guides and concrete supports
• Jacket and substructure, Gravity Based Structure (GBS)
• Vessel hull steel work and plating
• Vessel bulkheads, underwater void spaces and double bottoms
• Sea water draw down system for GBS
• Foundations, including piles and pile guides, concrete supports and shallow foundations
Minimum level: At system level, e.g. hull

SCE group: SI002
SCE group title: Topside Structures
Description: Topsides or surface primary structure.
SCE goal: To provide and maintain structural integrity under all expected actions through service life, and to provide sufficient robustness to maintain availability of critical systems during a major incident.
Typical equipment types:
• Integrated deck/cellar deck/module support frame/deck trusses
• Module structure/module supports
• Bridge structure and supports
• TR structure, plating (skin) and supporting structure
• Topsides anchor and mooring points, load transfer system
• Structural steel supporting safety critical process equipment
• Dropped object protection
• Muster platforms and lifeboat davits
• Escape and evacuation structure and supports
• Flares, vents and drilling derrick structures
• Crane pedestals
• Helidecks and supporting structure
Minimum level: At module and elevation level

SCE group: SI003
SCE group title: Heavy lift cranes and Mechanical handling equipment
Description: Heavy lift cranes and mechanical handling equipment are lifting appliances.
SCE goal: To maintain suitable integrity so that loads, or any lifting component, does not fail in a manner that could cause or contribute to a major incident.
Typical equipment types:
• Overhead gantry crane in hydrocarbon process area
• Offshore platform pedestal crane
Minimum level: At item level, i.e. per crane

SCE group: SI004
SCE group title: Bilge, Ballast and Cargo management systems
Description: Bilge, Ballast and cargo management systems to control stability, flooding and to limit overstressing of the hull structure.
SCE goal: To transport ballast water and remove bilge fluids to maintain stability of the floating vessel and reduce stresses within the hull during all operational and damage scenarios.
Typical equipment types:
• Ballast and bilge pumps
• Associated actuated valves, piping and instrumentation
• Loading/Stability Management System
Minimum level: At system level, e.g. hull

SCE group: SI005
SCE group title: Road vehicles
Description: Company owned vehicles and other transport devices
SCE goal: To ensure the road-worthiness of Company operated road vehicles.
Typical equipment types: Company owned vehicles such as light vehicles (including pool cars, ambulances and forklift trucks), heavy goods vehicles, trailers and light and heavy buses
Minimum level: At item level, i.e. per vehicle


SCE group: SI006
SCE group title: Mooring Systems
Description: Mooring systems for hydrocarbon containing systems, e.g. for:
• floating production unit
• storage unit
• off-take unit.
SCE goal: To maintain vessel position.
Typical equipment types: Anchors, chains, chain table and chain stoppers, turret structure, cathodic protection, main and radial bearings, mooring head, swivels, winches and mooring system control
Minimum level: At system level

SCE group: SI008
SCE group title: Drilling Systems
Description: Drilling Systems (Offshore and Onshore) which control the well during drilling operations to prevent blow-out or damage to well or related Facilities.
Refer also to GPST SI001 Subsea/Vessel Hull/GBS/Foundation Structures and SI002 Topside Structures Structural integrity requirements described in the contract documents for contracted rigs.
Minimum level: At system level

SCE group: PC001
SCE group title: Pressure Vessels
Description: Pressure vessels that contain hydrocarbons, chemicals or other materials providing fluid containment under normal operating conditions.
SCE goal: To maintain integrity of the pressure envelope.
Typical equipment types: Vessels in the following services:
• oil or gas production, processing, handling and export
• condensate/NGL processing, handling and export
• gas injection
• fuel gas, treatment and heating
• flare scrubber/knock out drum
• flammable chemical
• steam generation
• Inert gas storage
Minimum level: At item level, i.e. per vessel

SCE group: PC002
SCE group title: Heat Exchangers
Description: Heat exchangers that contain hydrocarbons, chemicals or other materials providing fluid containment under normal operating conditions.
SCE goal: To maintain integrity of the pressure envelope.
Typical equipment types: Heat exchangers in the following services:
• oil or gas production, processing, handling and export
• condensate/NGL processing, handling and export
• gas injection
• fuel gas, treatment, heating and distribution
• flare scrubber/knock out drum
• flammable chemical treatments
Minimum level: At item level, e.g. per Heat Exchanger


SCE group: PC003
SCE group title: Rotating Equipment
Description: Pressure containing envelope of Rotating Equipment.
SCE goal: To maintain leak tight integrity. To ensure no catastrophic failure of component parts that could result in a major incident.
Typical equipment types: Process hydrocarbon pumps, compressors and turbo expanders in following services:
• oil or gas production, processing, handling and export
• condensate/NGL processing, handling and export
• gas injection
• fuel gas, treatment, heating and distribution
• flare scrubber/knock out drum
• handling flammable or hazardous chemical
• inert gas transfer
• gas turbines (including blade containment)
Minimum level: At item level, e.g. per compressor

SCE group: PC004
SCE group title: Tanks
Description: Tank envelope including the liquid and vapour spaces.
SCE goal: To maintain leak tight integrity.
Typical equipment types: Hydrocarbon or hazardous material process tanks in the following services:
• oil production, processing, handling and export
• condensate processing, handling and export
• flammable or hazardous chemicals
• crude oil storage
• diesel tanks
Minimum level: At item level, i.e. per tank

SCE group: PC005
SCE group title: Piping Systems
Description: Piping systems.
SCE goal: To maintain the integrity of pipework including instrument tubing and flexible hoses which contain flammable, or explosive liquid or gas.
Typical equipment types: Piping systems containing flammable or hazardous fluids under pressure:
• within and between operating units
• within and between modules
Minimum level: At sub-system level

SCE group: PC006
SCE group title: Pipelines
Description: Onshore and offshore Pipelines between Facilities including flexible pipelines, risers and J-Tubes that contain risers. Typical pipeline limits are between the pig trap isolation valves at each end of the pipeline although the critical elements may be a section of the pipeline, depending on the assessment of risk.
SCE goal: To maintain integrity of the pressure envelope.
Typical equipment types: Pipelines in the following services:
• export/import crude oil
• export/import gas
• export/import condensate/NGLs
• production reservoir fluids from remote wells
• flammable chemicals used for injection into remote wells
• lift gas
• gas/water injection
Minimum level: At item level i.e. per pipeline


SCE group listing (continued)

SCE goal Typical equipment typesDescription Minimum level

SCE group: PC007SCE group title: Relief SystemRelief systems designed toprotect pressure containingequipment and piping fromover or under pressurisation.

To prevent a loss of containmentof process fluids in upsetconditions and the controlleddisposal of hydrocarbon fluids.

• Safety relief valve.• Pressure Vacuum Valve• Associated relief pipework

At item level, i.e. perrelief valve

SCE group: PC008
SCE group title: Operational Well Containment

Well containment covers all components that provide an envelope for containment of well pressure.

To contain hydrocarbons and other hazardous substances, and to isolate the well in response to an upset/abnormal event.

Well containment systems for:
• onshore oil production and gas injection wells
• offshore oil production and gas injection wells
• remote subsea production wells.

At item level, i.e. per well

SCE group: PC009
SCE group title: Fired Heaters

Gas or oil fired heaters.

To prevent fire and explosion in Fired Heaters.

At item level i.e. per heater

SCE group: PC010
SCE group title: Gas Tight Floor Walls (Offshore only)

Gas tight floors designed to prevent spread of gas into critical areas.

To provide a vapour containing barrier that minimises the migration of toxic or hydrocarbon gases from the storage / ballast water system into the normal occupied area of the leg.

• Gas-tight floors of gravity base structures preventing vapours from oil in the storage cells from entering the leg.
• Some walls in closely constructed Facilities to limit gas spread during an incident.

At module and elevation level

SCE group: PC011
SCE group title: Tanker Loading Systems – Floating Production Storage Offtake (FPSO) Unit only (TANDEM)

Hydrocarbon envelope of a crude oil or condensate tanker loading system.

To ensure the safe offloading of crude oil from the FPSO to the Shuttle Tanker without loss of containment.

• Fixed transfer pipework
• SBM
• Loading pumps
• Hoses and couplings
• Anti-static earthing devices

At system level

SCE group: PC012
SCE group title: Helicopter Refuelling Systems

Helicopter refuelling system.

Prevent release of helifuel from pressurised fuel systems which could lead to a fire. Prevent/avoid a helicopter crash due to contaminated fuel. Prevent a static discharge which could ignite a fuel source.

Fuel storage tank, pipework, special fittings, hoses, fuelling nozzles, fuel filters and fuel pumps.

At system level

SCE group: PC013
SCE group title: Well Intervention/Well Control Equipment

Wireline Equipment in well operation.

To contain hydrocarbons and other hazardous substances, and to isolate the well in response to an upset/abnormal event.

• Wireline lifting/support structure (a-frame)
• Wireline winches and braking system
• Lubricators
• Wireline bops
• Hydraulic supply

At system level


SCE group: IC001
SCE group title: Hazardous Area Ventilation

Hazardous Area Ventilation systems including all equipment to prevent accumulations of flammable or harmful gas.

To prevent the formation of potentially hazardous concentrations of flammable and/or toxic gaseous mixtures in hazardous areas by providing adequate ventilation to dilute, disperse and remove such mixtures to a suitable location.

• Fans
• Dampers
• Ducting
• Associated instrumentation and alarms
• Natural ventilation openings

At system level

SCE group: IC002
SCE group title: Non-hazardous Area Ventilation

Non-hazardous area ventilation systems, including all equipment to prevent the ingress of flammable or harmful gas.

To prevent the ingress, or build-up, of flammable gas-air mixtures or life threatening atmosphere into non-hazardous areas.

• Fans
• Dampers
• Ducting
• Associated instrumentation and alarms
• Emergency cooling systems

At system level

SCE group: IC003
SCE group title: Certified Electrical Equipment

Certified Electrical Equipment in hazardous areas.

To minimise the likelihood of ignition from electrical equipment in hazardous areas.

• Electrical motor including protection circuits installed to prevent overload of electrical equipment
• Lighting
• Instrumentation
• All other certified electrical equipment

Motors: at item level
Other: at system/area level

SCE group: IC004
SCE group title: Cargo Tank Inert gas System

Inert gas blanket systems provided for crude oil storage to prevent the gas cap being in the flammable range.

To ensure that Cargo and Slop Tanks atmosphere are maintained below the Lower Explosive Limit (LEL).

Typical earthing system comprises of earth rods, earth bar, earth cables and connectors

At system level

SCE group: IC005
SCE group title: Earth Bonding

Earth bonding on equipment to dissipate the build up of static electricity.

To minimise the likelihood of ignition from static in hazardous areas during the release of a Major Hazard.

At area level

SCE group: IC006
SCE group title: Fuel Gas Purge System

Fuel Gas Purge System to prevent the presence of a flammable atmosphere in the system.

To provide sufficient purging of the flare or vent systems to prevent oxygen ingress and the possibility of detonation within the flare and vent system.

At system level

SCE group: IC007
SCE group title: Inert Gas Blanket System

Inert Gas Blanket System to prevent the presence of a flammable atmosphere in tanks.

To provide an inert atmosphere within enclosed process systems in order to prevent the ignition of flammable inventory.

At system level


SCE group: IC008
SCE group title: Miscellaneous Ignition Control Components

Component installed to minimise the risk of a source ignition from mechanical equipment that can generate sparks or hot surfaces above ignition temperature in a fault or operational condition and in a hazardous area.

Component installed to minimise the risk of a source ignition in a hazardous area.

At system level

• Vent/exhaust flame traps
• Anti-static devices, e.g. fan belts
• Diesel/turbine exhaust temperature control

SCE group: IC009
SCE group title: Flare Tip Ignition Systems

Flare Tip Ignition systems to ensure that gas from the flare system does not accumulate and cause a hazard to the Facility, following planned or emergency depressurisation.

To ensure that gas from the flare system does not accumulate and cause a hazard to the Facility, following planned or emergency depressurisation.

At system level

SCE group: DS001
SCE group title: Fire and Gas Detection

Fire and Gas Detection Systems for detection of flammable or toxic gas, or fires.

To detect all flammable gas accumulations, oil mist accumulations, the presence of toxic gases (including asphyxiants and narcotics) and all fires and initiate an executive action.

• Flammable Gas Detection System comprising:
  o all types of detectors fitted, which may include Catalytic detectors, Infra-Red Point Detectors, Infra-Red Beam Detectors and Acoustic Leak Detectors
  o gas in service water detection
  o HVAC gas detection
  o flammable gas detection functions on main and any additional Fire and Gas panels and outputs to end elements
• Manual Alarm Call points (MACs) System comprising:
  o GPA Call points positioned at various locations around the installation
  o manual alarm functions on main and any additional Fire and Gas panels and outputs to end elements
• Oil Mist Detection (OMD) System comprising:
  o oil mist detector heads, normally located in areas where oil mists present a risk of fire and explosion
  o oil mist detection alarm functions on main and additional Fire and Gas panels and outputs to end elements
• H2S Detection System comprising:
  o H2S detectors, alarm functions on main and additional Fire and Gas panels
  o outputs to Facility alarm systems including flashing warning beacons and local sounder devices initiated by H2S detection.

At system level


SCE group: DS001 (continued)
SCE group title: Fire and Gas Detection

• Fire detection system comprising:
  o detectors fitted, (ultra violet flame detectors, infra-red flame detectors, ionising smoke detectors, optical smoke detectors, heat detectors and frangible bulbs, pneumatic trigger Lines)
  o detection functions on the main and any additional fire and gas panels and outputs to end elements

SCE group: DS002
SCE group title: Security systems

All systems to prevent unauthorised access to the Facility.

To reduce the likelihood of damage to people or equipment.

• Access control devices
• Closed Circuit Television Cameras (CCTV)s
• DACA
• Detectors and alarms
• Perimeter fences

At system level

SCE group: DS003
SCE group title: Water in Condensate (Gas Dew Point) Measurement

Water in Condensate detection system to prevent excessive corrosion in downstream equipment or hydrate blockage.

Water in Condensate detection system to prevent excessive corrosion in downstream equipment or hydrate blockage. Water Dew Point detection system to prevent excessive corrosion in downstream equipment or hydrate blockage.

At system level

Deluge piping and nozzles

SCE group: PS001
SCE group title: Deluge Systems

Firewater deluge system.

To mitigate the consequence of fire and explosion.

At system/area level

SCE group: PS002
SCE group title: Fire and Explosion Protection

Fire and Explosion Protection systems installed to reduce the consequence of fires and explosions.

To limit the effect of a fire and/or an explosion.

At area level

SCE group: PS004
SCE group title: Fire Water Pumps

Firewater pumping system

To provide fire water on demand to extinguish or limit the spread and effects of a fire.

At pump set skid level

• Blast/fire walls, including supporting steelwork, and welded/bolted connections
• Pipe penetrations and cable transits in blast/fire walls and decks
• Doors within blast/fire walls and bulkheads
• supports for safety critical piping, vessels and equipment
• Explosion vents and relief panel systems
• Temporary Refuge external fabric (including doors, windows and penetrations) and supporting steelwork
• Blast resilient aspects of buildings and fire protection aspects of buildings

Firewater pumping system including Motors, Pumps, Couplings, Starter, etc.


SCE group: PS005
SCE group title: Fire Water Ring Main and Other Distribution Systems

Firewater ring main distribution system from the fire pump discharge to the end-users.

To distribute sufficient fire water to all fire water systems.

• Firewater tank.
• Pipework (including supports) from the 1st manual isolation valve downstream of fire pump discharge to the end-user activation valve
• Deluge set inlet isolation valve
• Helideck monitor manual isolation valve
• Sprinkler system manual isolation valve
• Fire hydrant isolation valve
• Fire hose isolation valve
• Low ring main pressure switches
• Fire main pressure control valves

At system/area level

SCE group: PS006
SCE group title: Passive Fire Protection

Passive fire protection to maintain structural integrity in the event of a fire.

To limit the effect of a fire on structure, plant, safety systems and personnel.

• Passive Fire protection coatings or barriers protecting critical structure, plant and safety systems.

At area level

SCE group: PS007
SCE group title: Gaseous Fire Protection Systems

Gaseous fire protection Systems for extinguishing fires in an equipment enclosure.

To mitigate the effects of a fire and to prevent escalation of fires in enclosed areas.

• CO2 system for switch room

At system level

SCE group: PS008
SCE group title: Fine Water Spray (FWS) Systems

Fine water spray systems for extinguishing fires in an equipment enclosure.

To mitigate the effects of a fire and to prevent escalation of fires in enclosed areas, e.g. diesel engine enclosures.

Protection to:
• generators
• turbines

At system level

SCE group: PS010
SCE group title: Power Management System

Power management system to control the operation of critical electrical switchgear through shedding of non-critical loads.

To maintain the stability of the main power generating system by load sharing and shedding.

Electrical network monitoring and control systems

At system level

SCE group: PS009
SCE group title: Sprinkler Systems

Sprinkler systems, normally to protect areas with no hydrocarbon inventory, and hazards arising from cellulosic type fires with lower heat potential.

To control or extinguish localised fires and to prevent escalation of fires.

Sprinkler-protected areas are:
• office areas
• accommodation modules
• tea-shacks

At system/area level


SCE group: PS011
SCE group title: Fixed Foam Systems

Fixed foam systems.

To provide an application of foam to prevent, or mitigate, hydrocarbon pool fuel fires (including aviation fuel).

At system/area level

SCE group: PS012
SCE group title: Sand Filters

Sand removal Filter to reduce rapid erosion rates on piping and vessels.

To reduce rapid erosion rates on piping and vessels.

Sand filters in flow line systems

At item level, i.e. per filter

SCE group: PS013
SCE group title: Chemical Injection Systems

Chemical injection system to control otherwise rapid corrosion rates in pipelines or piping systems.

To ensure chemical injection application complies with design intent to minimise internal corrosion.

At system level

SCE group: PS014
SCE group title: Navigation Aids

Navigation aids to enable the installation and its structures to be visible to marine and aviation traffic and to signal a safe line of approach or departure for helicopters, thereby preventing collision with the installation.

To alert marine vessels (offshore only) and aircraft of the position of the installation so that they may take timely action to avoid the area.

• Aircraft warning (obstruction) lights on masts or flare stacks (onshore/offshore)
• Main, secondary and subsidiary navigation lights (offshore)

• Foghorns (offshore)

At system level

SCE group: PS015
SCE group title: Collision Avoidance Systems

Radar system to detect marine traffic on a potential collision course with the installation for movement monitoring, assessment and warning.

To avoid ship collision by passing or drifting vessels with the installation.

• Fixed radar system on installation offshore Facility

• Radar systems installed on the offshore standby vessels

At system level

SCE group: SD001
SCE group title: Emergency Shutdown System

ESD System to take action during an incident to safely shut down the process.

To achieve safe shutdown, of plant and equipment, to prevent or mitigate the consequences of the release of a Major Hazard.

• Anemometers for wind speed and direction
• Meteorological sensors for air temperature, air humidity, atmospheric pressure, cloud height and visibility
• Wave sensors and current speed and direction sensors

At system level

SCE group: PS016
SCE group title: Metocean Data Gathering Systems

To provide continuous, accurate, real-time meteorological and oceanographic (Metocean) data for use in aviation and marine logistics and other offshore operations that may be affected by adverse weather.

To alert personnel to adverse weather by providing accurate, continuous, real-time metocean data for decision making when conducting weather sensitive activities to help prevent weather related incidents.

At system level


SCE group: SD002
SCE group title: Depressurisation System

Depressurisation System includes all valves for emergency depressurisation of flammable or harmful inventories.

To prevent major escalation during a fire incident by:
• preventing the rupture of process equipment or pipework which may suffer a decrease in mechanical strength due to the exposure or impact from an external source of heat or fire
• ensuring a rapid reduction in the size of any hydrocarbon inventory.

• Blowdown valves
• Pneumatic/hydraulic actuators and local control circuits
• Any rate-determining elements (e.g. orifice plates) that are essential for the system to achieve its performance requirements

At system level

SCE group: SD003
SCE group title: High Integrity Pressure Protection Systems (HIPPS)

HIPPS provide high integrity instrumented overpressurisation protection for pipelines, equipment or piping systems that do not have sufficient mechanical protection for the maximum envisaged fluid pressure.

To protect against over-pressurisation of gas transportation pipeline systems.

At system level

SCE group: SD004
SCE group title: Operational Well Isolation

Well Isolation system including all components with a role to isolate the well, or annulus, following a hazardous event.

To isolate the well in response to an upset/abnormal event.

Xmas Trees including actuated and manual isolation valves – (UMGV, PWV, Swab, LMGV, etc.), Sub Surface Safety Valves SSSVs, actuated gas lift isolation valves and injection check valves/storm chokes

At item level, i.e. per well

SCE group: SD006
SCE group title: Process Emergency Shutdown Valves (ESDVs)

Process ESDVs to automatically isolate a flammable or hazardous inventory in a Facility, either onshore or offshore.

To shut down the process in response to a hazardous situation and also to prevent a major incident.

At item level, i.e. per valve

SCE group: SD005
SCE group title: Pipeline Isolation Valves

Pipeline Isolation Valves to isolate a flammable or harmful pipeline inventory from the onshore or offshore Facilities or public areas.

To reduce the inventory released in the event of a Major Hazard release.

At item level, i.e. per isolation valve

• Pipeline ESD valves, plant isolation or safety valves, pipeline block valves, pipeline check or non-return valves

• Pneumatic/hydraulic/electrical actuators and control circuits


SCE group: SD007
SCE group title: Subsea Isolation Valves (SSIVs)

Subsea isolation valves to isolate a flammable or harmful pipeline inventory from the offshore Facilities.

To isolate the pipeline inventory from the riser. To prevent additional pipeline inventory from causing escalation of an existing incident. (Only applicable offshore).

At item level, i.e. per valve.

SCE group: SD008
SCE group title: Drilling Well Control Equipment

Well control equipment required during drilling in case of loss of control of the well resulting in a drilling blowout.

To contain hydrocarbons and other hazardous substances, and to isolate the well in response to an upset/abnormal event.

Drilling Blowout Preventers (BOP)s, BOP Hydraulic Control System, Choke manifold, Atmospheric and vacuum Degasser, Diverters, Kelly Cocks and Stab-in Valves, Well Kill System, Flow and Gas Detection (including Kick Detection) for Drilling Operations.

At system level

SCE group: SD009
SCE group title: Utility air

Utility Air Systems.

To prevent an unplanned and/or out-of-sequence operation of safety critical air controlled equipment, such as emergency shutdown valves or deluge systems.

• Internal escape ways within the living quarters, offices or workspaces to the primary muster points within the temporary refuge or elsewhere
• On offshore installations, the route from the primary muster points to either the helideck, or lifeboat
• Signage systems
• Escape gates in fences

At system level

SCE group: ER001
SCE group title: Temporary Refuge/Primary Muster Areas

Temporary refuge (also known as Primary Muster and Command Area) includes all the associated safety systems.

The arrangements for TR should provide sufficient protection to enable people to muster safely, to permit the emergency to be assessed, and to allow the appropriate parts of the emergency response plan to be executed during a major incident.

At refuge/area level

SCE group: ER002
SCE group title: Escape and Evacuation Routes

Escape and evacuation routes are the designated escape ways to be used during a major incident.

The arrangements for TR should provide sufficient protection to enable people to muster safely, to permit the emergency to be assessed, and to allow the appropriate parts of the emergency response plan to be executed during a major incident.

At area level


SCE group: ER003
SCE group title: Emergency/Escape Lighting

Lighting systems for escape ways and emergency response locations, with integral battery back-up power or other independent power supply.

To provide adequate illumination at emergency response locations and to escape routes in the event of a major incident.

Lighting units with battery back up; emergency warning lights

At system/area level

Typical telecommunications systems include:
• installation PA system
• visual warning signals in high noise areas, (onshore and offshore)
• Emergency Response Team (ERT) UHF radio system including hand-held sets, and antennas (offshore)
• marine VHF radios (offshore).
• ICC air band radios (offshore)
• lifeboat EPIRBs (offshore)
• INMARSAT communication system (offshore)
• telephone system

SCE group: ER004
SCE group title: Communications Systems

Telecommunications equipment required during a major incident to enable coordination of emergency response, muster and evacuation.

To ensure that all personnel on board or at site at any location are made aware of any need for mustering or abandonment once the decision has been made. To ensure that the communications systems and information required for emergency response control, platform evacuation, and with all external parties identified in the emergency plan, are available.

At system level

SCE group: ER005
SCE group title: Uninterrupted Power Supply (UPS)

UPS systems provide secure power supplies to feed essential systems when the normal supply fails.

To provide an uninterrupted power supply to the vital services during a major incident when normal power fails.

Typical UPS systems comprise batteries, rectifiers, inverters, cabling, ESD and EDP systems. They typically supply: fire and gas system, PA audio and visual alarms, SOLAS communications (offshore), navigation aids and helideck lighting (offshore)

At item level

SCE group: ER007
SCE group title: Emergency Power

Emergency generator for emergency power supply to support essential facilities during an emergency following loss of the normal power supply.

To provide an emergency power supply to support essential facilities during an emergency following loss of the normal power supply.

Typical emergency power supply system comprises of emergency diesel generator

At item level, e.g. generator

SCE group: ER006
SCE group title: Helicopter Facilities

Helicopter facilities comprise all the structure and equipment required to enable personnel evacuation by helicopter during a major incident.

To avoid collision by the helicopter with the installation. To facilitate the evacuation of personnel from the installation to the nearest place of safety.

At system level


SCE group: ER010
SCE group title: Drain Systems

The Drains system is used to remove hydrocarbons or flammable liquids following a loss of containment. It also drains deluge water from an area during an incident, which may contain liquid hydrocarbons.

To prevent escalation of an incident following loss of containment, fire and/or explosion by removing or containing flammable liquid from hazardous areas.

• Offshore system providing drainage from process modules, including associated interceptors

• Onshore system providing drainage from storage and process areas, including associated interceptors

At system level

SCE group: LS001
SCE group title: Personal Survival Equipment (PSE)

Personal Survival Equipment supplied on an installation to enable personnel to escape to the Temporary Refuge and/or evacuate the installation during a major incident.

To provide all personnel escaping from a Major Hazard with suitable protective clothing and equipment. To provide personnel within emergency response roles with suitable protective clothing and equipment.

At category of equipment level

SCE group: LS002
SCE group title: Rescue Facilities

Primary Rescue facilities for rescue from the sea following evacuation from an offshore platform, or from a helicopter ditching.

To provide a good prospect of successfully rescuing casualties following immediate notification of their entry to the sea, under conditions which the need to rescue personnel from the sea is likely to occur.

At category of equipment level

SCE group: LS003
SCE group title: Lifeboats/Totally Enclosed Propelled Survival Craft (TEMPSC)

Lifeboats, Free-fall lifeboats or Totally Enclosed Motor Propelled Survival Craft (TEMPSC) may be required during a major incident.

To facilitate a secondary means of evacuation of personnel, independent of external resources, when the primary means is unavailable.

At item level i.e. per Lifeboat

Typical items included are: life jackets, (offshore), immersion suits, (offshore), grab bags offshore - containing survival suits, self-rescue sets, lifejackets, flame-retardant gloves, torches and chemical light sticks, respiratory protection aids (for escape), BA sets (for escape), fire suits and fire rescue equipment, chemical handling suits and protective equipment

• Standby vessel and onboard facilities
• Fast rescue craft and launch and recovery mechanisms
• Daughter craft and launch and recovery mechanisms
• Dacon scoops which are deployed when other rescue methods are not safe to deploy due to weather conditions

• Radar system and related components

SCE group: LS004
SCE group title: Tertiary Means of Escape (Offshore only)

Tertiary Means of Escape means to evacuate the platform in the event that the primary (helicopter) or secondary (lifeboats) means are not available.

To have a variety of means to facilitate escape to sea of personnel from the installation when primary and secondary means are unavailable.

At system level, i.e. for each means of escape


Appendix 4 - FSR specific requirements

This list contains the key configuration data required to set up FSR for an OpCo.


FSR specific requirements

Configuration: Comments

Asset hierarchy: Structure should be as close to Total Reliability Measures as possible but reflect the OpCo organisation as role permissions may be linked to a location in the hierarchy.

Deviation approval workflow: Determines the workflow order for deviation approval.

Role names: Reflect the OpCo specific names.

Disciplines names: Currently reflect the OpCo specific names, but expected to transition to the DCAF standard.

Deviation maximum and minimum durations: Should be in line with OpCo policy and procedures.

Role permissions: A matrix which defines who is allowed to approve a deviation, submit a deviation, etc. Should be in line with OpCo policy and procedures.

Discipline/SCE group mapping: Defines which disciplines are assigned to which SCE groups for the purposes of reviewing a deviation.

Reviewers: Defines which roles are assigned to each deviation for review purposes.

Traffic light logic: Defines whether the OpCo uses the CAM code or CMPT consequence severity code to determine the task severity of a work order.


List of acronyms/abbreviations

See also EP 2005-0100-SP-01 HSE glossary of definitions.


Acronym/abbreviation Definition

AI Asset Integrity

ALARP As Low As Reasonably Practicable

CM Corrective Maintenance

CMMS Computerised Maintenance Management System

CMPT Corrective Maintenance Management Tool

DCAF Discipline Controls Authority Framework

EIS Engineering Information Specification

EP Shell Exploration and Production

EPBM EP Business Model

eWIMS Well Integrity Management System

FEED Front End Engineering and Design

FSR Facility Status Report

GPST Global Performance Standard Template

HAZID Hazard Identification

HAZOP Hazard and Operability study

HEMP Hazard and Effects Management Process

HIPPS High Integrity Pressure Protection Systems

HSE Health, Safety and Environment

HSSE Health, Safety, Security and Environment

IPF Instrumented Protected Function

JHA Job Hazard Analysis

LAFD Latest Allowed Finish Date

MIE Maintenance and Integrity Execution

MIC Master Inspection Characteristic

MIMS Maintenance and Integrity Management Standard

MoC Management of Change

MOPO Manual of Permitted Operations


OE Operational Excellence

OLAFD Original Latest Allowed Finish Date

OpCo Operating Company - previously termed OU

OPMG Opportunity and Project Management Guide

ORA Operations Readiness and Assurance

PM Preventive Maintenance

PMR Preventive Maintenance Routine

PS Performance Standard

PST Performance Standard Template

QRA Quantitative Risk Assessment

RAM Risk Assessment Matrix

RBI Risk Based Inspection

RCA Root Cause Analysis

RCM Reliability Centred Maintenance

RRM Risk and Reliability Management

SCE Safety Critical Element

SIF Safety Instrument Function

SIL System Integrity Level

TA Technical Authority

TI Technical Integrity

TIF Technical Integrity Framework

TR Total Reliability

TR (equipment-related) Temporary refuge

WIG Well Integrity Framework

WIMS Well Integrity Management Standard


EPT Shell International Exploration & Production B.V. Kesslerpark, Rijswijk (ZH), 2288 GS Rijswijk The Netherlands.

The copyright in this document is vested in Shell International Exploration and Production B.V., The Hague, The Netherlands. All rights reserved. Neither the whole or any part of this document may be reproduced, stored in any retrievable system or transmitted in any forms by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior written consent of the copyright owner.
