Verification that safety-critical elements are suitable and effective

This technical bulletin provides guidance about the verification of safety-critical elements required under the Health and Safety at Work (Major Hazard Facilities) Regulations 2016, and the Health and Safety at Work (Petroleum Exploration and Extraction) Regulations 2016.

It applies to the verification required at the initial and ongoing stages for new and existing facilities and/or installations (as applicable).

Background

The Major Hazard Facilities Regulations and Petroleum Exploration and Extraction Regulations require that an operator/permit operator establishes a safety management system that addresses specified requirements. Those requirements include verification from an independent and competent person (ICP) that safety-critical elements (SCEs) are suitable and will perform their intended functions. Verification by an ICP is required for new and existing facilities, to ensure SCEs remain effective and reliable throughout their service life.

In order to verify that SCEs are suitable and will remain effective and reliable, an ICP must carry out an independent review which may include examination, testing, and review of evidence (as appropriate). An ICP may verify that an SCE is suitable, if they are satisfied there are no errors or failures in its design and construction that could prevent it from operating as intended, and in the case of ongoing suitability, that the SCE is in good repair and condition and remains suitable and effective.

Verification is separate to maintenance and testing of SCEs, and the ICP should be independent of the person who does the maintenance and testing.

The Independent Competent Person (ICP)

The duty holder (operator) is accountable for ensuring the SCEs have been verified by an ICP for both initial and ongoing suitability. The ICP provides an independent view of the initial and ongoing suitability of the SCEs. The duty holder retains accountability, and is responsible for managing risk through the safety management system. The operator has a duty to ensure that those verifying the SCEs are both independent and competent.

The ICP must physically visit the facility and view the installed SCE when verifying the SCE’s suitability. Reviewing pictures of the SCE (which could be out of date, or misleading) is not sufficient. ICPs should understand the risks and implications of getting verification wrong.

Let’s break down two key attributes required of an ICP:

Independence

Regulation 4 of the Petroleum Exploration and Extraction Regulations describes a person as being independent in the exercise of a function if:

  1. the function does not involve the examination of any thing for which the person has or has had a level of responsibility that could compromise the person’s objectivity, or
  2. the function involves the examination of a thing and the person:
    1. is sufficiently independent of and separate from the line management of the thing to ensure that the person will be objective in the exercise of his or her function, and
    2. is sufficiently free from any influence that could compromise the person’s independence, including influence of an operational or a financial nature.

The above definition will apply to facilities under the Major Hazard Facilities Regulations, when providing guidance in the context of a bulletin addressing both regulations.

WorkSafe does not require that the verification must always be carried out by a third party, but independence requires that the person is free from influence and able to report the results of verification without repercussion. The ICP should be independent of the operating company’s management, should not have been involved in any aspect of anything likely to be verified, and should be free from financial or operational pressure that could impair their judgement. An ICP must be impartial and objective when performing and reporting on verification activities, and there should be no conflicts of interest.

The role of the ICP may either be undertaken by an individual or organisation, or by several different individuals or organisations. If the latter is the case, the operator’s safety management system should define how coordination will be achieved, to ensure that all parts of the verification scheme are adequately addressed and that interfaces between those individuals and organisations are effectively managed, for example, so that required information is communicated between them. Where there are multiple verifiers, one should have an oversight role.

The purpose of independence is to avoid common modes of failure, such as:

  • undue management pressure
  • misunderstanding within a team, bias, entrenched opinions
  • personal obligation or social pressure
  • lack of awareness of new technology or practices.

Competence

Regulation 2 of the Petroleum Exploration and Extraction Regulations defines a competent person as ‘a person who has the knowledge, experience, skill, and qualifications to carry out a task required by these regulations’. This definition will also apply to facilities under the Major Hazard Facilities Regulations, when providing guidance in the context of a bulletin addressing both regulations.

The operator must ensure that an ICP tasked with verifying an SCE has the necessary knowledge, experience, skill, and qualifications to do that.

In many cases, a single ICP will not have the knowledge, experience, skill, and qualifications to verify all SCEs at complex facilities. That is why multiple ICPs may be necessary. Each ICP must have competency in all the relevant/required disciplines (for example, process, mechanical, electrical, instrumentation etc) so that all aspects of the SCE performance can be properly evaluated. The range of competences should include design, maintenance systems and practical inspection, maintenance, testing and repair methods.

Initial suitability verification (new or existing facility or installation)

When considering ‘initial suitability’ the aim is to identify whether there are errors or failures in the design and construction of the SCEs that could prevent them from achieving their intended safety functions. In addition to ensuring SCEs remain suitable, the ICP should also consider the validity of performance standards particularly in light of changes in technology, knowledge etc.

If the facility or installation has been built, and is currently in operation, an initial suitability verification of SCEs by an ICP is still required, but the process is slightly different from a new facility or installation where the ICP would normally have had the opportunity to review and comment on the SCE during the design and construction phases to ensure suitability.

The ICP does not need to repeat the work of the designer, but they should review sufficient documentation to be confident that the design and installation of the SCEs will meet appropriate performance standards and will achieve their intended safety functions.

To achieve this, operators must have some or all of the following information pertaining to the safety-critical element that may be required for verification:

  1. design documentation
  2. specification documentation, datasheets
  3. certificates of material used, test certificates etc
  4. other documentation (for example, risk assessments as required under the major hazard facilities, and petroleum and exploration regulations, safety integrity level (SIL) assessments, previous and current performance standards, documentation relating to modifications of the element) and/or
  5. review of the element against its performance standard and the relevant current standards or codes. (Departures from standards indicate areas where improvements may be required in order to ensure risks are reduced so far as is reasonably practicable).

An ICP considering initial verification of SCE suitability should consider the following:

  • major incident/major accident hazard identification, and analysis of those to confirm credibility, and that nothing obvious has been excluded/missed
  • SCE selection: methodology for selection; adequacy of list
  • performance standards
  • SCE conditional review, with specific consideration of construction and commissioning processes.

Ongoing suitability verification

Verification of SCEs by an ICP is not a one-off activity. Ongoing verification (updated reports) by an ICP is required. After verification of initial suitability, ongoing monitoring of suitability of SCEs is required in accordance with the regulations.

Examples of assurance activities during ongoing operations include:

  • inspection, maintenance, testing, and repair
  • identification and remedy of failures, degraded performance, deviations, and deferred assurance activities
  • investigation of unanticipated demands on SCEs
  • analysis and reporting of SCE performance.

The review of information to confirm SCE suitability and that the SCE will remain effective, in good repair and condition, relies on the competency of the verifier (the ICP). This includes taking into account the operator’s safety management system, and the processes to manage the SCE.

Facility and process changes may impact ongoing suitability of SCEs. Where a change or modification at a facility has occurred, additional work may be necessary to ensure that the performance of the SCE has not been compromised, and that it still delivers the required safety function, availability and reliability; that is, formal management of change procedures should be applied by competent workers.

When considering verification of ongoing suitability of SCEs the ICP should consider the following:

  • maintenance and ongoing function testing: appropriate inspection, maintenance and testing; witnessing of critical function tests
  • SCE performance and condition review: conditional monitoring; visual inspection; review of reliability/availability of records; evaluation of maintenance records; examination of failure rates; assessment of actions management from inspections
  • management of plant changes/modifications.

To demonstrate that SCEs continue to be suitable and meet their performance standards, routine verification should be carried out to check that SCEs remain in a suitable condition. The frequency of this should be determined by the operator and documented in the operator’s safety management system. WorkSafe does not prescribe the required frequency, but will consider whether it is appropriate based on the scale, size and risk profiles of the facility.

Performance standards

Performance standards need to be in place for all major incident/accident control measures, and this includes safety-critical elements.

A performance standard describes the objective and performance criteria that the SCEs are assessed against. The performance criteria are normally defined by taking into consideration functionality, availability, reliability, survivability and interaction aspects along with the associated assurance activities and pass/fail criteria.

The ICP should verify:

  • that a performance standard exists for each SCE
  • that the SCE achieves the requirements of the performance standard.

How much evidence should be examined?

WorkSafe expects operators to provide ICPs with sufficient information about the SCEs to enable the ICP to determine whether the SCEs are suitable, and likely to be effective if called upon.

What should be done if an ICP cannot verify an SCE?

If the ICP is unable to verify an SCE as suitable and/or maintainable due to, for example, missing information, they should make the operator aware of their findings as soon as practicable.

When an operator becomes aware of an SCE verification issue or finding, it should be addressed as a priority. Addressing the verification finding(s) may in some instances mean replacement of the SCE with one that can be verified as being suitable. In some circumstances, it may necessitate the temporary shutting down of the facility until such time as a risk assessment and appropriate actions can be completed for the safe operation of the facility or installation.

References and further reading

The following references contain more detailed information about SCE management activities including assurance and verification.

Overseas/other info

UK Health and Safety Executive, Verification that safety-critical elements are ‘suitable’ at the commencement of a verification scheme, SPC/Enforcement/174

Energy Institute, Guidelines for management of safety-critical elements (SCEs), third edition January 2020, ISBN 978 1 78725 155 7

WorkSafe guidance

Good Practice Guidelines, Major Hazard Facilities: Safety Assessment (Section 5.4)

Good Practice Guidelines, Major Hazard Facilities: Major Accident Prevention Policy and Safety Management System (Section 10)

Good Practice Guidelines, Major Hazard Facilities: Safety Cases (Section 4.3)

Interpretive Guidelines, Petroleum: Certificates of fitness and verification scheme for offshore installations (Section 3)

Bulletin: Defining safety-critical elements and demonstrating their independent verification at a major hazard facility
