Verification that safety critical elements are 'suitable' at the commencement of a verification scheme
1. This SPC provides inspectors with further guidance on the regulatory requirements for verification of the suitability of Safety Critical Elements (SCE) on existing installations. This SPC replaces SPC/Enforcement/46 version 2, which has been withdrawn.
2. An area of some debate between industry and HSE has been how to verify that safety critical elements for an existing installation are suitable. Several questions have been raised, namely, (a) is this required for installations operating before the regulations were made and (b) what would be expected in these circumstances. In addition, should suitability be examined on a continuous basis? This note gives an opinion on these questions.
The relevant regulation is 2(5) of the Offshore Installations (Safety Case) Regulations 2005 (SCR) and its associated guidance. As can be seen, the relevant phrase in the regulation is in bullet point (a) and it is 'are suitable'. This is further reinforced by the third sentence (para 97) in the guidance, which is "The scheme should ensure that safety-critical elements are 'suitable'." In conclusion, the regulation requires that any verification scheme for an operating installation must start by investigating whether the safety critical elements are suitable and continue questioning their suitability throughout the installation's life, particularly when knowledge, technology or standards change.
3. A verification scheme (SCR Guidance paragraph 97) must examine the safety critical elements to ensure they are suitable when brought into service or when the scheme commences. In addition, during the lifetime of the installation the suitability of SCEs needs to be reviewed particularly when knowledge, technology or standards change. Annex 1 indicates the means by which suitability can be assessed.
For an SCE to be suitable it must perform as required (ie meet the specified performance standard). In order to achieve this, the duty holder and the ICP will need to be satisfied and be able to show that the SCE is:
- suitably designed and constructed; and
- maintained in good repair and condition;
such as to achieve the required standard of performance, which itself needs to be kept up to date (following changes in knowledge, technology, circumstances, re-assessment of risk etc.).
Some duty holders have assumed that design and construction standards are no longer relevant, and that verification need only concern itself with ongoing maintenance for good repair and condition. This is incorrect, as design and construction are fundamental to SCE performance. Furthermore, the duty holder and ICP need to take due account of the implications of any subsequent changes in design and construction standards, any deterioration in condition, and any actual or anticipated changes in service conditions.
4. To use this information as a basis for forming opinions with regard to the adequacy of duty holders' verification schemes.
Relationship to other documents
- A guide to the Offshore Installations (Safety Case) Regulations 2005 L30 Third edition HSE Books 2006
- SPC/Enforcement/158 The Offshore Installations (Safety Case) Regulations 2005
Further information and advice or opinion regarding the suitability of a particular scheme can be obtained from OSD 5.3, (01256 404164).
Annex 1 - Assessment of initial suitability
What is the purpose of a verification scheme?
The requirements of the regulations are amplified in the guidance paragraph 97 where it states:
The verification scheme would be expected to identify errors or failures in areas such as:
- The specification and selection of appropriate performance standards; and
- The design, construction and maintenance of elements, which have been identified as safety-critical so that appropriate preventative or remedial action can be taken.
In answering the question of what is required in the demonstration of 'initial suitability', the aim must be:
To identify errors or failures in the design and construction of the safety critical elements (SCE) that could prevent them from achieving their intended safety functions.
In addition, to ensure SCEs remain suitable, the scheme should also question the validity of performance standards, particularly in light of changes in technology, knowledge etc.
How can 'initial suitability' be verified?
There are 2 aspects to what HSE would expect: one being what the duty holder must do, and the other what is required from a verification scheme (ie the work undertaken by an independent and competent person [ICP]).
The duty holder must ensure that the safety critical elements of their installation are suitable for their intended purpose. To meet this requirement the duty holder must have a methodology and an effective management system in place to deliver it. In addition, the duty holder, in conjunction with their ICP, must devise a written scheme of verification to examine this methodology and the management system that delivers it, with the aim being to identify errors etc.
The first question is what the methodology could comprise and the second is what the ICP must do. An indication of the methodology expected to decide 'initial suitability' is given by regulation 2(6)(b). The regulation states that the means of achieving 'initial suitability' are:
"Examination of any design, specification, certificate, CE marking or other document, marking or standard relating to those elements…by such persons".
Thus for the ICP to carry out such an examination to verify initial suitability the duty holder must have some, or all, of the items below for each safety critical element:
- (a) Design documentation;
- (b) Specification documentation;
- (c) Certificates of material used, test certificates etc.;
- (d) Certificates of fitness (CoF) if the element was part of the previous certificate of fitness regime, together with evidence to show that, at the transition from that regime to the current one, the element was 'fit' and that there were no remedial actions or that they had been closed afterwards;
- (e) Other documentation (eg risk assessments as required under the safety case regulations and PFEER, SIL assessments, previous and current performance standards, documentation relating to modifications of the element); and/or
- (f) Review of the element against its performance standard and the relevant current standards or codes. (Departures from standards indicate areas where improvements may be required in order to ensure risks are ALARP.)
What should the duty holder have?
Thus for a safety critical element covered by the old CoF regime it would be considered that the duty holder should have, at a minimum, items d, e and f above. Items a to c should have been covered under the CoF regime.
For an element without a previous CoF then the duty holder should have available items a, b, c, e and f from the above list to show the element is suitable.
What should the ICP do?
For 'initial suitability' it has been established above that the purpose of the scheme is to identify errors or failures in design or construction, which could compromise its safety purpose. There are two cases to consider, namely one where the safety critical element was the same in the previous CoF regime as now and has not been altered and the second where the SCE (or its performance standard) has been modified or was not covered by the CoF regime. In both cases changes in technology, knowledge, standards etc. relevant to the SCE need to be considered to ensure that an opportunity to reduce risks to ALARP is not missed.
Where nothing has changed then on transition from the old CoF regime to the current verification scheme it would seem reasonable that the ICP would be required by the duty holder to test their methodology and management system by examining the items identified above (or by any other equally effective means). These items have been identified from the regulations.
Where a change has occurred then additional work is required by the ICP who must check that the performance of the SCE has not been compromised and delivers the safety benefit required. The work, in addition to that outlined in the paragraph above, would be concerned with the duty holder showing suitability and includes such activities as reliability studies, reviews of old and current performance standards etc.
The exact details of the scheme depend on the safety critical element and on the evidence, and the duty holder must draw up the scheme in conjunction with their ICP.
How much evidence should the scheme examine?
In any verification scheme the biggest problem is how much of the evidence the ICP should examine. Paragraph 101 of the guidance to regulation 2(6) clearly indicates that not everything needs to be examined. Thus it would not be expected that the ICP would examine every piece of evidence for the initial suitability of a safety critical element but sufficient, in their judgement, to be confident that the duty holder's process would have delivered a relatively error free element.
From the regulations and the associated guidance it is considered that the following is required to satisfy the safety case regulations concerned with verification of the initial suitability of safety critical elements:
- All installations must have an effective verification scheme that has examined whether the safety critical elements are (or will be) suitable.
- Such a scheme would be expected to identify errors or failures in design and construction.
- For each element evidence must exist to show that it is initially fit for purpose. The regulations suggest that such evidence could include design documentation, previous certificates of fitness, reviews of the element against current standards etc.
- The ICP should examine the evidence to ensure that the element is free from error or failure during the design and construction phase that could compromise its fitness for purpose.
- Except in areas of doubt it would not be expected that the ICP would examine every piece of evidence for the initial suitability of a safety critical element, but rather that they would carry out sufficient examination for each element to ensure the duty holder's process was very likely to deliver an error free design for that element.