hseq-ro-06!04!00 management of technical integrity

7/25/2019 HSEQ-RO-06!04!00 Management of Technical Integrity

1/13


2/13

User Notes:

A controlled copy of the current version of this document is on Petrom Intranet EP. Before

making reference to this document, it is the user's responsibility to ensure that any copy iscurrent. For assistance, contact the Document Issuer.

This document is the property of Petrom EP. Neither the whole nor any part of this documentmay be disclosed to others or reproduced, stored in a retrieval system, or transmitted in anyform by any means (electronic, mechanical, reprographic recording or otherwise) withoutprior written consent of the owner.

Users are encouraged to participate in the ongoing improvement of this document byproviding constructive feedback.

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008Management of Technical Integrity Page 2 of 11

Edition: 01


3/13

Table of Contents

1. Introduction 4

1.1. Scope 4

1.2.

Objective 42. Regulatory content 4

2.1 Define System Boundaries 5

2.2 Hazard Identification 5

2.3. Safety Critical Elements (SCE) 6

2.4. Performance Standards 7

2.5. Written Scheme of Examination 7

2.6. Independent Competent Person 7

2.7. Records 7

2.7.1 Definition of Failure 8

2.7.2 Failure Record Data Structure 8

2.8. Management Review of Technical Integrity 9

2.8.1 Aims 9

2.8.2 Summary Procedure 9

3. Responsibilities 9

4. Terms and abbreviations 10

5. Obsolete regulations 10

6.

Supporting documentation 10

7. Distribution list 11

8. Amendments from the previous edition 11

9. Annexes 11



Edition: 01


4/13

1.

Introduction

1.1. Scope

This standard applies to all Petrom activities of the EP and EPS Divisions.

1.2. Objective

The objective of this standard is to establish the conditions that the technical integrity ofproduction facilities can be assured and that unplanned failures of equipment and associatedutilities are minimised.

The primary benefit of managing integrity is to minimise the potential of harm to persons.This also has benefit in terms of minimising the impact on the environment. The concept ofintegrity is to not have any unplanned failures (ruptures, leaks, emergency venting, etc) thatcould result in release of hydrocarbons or chemicals to the atmosphere. Good integritymanagement is then a control process to reduce risks of pollution and minimise emissions.Additionally, well-maintained facilities will probably also keep running energy costs to aminimum.

The principles of integrity management and independent verification apply throughout thelifecycle of the facilities from design, construction, commissioning, start-up, production anddecommissioning (abandonment).

It is especially important to apply this standard whenever facilities are subject to change,upgrade and modification. Major accidents have resulted when changes have been made tothe original design intent and the impact on technical integrity has not been fully assessed.These changes do not have to be major; often a series of minor changes may in total have asignificant effect.

All facilities with the potential for a major accident (see Section 2.2 below) should be coveredby this standard including well systems (exploration, development, production and injection).International standards exist for more specific aspects of technical integrity and these arelisted in Section 6.

2.

Regulatory content

The overall process to manage technical integrity is shown in Figure 1 below. The process issometimes referred to as the written scheme of examination, or verification scheme for safetycritical elements.



Edition: 01


5/13

HAZID,

Risk Assessment,RAM Studies

List Safety Critical

Elements andAssociated

PerformanceStandards

Implementation

and Assessment ofResults

Written Scheme ofExamination:

- Verification

- ICP- Records

Review

andFeedback

Define SystemBoundaries

Figure 1: Management of Technical Integrity

The process shown in Figure 1 is described in more detail below.

2.1 Define System Boundaries

The boundaries would normally include the well system, flowlines, drilling/workoverequipment, production train (including control, detection, alarm and shutdown equipment),utilities, structures, fire fighting and life saving equipment and storage/export system. Foroffshore facilities, accommodation units should be included within the scope.

2.2 Hazard Identification

All facilities are required to have a risk assessment (refer to standard HSEQ-RO-04-02, RiskAssessment Criteria, latest revision) and this will include various techniques for identifyinghazards, e.g. hazard and operability study (HAZOP), failure modes and effects analysis, etc.The effects of the hazards when they become uncontrolled can be quantified usingconsequence models, such as gas dispersion, fire and explosion analysis. Combining theconsequences with the likely frequency will result in a risk profile to be developed for various

accident scenarios. RAM studies will also be required to optimise the selection of equipmentto minimise the risks.



Edition: 01


6/13

The risk assessment should identify the major accident scenarios. The definition of a majoraccident is:

A fire, explosion or the release of a dangerous substance involving death, serious injuryor environmental pollution (inside or outside of the facilities);

Major damage to the structure or facilities;

Collision of a helicopter with an offshore installation;

Failure of diving life support system (offshore installation); Any other event involving death or serious injury to five or more persons.The overall process of risk assessment and identifying major accident scenarios would bewithin the scope of a HSE Case (refer to standard HSEQ-RO-05-02 latest revision).

l tf

2.3. Safety Critical Elements (SCE)

The next stage in the process is to identify safety critical elements (SCE).

The definition of a SCE is:

- Any part of the facilities (including software) the failure of which could cause orcontribute substantial y to a major accident or the purpose is to preven or limit theeffects o a major accident.

The HSE Case quantitative risk assessment (QRA) uses numerical data such as event andfailure rate frequencies to calculate risk levels. This is done by assessing the frequency ofinitiating hazards and analysing the reliability of the mechanisms that are in place to preventescalation. The final consequences are based on harm to persons and are used to prioritise onrisk reduction measures.

The reliability data used in QRA can be used to derive inspection and test frequencies forsafety critical elements. However, this is not always possible. For example, an escape route isa safety critical element but defining a test frequency based on QRA principles does not havethe same practical (or mathematical) basis as the test frequency for equipment or systemswhich have historical failure rate data, e.g. an emergency shutdown valve. QRA also haslimitations because the consequence models cannot accurately represent the real world and

the likely behaviour or response of people which can often have significant impact on the finaloutcome for a hazardous event.

In conclusion, the risk assessment calculations from the safety case provide part of theinformation for selecting safety critical elements. However, expert judgement shall be used tointerpret the safety case studies, in consultation with operations personnel to select the safetycritical elements and develop the scope and frequency of inspection.

The selection philosophy makes use of the hazard management process which is appliedduring the lifecycle of an installation from design, construction, drilling, operation, combinedoperations, modifications, through to abandonment. The process takes the major accidentscenarios and examines the step by step development of the accident from initiating eventthrough to the point where the risk does not pose a further threat. The hazard management

process has five steps, as follows: Prevention Systems to control the primary initiating events;

Detection Systems to detect that the primary safeguards have failed;

Control Systems (or secondary safeguards) to prevent the event escalating andbring the plant to a safe state;

Mitigation Systems to minimise the effect of the failure of primary and secondarysafeguards;

Recovery Systems to recover from the effects of the incident and return facilitiesto a safe state.

Each step is systematically examined to assess the plant or equipment (and associatedsoftware), that contributes to preventing escalation of the hazardous event. The plant orequipment (and associated software) identified is recorded as safety critical.



Edition: 01


7/13

2.4. Performance Standards

Performance standards shall be defined for safety critical elements. Performance standardsshall be developed on a system or component level using major hazard information,reliability/availability data and operational judgement.

Performance standards shall include requirements relevant to the following categories:

Functionality The intended purpose and fundamental design performancerequirement for an SCE.

i

Reliability/Ava lability The probability that the system will work on demand.

Survivability The ability of the SCE to survive loadings from designaccidental events.

Interaction Dependencies and interactions with other systems orperformance standards.

System functional tests shall be implemented to verify that the individual SCE and theirinterfaces perform to the required standard. The system functional tests are a reality checkand simulate, as close as possible, how the equipment is expected to function in an

emergency.It is not always possible to carryout full functional tests on SCE when the installation is in theoperational lifecycle phase (e.g. for firewalls). In these cases other testing or inspection shallbe defined which shall give reasonable assurance that the SCE will stop the escalation of ahazardous event.

Additionally some SCE are defined at the sub-system or component level (e.g. fire detectors)and whilst they will be tested within an overall function test, individual component tests arerequired for the assurance of component reliability.

2.5. Written Scheme of Examination

The overall system for assurance of technical integrity should be documented in a written

scheme of examination. This would normally be integrated within the maintenance andinspection program for the facilities to minimise any unnecessary duplication. The writtenscheme of examination should be a controlled document.

The process of implementing the scheme is commonly referred to as verification and inpractice means providing assurance through measurement or testing that the facilities willperform or maintain their technical integrity under normal and emergency design conditions.

2.6. Independent Competent Person

A third party independent and competent person (ICP) shall be appointed to provideverification that the written scheme is based on correct interpretation of the risks, is beingimplemented correctly, records are accurate and are reviewed on an annual basis. The role of

the ICP is to provide an independent review of the overall system and not to be involved indetailed inspection or testing. However, the ICP should have the freedom to witness anycritical test and drill down in order to satisfy themselves that the system is workingsatisfactorily. Detailed guidance on the role and capabilities required by an ICP is provided inAnnex A.

2.7. Records

Records of the performance history for the safety critical elements shall be maintained. Aconsistent system for definitions and data collection shall be used to enable further analysisand comparison with internal and industry standards.



Edition: 01


8/13

2.7.1 Definition of Failure

Revealed failure: detected at the instance of occurrence. Unrevealed failure: not detected untilthe next test or demand. Failure modes are categorised as follows:

Critica A failure which is both sudden and causes cessation of one or more

fundamental functions. This failure requires immediate correctiveaction in order to return the item to a satisfactory condition.

l

r

r

Degraded A failure which is gradual, partial or both. Such a failure does not ceasethe fundamental functions, but compromises one or several functions.In time, such a failure may develop into a critical failure.

Incipient An imperfection in the state or condition of an item or equipment sothat a degraded or critical failure can be expected to result if correctiveaction is not taken.

A failure mode is defined as the effect by which a failure is observed on the item, rather thanthe effect a failure has on the system containing an item. For instance, if a gas detector fails torespond when the gas concentration increases substantially; the failure mode is defined as

critical. The effect on the gas detection system may not be critical if other detectors in thesystem detect and respond correctly to the increased gas concentration.

A planning and records system shall flag components or systems of components that aredefined as safety critical.

2.7.2 Failure Record Data Structure

Records of examination and test shall be logged in the history layout file for each safetycritical element. The file shall also be used to record modifications and all failures of the safetycritical elements. The record is formatted using the data collection structure from industrystandard references:

The record structure shall be as follows:

Operational Modes Continuous;Active, sleeping condition;Activated from stand-by condition.

Internal Environment Medium handled, operating pressure/temperature, corrosiveelements, etc.

External Environment Indoors, outdoors, open/sheltered, etc.

Failu e Cause Design error, fabrication/assembly error, incorrect installation,operator abuse, etc.

Failu e Mode Critical, degraded, incipient

Repair Time Man-hours to analyse the failure, repair and return the item to a

state of readiness including any testing. It excludes the time todetect the failure, time to isolate the equipment from theprocess before repair, delay and waiting for spare parts andtools.

Records which are not reliability oriented (e.g. results of structure damage surveys, failureinvestigations, etc) should be stored in the document control centre with a cross-reference tothe written scheme of examination.

Records that are no longer current because of revisions or expiration of the relevant part ofthe WSE shall be retained for at least six months or longer if required by local legislation.



Edition: 01


9/13

2.8. Management Review of Technical Integrity2.8.1 Aims

Formal management reviews should be carried out annually of the plans in place to ensureTechnical Integrity.The review should take place away from daily operational activity and should aim to identify:

Changes, upgrades or modifications to facilities and their impact on technical integrity. Progress against plans for upgrading, modifying or changing facilities.

Interpretation of results.

Future action plan.The review shall look at past achievements, identify the key learning points and planimprovements for the forthcoming year. In particular, the meeting shall identify whether thetechnical integrity of the facilities is satisfactory and if any restrictions need to be placed on itsoperation and manning.

2.8.2 Summary Procedure

On an annual basis the Production Manager shall convene a meeting to review the WSE forsafety critical elements. Attendees at the meeting shall typically include personnel as follows:

Production Manager (Chairperson).

Field Cluster Manager.

Plant Superintendent/Offshore Installation Manager.

Specialist Engineers (e.g. Mechanical, Process, C&I, Corrosion, etc).

HSEQ Representative.

ICP or its representative.

At the meeting the previous 12 months operation of the WSE for safety critical elements shallbe formally reviewed. A typical agenda could be as follows:

Review of actions arising from previous annual meeting.

Review of any changes, upgrades or modifications to the facilities.

Operations function: completion status report for the written scheme of examination. Operations function: summary of unrevealed failures and damage to the installation.

Engineering function: summary review of examination and test results on safety criticalelements during the preceding 12 month period.

Engineering function: long term trend analysis.

Engineering function: appraisal of pipelines, risers, jacket structural integrity andcontinued fitness for purpose.

Engineering function: appraisal of wells and topside facilities integrity (pressureenvelope) and continued fitness for purpose.

HSEQ Representative: impact on the safety case and report of relevant managementsystem audits.

Comments by the ICP on the continued fitness for purpose of the facilities.

Potential changes to operating conditions and loading on the facilities. Revisions required to the written scheme of examination.

Comments by the ICP on changes to the WSE.

Actions arising from the annual review shall be formally recorded and tracked on a database.

3.

Responsibilities

The Assets Managers and Field Cluster managers are responsible for implementingthese standards for all production facilities where Petrom is the operator.

For a development project within an Asset the Project Manager (or Field Cluster

manager, if appointed) is responsible for implementing these standards prior tohandover to the operating group.



Edition: 01


10/13

4.

Terms and abbreviations

4.1 Terms

Independent Competent Person- The person can be an individual or a corporate entity(when it sometimes referred to as an independent verification body).

Independent Verification Body- see ICP above.

RAM An acronym for reliability, availability and maintainability. Reliability measuresthe likelihood that a system will operate for a given time. Maintainability measures howquickly a system can be brought back into operation after a failure has occurred.Availability measures the proportion of time that a system operates for, given thatfailures can occur and are then repaired. Availability measures the combined effects ofreliability and maintainability.

Technical Integrity a concept that ensures the pressure containing envelope of thehydrocarbon processing system will not fail and cause unplanned release of well fluidsand stored energy that could create a hazard. It is a concept that includes associatedutilities, supporting structures and special activities connected with the facilities (e.g. for

offshore: diving and helicopter operations). Technical integrity is sometimes referred toas fit for intended purpose.

4.2 Abbreviations

EP Exploration & Production

EPS - Exploration & Production Services

HAZID Hazards Identification

HAZOP Hazards and Operability

ICP - Independent Competent Person

IVB- Independent Verification Body

QRA Quantitative Risk Assessment

RAM - Reliability, Availability and Maintainability SCE Safety Critical Element(s)

WSE Written Scheme of Examination

5.

Obsolete regulations-6. Supporting documentation Petrom EP, Guidelines for HSEQ in Projects, document no HSEQ-RO-04-01 latest

revision.

Petrom EP, Risk Assessment Criteria Standard, document no HSEQ-RO-04-02 latestrevision.

Petrom EP, HSE Case Standard, document no HSEQ-RO-05-02 latest revision. ISO/CD 19901-3 Petroleum and natural gas industries Specific requirements for

offshore structures Part 3: Topsides structure.

ISO/CD 19902 Petroleum and natural gas industries Fixed steel offshore structures.

ISO/CD 19904 Petroleum and natural gas industries Floating offshore structuresincluding station keeping.

IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems.

ANSI/API Standard 1160 Managing system integrity for hazardous liquid pipelines.

API Standard RP 579 Fitness for service.

ANSI/API Standard RP 580 Risk based inspection.



Edition: 01


11/13

7.

Distribution list

Petrom EP and EPS BU Managers;

Asset managers;

Field Cluster managers;

Project managers;

HSEQ EP;

HSEQ EPS.

8.

Amendments from the previous edition

Current edition Valid from Amended chapters

01 Approval date -

9.

Annexes

Annex A Selection criteria for Independent Competent Person (ICP)



Edition: 01


12/13

Annex A: Selection Criteria for anIndependent Competent Person (ICP)

The purpose of this Annex is to define the selection criteria, in terms of role and capabilities, for anIndependent Competent Person (ICP). It can be used as selection criteria to pre-qualify companiesthat are being considered for appointment as an ICP.

Petrom shall appoint a third party ICP to consult and comment on the written scheme of examination(WSE).

1. Functions

The general functions that the ICP shall be required to perform are as follows:

Witness/review major functional testing of SCE;

Review and comment on the WSE including revisions;

Review and comment on the record of safety critical elements including revisions; and formallynote any comments following these reviews.

On an annual basis the ICP shall be requested to review and comment on the examination and testrecords for the following plant and equipment:

Safety critical elements

Platform/ship structure and moorings (offshore)

Pipeline systems

Well systems (including well protectors for subsea wells

On an as required basis the ICP shall be requested to review and comment on the assessment andremedial plans following damage or failure to safety critical elements, structures, pipelines and wellsystems.

The ICP shall be required to attend the annual OMV Management Review of the WSE for SafetyCritical Elements and Asset Integrity.

2. Required ICP Management System Capabilities

Selection of an ICP (and ongoing appraisal) shall be by assessment of their overall capabilities andcommitment to providing a quality service to a recognized benchmark, such as the ISO 9000 series ofstandards. The ICP shall be appointed following satisfactory assessment of the management systemelements defined below.

2.1 Organization and Planning

The ICP shall have the capability to provide a full range of technical expertise for the specific facilities.The ICP function shall be independent from any other services provided by the parent company (e.g.quality assurance, engineering or consultancy services, etc). However, where an interface is required(or necessary) the ICP shall have internal controls to assure independence. The interfaces shall beclearly documented.

The ICP shall ensure that personnel of the appropriate competency are available for the expecteddemands of an operation that works continuously. Suitable planning provision shall be made toensure back up for high workloads or sickness/leave. Where the ICP intends using second or thirdparty personnel, the individuals shall be independent of any potential conflicts of interest and haveequivalent standards of competency as full time ICP staff.


Valid from: 18.12.2008Annex A of Petrom EP StandardManagement of Technical Integrity

Page 1 of 2Edition: 01


13/13

Where the ICP employs staff in other parts of its organization to carry out examination, testing orengineering consultancy activities and they will be required to demonstrate sufficient independenceexists within their organization to prevent conflicts of interest.

2.2 Engineering and Document Control

The ICP shall have the engineering capability to enable sound technical decisions to be arrived at by

reference to in-house expertise, validating computer software models, legislative information,technical standards and working knowledge of the exploration and production oil/gas industry.

Records and communications shall be subject to a formal document control which ensures thattransmittal, receipt, archive and retrieval facilities are efficient and secure. Appropriate back upsystems shall be in place.

2.3. Competency Assurance

The ICP shall have a system in place to ensure the competency of any personnel who provideservices to Petrom. The system should be based on a generic framework as follows:

Task Definition The required functions specified for the service to be provided shallprovide the basis for defining the tasks to be carried out by the ICP.

This will enable the correct level of skill for personnel to be defined toperform the specified function. Normally this would be identified in ajob description/function for an individual.

Skill Measurement A system which can measure the achieved level of skill to enable amatch with the tasks that an individual is expected to carry out. Thiscould include academic or in-house examinations, independentcertification from examination bodies or supervised work experience.

Skills Inventory A maintained database of the skills levels for individuals. Typically thiswould record references, professional qualifications, vocationaltraining, relevant proven experience.

Performance Monitoring

and Review A system that will regularly appraise the performance of individualsand provide feedback to improve or develop potential.

2.4. Audit

The ICP shall have an audit system to assess that their working practices meet planned arrangementsand that they are suitable to carry out the functions for an ICP as defined in this procedure.


Valid from: 18.12.2008Annex A of Petrom EP StandardManagement of Technical Integrity

Page 2 of 2Edition: 01

hseq-ro-06!04!00 management of technical integrity

Documents