
TECHNICAL STANDARD

GUIDANCE FOR THE SELECTION OF SAFETY CRITICAL ELEMENTS

DEP 80.80.00.15 EPE


March 2005

DESIGN AND ENGINEERING PRACTICE

This document is restricted. Neither the whole nor any part of this document may be disclosed to any third party without the prior written consent of Shell Exploration
and Production Europe. The copyright of this document is vested in this company. All rights reserved. Neither the whole nor any part of this document may be
reproduced, stored in any retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior
written consent of the copyright owner.

USER GUIDELINE PREFACE


EPE docs are based on the experience acquired during their involvement with the design,
construction, operation and maintenance of processing units and facilities, and they are
supplemented with the experience of Group Operating companies. Where appropriate they are
based on, or reference is made to, international, regional, national and industry standards.
The objective is to set the recommended standard for good design and engineering practice applied
by Group companies operating an oil refinery, gas handling installation, chemical plant, oil and gas
production facility, or any other such facility, and thereby to achieve maximum technical and
economic benefit from standardization.

The information set forth in these publications is provided to users for their consideration and
decision to implement. This is of particular importance where EPE docs may not cover every
requirement or diversity of condition at each locality. The system of EPE docs is expected to be
sufficiently flexible to allow individual operating companies to adapt the information set forth in EPE
docs to their own environment and requirements.

When Contractors or Manufacturers/Suppliers use EPE docs they shall be solely responsible for the
quality of work and the attainment of the required design and engineering standards. In particular, for
those requirements not specifically covered, the Principal will expect them to follow those design and
engineering practices which will achieve the same level of integrity as reflected in the EPE docs. If in
doubt, the Contractor or Manufacturer/Supplier shall, without detracting from his own responsibility,
consult the Principal or its technical advisor.

The right to use EPE docs is granted by Operating Companies within EP Europe, under Service
Agreements with SIEP. Consequently, three categories of users of EPE docs can be distinguished:
1) Operating companies having a Service Agreement with SIEP. The use of EPE docs by these
operating companies is subject in all respects to the terms and conditions of the relevant Service
Agreement.
2) Other parties who are authorized to use EPE docs subject to appropriate contractual
arrangements (whether as part of a Service Agreement or otherwise).
3) Contractors/subcontractors and Manufacturers/Suppliers under a contract with users referred to
under 1) or 2) which requires that tenders for projects, materials supplied or - generally - work
performed on behalf of the said users comply with the relevant standards.

Subject to any particular terms and conditions as may be set forth in specific agreements with users,
EP Europe disclaim any liability of whatsoever nature for any damage (including injury or death)
suffered by any company or person whomsoever as a result of or in connection with the use,
application or implementation of any EPE doc, combination of EPE docs or any part thereof, even if it
is wholly or partly caused by negligence on the part of EP Europe. The benefit of this disclaimer shall
inure in all respects to EP Europe and/or any company affiliated to these companies that may issue
EPE docs or require the use of EPE docs.

Without prejudice to any specific terms in respect of confidentiality under relevant contractual
arrangements, EPE docs shall not, without the prior written consent of EP Europe, be disclosed by
users to any company or person whomsoever and the EPE docs shall be used exclusively for the
purpose for which they have been provided to the user. They shall be returned after use, including
any copies which shall only be made by users with the express prior written consent of EP Europe.
The copyright of EPE docs vests in EP Europe. Users shall arrange for EPE docs to be held in safe
custody and EP Europe may at any time require information satisfactory to them in order to ascertain
how users implement this requirement.

All administrative queries should be directed to the EPE doc Administrator in EP Europe
(functional e-mail address: epe-standards-catalogs@shell.com).


TABLE OF CONTENTS
1. INTRODUCTION
2. THE ROLE OF SCES IN MANAGING HSE HAZARDS
3. MANAGEMENT OF SCES
3.1. OVERVIEW OF MANAGEMENT PROCESSES
3.2. SCE AND PERFORMANCE STANDARD MANAGEMENT PROCEDURE
3.3. MANAGEMENT OF CHANGE
4. SELECTION OF SCES AND DEFINITION OF PERFORMANCE STANDARDS
4.1. OVERALL PROCESS
4.2. COMPOSITION AND ROLES OF EXPERT PANEL TO SELECT SCES
4.3. SCE SELECTION AND DOCUMENTATION PROCESS
4.4. USE OF IPF/SIL CLASSIFICATIONS IN SELECTION PROCESS
4.5. PERFORMANCE STANDARDS DEVELOPMENT PROCESS
5. THE DEFINITION OF MAJOR ACCIDENTS AND SCES
5.1. INTRODUCTION
5.2. DEFINITION OF MAJOR ACCIDENTS
5.3. DEFINITION OF SAFETY CRITICAL ELEMENTS
5.4. DEFINITION OF PERFORMANCE STANDARDS
6. REFERENCES

TABLES
Table 1: Sample of Template to Record SCE Selection
Table 2: Definition of Major Hazards in EPE
Table 3: Safety Critical Element Groups Structural Integrity
Table 4: Safety Critical Element Groups Process Containment
Table 5: Safety Critical Element Groups Ignition Control & Detection Systems
Table 6: Safety Critical Element Groups Protection Systems
Table 7: Safety Critical Element Groups Shutdown Systems
Table 8: Safety Critical Element Groups Emergency Response
Table 9: Safety Critical Element Groups Lifesaving Appliances
Table 10: Other Systems to Consider as Possible SCEs

FIGURES
Figure 1: Relationship Between Integrity Barriers and Typical SCEs
Figure 2: Failure of Integrity Barriers Leading Directly to Major Accidents
Figure 3: Relationship between the Major Accidents and Failure of the Key Barriers
Figure 4: Lifecycle Management of SCEs
Figure 5: Relationship Between Major Accidents and Risk Assessment Matrix

APPENDICES
APPENDIX A DETAILED GUIDANCE FOR SELECTION OF SAFETY CRITICAL ELEMENTS (SCES)
APPENDIX B PERFORMANCE STANDARD TEMPLATE
APPENDIX C GLOSSARY OF ABBREVIATIONS AND DEFINITIONS


1. INTRODUCTION
This document describes the process by which Shell Exploration and Production Europe (EPE)
selects the Safety Critical Elements (known as SCEs) for onshore facilities and offshore installations
(both referred to as installations in this document). The term Safety Critical Element also covers
items that may be critical to health or the environment. This document also describes the process by
which the Performance Standards for the SCEs are determined. The basis for the selection of SCEs
and Performance Standards is the assessment of Major Accidents identified in each installation HSE
case or those documents that support the case.

Major Accidents
Major Accidents are those events that have the potential to lead to multiple fatalities and/or major
environmental damage, and include such hazards as:
- A release of hydrocarbons that could lead to fires or explosions.
- A release of hazardous or toxic materials e.g. H2S.
- Major damage to the structural integrity of an installation, including ship collision.
- Major damage causing loss of stability of an installation.
- Helicopter collision.
- Other incidents including health issues that may lead to multiple fatalities and/or major environmental damage.
It is not the intention of the SCE Management Processes to cover all HSE hazards, particularly those
relating to:
- occupational or workplace activity hazards which may in the worst case scenario lead to a single fatality;
- environmental hazards of low severity.

Safety Critical Elements


SCEs are defined as those items of equipment or structures whose failure could lead to a Major
Accident or whose purpose is to prevent or limit the consequences of a Major Accident.
The SCE Management Processes only deal with installation hardware and equipment related
software or logic systems and do not include safety management systems, processes and
procedures. These are dealt with elsewhere under the scope of the EPE Corporate Management
System (CMS).

SCE Selection
This document provides detailed guidance on the selection of SCEs, and outlines the equipment and
structures that are expected to be SCEs for most installations. The aim of this guidance is to ensure
that as far as reasonably practicable there is a common basis for the selection and scope of SCEs in
EPE.
The equipment and structures that are expected to be Safety Critical for all installations (where
installed) are presented in Table 3 to Table 9. This is based on current understanding of hazard
management and the existing list of SCEs in EPE. Other systems which might potentially be SCEs
are identified in Table 10. For each of the SCEs identified in these tables detailed guidance on the
expected scope of the SCE at sub-system or component level is given in Appendix A.

Performance Standards
A Performance Standard is a statement of the performance required of an SCE, which is used
as a basis for managing the hazard. Each SCE has a Performance Standard.
Performance Standards can be applied to persons and procedures as well as hardware systems and
items of equipment, though this document deals only with Performance Standards for installation
hardware and software logic systems.

Performance Standard Development


This document provides detailed guidance on the method for developing Performance Standards.
The aim of this guidance is to ensure that as far as reasonably practicable there is a common
approach for the development of Performance Standards in EPE.


Expert Panel Review


Each installation will require an installation specific review with input from the Assets, HSE Experts
and the relevant Technical Authorities to determine the exact scope of SCEs for each installation and
their appropriate Performance Standards. The review should be based on the assessment of Major
Accidents in the HSE Case and the understanding of the role that each potential SCE has in
managing the risks associated with these accidents. The deliverable will be an Installation Register
of SCEs and a suite of Performance Standards.
Different installations have different hazard management strategies, equipment, operations or
hazards; therefore the list of SCEs and Performance Standards for each installation will be unique.
Each EPE region will have its own set of regulations which must be followed. This guidance
document is designed to assist in satisfying the various regulatory requirements in place for each
region. Generally, managing the Major Hazards by ensuring that sufficient integrity barriers remain in
place at all times will go much of the way to satisfying the regulations in all EPE regions.


2. THE ROLE OF SCES IN MANAGING HSE HAZARDS


It is necessary to identify SCEs to ensure that there is a clear understanding of which systems and
structures are important in managing the risks associated with Major Accidents and to establish
systems which allow the performance of SCEs to be established throughout their lifecycle.
Once the SCE has been identified it is necessary to define its critical function in terms of a
Performance Standard. Based on the Performance Standard, assurance tasks can be defined in the
maintenance system to ensure that the required performance is confirmed. By analysing the data in
the maintenance system confidence can be gained that all the SCEs required to manage Major
Accidents are functioning correctly. Alternatively, corrective actions can be taken to restore the
integrity of the systems if deficiencies are identified.
The Shell Group [Ref.1] and most state legislative systems in EPE require a documented HSE Case
to be developed and maintained for each installation. As a part of this process the Major Accident
Hazards and the barriers required to prevent or manage these hazards are identified and assessed.
The role of barriers in preventing, or limiting the consequences of, a Major Accident is often depicted
in the so-called Swiss Cheese Model shown in Figure 1. It shows the SCEs represented as the
following types of generic barriers between safe operations and Major Accidents:
- Structural Integrity
- Process Containment
- Ignition Control
- Protection Systems
- Detection Systems
- Shutdown Systems
- Emergency Response
- Lifesaving
Each barrier will consist of one or more of the SCEs.
Each barrier is shown in Figure 1 with a number of small holes in it that represent some degradation
of the barrier's performance or integrity. On their own these degradations may not be significant but if
the holes line up in a certain way there may be no effective barriers in place between safe operations
and Major Accidents.
The point of the illustration is to indicate the importance of maintaining the integrity of all the barriers,
so that what might be considered to be relatively small faults in individual barriers do not combine
together in an unforeseen manner that compromises the ability of the barriers to prevent a Major
Accident from occurring or their ability to control it.
It is worth noting that it is not necessary for all 8 barriers to fail to lead to a Major Accident. Failure of
a single barrier such as the Structural Integrity or Process Containment barrier can lead directly to a
Major Accident as shown in Figure 2. Also, failure of Process Containment and Ignition Control leads
to different consequences than just loss of containment. Once these barriers have failed, failure of
the remaining barriers is likely to lead to worsening consequences. The relationships between these
barriers and the other Major Accidents are shown in Figure 3.


3. MANAGEMENT OF SCES
3.1. OVERVIEW OF MANAGEMENT PROCESSES
The main processes required to identify SCEs and ensure that they achieve the required
performance during their lifecycle are shown in Figure 4.
The process starts with the HSE studies that support the installation HSE Case. The studies contain
information on the Major Accidents that could occur and the systems and equipment that are in place
to manage the risks from these events. This information plus other sources is used to help identify
the SCEs which have a significant role in the prevention, control, mitigation or recovery from Major
Accidents.
For each SCE the required performance in preventing, controlling, mitigating or recovering from Major
Accidents is determined and recorded in a written Performance Standard. The Performance
Standard also provides clear criteria to determine whether an SCE has achieved or failed its required
performance based on the results of assurance activities.
If an SCE fails to achieve its Performance Standard then the Installation team will take measures to
manage the increased risk, either through pre-determined contingency actions or by agreeing appropriate
actions after consultation with others if necessary.
The information stored in SAP PM from Performance Standard assurance routines can be reviewed
to determine whether there are any trends in operational performance that need remedial action. It
may also highlight areas where either the Performance Standards or the assurance tasks need to be
amended.

3.2. SCE AND PERFORMANCE STANDARD MANAGEMENT PROCEDURE


In order to ensure that SCEs are appropriate and suitable for their intended use throughout their
lifecycle, it is necessary to identify key roles and responsibilities for each stage of the SCE
management process outlined above.
The Asset Leaders are accountable for ensuring that all SCEs on their installations have been
identified and that suitable measures are in place to manage the performance of the SCEs during
their lifecycle. To assist the Asset Leaders in delivering their accountabilities a number of different
functions and disciplines in the organisation are responsible for activities within each stage of the
management process.
The activities and roles associated with the management of SCEs and Performance Standards are
described in EPE-WI-TI-01-01 [Ref.2]. The work instruction identifies that the Technical Authorities
are involved in ensuring that the correct SCEs are selected and that appropriate Performance
Standards and assurance activities are in place. A register of which TA is responsible for which SCE
is maintained by the owner of the Technical Authority system. This register can be found in the
Facilities Status Report (FSR) system.

3.3. MANAGEMENT OF CHANGE


Once the SCEs for each installation have been defined, and a register of SCEs produced, the
register needs to be maintained to reflect any changes that might occur as a result of:
- new equipment which is added to the installation;
- redundant equipment which is decommissioned or taken out of service;
- changes in our understanding of the hazards or the systems needed to manage them;
- changes in process operating conditions, e.g. operating pressures and temperatures which might affect the list of SCEs.
The rationale for changes to the SCE Register should be recorded to ensure there is a suitable audit
trail.
It is also important to manage changes to the Performance Standards in a similar manner to the SCE
Register. The Technical Authorities are responsible for assessing and approving any changes to the
Performance Standards in consultation with others.
Changes to SCEs and Performance Standards are covered in EPE-WI-TI-01-01 [Ref.2] which
includes a pro-forma for the recording of changes to either SCEs or Performance Standards.


4. SELECTION OF SCES AND DEFINITION OF PERFORMANCE STANDARDS


4.1. OVERALL PROCESS
The main purpose of this document is to provide guidance on the selection of SCEs and definition of
associated Performance Standards. Therefore the process of selecting SCEs and PSs is described
below in detail. The key steps are as follows:
1. Collate information on Major Accidents and current SCEs and PSs from existing
documentation included in the HSE Case or supporting documents.
2. Collate or ensure access to other relevant installation documentation, such as layout
drawings, process flowsheets, operating procedures.
3. Convene an Expert Panel to select SCEs and define PSs.
4. Using the generic list of SCEs provided in Table 3 to Table 10 identify those that are
appropriate to the installation and discuss the role of each SCE and its effect on managing
the risks associated with one or more of the Major Accidents. From this, determine the
appropriate SCEs for the installation.
5. For each SCE, use the detailed guidance provided in Appendix A to determine the precise
scope (i.e. the Safety Critical sub-systems or components) of the SCE.
6. Record the key points of the discussion including the scope of the SCEs on the template in
Table 1.
7. Define the Performance Standard goal of the SCE appropriate to its role in a Major Accident.
8. Define the Performance Standard functional requirements of the SCE in terms of
Functionality, Availability, Reliability, Survivability and Dependencies. Set clear and
measurable pass / fail criteria against each requirement.
9. Against each functional requirement, define a clear set of contingency actions to be taken in
the event of a failure.
10. Record the requirements on the Performance Standard template in Appendix B
Performance Standard Template.
11. Issue to key stakeholders for review and comment.
12. Manage change to the SCE Register and Performance Standards in accordance with
EPE-WI-TI-01-01 [Ref.2].

4.2. COMPOSITION AND ROLES OF EXPERT PANEL TO SELECT SCES


It is recommended that the identification of SCEs and definition of PSs is performed as a
multi-discipline exercise to ensure all relevant factors are taken into account when developing the SCE
Register for each installation. The process of identifying SCEs and developing PSs requires a
knowledge of the role of the SCE, its basis of design and an awareness of the contribution it makes
to the level of risk on the installation. As such, experienced personnel from the following disciplines
should be involved in the process:
- Facilitator: to facilitate the expert panel. May also perform another role on the panel.
- Secretary: to record reasons for selection or rejection of items, scope of SCEs and Performance Standard requirements.
- Technical Safety and Environmental Experts: to provide information on Major Accidents, SCEs and Performance Standards included in hazard and risk assessments that support the HSE case and to provide interpretation of local legislative requirements or practices.
- Asset Representative: to provide details on current operational arrangements and ensure ownership of the SCE Register and Performance Standards document developed for the Asset.
- Offshore Representative: to provide detailed working knowledge of the installation equipment and its operating conditions.
- Technical Authorities: to ensure the scope of the SCEs in their area of responsibility is correct and that a consistent approach is taken across the Assets. To ensure that the Performance Standards are SMART (Specific, Measurable, Achievable, Realistic and time-based).
It is important that the outcome of the exercise is well documented, so that it is clear why items were
accepted or rejected as SCEs, and the basis for definition of the detailed Performance Standard
requirements.

4.3. SCE SELECTION AND DOCUMENTATION PROCESS


Once the SCEs have been identified from the generic EPE lists in Table 3 to Table 9 it is necessary
to identify the sub-systems or component parts that are Critical. This should be done using the
detailed guidance provided in Appendix A Detailed Guidance for Selection of Safety Critical
Elements (SCEs).

In addition to the SCEs listed in Table 3 to Table 9 there is another set of potential SCEs presented
in Table 10. These should also be reviewed to determine whether any of the systems in this list are
Critical for a particular installation. Bearing in mind that the intent of the SCE philosophy is to
concentrate on the most important systems within each integrity barrier, it is necessary to distinguish
between systems that make a significant contribution to managing the risk from a particular hazard and
those whose contribution is small enough to be discounted.
Following completion of the review of the SCEs in Table 3 to Table 10 and identification of the
detailed SCEs at component / sub-system level it is necessary to consider whether there are any
other SCEs for a particular installation. The following questions cover the definition of an SCE:
- Does the system / equipment prevent or limit the effect of a Major Accident?
- Would failure of the system / equipment cause or contribute substantially to a Major Accident?
Other questions which might affect the discussion are:
- Are there specific local regulatory requirements or expectations for specific barriers and SCEs?
- Are there other SCEs which are considered to be good practice within the region or wider industry?
- Are there specific features of the design and operating philosophy of an installation which mean that specific equipment or systems should be SCEs?
- Does the risk of the hazard require redundancy or diversity in the SCEs to adequately manage the hazard?
If an additional SCE is identified the reasons for its inclusion should be documented as part of the
selection process.
The discussion of each SCE and its role in managing the risks from the Major Accidents should be
recorded in the SCE Register template.
This has been structured around the SCEs included in Table 3 to Table 10 and provides space to list
the components or sub-systems that are SCEs based on the guidance in Appendix A. Once the
template has been completed it will form a basis from which changes to SCEs can be controlled.
A section of the template is presented in Table 1.
Once the SCE Register has been compiled it should be issued for review and comment by all
stakeholders.
In the UK the Independent Competent Person (ICP) will also review the list of SCEs and any
changes made to it to ensure that the SCEs are appropriate under a verification work instruction.
The activities and roles associated with the selection of SCEs are described in [Ref.2],
Management of Safety Critical Elements and Performance Standards.

4.4. USE OF IPF/SIL CLASSIFICATIONS IN SELECTION PROCESS


For certain systems, the Instrumented Protective Function (IPF) / Safety Integrity Level (SIL)
classification can be used to determine whether or not a component is Safety Critical.
Classification of functions is done in accordance with the Shell DEP - Classification and
Implementation of Instrumented Protected Functions [Ref. 3]. However, the use of the SIL
methodology based on IEC 61508 [Ref.4] is also acceptable. Typical SCEs that may have been
subject to IPF assessment are as follows:
- ESD System,
- ESD Valves,
- Fire and Gas Detection,
- Blowdown Valves,
- Relief Valves,
- Accommodation HVAC Fans and Dampers.
The IPF Classification methodology is a process by which each loop or function is subjected to a risk
assessment which applies a demand frequency and consequence of failure to derive an overall IPF
Class. The consequences are based on three categories:
- Impact on Personnel Safety
- Environmental Impact
- Economic Impact


The class is used to determine the design configuration and the test interval for the function. The IPF
Classification scale ranges from I to VI (SIL 0 to 3) with the higher IPF/SIL class referring to the more
critical loop or function.
Generally, elements should be considered Critical if the consequence of failure could result in a loss
of containment that could ultimately cause death or serious injury to one or more persons, or an
environmental incident of severity 4 or 5 on the Risk Assessment Matrix (Figure 5). This corresponds
to an IPF Personnel Safety Class of S2 (1 fatality) or higher and/or an
Environmental Class of E2 (1 tonne liquid / 4 scf gas). However, it is currently not practical to assess
a large number of functions against their Personnel Safety Class or Environmental consequences
alone as the IPF Class is also based on demand frequency. Therefore, since most functions of
overall IPF Class III (SIL 1), or above, are safety driven, then for ease of identification, it is suggested
that all functions of IPF Class III (SIL 1) and above are deemed as Critical.

4.5. PERFORMANCE STANDARDS DEVELOPMENT PROCESS


Once the SCEs have been selected, it is necessary to develop detailed performance requirements for them in the form
of Performance Standards. A Performance Standard is a statement of the performance required of
an SCE, which is used as a basis for managing the hazard. Each SCE described in Appendix A
will have its own Performance Standard.
A Performance Standard should state the overall goals of the SCE. The goals will be aligned with the
role that the SCE has in a Major Accident. From the goals, detailed performance criteria can be
developed.
Performance Standards can be split into two distinct areas:
- Design, Construction and Commissioning
- Operational Inspection, Maintenance and Testing
Performance Standard criteria are specified in terms of five general headings. These are:
- Functionality. What must the SCE achieve to fulfil the goals?
- Availability. When would the SCE be required to function?
- Reliability. What is the minimum allowable failure rate of the SCE?
- Survivability. Will it work when required?
- Dependencies. Which other systems are required to work for the SCE to meet its Performance Standard?
Each functional requirement in terms of the above categories should be linked to one or more
assurance tasks. An assurance task is an activity carried out by the operator to confirm that the SCE
meets, or will meet, its Performance Standard. Examples of assurance tasks for design, construction
and commissioning activities are HAZOP studies, design IDCs, IPF reviews, review and approval of
design drawings, sign-off of construction workpacks, and sign-off of commissioning dossiers.
Examples of assurance tasks for operational activities are inspection routines, maintenance
activities, test routines and reliability monitoring. The process of developing the Performance
Standards will require a knowledge, amongst other things, of the assumptions in the installation risk
model, the magnitude of fire and explosion events and reliability of the various SCEs.
The link between QRA and reliability must be demonstrated by including system reliability targets for
those systems where credit is claimed in the QRA. The structure of some of the QRA models is such
that it may only be practicable to include a figure for a complete system rather than the separate
components (e.g. the overall deluge system may have a nominal reliability figure, but is made up of
various components such as fire pumps, firewater ring main, deluge valves, etc.). Some reliability
figures may come from systems that have been subject to IPF classification (see 4.4). Sufficient
detail should be included in the reliability / availability section of the Performance Standard to enable
monitoring of the actual reliability based on SAP records.
The magnitude of fire and explosion loads on each installation will be different and this may
determine different approaches to the survivability of components or whole systems. Supporting
studies should be used, where available, to provide the input into the survivability requirements.
Each Performance Standard requirement should have clear pass / fail criteria. The value should be
specific and measurable and should reflect the outcome of the Major Hazard assessment in the HSE
Case.
Each Performance Standard requirement should specify a set of contingency actions that are to be
invoked if an SCE fails its pass / fail criteria. The contingency actions should be clear and specific
and are the means for managing the additional risk caused by the SCE failure. As a minimum they
should specify the essential measures to be implemented following detection of a failure.
An example of a Performance Standard template is shown in Appendix B, Performance Standard
Template.
The activities and roles associated with the development of Performance Standards are described in
EPE-WI-TI-01-01 [Ref.2].
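The rules above (five headings, at least one assurance task per requirement, clear pass / fail criteria, contingency actions, and reliability monitored from test records) can be checked mechanically. The following is an added illustration and not part of this DEP: the record layout, field names, the form of the reliability target and all sample values are constructed assumptions; only the identifiers PS001 and PS004 come from Table 6.

```python
from dataclasses import dataclass
from typing import List, Optional

# The five general headings for Performance Standard criteria.
HEADINGS = ("Functionality", "Availability", "Reliability",
            "Survivability", "Dependencies")


@dataclass
class Criterion:
    heading: str                    # one of HEADINGS
    requirement: str
    pass_fail: str                  # specific, measurable acceptance statement
    assurance_tasks: List[str]      # activities confirming the criterion is met
    contingency_actions: List[str]  # invoked when the pass / fail criterion fails


@dataclass
class PerformanceStandard:
    sce_id: str
    goal: str
    criteria: List[Criterion]
    # Assumed form of the reliability target: largest tolerated fraction of
    # failed function tests.
    max_failure_fraction: Optional[float] = None


def completeness_findings(ps):
    """List the gaps between one Performance Standard and the rules above."""
    findings = []
    covered = {c.heading for c in ps.criteria}
    for heading in HEADINGS:
        if heading not in covered:
            findings.append(f"{ps.sce_id}: no criterion under {heading}")
    for c in ps.criteria:
        where = f"{ps.sce_id}/{c.heading}"
        if c.heading not in HEADINGS:
            findings.append(f"{where}: unknown heading")
        if not c.pass_fail.strip():
            findings.append(f"{where}: no pass / fail criterion")
        if not c.assurance_tasks:
            findings.append(f"{where}: no assurance task linked")
        if not c.contingency_actions:
            findings.append(f"{where}: no contingency actions")
    if "Reliability" in covered and ps.max_failure_fraction is None:
        findings.append(f"{ps.sce_id}: reliability target is not numeric")
    return findings


def assess_reliability(ps, test_records):
    """Compare the observed test failure fraction with the target."""
    results = [r["passed"] for r in test_records if r["sce_id"] == ps.sce_id]
    if ps.max_failure_fraction is None or not results:
        # A missing target or an empty test history is reported, never passed.
        return {"status": "NO DATA", "tests": len(results),
                "observed": None, "contingency": []}
    observed = results.count(False) / len(results)
    failed = observed > ps.max_failure_fraction
    actions = [a for c in ps.criteria if c.heading == "Reliability"
               for a in c.contingency_actions] if failed else []
    return {"status": "FAIL" if failed else "PASS", "tests": len(results),
            "observed": observed, "contingency": actions}


# Constructed sample data (illustrative values, not taken from the standard).
DELUGE = PerformanceStandard(
    sce_id="PS001", goal="Mitigate the effects of fires",
    max_failure_fraction=0.05,
    criteria=[
        Criterion("Functionality", "Deliver water to the protected area",
                  "Flow at the most remote nozzle meets the design rate",
                  ["Wet test"], ["Restrict hot work"]),
        Criterion("Availability", "Available while hydrocarbons are present",
                  "No unapproved isolation in place",
                  ["Isolation register check"], ["Raise deviation"]),
        Criterion("Reliability", "Deluge valve opens on demand",
                  "Failed tests <= 5% of tests", ["Deluge valve function test"],
                  ["Repair before restart", "Provide temporary fire cover"]),
        Criterion("Survivability", "Pipework survives the design explosion load",
                  "Supports intact on inspection",
                  ["Support inspection"], ["Engineering assessment"]),
        Criterion("Dependencies", "Needs firewater pumps and ringmain",
                  "PS004 and PS005 standards met",
                  ["Cross-check PS004 / PS005 status"], ["Treat as deluge failure"]),
    ])

# Deliberately incomplete standard, to show what the check reports.
PUMPS = PerformanceStandard(
    sce_id="PS004", goal="Provide firewater to end users when required",
    criteria=[Criterion("Reliability", "Pump starts on demand", "", [],
                        ["Start standby pump"])])

# Constructed test history: 20 function tests of PS001, two of them failed.
RECORDS = ([{"sce_id": "PS001", "passed": True}] * 18
           + [{"sce_id": "PS001", "passed": False}] * 2)

if __name__ == "__main__":
    for finding in completeness_findings(PUMPS):
        print(finding)
    print(assess_reliability(DELUGE, RECORDS))
```

An SCE with no test history is reported as NO DATA rather than passed, so a gap in the maintenance records cannot be read as evidence of reliability.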


5. THE DEFINITION OF MAJOR ACCIDENTS AND SCES


5.1. INTRODUCTION
The definitions of Major Accidents and SCEs cause confusion as there is no equivalent terminology
in the Shell Group. This section aims to provide further explanation to the descriptions already
provided.

5.2. DEFINITION OF MAJOR ACCIDENTS


A Major Accident needs to have the potential to result in consequences classed as severity 4 or 5 on
the group Risk Assessment Matrix [Ref.5], see Figure 5. However, if all severity 4 accidents were
included this would include occupational or workplace activity hazards such as:
- Trips, falls, etc.
- Electrocution, man overboard incidents, etc.
- Individual impact injuries from lifting operations or dropped objects.
These hazards are not considered to be Major Accidents, requiring management by the use of the
SCE process. Inclusion of the safety systems for these hazards would potentially result in all safety
related systems becoming SCEs. This is not the intention of the SCE philosophy.
Also, security hazards and terrorist threats are not included as major hazards in EPE HSE Cases.
This issue of defining Major Accidents (with respect to personnel safety) was addressed by the
International Association of Drilling Contractors (IADC) [Ref.6] when they developed guidance on the
development of an HSE Case that would be applicable for a Mobile Drilling Unit (MODU) operating in
any of the North West Europe Coastal States.
The IADC decided to adopt the UK legal definition as it is the most appropriate one in the region and
meets the requirements of other states. The UK legal definition of a Major Accident Hazard Offshore
is given in the UK Offshore Safety Case Regulations (SCR) [Ref.7].
Based on the UK legal definition the EPE interpretation of what constitutes a Major Accident for use
Onshore and Offshore is as follows:
- A fire, explosion or release of a dangerous substance that could kill or seriously injure one or more persons.
- An event involving major damage to the installation structure.
- An event involving loss of stability of the installation, including failure of the mooring system.
- An event involving major subsidence. For onshore installations, this may be either to the installation itself, or to adjacent land.
- Collision of a helicopter, ship, road or rail tanker with the installation.
- Failure of diving life support systems, or detachment of a diving bell or a subsea diving chamber.
- Any other event involving death or serious injury to five or more persons.
In terms of environmental hazards, the guidance published by the UK Department of Environment,
Transport and the Regions [Ref.8] on identifying Major Accidents to the environment is used to define a
Major Environmental Hazard.
The interpretation of what constitutes a Major Environmental Hazard for use Onshore and Offshore in
EPE is as follows:
- An event with the potential to pose knock-on threats to human health by contamination of food or drinking water or impacts on sewage treatment regimes.
- An event with the potential to affect large areas of land designated for conservation, amenity or planning purposes. Large in an ecological sense may include extensive agglomerations of fragmented habitats.
- An event with the potential to be long-term or persistent and/or inhibit natural processes of regeneration.
- An event with the potential to be severe by causing significant permanent or long-term damage to the ecosystem (direct, indirect, or knock-on), such as reduced biodiversity of protected habitats (including local or national extinctions of protected species), or destruction/reduction in quality of a significant proportion of the area of a rare habitat.
A summary of the definition of Major Accident and Environmental Hazards for use in EPE is shown in
Table 2.


5.3. DEFINITION OF SAFETY CRITICAL ELEMENTS


The definition of a Safety Critical Element is as follows:
- any structure, plant, equipment, or system the failure of which could cause or contribute substantially to a Major Accident, or whose purpose is to prevent or limit the effect of a Major Accident.
- any structure, plant, equipment or system the failure of which could cause or contribute substantially to a Major Environmental Accident, or whose purpose is to prevent or limit the effect of a Major Environmental Accident.
Safety Critical Elements include structures, plant, equipment, or physical systems, but exclude
procedures or management systems. The term "contribute substantially" is intended to include those
components whose failure would not directly initiate a Major Accident, but would make a significant
contribution to a chain of events which could result in a Major Accident.
An SCE is part of an integrity barrier which is made up of a number of Safety Critical systems. An
SCE may contain a large number of sub-systems or components, some of which have a Safety
Critical function and are therefore SCEs, and others which have no critical function, and are not
SCEs. This can be demonstrated using an ESD system as an example. Not all initiating devices,
such as pressure, level or temperature switches are Safety Critical, as this depends on the IPF
assessment for the function. However, the ESD logic is Safety Critical, as its failure could cause the
loss of any or all critical functions.
Although many items will be Critical (where provided) on every installation, there will be some
variation because of the specific features of the design and operation of the installation.
It is important to note that in order for an element to be deemed as Critical, there must be a clear link
between a Major Accident and the SCE.

5.4. DEFINITION OF PERFORMANCE STANDARDS


From the UK PFEER Regulations [Ref.10] the definition of a Performance Standard is as follows:
A Performance Standard is a statement, which can be expressed in qualitative or quantitative terms,
of the performance required of a system, item of equipment, person or procedure, and which is used
as the basis for managing the hazard e.g. planning, measuring, control or audit through the life
cycle of the installation.
Each SCE requires a Performance Standard which consists of a set of functional criteria that should
be specific and measurable. The functional requirements should have clear and measurable pass /
fail criteria. Each Performance Standard will contain elements of design, construction, commissioning
and operation of the SCE. The functional criteria will be defined in terms of Functionality, Availability,
Reliability, Survivability and Dependencies. The Performance Standard should contain a set of
contingency actions to be taken in the event of a failure of an SCE to meet its functional performance
criteria.


6. REFERENCES
1. EP95 0310 HSE Case, Shell Exploration and Production, 1995 (to be replaced by EP2005-0310 in 2005).
2. Identify and Maintain Safety Critical Elements and Performance Standards, Shell Exploration and Production EPE work instruction EPE-WI-TI-01-01.
3. Classification and Implementation of Instrumented Protective Functions, Shell Design and Engineering Practice (DEP 32.80.10.10-Gen).
4. Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems (BS IEC 61508), ISBN 0580378497.
5. Shell Health, Safety and Environment Panel, Risk Assessment Matrix, Issue 2.0, April 1999.
6. North West European HSE Case Guidelines for MODUs, IADC NSC, Issue 1, Feb 2003.
7. Health and Safety Commission, A guide to the Offshore Installations (Safety Case) Regulations 1992, L30 Guidance on Regulations, Second edition 1998, ISBN 0717611655.
8. Department of the Environment, Transport and the Regions, Barbour Index Health & Safety Professional Guidance on the Interpretation of Major Accident to the Environment for the Purposes of the COMAH Regulations, June 1999, ISBN 0 11 753501 X.
9. Institute of Petroleum, Model Code of Safe Practice, Part 15: Area Classification Code for Petroleum Installations (IP15).
10. Health and Safety Commission, The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations, Approved code of Practice and Guidance, L65 Guidance on Regulations, First edition 1995, ISBN 0717608743.



Level SCE Integrity Barrier SCE Installation Selection Ref. SAP Functional Description SAP Object Area Assessment Remarks
SCE Name / Component Description Type SCE ? System No. Location (FL) Type
1 SI Structural Integrity
2 SI001 Subsea / Hull / GBS / Foundation Structures Main Yes Doc No.
3 SI001 Subsea Foundations, (including piles and pile guides) M Yes DEP.80.80.00.15.EPE
3 SI001 Primary Jacket and Substructure M Yes DEP.80.80.00.15.EPE
3 SI001 GBS Structure N/A N/A
3 SI001 Vessel Hull Steelwork and Plating (incl. transverse & longitudinal framing, webs, gussets, etc.) N/A N/A
3 SI001 Seawater Drawdown Tank (GBS Structures) N/A N/A
3 SI001 Cathodic Protection M Yes DEP.80.80.00.15.EPE
3 SI001 Secondary Jacket Bracing and Installation Systems P Yes DEP.80.80.00.15.EPE
3 SI001 Riser Guides and Protection P Yes DEP.80.80.00.15.EPE
3 SI001 Conductors and Conductor Guides P Yes DEP.80.80.00.15.EPE
3 SI001 Caissons and Caisson Supports P Yes DEP.80.80.00.15.EPE
3 SI001 GBS Inlet Strainers P Yes DEP.80.80.00.15.EPE
2 SI002 Topside Structures M Yes Doc. No.
3 SI002 Cellar Deck / Module Support Frame M Yes DEP.80.80.00.15.EPE
3 SI002 Module Supports and Trusses M Yes DEP.80.80.00.15.EPE
3 SI002 Bridge Structure and Supports N/A N/A
3 SI002 TR structure (including Framing, Plating, and Supports) M Yes DEP.80.80.00.15.EPE
3 SI002 Topsides Anchor Points (Mooring Load Transfer System) N/A N/A
3 SI002 Cathodic Protection M Yes DEP.80.80.00.15.EPE
3 SI002 Drilling Derrick P Yes DEP.80.80.00.15.EPE
3 SI002 Flare Stack / Boom P Yes DEP.80.80.00.15.EPE
3 SI002 Crane Pedestals P Yes DEP.80.80.00.15.EPE
3 SI002 Helideck and Support Structure P Yes DEP.80.80.00.15.EPE
3 SI002 Lifeboat/TEMPSC davits P Yes DEP.80.80.00.15.EPE
2 SI003 Heavy Lift Cranes M Yes Doc. No.
3 SI003 Pedestal Crane Load Bearing Components M Yes DEP.80.80.00.15.EPE
3 SI003 Crane Boom Limit Alarms and Trips M Yes DEP.80.80.00.15.EPE

Table 1: Sample of Template to Record SCE Selection



Consequence (column headings): Event Alone | Death or Serious Injury (No. of persons): 1 | Death or Serious Injury (No. of persons): 5 | Environmental: *Major / Massive Effect

Event (rows):
- Loss of Containment (Flammable and/or Toxic Gas, or other Hazardous Substance)
- Major Structural Failure
- Loss of Stability
- Dropped Object
- Ship Collision
- Helicopter Crash
- Other Vehicle Collision
- Mooring Failure
- Major Mechanical Failure
- Diving Life Support / Mooring Failure

Legend: marked cells denote Major Hazard.

*Major Effect: Severe environmental damage. The company is required to take extensive measures to restore the damaged environment. Extended breaches of statutory or prescribed limits, or widespread nuisance.
*Massive Effect: Persistent severe environmental damage or severe nuisance extending over a large area. Loss of commercial, recreational use or nature conservancy, resulting in major financial consequences for the company. Ongoing breaches well above statutory or prescribed limits.

Table 2: Definition of Major Hazards in EPE


Table 3: Safety Critical Element Groups - Structural Integrity

Safety / Environmental Hazards (column headings): LoC - Fire; LoC - Hazardous Substance; Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Ship Collision; Air Pollution; Subsidence

Identifier | Title | SCE Role
Structural Integrity
SI001 | Subsea / Hull / GBS / Foundation Structures | Failure of which could cause structural damage, instability of the installation and/or loss of containment.
SI002 | Topsides / Surface Structures |
SI003 | Heavy Lift Cranes |
SI004 | Ballast and Cargo Management Systems | To prevent excessive stress in the hull structure or loss of stability of the vessel during loading/unloading operations.
SI006 | Mooring Systems | Failure of which could cause structural damage, instability of the installation and/or loss of containment.
SI008 | Drilling Systems |


Table 4: Safety Critical Element Groups - Process Containment

Safety / Environmental Hazards (column headings): Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; LoC - Haz. Substance; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Process Containment
PC001 | Pressure Vessels | Prevent a release of hazardous materials.
PC002 | Heat Exchangers |
PC003 | Rotating Equipment |
PC004 | Tanks |
PC005 | Piping Systems |
PC006 | Pipelines |
PC007 | Relief System | To prevent overpressure of the containment envelope.
PC008 | Well Containment | Prevent a release of hazardous materials.
PC010 | Gas Tight Floor (GBS Structures) |
PC011 | Tanker Loading Systems |
PC012 | Helicopter Refuelling Equipment |
PC013 | Wireline Equipment |


Table 5: Safety Critical Element Groups - Ignition Control & Detection Systems

Safety / Environmental Hazards (column headings): Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; LoC - Haz. Substance; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Ignition Control
IC001 | Hazardous Area Ventilation | To prevent flammable gas, toxic gas, or oil mists from accumulating to hazardous levels.
IC002 | Non-Hazardous Area Ventilation | To prevent flammable gas, toxic gas, or oil mists from migrating into the non-hazardous area.
IC003 | Certified Electrical Equipment | To avoid ignition of flammable gas or oil mist.
IC004 | Cargo Tanks Inert Gas System | To prevent build-up of a flammable atmosphere in the cargo tanks.
IC005 | Earth Bonding | To prevent build-up of static charge resulting in a potential ignition source.
IC008 | Miscellaneous Ignition Control Components | To prevent any accumulation of flammable gas from finding an ignition source.
Detection Systems
DS001 | Fire and Gas Detection | To detect hazardous accumulations of flammable gas, toxic gas, or oil mists. To detect fires.


Table 6: Safety Critical Element Groups - Protection Systems

Safety / Environmental Hazards (column headings): Diving System Failure; LoC - Haz Substance; Vehicle/Helicopter Collision; Soil/Groundwater Pollution; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Seawater/River Pollution; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Protection Systems
PS001 | Deluge Systems | To mitigate the effects of fires. Where required, to contribute to reduction in explosion overpressure.
PS002 | Fire and Explosion Protection | To mitigate the effects of fires and explosions.
PS003 | Helideck Foam Systems | To mitigate the effects of helideck fires.
PS004 | Firewater Pumps | To provide firewater to end users when required.
PS005 | Firewater Ringmain | To convey firewater to end users when required.
PS006 | Passive Fire Protection | To mitigate the effects of fires.
PS012 | Sand Filters | To remove sand from the reservoir fluids to reduce erosion rates in the downstream containment envelope.
PS013 | Chemical Injection Systems | To condition the process fluids to avoid excessive degradation of downstream containment envelope and/or reduce levels of toxic gas.
PS014 | Navigation Aids | To provide warning to marine and air traffic.
PS015 | Collision Avoidance Systems | To provide warning of marine traffic which may be a threat to the installation.
PS016 | Meteorological Data Gathering System | To provide meteorological information for use in marine logistics and structural analysis.


Table 7: Safety Critical Element Groups - Shutdown Systems

Safety / Environmental Hazards (column headings): Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; LoC - Haz Substance; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Shutdown Systems
SD001 | Emergency Shutdown System (ESD) | To prevent loss of containment following process upset events. To mitigate the effects of an existing incident.
SD002 | Depressurisation System | To reduce the pressure and envelope in the containment envelope during an incident.
SD003 | High Integrity Pressure Protection Systems (HIPPS) | To prevent overpressure of the containment envelope.
SD004 | Well Isolation | To isolate the well during an incident.
SD005 | Pipeline Isolation Valves | To isolate the pipeline inventory during an incident.
SD006 | Process Emergency Shutdown Valves (ESDVs) | To isolate sections of plant during an incident.
SD007 | Subsea Isolation Valves (SSIVs) | To isolate the pipeline inventory from the riser during an incident.
SD008 | Drilling Well Control Equipment | To isolate the well following an incident during drilling operations.


Table 8: Safety Critical Element Groups - Emergency Response

Safety / Environmental Hazards (column headings): Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; LoC - Haz Substance; Structural Failure; Loss of Stability; LoC - Explosion; Dropped Object; Mooring Failure; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Emergency Response
ER001 | Temporary Refuge / Primary Muster Areas | To provide a safe refuge, a place to muster and/or implement emergency procedures following an incident.
ER002 | Escape and Evacuation Routes | To allow escape and evacuation of personnel following an incident.
ER003 | Emergency / Escape Lighting | To illuminate escape way routes following an incident.
ER004 | Communication Systems | To provide means of communication during an incident and to coordinate emergency response.
ER005 | Uninterrupted Power Supply (UPS) | To ensure power supplies to essential services during an incident.
ER006 | Helicopter Facilities | To provide facilities to ensure safe helicopter operations and to avoid or mitigate the effects of a helicopter collision.
ER007 | Emergency Power | To provide power to essential users and aid recovery from a Major Accident in the event of loss of main power.
ER010 | Open Hazardous Drains System | To remove a flammable or hazardous liquid inventory in a controlled manner to a safe location following a release.
ER011 | Open Non-Hazardous Drains System | To prevent toxic or flammable gas migration to a non-hazardous area following a release.


Table 9: Safety Critical Element Groups - Lifesaving Appliances

Safety / Environmental Hazards (column headings): Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; LoC - Haz Substance; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Lifesaving Appliances
LS001 | Personal Survival Equipment (PSE) | To increase the likelihood of personnel to escape and evacuate the installation following an incident.
LS002 | Rescue Facilities Standby Vessel | To increase the likelihood of rescue and recovery of persons from the sea.
LS003 | Lifeboats / TEMPSC | To provide a means of evacuation for all personnel from the platform independent of external facilities support.
LS004 | Tertiary Means of Escape | To provide a means of evacuation for personnel unable to use helicopter or lifeboats.


Table 10: Other Systems to Consider as Possible SCEs

Safety / Environmental Hazards (column headings): Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; LoC - Haz Substance; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Process Containment
PC015 | Oil-in-(Produced) Water Control | To prevent discharge of unacceptably high levels of oil to sea.
PC016 | Mechanical Handling Equipment | To avoid a dropped object with the potential to breach the containment envelope.
Ignition Control
IC006 | Fuel Gas Purge System | To prevent build-up of a flammable atmosphere in the Flare system.
IC007 | Chemical Tanks Inert Gas Blanket System | To prevent build-up of a flammable atmosphere in tanks containing flammable chemicals.
Detection Systems
DS003 | Water-in-Condensate (Dew-point) Measurement | To prevent unacceptably high levels of water in downstream process and pipelines causing high corrosion rates.


Table 10 (continued): Other Systems to Consider as Possible SCEs

Safety / Environmental Hazards (column headings): Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; LoC - Haz Substance; Electrical Explosion; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Cellulosic Fires; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Protection Systems
PS007 | Gaseous Fire Protection Systems | To suppress or extinguish a fire with the potential to escalate to a Major Accident.
PS008 | Fine Water Spray (FWS) Systems | To suppress or extinguish a fire with the potential to escalate to a Major Accident.
PS009 | Sprinkler Systems | To suppress or extinguish a non-hydrocarbon fire in normally manned areas.
PS010 | Power Management Systems | To protect High Voltage Equipment from overload leading to a fire or explosion.
PS011 | Fixed Foam System | To provide a foam blanket on deluge application to suppress the formation of smoke from pool fires.
Shutdown Systems
SD009 | Utility Air Systems | To avoid out of spec air resulting in failure to depressurise control systems.


Table 10 (continued): Other Systems to Consider as Possible SCEs

Safety / Environmental Hazards (column headings): Vehicle / Helicopter Collision; Soil / Groundwater Pollution; Seawater / River Pollution; Diving System Failure; LoC - Haz Substance; Structural Failure; Loss of Stability; LoC - Explosion; Mooring Failure; Dropped Object; Ship Collision; Air Pollution; Subsidence; LoC - Fire

Identifier | Title | SCE Role
Emergency Response
ER008 | Manual Fire-Fighting Equipment | To provide a means to manually control small fires which may have the potential to escalate to a Major Accident.
ER009 | Process Control & Alarms | To provide indication of process conditions during an incident and plant shutdown.


[Diagram labels: Safe Operation; Escalating Consequences. Typical SCEs shown under each integrity barrier:]
Structural Integrity: Subsea / Foundation Structures; Topsides / Surface Structures; Heavy Lift Cranes; Mooring Systems; Drilling Systems
Process Containment: Pressure Vessels; Heat Exchangers; Rotating Equipment; Tanks; Piping Systems; Pipelines; Well Containment; Gas Tight Floor; Tanker Loading; Helicopter Refuelling Equipment
Ignition Control: Haz. Area Ventilation; Non-Haz. Area Ventilation; Certified Electrical Equipment; Cargo Tanks Inert Gas System; Earth Bonding
Detection Systems: Fire & Gas Detection
Protection Systems: Deluge Systems; Explosion Protection; Helideck Foam Systems; Firewater Pumps; Firewater Ringmain; PFP; Nav. Aids; Collision Avoidance; Sand Filters; Chemical Injection
Shutdown Systems: ESD; Depressurisation; HIPPS; Well Isolation; Pipeline Isolation Valves; Topsides ESDVs; SSIVs
Emergency Response: Temporary Refuge; Escape & Evacuation Routes; Emergency / Escape Lighting; Communication Systems; UPS; Helicopter Facilities; Open Haz. / Non-Haz. Drains; Em. Power
Lifesaving: PSE; Rescue Facilities; Lifeboats / TEMPSC; Tertiary Means of Escape

Figure 1: Relationship Between Integrity Barriers and Typical SCEs


[Diagram labels: Safe Operation; Structural Integrity; Process Containment; Ignition Control; Do Other Barriers Remain Intact?; Major Accident - Major Structural Damage; Major Accident - Other consequences e.g. fire & explosion; Major Accident - Narcotic or toxic effects; Major Accident - Uncontrolled fire or explosion; Major Accident - Fire or Explosion]

Figure 2: Failure of Integrity Barriers Leading Directly to Major Accidents


[Diagram labels: Fire and/or explosion; Helicopter or vehicle crash; Toxic, narcotic or asphyxiation hazard; Major mechanical failure; Containment failure; Pollution hazard; Dropped object; Structural failure; Subsidence; Mooring failure; Ship or other vessel collision; Loss of stability]

Figure 3: Relationship between the Major Accidents and Failure of the Key Barriers


[Diagram labels: Identification of Major Hazards (HAZID/HAZOP); Assessment of Major Hazards (HSE/Safety Case); Identify HSE Critical Elements; Set Performance Standards; Incorporate PS acceptance criteria into SAP PM routines; SAP PM; Perform tasks; Report results; KPIs; Short Term: Installation Team. Monitor results, manage risk; Long Term: On shore. Review trends and take corrective action; Revisions to Hardware Design; Revisions to SCEs, Performance Standards, or Assurance Tasks; Standardisation, Simplicity, Speed, Sharing]

Figure 4: Lifecycle Management of SCEs


Consequences:

Severity | People | Assets | Environment | Reputation
1 | Slight health effect/injury | Slight damage | Slight effect | Slight impact
2 | Minor health effect/injury | Minor damage | Minor effect | Limited impact
3 | Major health effect/injury | Localised damage | Localised effect | Considerable impact
4 | PTD or 1 to 3 fatalities | Major damage | Major effect | National impact
5 | More than 3 fatalities | Extensive damage | Massive effect | International impact

Increasing likelihood:
A: Never heard of in industry
B: Heard of in industry
C: Has happened in our company
D: Happens more than once per year in our company
E: Happens more than once per year in our location

Risk regions shown on the matrix: Low; Medium; High
Annotation: Hazards that are potential Major Accidents

Figure 5: Relationship Between Major Accidents and Risk Assessment Matrix

APPENDIX A DETAILED GUIDANCE FOR SELECTION OF SAFETY CRITICAL
ELEMENTS (SCES)

A.1. INTRODUCTION
A.2. Subsea / Vessel Hull / GBS / Foundation Structures [SI001]
A.3. Topsides / Surface Structures [SI002]
A.4. HEAVY LIFT CRANES [SI003]
A.5. BALLAST AND CARGO MANAGEMENT SYSTEMS [SI004]
A.6. MOORING SYSTEM [SI006]
A.7. DRILLING SYSTEMS [SI008]
A.8. PRESSURE VESSELS [PC001]
A.9. HEAT EXCHANGERS [PC002]
A.10. ROTATING EQUIPMENT [PC003]
A.11. TANKS [PC004]
A.12. PIPING SYSTEMS [PC005]
A.13. PIPELINES [PC006]
A.14. RELIEF SYSTEM [PC007]
A.15. WELL CONTAINMENT [PC008]
A.16. GAS TIGHT FLOOR [PC010]
A.17. TANKER LOADING SYSTEMS [PC011]
A.18. HELICOPTER REFUELLING EQUIPMENT [PC012]
A.19. WIRELINE EQUIPMENT [PC013]
A.20. OIL-IN-(PRODUCED) WATER CONTROL [PC015]
A.21. MECHANICAL HANDLING EQUIPMENT [PC016]
A.22. HAZARDOUS AREA VENTILATION [IC001]
A.23. NON-HAZARDOUS AREA VENTILATION [IC002]
A.24. CERTIFIED ELECTRICAL EQUIPMENT [IC003]
A.25. CARGO TANKS INERT GAS SYSTEM [IC004]
A.26. EARTH BONDING [IC005]
A.27. FUEL GAS PURGE SYSTEM [IC006]
A.28. CHEMICAL TANKS INERT GAS BLANKET SYSTEM [IC007]
A.29. MISCELLANEOUS IGNITION CONTROL COMPONENTS [IC008]
A.30. FIRE AND GAS DETECTION [DS001]
A.31. WATER-IN-CONDENSATE/GAS (DEW-POINT) MEASUREMENT [DS003]
A.32. DELUGE SYSTEMS [PS001]
A.33. FIRE AND EXPLOSION PROTECTION [PS002]
A.34. HELIDECK FOAM SYSTEM [PS003]
A.35. FIREWATER PUMPS [PS004]
A.36. FIREWATER RINGMAIN [PS005]
A.37. PASSIVE FIRE PROTECTION [PS006]
A.38. GASEOUS FIRE PROTECTION SYSTEMS [PS007]
A.39. FINE WATER SPRAY (FWS) SYSTEMS [PS008]
A.40. SPRINKLER SYSTEMS [PS009]
A.41. POWER MANAGEMENT SYSTEM [PS010]
A.42. FIXED FOAM SYSTEM [PS011]
A.43. SAND FILTERS [PS012]......................................................................................... 68
A.44. CHEMICAL INJECTION SYSTEMS [PS013] .......................................................... 68

A.45. NAVIGATION AIDS (NAVAIDS) [PS014]
A.46. COLLISION AVOIDANCE SYSTEMS [PS015]
A.47. METEOROLOGICAL DATA GATHERING SYSTEM [PS016]
A.48. EMERGENCY SHUTDOWN SYSTEM (ESD) [SD001]
A.49. DEPRESSURISATION SYSTEM [SD002]
A.50. HIGH INTEGRITY PRESSURE PROTECTION SYSTEMS (HIPPS) [SD003]
A.51. WELL ISOLATION [SD004]
A.52. PIPELINE ISOLATION VALVES [SD005]
A.53. PROCESS EMERGENCY SHUTDOWN VALVES (ESDVS) [SD006]
A.54. SUBSEA ISOLATION VALVES (SSIVS) [SD007]
A.55. DRILLING WELL CONTROL EQUIPMENT [SD008]
A.56. UTILITY AIR SYSTEMS [SD009]
A.57. TEMPORARY REFUGE / PRIMARY MUSTER AREAS [ER001]
A.58. ESCAPE AND EVACUATION ROUTES [ER002]
A.59. EMERGENCY / ESCAPE LIGHTING [ER003]
A.60. COMMUNICATION SYSTEMS [ER004]
A.61. UNINTERRUPTED POWER SUPPLY (UPS) [ER005]
A.62. HELICOPTER FACILITIES [ER006]
A.63. EMERGENCY POWER [ER007]
A.64. MANUAL FIRE FIGHTING EQUIPMENT [ER008]
A.65. PROCESS CONTROL AND ALARMS [ER009]
A.66. OPEN HAZARDOUS DRAINS SYSTEM [ER010]
A.67. OPEN NON-HAZARDOUS DRAINS SYSTEM [ER011]
A.68. PERSONAL SURVIVAL EQUIPMENT (PSE) [LS001]
A.69. RESCUE FACILITIES [LS002]
A.70. LIFEBOATS / TOTALLY ENCLOSED MOTOR PROPELLED SURVIVAL CRAFT (TEMPSCS) [LS003]
A.71. TERTIARY MEANS OF ESCAPE [LS004]

A.1. INTRODUCTION

The following guidance should be used for selecting platform-specific SCEs against
the Major Accident Hazards for each installation. Each SCE is broken down into its
component parts and guidance on the Safety or Environmentally Critical function of
each component is provided.

A.2. Subsea / Vessel Hull / GBS / Foundation Structures [SI001]

Safety Critical Subsea / Hull / GBS Structure (Offshore)

All Primary Subsea Structure should be considered Safety Critical. The basis for
selection of Primary Subsea Structure is that failure of any component would
constitute major damage to the structure of the installation and/or loss of stability of
the installation, or cause damage to hydrocarbon containment equipment. In the
case of Floating systems, failure of the hull would cause loss of stability or total loss
of the installation.

Examples of Safety Critical Primary Subsea Structure are as follows:

Foundations, including piles and pile guides

Jacket and Substructure

GBS Structure

Vessel Hull steelwork and plating. This includes transverse and longitudinal
framing, webs and gussets. Cargo tank vents, inlet and discharge valves, sea
chests and discharge stubs are included in SI004 (Ballast and Cargo
Management Systems).

Vessel bulkheads, underwater void spaces and double bottoms.

Where cathodic protection has been provided in the form of sacrificial anodes, these
will be considered Safety Critical unless it can be shown that they are not necessary
for maintaining the integrity of the structure.

For GBS Structures where the cells are required to be held in compression, a
Seawater tank and pipework are provided to prevent leg flooding and ensure
structural integrity. Where provided, this Seawater Drawdown Tank will be
considered Safety Critical unless it can be demonstrated that its failure could NOT
lead to major structural damage, and/or loss of stability of the platform.

Environmentally Critical Subsea / Hull / GBS Structure (Offshore)

In the examples given above, failure could cause a Major Environmental Accident in
terms of loss of platform or storage inventory to the sea.

Safety Critical Foundation Structure (Onshore)

Onshore, concrete foundations that support Safety Critical vessels and equipment
should be considered Safety Critical.

Environmentally Critical Foundation Structure (Onshore)

As above, concrete foundations that support Safety Critical vessels and equipment
should be considered Safety Critical since their failure could result in a loss of liquid
containment that could contaminate the foundation soil and local groundwater.

Potential Safety Critical Subsea / Hull / GBS Structure (Offshore)

Most Secondary Subsea Structure and some Tertiary Structure may be Safety
Critical. The basis for selection of secondary/tertiary structure, as listed below, is
that either:

Failure could cause a dropped / impacted load on Primary Subsea Structure
resulting in structural failure which would constitute major damage to the
structure of the installation and/or loss of stability of the installation, or

Failure could cause a dropped / impacted load on a hydrocarbon pipeline,
riser, or conductor which could lead to loss of containment and a release of oil
or gas with the potential to cause a fire or explosion resulting in death or
serious injury to one or more persons, or

Failure could cause a malfunction of the conductor cooling system which
could result in structural damage to the GBS due to over temperature (GBS
Inlet Strainers).

Examples of possible Safety Critical Secondary/Tertiary Structure include:

Secondary Jacket bracing and/or Jacket Installation Systems

Riser Guides and Protection

Conductors and Conductor Guides

Caissons and Caisson Supports

GBS Inlet Strainers

Potential Environmentally Critical Subsea / Hull / GBS Structure (Offshore)

All of the above structural elements may be Environmentally Critical for the reasons
stated above.

A.3. Topsides / Surface Structures [SI002]

Safety Critical Topsides Structure (Offshore)

All Topsides Primary Structure should be considered Safety Critical. The basis for
selection of Topsides Primary Structure is that failure of any component would
constitute major damage to the structure of the installation and/or loss of stability of
the installation, or cause damage to hydrocarbon containment equipment.

Examples of Safety Critical Topsides Primary Structure are as follows:

Cellar Deck / Module Support Frame

Module Supports and Trusses

Bridge Structure and Supports

TR Structure, plating (skin) and Supports

Topsides Anchor Points and Topsides Mooring Load Transfer System

Where cathodic protection has been provided in the form of sacrificial anodes, these
will be considered Safety Critical unless it can be shown that they are not necessary
for maintaining the integrity of the structure.

Environmentally Critical Topsides Structure (Offshore)

All of the above structural elements may be Environmentally Critical for the reasons
stated above.

Safety Critical Surface Structures (Onshore)

All structural steelwork that supports Safety Critical vessels and equipment should
be considered Safety Critical. Note that dedicated pipe and equipment supports are
covered under the Performance Standards for PC001 (Pressure Vessels), PC002
(Heat Exchangers), PC003 (Rotating Equipment), PC004 (Tanks), and PC005
(Piping Systems). Additionally, any structure the failure of which could result in
damage to Safety Critical vessels and equipment resulting in loss of containment,
should be considered Safety Critical.

Environmentally Critical Surface Structures (Onshore)

All of the above structural elements may be Environmentally Critical for the reasons
stated above.

Potential Safety Critical Topsides Structure (Offshore)

Most Topsides Secondary Structure and some Topsides Tertiary Structure may be
Safety Critical. The basis for selection of secondary/tertiary structure, as listed
below, is that either:

failure could cause a dropped / impacted load on a hydrocarbon system
which could lead to loss of containment and a fire/explosion with the potential
to cause death or serious injury to one or more persons, or

failure could directly cause the death of five or more persons (e.g. collapse of
the drilling derrick or Flare Tower onto the TR), or

failure could render a critical safety / evacuation system unusable during a
Major Accident (e.g. failure of lifeboat davits).

Examples of potential Safety Critical Secondary/Tertiary Structure include:

Drilling Derrick

Flare Tower/Boom

Crane Pedestals

Helideck and Support Structure

Segregating Blast / Fire Walls (Note that these Structural Elements are
covered under the SCE PS002 (Fire and Explosion Protection))

TEMPSC Davits

Supports for Escape and Evacuation Routes (Note that Escape and
Evacuation Routes are covered under the Performance Standard for ER002
(Escape and Evacuation Routes))

Potential Environmentally Critical Topsides Structure (Offshore)

Most Topsides Secondary Structure and some Topsides Tertiary Structure may be
Environmentally Critical. The basis for selection of secondary/tertiary structure is
that failure could cause a dropped / impacted load on a hydrocarbon system which
could lead to loss of containment of a large inventory into the sea.

A.4. HEAVY LIFT CRANES [SI003]

Heavy Lift Cranes are lifting appliances the failure of which could cause a dropped
load that could result in major structural damage and/or death or serious injury to 5
or more persons. Where lifting operations take place over live hydrocarbon
equipment, failure could cause a dropped load which could puncture the
hydrocarbon envelope leading to loss of containment, fire and/or explosion resulting
in death or serious injury to 1 or more persons.

Safety Critical Heavy Lift Cranes (Offshore)

The Platform Pedestal Cranes should be considered Safety Critical.

This SCE should consist of all load-bearing components of the platform pedestal
crane system whose failure could lead to:

a dropped, uncontrolled lower or swinging load

structural damage to the installation or equipment caused by failure of crane
components, e.g. crane boom

It should also include trips and alarms associated with the crane boom limits of
operation, (where installed).

Environmentally Critical Heavy Lift Cranes (Offshore)

Where lifting operations take place over live hydrocarbon equipment, failure could
cause a dropped load that could puncture the hydrocarbon envelope, resulting in a
loss of liquids to sea.

Safety Critical Heavy Lift Cranes (Onshore)

Large overhead gantry cranes used for lifting over live Safety Critical equipment
should be considered Safety Critical as failure could cause a dropped load which
could puncture the hydrocarbon envelope leading to loss of containment, fire and/or
explosion resulting in death or serious injury to 1 or more persons.

Environmentally Critical Heavy Lift Cranes (Onshore)

Where lifting operations take place over live hydrocarbon equipment, failure could
cause a dropped load that could puncture the hydrocarbon envelope, leading to a
loss of containment with potentially serious environmental impact.

Note that other lifting appliances are covered by SCEs SI008 (Drilling Systems) and
PC016 (Mechanical Handling Equipment).

A.5. BALLAST AND CARGO MANAGEMENT SYSTEMS [SI004]

Ballast and cargo management systems comprise all hardware and control systems
required to:

Ensure stability of the vessel at all times;

Prevent loss of structural integrity by over-stressing the hull during periods of
cargo oil transfer, cargo oil loading and off-loading.

Safety Critical Ballast and Cargo Management Systems

Failure of the Ballast and Cargo Management System could potentially cause loss
of stability of the installation, flooding, or overstressing of the hull structure.

The Safety Critical components should include the following:

Ballast Valves and Actuators,

Ballast Lines,

Ballast Tanks, (these may be included under the SCE PC004 (Tanks)),

Sea Chests,

Inlet Strainers,

Discharge stubs,

Cargo Tank Vents,

Ballast Control Computer (e.g. Loadmaster) and Software,

Cargo and Ballast Control Instrumentation.

Additionally, any other underwater valves and strainers (e.g. cooling water system)
should be considered due to the potential for flooding due to equipment failure.

Environmentally Critical Ballast and Cargo Management Systems

Failure of the Ballast and Cargo Management System could potentially cause loss
of stability of the installation, or overstressing of the hull structure which could lead
to loss of containment from the installation hydrocarbon inventory.

Environmentally Critical components are as above.

A.6. MOORING SYSTEM [SI006]

Safety Critical Mooring System

Where a mooring system is used on a floating installation, the system should be
considered Safety Critical. The Safety Critical components of the mooring system
should include primary load bearing equipment.

The Safety Critical components should include the following:

Anchors and Chains

Chain Table and Chain Stoppers

Turret Structure

Cathodic Protection

Main and Radial Bearings

Mooring Head, Swivels, and Winches

Mooring System Control

The basis for selection of the Mooring System is that failure of a critical component
could result in loss of stability of the installation and damage to hydrocarbon
systems.

Environmentally Critical Mooring System

The mooring system should be considered Environmentally Critical if its failure
could result in a loss of containment from risers resulting in a serious environmental
impact.

A.7. DRILLING SYSTEMS [SI008]

Safety Critical Drilling Systems (Offshore and Onshore)

The drilling lifting system should be considered Safety Critical. Failure could cause
major structural damage, loss of control of the well during drilling operations, or
damage to well related equipment.

Note that currently, impact hazards to personnel on the drill floor during well
operations are considered to be managed by the safety management systems. This
is not included as a Major Accident Hazard in the HSE Cases.

Environmentally Critical Drilling Systems (Offshore and Onshore)

The drilling lifting system should be considered Environmentally Critical. Failure
could cause a well blowout during drilling operations, leading to loss of containment
resulting in serious environmental impact.

The critical components of the Drilling System are as follows:

Top Drive System,

Crown Block,

Travelling Block,

Hoisting Equipment,

Braking System,

Rotary Table,

Iron Roughneck,

Man-riding / Utility Winches,

Interlocks and Limit Switches.

A.8. PRESSURE VESSELS [PC001]

A Safety Critical Pressure Vessel is one that is normally designed, constructed and
installed to a recognised pressure vessel code or standard. This SCE also covers
fired heaters (Boilers) for steam generation. Note that containers that store liquids
on or around atmospheric pressure are regarded as Tanks, and are included under
SCE PC004 (Tanks).

The typical scope of a Safety Critical Pressure Vessel is the pressure-containing
envelope. That is, the vessel shell and supports, and all welded connections or
tappings connected to it, (including all nozzles, instrument and small-bore
appendages) up to and including the first mechanical joint(s).

Safety Critical Vessels

Vessels in the following fluid services are considered Safety Critical because they
provide hydrocarbon / flammable fluid containment under normal operating
conditions. Failure of any component could cause a loss of containment resulting in
a fire, explosion or release of a dangerous substance with potential to cause death
or serious injury to one or more persons.

The Safety Critical fluid services are as follows:

All Process Hydrocarbon Vessels, including those covered by the following
systems:

Oil Production, processing, handling and export

Gas Production, processing, handling and export

Condensate / NGL processing, handling and export

Gas Injection

Fuel Gas, treatment, heating and distribution

Flare Scrubber / KO Drum

Flammable Chemical Treatments rated by IP15 [Ref.9] as class 0, I, II, or III
(2), (e.g. Methanol, Saturated Glycol, Amine)

Steam Generation

Inert Gas Storage. Refer to IC004 (Cargo Tanks Inert Gas System)

Environmentally Critical Vessels

Vessels in the above fluid services are considered Environmentally Critical because
they provide hydrocarbon / flammable fluid containment under normal operating
conditions. Failure of any component could cause a loss of containment resulting in
serious environmental impact.

Potential Safety Critical Vessels

Vessels in the following fluid services may be considered Safety Critical because
they may contain hydrocarbons under abnormal conditions, (e.g. following a
platform trip and failure of an upstream isolation valve(s)). Under these
circumstances the failure of any component could cause loss of containment
resulting in a fire, explosion or release of a dangerous substance with potential to
cause death or serious injury to one or more persons.

These are:

Closed Process Drains System

Produced Water Treatment

Drilling Active Mud System

Potential Environmentally Critical Vessels

Vessels in the above fluid services may be considered Environmentally Critical
because they may contain hydrocarbons under abnormal conditions, (e.g. following
a platform trip and failure of an upstream isolation valve(s)). Under these
circumstances the failure of any component could cause loss of containment
resulting in serious environmental consequences.

Non Safety / Environmentally Critical Vessels

Vessels in the following fluid services are not expected to be Safety or
Environmentally Critical. While these vessels may carry an amount of stored energy
that could cause an injury if someone was in the vicinity of a sudden energy release,
a failure will not cause a fire or explosion, and the material itself is not likely to cause
a serious injury. The fluid stored is not likely to cause a serious environmental
hazard.

Water Injection System,

Air Receivers / Air System,

Hydraulic / Lube Oil (where maximum operating pressure is less than 7
Bar(g)),

All other utility systems not listed under this SCE.

Note: When making the assessment it is important to consider the location of the
vessel with respect to other critical equipment. If failure of the vessel is likely to
damage other equipment and lead to a Major Accident, then it should be considered
as Safety Critical. If there is adequate bunding and drainage to a safe location to
handle the expected volume of liquids, then the equipment need not be considered
Environmentally Critical.

A.9. HEAT EXCHANGERS [PC002]

A Safety Critical Heat Exchanger is one that is normally designed, constructed and
installed to a recognised code or standard.

The typical scope of a Safety Critical Heater or Cooler is the pressure-containing
envelope. That is, the vessel shell, tubes, supports and all welded connections or
tappings connected to it, (including all nozzles, instrument and small-bore
appendages) up to and including the first mechanical joint(s).

Safety Critical Heat Exchangers

Heaters / Coolers in the following fluid services should be considered Safety Critical
because they provide hydrocarbon / flammable fluid containment, and segregation
from non-hydrocarbon (e.g. cooling medium) systems under normal operating
conditions. Failure of any component could cause a loss of containment into the
atmosphere, or into a non-hazardous system, resulting in release or
over-pressurisation, culminating in fire, explosion or release of a dangerous substance
with potential to cause death or serious injury to one or more persons.

Safety Critical Heat Exchangers are as follows:

All Process Hydrocarbon Heaters and Coolers, including those covered by
the following systems:

Oil Production, processing, handling and export

Gas Production, processing, handling and export

Condensate / NGL processing, handling and export

Gas Injection

Fuel Gas, treatment, heating and distribution

Flare Scrubber / KO Drum

Flammable Chemical Treatments rated by IP15 [Ref.9] as class 0, I, II, or III
(2), (e.g. Methanol, Saturated Glycol, Amine)

Environmentally Critical Heat Exchangers

Heat Exchangers in the above fluid services are considered Environmentally Critical
because they provide hydrocarbon / flammable fluid containment under normal
operating conditions. Failure of any component could cause a loss of containment
resulting in serious environmental impact.

Potential Safety Critical Heat Exchangers

Any Heat Exchangers servicing other systems are not likely to be Safety Critical, as
a failure will not cause a fire or explosion, and is not likely to escalate beyond the
immediate area.

Potential Environmentally Critical Heat Exchangers

Any Heat Exchangers servicing other systems are not likely to be Environmentally
Critical, as the fluid will not contain hydrocarbons or harmful substances.

Note: When making the assessment it is important to consider the location of the
heat exchanger with respect to other critical equipment. If failure of the exchanger is
likely to damage other equipment and lead to a Major Accident, then it should be
considered as Safety Critical. If there is adequate bunding and drainage to a safe
location to handle the expected volume of liquids, then the equipment need not be
considered Environmentally Critical.

A.10. ROTATING EQUIPMENT [PC003]

Rotating Equipment covers pumps, compressors, turbo-expanders, and gas
turbines that drive the compressors or alternators for generating electrical power.

The typical scope of a Safety Critical pump, compressor or turbo-expander is the
pressure-containing envelope. That is, the equipment shell up to and including the
suction and discharge flanges or mechanical joints, and all welded connections or
tappings connected to it, (including all nozzles, instrument and small-bore
appendages, and supports). It includes seals and the seal oil system.

Safety Critical Pumps / Compressors / Turbines

Pumps, compressors and turbo-expanders in the following fluid services are
considered Safety Critical because they provide hydrocarbon / flammable fluid
containment under normal operating conditions. Failure of any component could
cause a loss of containment resulting in a fire, explosion or release of a dangerous
substance with potential to cause death or serious injury to one or more persons.

Safety Critical Pumps / Compressors / Turbines are as follows:

All Process Hydrocarbon Pumps, Compressors and Turbo-Expanders,
including those covered by the following systems:

Oil Production, processing, handling and export

Gas Production, processing, handling and export

Condensate / NGL processing, handling and export

Gas Injection

Fuel Gas, treatment, heating and distribution

Flare Scrubber / KO Drum

Flammable or Hazardous Chemical Treatments rated by IP15 [Ref.9] as class
0, I, II, or III (2), (e.g. Methanol, Saturated Glycol, Amine, Acid Systems)

Inert Gas Transfer. Refer to IC004 (Cargo Tanks Inert Gas System)

Steam

Note that the aviation fuel system pumps are covered under the SCE PC012
(Helicopter Refuelling Equipment).

Pumps in the following fluid services should be considered Safety Critical. They
convey liquids that, although normally non-hazardous or non-flammable when
contained at atmospheric pressure and temperature, may, when subjected to
sufficient pressure and temperature, create a flammable mist or liquid spill if
released. If that ignites, it would cause a fire and/or explosion with the potential
to cause death or serious injury to one or more persons. They are:

Diesel fuel pumps, where maximum discharge pressure is above 7 bar(g)

Hydraulic Oil where maximum discharge pressure is above 7 bar(g)

Lube Oil where maximum discharge pressure is above 7 bar(g)

Aero gas turbines, used to drive compressors, turbo-expanders, or HV alternators
should be Safety Critical because failure of a turbine blade may cause the resultant
missile to rupture hydrocarbon-containing equipment in the immediate area. This
would result in a release, which if ignited could cause an explosion and/or fire that
could cause death or serious injury to one or more persons. Turbine blade failure
has been identified as a specific Major Accident Hazard in many of Shell EP
Europe's HSE Cases.

Environmentally Critical Pumps / Compressors / Turbines

Pumps, compressors and turbo-expanders in the above fluid services are
considered Environmentally Critical because they provide hydrocarbon / flammable
fluid containment under normal operating conditions. Failure of any component
could cause a loss of containment resulting in serious environmental consequences.

Potential Safety Critical Pumps / Compressors / Turbines

Pumps / compressors in the following systems may be considered Safety Critical
because they may contain hydrocarbons under abnormal conditions, (e.g. following
a platform trip and failure of an upstream isolation valve(s)). Under these
circumstances the failure of any component could cause loss of containment
resulting in a fire, explosion or release of a dangerous substance with potential to
cause death or serious injury to one or more persons.

The potential Safety Critical pumps / compressors / turbines are:

Closed Process Drains System

Produced Water Treatment

Drilling Active Mud System

Toxic Chemicals

Potential Environmentally Critical Pumps / Compressors / Turbines

Vessels in the above fluid services may be considered Environmentally Critical
because they may contain hydrocarbons under abnormal conditions, (e.g. following
a platform trip and failure of an upstream isolation valve(s)). Under these
circumstances the failure of any component could cause loss of containment
resulting in serious environmental consequences.

Non Safety / Environmentally Critical Pumps / Compressors / Turbines

The following pumps / compressors are not likely to be Safety or Environmentally
Critical. While this equipment may carry an amount of stored energy, a failure will
not cause a fire or explosion, and is not likely to escalate beyond the immediate
area. The fluid stored is not likely to cause a serious environmental hazard:

Water Injection Pumps,

Air Compressors,

Diesel Transfer Pumps (where maximum discharge pressure is below 7
bar(g)),

Hydraulic / Lube Oil transfer pumps (where maximum discharge pressure is
below 7 bar(g)),

Flammable Chemicals NOT rated by IP15 [Ref.9] as class 0, I, II, or III (2),

Any other utility system pump / compressor not listed under this SCE.

Note: When making the assessment it is important to consider the location of the
pump / compressor / turbine with respect to other critical equipment. If failure of the
rotating equipment is likely to damage other equipment and lead to a Major
Accident, then it should be considered as Safety Critical. If there is adequate
bunding and drainage to a safe location to handle the expected volume of liquids,
then the equipment need not be considered Environmentally Critical.

A.11. TANKS [PC004]

The typical extent of a Tank is the envelope that contains the liquid and vapour.
That is, the tank structure, supports, skin and all welded connections or tappings
connected to it, (including all nozzles, instrument and small-bore appendages) up to
and including the first mechanical joint(s).

Safety Critical Tanks

Tanks in the following fluid service should be considered Safety Critical because
they provide hydrocarbon / flammable liquid containment under normal operating
conditions. Failure of any component could cause a loss of containment resulting in
a fire, explosion or release of a dangerous substance with potential to cause death
or serious injury to one or more persons.

The critical fluid services are:

All Process Hydrocarbon Tanks, including those covered by the following
systems, (where applicable):

Oil Production, processing, handling and export

Condensate processing, handling and export

Tanks containing flammable or hazardous chemicals, rated by IP15 [Ref.9] as
class 0, I, II, or III (2), (e.g. Methanol, Saturated Glycol, Amine, Acid Systems)

Note that this scope includes Crude Oil Storage Tanks on FPSOs.

Note that the aviation fuel system tank(s) are covered under the SCE PC012
(Helicopter Refuelling Equipment).

Diesel tanks are treated differently to other vessels because although diesel is
flammable it is not readily ignited unless it is in contact with a hot surface, is at high
pressure, or is in a mist. The risk from Major Accidents involving diesel releases is
assessed in the HSE Case and supporting studies. A diesel storage tank may be
Safety Critical depending on the size of the inventory and its location where a fire
involving the tank contents could cause critical escalation that threatens the TR or
other critical systems required during a Major Accident. Reference to the installation
HSE Case and supporting studies is required to determine which diesel tanks are
Safety Critical. The basis of this selection is that a failure could cause a diesel spill
that, if ignited, would present a significant risk to the TR integrity.

Environmentally Critical Tanks

Tanks in the above fluid services are considered Environmentally Critical because
they provide hydrocarbon / flammable fluid containment under normal operating
conditions. Failure of any component could cause a loss of containment resulting in
serious environmental impact.

Diesel tanks with an inventory greater than 10,000 litres should be considered
Environmentally Critical as a failure could result in that inventory being lost to sea,
or land.

Potential Safety Critical Tanks

Tanks in the following systems may be considered Safety Critical because they may
contain hydrocarbons under abnormal conditions, (e.g. following a platform trip and
failure of an upstream isolation valve(s)), and hence under these circumstances the
failure of any component could cause loss of containment resulting in a fire,
explosion or release of a dangerous substance with potential to cause death or
serious injury to one or more persons. They are:

Closed Process Drains System

Produced Water Treatment

Drilling Active Mud System

Open Hazardous Drains System

Potential Environmentally Critical Tanks

Tanks in the above fluid services may be considered Environmentally Critical
because they may contain hydrocarbons under abnormal conditions, (e.g. following
a platform trip and failure of an upstream isolation valve(s)). Under these
circumstances the failure of any component could cause loss of containment
resulting in serious environmental consequences.

Non Safety / Environmentally Critical Tanks

Tanks containing the following liquids / bulk are not likely to be Safety Critical, as a
loss of containment of the inventory is not likely to cause a fire, explosion or release
of a dangerous substance with the potential to cause death or serious injury to one
or more persons. The fluid stored is not likely to cause a serious environmental
hazard.

Diesel, where stored in relatively small quantities, (e.g. Diesel day/break
tanks), or located in areas where escalation to the diesel inventory is not
critical,

Non-flammable / Hazardous chemicals,

Cooling Medium,

Hydraulic / Lube Oil,

Service (Sea) Water, (unless there are connections to other hazardous
systems which could lead to hazardous material in the service water during
upset or failure conditions),

Domestic Hot Water,

Non-Hazardous Area Open Drains,

Drilling Cement,

Drilling Bulk Storage Tanks,

Any other Utility Systems not listed above.

Note: Tanks containing toxic chemicals should be considered on a case by case
basis. If a release of a toxic material from a tank is likely to present an immediate
risk to one or more persons then it should be considered Safety Critical. If a release
of a toxic material from a tank is likely to result in a serious environmental hazard,
then it should be considered Environmentally Critical.

A.12. PIPING SYSTEMS [PC005]

Critical piping systems will generally be those which may contain flammable or
hazardous fluids under normal or abnormal conditions. The firewater system and
active fire protection system pipework should also be Safety Critical; however, the
scope of these is covered under the SCEs PS001 (Deluge Systems), PS003
(Helideck Foam Systems), PS005 (Firewater Ringmain), and ER010 and ER011
(Hazardous/Non-Hazardous Open Drains).

The typical limit of a Safety Critical piping system is the pressure-containing
envelope between the various items of equipment, for example:

Vessel / Heat Exchanger nozzle mechanical joints,

Pump suction / discharge mechanical joints,

Xmas trees mechanical joints to flowlines, (Note that the Xmas tree and Well
Isolation valves are covered by the SCE SD004 (Well Isolation)).

(Where a Safety Critical and Non-Safety Critical System interface) the first
tested point of isolation, such as an actuated ESDV.

The scope of Safety Critical pipework will be all pipe material, fittings, flanges,
valves, flowlines, instrument tappings, instrument tubing, permanent flexible hoses
and pipe supports. Temporary pipework is managed by the relevant temporary
equipment control procedure.

Safety Critical Piping Systems

The following piping systems should be considered Safety Critical because they
provide hydrocarbon / flammable fluid containment under normal operating
conditions. Failure of any part of the pressure envelope could cause a loss of
containment resulting in a fire, explosion or release of a dangerous substance with
potential to cause death or serious injury to one or more persons. They are:

All Process Hydrocarbon systems, including those covered by the following
systems:

Oil Production, processing, handling and export

Gas Production, processing, handling and export

Condensate / NGL processing, handling and export

Gas Injection

Fuel Gas, treatment, heating and distribution

Relief / Flare / Vent Systems, including flare tips and the flare tip ignition
system. It should be noted that deterioration in the flare tip condition
could lead to excessive radiation or to hazards associated with unignited
gas

Flammable Chemical Injection Systems, rated by IP15 [Ref.9] as class 0, I, II,
or III (2), (e.g. Methanol, Saturated Glycol, Amine)

Steam Generation

Inert Gas Transfer. Refer to IC004 (Cargo Tanks Inert Gas System)

Environmentally Critical Piping Systems

Piping systems in the above fluid services are considered Environmentally Critical
because they provide hydrocarbon / flammable fluid containment under normal
operating conditions. Failure of any component could cause a loss of containment
resulting in serious environmental impact.

Potential Safety Critical Piping Systems

Some pipework in the following systems may be considered Safety Critical. They
convey liquids that, although normally non-hazardous or non-flammable when
contained at atmospheric pressure and temperature, when subjected to sufficient
pressure and temperature, may if released create a flammable mist. Ignition could
cause a fire and/or explosion with the potential to cause death or serious injury to
one or more persons. They are:

Diesel fuel pipework (Topsides), where maximum operating pressure is above
7 bar(g)

Hydraulic Oil (Topsides) where maximum operating pressure is above 7 bar(g)

Lube Oil (Topsides) where maximum operating pressure is above 7 bar(g)

The following piping systems may be considered Safety Critical because they may
contain hydrocarbons under abnormal conditions, (e.g. following a platform trip and
failure of an upstream isolation valve(s), or following liquid spill into the open drains
system), and hence under these circumstances the failure of any component could
cause loss of containment resulting in a fire, explosion or release of a dangerous
substance with potential to cause death or serious injury to one or more persons.
These are:

Closed Process Drains

Produced Water System

Drilling Active Mud System

Open Hazardous Drains System. Refer to ER010 (Open Hazardous Drains)

Potential Environmentally Critical Piping Systems

Piping systems in the above fluid services may be considered Environmentally
Critical because they may contain hydrocarbons under abnormal conditions, (e.g.
following a platform trip and failure of an upstream isolation valve(s)). Under these
circumstances the failure of any component could cause loss of containment
resulting in serious environmental consequences.

Non Safety / Environmentally Critical Piping Systems

The following piping systems are not likely to be Safety Critical. While these
systems may carry an amount of stored energy, a failure will not cause a fire or
explosion, and is not likely to escalate beyond the immediate area. The fluid stored
is not likely to cause a serious environmental hazard:

Water Injection System Vessels,

Air Receivers / Air System Vessels,

Hydraulic / Lube Oil Reservoirs at pressures below 7 bar(g),

Flammable Chemical Treatments NOT rated by IP15 [Ref.9] as class 0, I, II,
or III (2) that pose no immediate risk of serious injury to personnel exposed to
them following an accidental release.

All other systems not referenced in the four above.

Note: When making the assessment it is important to consider the location of the
pipework with respect to other critical equipment. If failure of the piping is likely to
damage other equipment and lead to a Major Accident, then it should be considered
as Safety Critical.

Piping containing toxic chemicals should be considered on a case by case basis.
Release of a toxic material from piping will need to present an immediate risk to one
or more persons to be considered Safety Critical.

A.13. PIPELINES [PC006]

Critical Offshore Pipelines

Safety Critical Offshore Pipelines consist of all offshore pipelines and risers, and all
flexible pipelines and risers, as indicated below, within the 500m zone connected to
the platform.

Critical Onshore Pipelines

Safety Critical Onshore Pipelines consist of all pipelines as indicated below.

Safety Critical Pipeline Systems

The following pipelines should be considered Safety Critical because a failure of any
part of the pressure envelope could cause a loss of containment resulting in a fire,
explosion or release of a dangerous substance with potential to cause death or
serious injury to one or more persons.

Export / Import Crude Oil

Export / Import Gas

Export / Import Condensate / NGLs

Production Reservoir Fluids from remote wells

Any Flammable Chemicals (rated to IP15 [Ref.9] Class 0, I, II, or III(2)) used
for injection into remote wells

Lift Gas

Any J-Tubes that contain risers as listed above

Any pipeline protection, such as concrete mats, or rock-dump.

The limits of an offshore pipeline are from the 500m point away from the installation,
to the first point of automatic isolation (e.g. riser valve) on the platform topsides.

The limits of an onshore pipeline are at the isolation valves at each end of the
pipeline.

Where a pipeline is deemed as Safety Critical, the scope will include any cathodic
protection such as sacrificial anodes or induced current, unless it can be shown that
these systems are not necessary to maintain the minimum wall thickness.

The vent systems associated with flexible risers should be considered Safety Critical
if they provide early detection of deterioration of riser integrity and/or prevent
excessive build-up of pressure between riser layers.

Note that Offshore SSIVs, Offshore Riser Valves and Onshore Pipeline Isolation
Valves are included in SCEs SD007 (Subsea Isolation Valves) and SD005 (Pipeline
Isolation Valves).

Environmentally Critical Pipeline Systems

Pipelines with the above fluid services are considered Environmentally Critical
because they provide hydrocarbon / flammable fluid containment under normal
operating conditions. Failure of the pipeline could cause a loss of containment to
sea or land resulting in serious environmental impact. Additionally, Pipelines
containing chemicals which are considered environmentally hazardous will be
considered Environmentally Critical.

Potential Safety Critical Pipelines

Water Injection pipelines will be Safety Critical if the risk from possible back-flow of
hydrocarbons is assessed to be significant. If back-flow is considered a risk then the
first point of isolation (e.g. manifold isolation valve) will be the limit of the Safety
Critical pipeline.

Potential Environmentally Critical Pipelines

Water Injection pipelines will be Environmentally Critical if the risk from possible
back-flow of hydrocarbons is assessed to be significant.

Note: Pipelines/bundles containing control umbilicals are assessed on a
case-by-case basis, depending on the criticality of the equipment supplied, and the
consequences of loss of control. Generally loss of umbilical function is not Safety
Critical as the control systems are fail-safe. The assessment should consider the
risk from possible backflow of hydrocarbons into control umbilicals. If the fluid in the
umbilical is considered environmentally hazardous then the umbilical should be
considered Environmentally Critical.

A.14. RELIEF SYSTEM [PC007]

Relief Systems are Safety and Environmentally Critical.

The relief system is designed to protect pressure containing equipment from
overpressurisation. The relief system will prevent overpressurisation of vessels,
equipment and/or pipework if the process control system fails to control a process
upset condition. Thermal relief valves are Safety Critical for a different reason in
that they are installed to safely vent fluid inventories in the event of a heat source
impinging on the containment boundary.

Safety / Environmentally Critical relief components comprise

All Pressure, Thermal, Fire Relief Valves, and Bursting Discs (where used)
that satisfy the following conditions:

they form part of a protective layer for any process hydrocarbon system, or,

they form part of any other system overpressure protective system
which has been assessed as IPF Class III / SIL 1, or higher. For more
information on IPF Classification and SCEs, refer to Section 4.4.

Note that the above is likely to include relief valves or bursting discs which protect
utility systems against overpressure from an influx of hydrocarbon due to a loss of
containment (e.g. protection of water systems against heat exchanger rupture).

Note that elements which directly influence the correct functioning of the relief
valves / bursting discs should also be Safety Critical. These would include heat
tracing of RV pilot lines, control valves (where the valve Cv determines the RV
capacity), high pressure trips and non-return valves.

Potential Safety / Environmentally Critical relief components are

Pressure, Thermal, Fire Relief Valves, or bursting discs not covered by the
above.

A.15. WELL CONTAINMENT [PC008]

Generally, Well Containment covers all components that provide an envelope for
containment of well pressure.

Safety Critical Well Containment Equipment

This includes onshore and offshore production and gas injection wells, but for
containment aspects only, would not normally include remote subsea production
wells. For subsea wells loss of containment would not be considered a direct threat
to the safety of the installation or personnel on it. The isolation of production wells,
onshore, offshore topsides, and subsea, should be considered separately and are
covered in SD004 (Well Isolation).

A failure of any Safety Critical component could cause loss of containment leading
to a fire/explosion with the potential to cause death or serious injury to one or more
person(s).

Typical Safety Critical components are as follows:

Xmas Trees (including tree body and all pressure retaining components)

Well Plugs

VR Plugs

Wellheads and all pressure-containing connections

Annulus Side Valves and Annulus Pressure Monitoring

Injection Check Valves / Storm Chokes

Well Test Equipment

Monitoring devices for well conditions, (e.g. Scale, Sand, CO2, H2S, Well
Growth, etc.)

Environmentally Critical Well Containment Equipment

This includes onshore and offshore production and gas injection wells, and remote
subsea production and gas injection wells. For subsea wells loss of containment
would be considered a direct threat to the environment. The isolation of production
wells, onshore, offshore topsides, and subsea, should be considered separately and
are covered in SD004 (Well Isolation).

Typical Environmentally Critical components are as listed above.

Potential Safety Critical Well Containment Equipment

The containment aspects of Subsea Wells are not likely to be Safety Critical. Well
control equipment and components for water injection wells are not considered
Safety Critical, unless there is a credible risk of back-flow of the reservoir fluid to the
water injection pipework. Conductors and conductor guides are covered under the
SCEs SI001 (Subsea/Hull/GBS/Foundation Structures) and SI002
(Topsides/Surface Structures).

Subsea production and gas injection wells are considered Environmentally Critical
as stated above.

A.16. GAS TIGHT FLOOR [PC010]

Safety Critical Gas Tight Floor

For GBS Structures where a gas-tight floor is provided which is intended to prevent
vapours from oil in the storage cells from entering the leg, this will be considered
Safety Critical, unless it can be shown that there is an insignificant risk from
migration of hydrocarbon vapour into the leg.

Potentially Environmentally Critical Gas Tight Floor

The gas tight floor is not likely to be Environmentally Critical unless its failure could
result in a loss of liquid hydrocarbons to the sea.

A.17. TANKER LOADING SYSTEMS [PC011]

Safety Critical Offshore Tanker Loading Systems

Where Crude Oil or Condensate is transferred to a Tanker for transportation, the
Tanker Loading System is likely to be Safety Critical. Failure of the hydrocarbon
envelope could result in a release and/or fire or explosion with the potential to cause
death or serious injury to personnel.

Safety Critical Components of the Offshore Tanker Loading System are as follows:

Cargo Loading Hoses and connections

Cargo Loading Hose Storage and Handling Reel

Mooring Hawser

Note that the cargo transfer pumps should be included in the SCE PC003 (Rotating
Equipment) and the cargo management system is in SI004 (Ballast and Cargo
Management Systems).

Environmentally Critical Offshore Tanker Loading Systems

Where Crude Oil or Condensate is transferred to a Tanker for transportation, the
Tanker Loading System is likely to be Environmentally Critical. Failure of the
hydrocarbon envelope could result in a release and loss of liquids to sea.

Safety Critical Onshore Tanker Loading Systems

For onshore plants where facilities for loading flammable or hazardous products
(e.g. Condensate or LNG) onto road or rail tankers are provided, these will be
Safety Critical. Failure of the containment envelope would result in a release and/or
fire or explosion with the potential to cause death or serious injury to personnel.

Safety Critical components of the Onshore Tanker Loading System are as follows:

Fixed Transfer Pipework

Loading Pumps, Hoses and Couplings

Anti-Static Earthing Devices

Potentially Environmentally Critical Onshore Tanker Loading Systems

For onshore plants where facilities for loading chemicals or other environmentally
hazardous products (e.g. Condensate or LNG) onto road or rail tankers are
provided, these may be Environmentally Critical. When carrying out the
assessment, consideration should be given to the volume of hazardous fluids that
are likely to be lost in the event of a failure.

A.18. HELICOPTER REFUELLING EQUIPMENT [PC012]

Safety Critical Helicopter Refuelling Equipment

Safety Critical Helicopter Refuelling Equipment will consist of all the equipment
required to avoid an uncontrolled loss of containment of helicopter fuel, at any time.
A fuel spill followed by ignition would result in a fire or explosion with the potential to
cause death or serious injury to one or more persons. Additionally, all equipment
that is provided to prevent or detect contamination of the Aviation Fuel is Safety
Critical.

The components of the helicopter refuelling system include the following:

Aviation Fuel Storage Tank.

Aviation Fuel Pipework, including special fittings, hoses and fuelling nozzles.

Aviation Fuel Filters.

Aviation Fuel Pumps.

Potential Environmentally Critical Helicopter Refuelling Equipment

The above helicopter refuelling equipment may be Environmentally Critical if the
inventory of helicopter fuel is considered to be significant in terms of a major
environmental hazard.

A.19. WIRELINE EQUIPMENT [PC013]

Safety Critical Wireline Equipment

Wireline Equipment is considered Safety Critical as failure of a component could
cause a loss of containment from the well. This could result in a fire and/or
explosion with the potential to cause death or serious injury to personnel.

The following components should be considered:

Wireline Lifting / Support Structure (A-Frame)

Wireline Winches and Braking System

Lubricators

Wireline BOPs and Hydraulic Supply

Environmentally Critical Wireline Equipment

Wireline Equipment is considered Environmentally Critical as failure of a component
could cause a loss of containment from the well. This could result in a serious
environmental hazard.

Environmentally Critical components are as listed above.

A.20. OIL-IN-(PRODUCED) WATER CONTROL [PC015]

Oil in Water measurement is not likely to be considered Safety Critical, as failure of
this system alone is not likely to result in a release of large quantities of
hydrocarbons in terms of personnel safety.

Environmentally Critical Oil in Water Control

Although not normally considered Safety Critical, failure of oil in water control /
measurement could result in discharges of liquid hydrocarbons to sea at high levels.
If the failure were to go unnoticed for a prolonged period, this could result in serious
environmental impact.

Components of the Oil-in-Water system to be considered are as follows:

Oil-in-Water Analyser

Routing / Shut-in Valves

Alarms and Trips

A.21. MECHANICAL HANDLING EQUIPMENT [PC016]

Potential Safety / Environmentally Critical Mechanical Handling Equipment

If there is no mechanical handling over live hydrocarbon systems then mechanical
handling equipment is not expected to be Safety or Environmentally Critical.
However, where loads may need to be lifted over live hydrocarbon-containing
equipment, and failure could cause a dropped object with potential to puncture the
hydrocarbon envelope, then the load bearing components of the Mechanical
Handling Equipment should be considered Safety and Environmentally Critical.

A.22. HAZARDOUS AREA VENTILATION [IC001]

Safety Critical Hazardous Area Ventilation is all the equipment provided to prevent
accumulations of flammable or harmful gas that could present a Major Accident
Hazard, within hazardous areas.

The Safety Critical components should include the following

Supply and Extract Ducting.

Fire Dampers.

Fire Dampers Position Indication.

Fans and Supply Motors (including Scour Fans in partial naturally-ventilated
areas).

Control Air Solenoid Valves that activate damper closure.

Fan Control Logic.

Fan Status Indication.

Pressure Relieving Dampers.

Maintenance of Natural air-flow (in Naturally-Ventilated / Partial
Naturally-Ventilated Modules).

Potential Safety Critical components to be considered include the following

If Filter Banks are included in the ventilation system, blockage or high DP across the
banks should be assessed to determine whether reduction of air-flow could
compromise the HVAC Safety Critical performance.

A.23. NON-HAZARDOUS AREA VENTILATION [IC002]

Safety Critical Non-Hazardous Area Ventilation is all the equipment provided to
ensure an environment in the non-hazardous areas is maintained to prevent
flammable or harmful gas migrating from a hazardous area to a non-hazardous
area.

The Safety Critical components should include the following

Supply and Extract Ducting.

Fire Dampers.

Fire Dampers Position Indication.

Fans and Supply Motors.

Fan Control Logic.

Control Air Solenoid Valves that activate damper closure.

Fans Status Indication.

Pressure Relieving Dampers.

Differential Pressure Switches or Module Internal Pressure Sensors and
alarms.

Potential Safety Critical components to be considered include the following

If Filter Banks are included in the ventilation system, blockage or high DP across the
banks should be assessed to determine whether reduction of air-flow could
compromise the HVAC Safety Critical performance.

A.24. CERTIFIED ELECTRICAL EQUIPMENT [IC003]

All Electrical Equipment intended for use in hazardous areas, or electrical
equipment in a non-hazardous area that is not tripped on detection of gas in that
area should be considered Safety Critical.

The basis for selection of Certified Electrical Equipment is that should a failure
occur, this could result in an ignition source for a release.

A.25. CARGO TANKS INERT GAS SYSTEM [IC004]

Where a system is provided to maintain an inert gas blanket for crude oil storage, in
order to reduce the probability of ignition of stored hydrocarbons, this should be
Safety Critical. This will be primarily applicable to I.G. systems on FPSOs.

Additionally, where large quantities of inert gas are generated and stored, loss of
containment could present a threat of asphyxiation to personnel in the area. Note
that Inert Gas piping, storage and transfer will be included in the scope of PC005
(Piping Systems), PC001 (Vessels) and PC003 (Rotating Equipment) respectively.

Note that other types of ignitable atmosphere prevention are detailed in IC006 (Fuel
Gas Purge System) and IC007 (Chemical Tanks Inert Gas Blanket System).

A.26. EARTH BONDING [IC005]

Where earth bonding is used on equipment to ensure that a source of ignition
cannot be generated by a build-up of static energy, then this is Safety Critical. The
assessment should consider the likelihood that a spark would be generated, and the
location (Hazardous / Non-Hazardous) of the equipment.

A.27. FUEL GAS PURGE SYSTEM [IC006]

Systems which are provided for continuous supply of fuel / vent gas for system
purging should be considered Safety Critical if failure could result in a flammable
atmosphere that could be ignited.

The assessment should take into account the likelihood of ignition following failure
of the system, and the venting arrangements. An example of the use of this system
is the Flare / Vent purge system which prevents a combustible atmosphere from
forming in the flare KO drum.


A.28. CHEMICAL TANKS INERT GAS BLANKET SYSTEM [IC007]

Systems which are provided to inert a tank atmosphere should be considered Safety
Critical if failure could result in a flammable atmosphere that could be ignited. The
basis for selecting such a system as Safety Critical is that it is provided to prevent
ignition of a flammable inventory.

The assessment should take into account the likelihood of ignition following failure
of the system, and the venting arrangements for the chemical tanks.

A.29. MISCELLANEOUS IGNITION CONTROL COMPONENTS [IC008]

Any components that are specified for use in a potentially flammable environment,
which if they were not present could result in ignition of a gas cloud, should be
considered Safety Critical.

Typical Safety Critical components include the following

Vent / Exhaust Flame Traps

Anti-static Devices (e.g. Fan Belts)

Diesel / Turbine Exhaust Temperature Control

Electrical Cable Insulation

A.30. FIRE AND GAS DETECTION [DS001]

Safety Critical Fire and Gas Detection Systems will be all systems the purpose of
which is to detect hazardous accumulations of flammable or toxic gas, or fires that
could cause death or serious injury to persons on the installation. When determining
Safety Criticality, the IPF or SIL class should be considered as described in Section
4.4.

The SCE for Fire and Gas Detection can be divided into the following Safety
Critical components

Flammable Gas Detection. This should include the following:

All types of detectors fitted, which may include Catalytic detectors,
Infra-Red Point Detectors, Infra-Red Beam Detectors and Acoustic
Leak Detectors.

Gas in Service Water Detection (if fitted).

TR HVAC Gas Detection.

Flammable gas detection functions on main and any additional Fire and
Gas panels and outputs to end elements.

Manual Alarm Callpoints (MACs). This should include the following:

GPA Callpoints positioned at various locations around the installation.

Manual alarm functions on main and any additional Fire and Gas
panels and outputs to end elements.

Oil Mist Detection (OMD) (if fitted). This should include the following:

Oil Mist Detector heads, normally located in areas where oil mists
present a risk of fire and explosion.

Oil Mist Detection alarm functions on main and additional Fire and Gas
panels and outputs to end elements.

H2S Detection (if fitted). This should include the following:

H2S Detectors.

H2S Detection alarm functions on main and additional Fire and Gas
panels.

Outputs to Platform Alarm Systems including flashing warning beacons
and local sounder devices initiated by H2S Detection.

Fire Detection. This should include the following:

All types of Fire detectors fitted, (Ultra Violet Flame Detectors,
Infra-Red Flame Detectors, Ionising Smoke Detectors, Optical Smoke
Detectors, Heat Detectors and Frangible Bulbs, Pneumatic Trigger
Lines).

TR HVAC Smoke Detection.

Fire detection functions on the main and any additional Fire and Gas
panels and outputs to end elements.

The scope should include all output signals (where deemed critical by the IPF
Class) to the ESD System or electrical signal to actuating device (e.g. Solenoid
Valves, Tripping Circuits, etc.).

A.31. WATER-IN-CONDENSATE/GAS (DEW-POINT) MEASUREMENT [DS003]

Where managing the water content in the downstream process is critical to the
integrity of pipework, then systems used to detect high levels of water in condensate
or gas may be Safety and Environmentally Critical. Failure modes could include
excessive corrosion due to out of spec product, or hydrate blockage. Failure of the
downstream containment envelope could result in a serious safety or environmental
hazard. The assessment should consider the likelihood of downstream equipment
failure, the length of time required to cause failure, and if there are any other means
of detecting high levels of water in the process stream.

A.32. DELUGE SYSTEMS [PS001]

Deluge systems, where provided, will be Safety Critical unless it can be shown that
they provide negligible benefit in risk reduction for each identified Major Accident.

Safety Critical Deluge Systems will comprise all equipment designed to provide
firewater coverage to end users, from the ring main branch via an actuated (deluge)
valve to downstream nozzles.

The Safety Critical components for deluge, mini-deluge, and multi-jet control
systems should include the following

Deluge Valve.

Pipework from the inlet valve and downstream, including branch pipework
and nozzles.

Control / Trigger Solenoid Valves.

Pneumatic Trigger Lines.

Deluge Pressure Switches (indicating Deluge Release).

Low Control Air Pressure Switch / Alarm.

Potential Safety Critical components for the above systems include the
following

Manual bypass valves

Manual Inlet and discharge valves

A.33. FIRE AND EXPLOSION PROTECTION [PS002]

Safety Critical Fire and Explosion Protection represents all the mechanisms that are
put in place in order to reduce the consequence of fires and explosions.

The Safety Critical components should include the following

Blast Walls and Supporting Structure.

Self-Closing Doors in Fire / Blast Walls.

Maintenance of Explosion Vent Paths.

Explosion Blow-Out Panels and Cladding.

A.34. HELIDECK FOAM SYSTEM [PS003]

Helideck Fixed Foam Monitors, and the Aviation Fuel Storage Foam System, where
provided, will be Safety Critical unless it can be shown that the benefit from using
foam-based products for helideck and heli-fuel fire-fighting is negligible, AND there
is no other legislative requirement for helideck foam monitors or heli-fuel protection.

The Helideck Foam System comprises all equipment required to function in order for
a suitable concentration of foam to be applied via the Helideck Foam Monitors and
Aviation Fuel Storage Foam System.

The Safety Critical components of the Foam System should include the
following

Helideck Monitors.

Foam Concentrate Tanks.

Foam Pipework and Valves.

Foam Pumps.

Foam Proportioning Units.

Means of Activation.

A.35. FIREWATER PUMPS [PS004]

Fire Pumps will be Safety Critical unless it can be shown that there is negligible
benefit from using active fire protection systems, supplied by the fire pumps, during
a Major Accident.

The Fire Pumps components are likely to comprise all the essential equipment
required to supply the Firewater ring main and end-users with water at the required
pressure and flow rate.

The Safety Critical components should include the following

Fire Pump Drivers.

Pump Units.

Start Mechanisms (where applicable) e.g. Electric, Hydraulic, Manual.

Fuel supply and storage (day-tanks)

HVAC Supply to Fire Pump Enclosure, (if driven by Fire Pump Driver).

Pressure Relief Valves.

Pressure Control Valves.

Surge Protection Devices.

Jockey Pumps.

Fire Pumps Local Control Panels.

A.36. FIREWATER RINGMAIN [PS005]

The Firewater distribution system will be Safety Critical unless it can be shown that
there is negligible benefit in mitigating the effects of any identified Major Accident
Hazard.

The Fire Main is likely to comprise the means by which firewater is conveyed from
the Fire Pumps Discharge to the end-users.

The Safety Critical components should include the following

Ring Main Pipework (including supports) from the 1st Manual Isolation Valve
downstream of Fire Pumps Discharge to the end-user activation valve:

Deluge Sets Inlet Isolation Valve,

Helideck Monitors Manual Isolation Valve,

Sprinkler Systems Manual Isolation Valve,

Fire Hydrants Isolation Valve,

Fire Hose Isolation Valve.

Low Ring Main Pressure Switches.

Fire Main Pressure Control Valves.

Potential Safety Critical components are as follows

Fire Main Sectioning Valves. It is recommended that Fire Main Sectioning
valve criticalities are assessed on a case-by-case basis to determine whether
manual operation of sectioning valves during a Major Accident is a credible
emergency response action and if credit is given in the Major Accident
Hazard analysis for this action.

A.37. PASSIVE FIRE PROTECTION [PS006]

Safety Critical Passive Fire Protection represents the methods used to protect
structure and equipment from the effect of fires.

The Safety Critical components should include the following

All PFP applied structure and equipment will be Safety Critical unless it can
be shown by assessment that its contribution to risk reduction for any Major
Accident Hazard is negligible.

Passive Fire Protection should be shown in the Installation HSE Case,
Installation Description.

A.38. GASEOUS FIRE PROTECTION SYSTEMS [PS007]

Gaseous Fire Protection Systems are normally provided for asset protection to
generators and turbines from the effects of fires initiating in the equipment enclosure
and are therefore not considered Safety Critical. However, these systems should be
classed as Safety Critical if they are assessed to reduce the probability of escalation
for these types of incident. They may also be considered to reduce escalation if they
would allow emergency drilling operations to be completed, (by allowing the drilling
generator to continue to run) during a wellbay / drilling module incident.

Gaseous Fire Protection System components comprise the essential equipment
required to extinguish fires from Diesel Generator Enclosures, or Turbine Hoods,
where installed. This includes all methods of sealing the enclosure which they
protect and its leak tight integrity.

The critical components on Gaseous Extinguishing Systems are as follows:

Control / Release Mechanism.

Pipework and Discharge Nozzles.

Gas Storage Cylinders, Valves and Regulators.

Enclosure fire dampers and sealing arrangements.

Other possible Safety Critical Gaseous Fire Protection Systems include the TR
Galley Hood Protection System. It should be considered as Safety Critical if it
reduces the likelihood of escalation of a galley fire.

A.39. FINE WATER SPRAY (FWS) SYSTEMS [PS008]

As with Gaseous Fire Protection Systems, Fine Water Spray Systems are normally
provided for asset protection to generators and turbines from the effects of fires
initiating in the equipment enclosure and are therefore not considered Safety
Critical. However, these systems should be classed as Safety Critical if they are
assessed to reduce the probability of escalation for these types of incident.

They may also be considered to reduce escalation if they would allow emergency
drilling operations to be completed, (by allowing the drilling generator to continue to
run) during a wellbay / drilling module incident.

The critical components of the Drilling Generator Protection Systems are as follows:

Accumulators.

Gas Charging Mechanism.

Release Mechanism.

Pipework.

Nozzles.

Water Reservoir.

Enclosure Fire Dampers, Doors and Leak Tight Integrity.

A.40. SPRINKLER SYSTEMS [PS009]

Sprinkler Systems are normally provided to protect areas where there is no
hydrocarbon inventory, and the hazards arise from cellulosic type fires with lower
heat potential only. Examples of sprinkler-protected areas are accommodation
modules, tea-shacks, office areas, etc. Note that Mini-Deluge / Multi-Jet Control
systems, which are normally used to protect utility areas or machinery areas where
fires with higher generated temperatures can be expected, should be grouped with
deluge systems.

Hence, sprinkler systems comprise all the fixed active fire protection systems not
classed as deluge, mini-deluge, or multi-jet control systems.

The Safety Criticality of sprinkler systems should be assessed on an area by area
basis. Where the benefit of an installed system to personnel safety can be shown to
be negligible, i.e. the risk of fire is very low, then it should not be considered Safety
Critical.

Examples of areas where sprinkler systems may be Safety Critical are in heavily
manned areas, or areas where personnel will be sleeping, such as accommodation
and large office modules. Paint Stores should also be considered as these may
contain highly flammable paint which could produce large amounts of smoke and
toxic fumes.

Examples of sprinkler systems which are not likely to be Safety Critical are those
that protect areas such as Workshops, and Temporary Offices, etc. Fires originating
in these areas are not normally considered as Major Accident Hazards, and are not
considered to have a significant potential to escalate into a Major Accident. It is
likely that any fire originating in these areas would be extinguished manually, or
would not have the potential to escalate.

A.41. POWER MANAGEMENT SYSTEM [PS010]

Consideration should be given to risks from platform generation HV breaker circuits.
Where the failure of this system to operate on demand is likely to cause a fire or
explosion in a switchroom where personnel may be present, this may be considered
a Major Accident Hazard, and would need to be included in the list of Major Accident
Hazards in the installation HSE Case. The HV tripping circuits and/or trip monitoring
circuits would then be classed as Safety Critical.

A.42. FIXED FOAM SYSTEM [PS011]

Fixed Foam Systems, where provided, may be Safety Critical if the system is
assessed as having a significant benefit in controlling liquid pool fires beyond that
provided by water deluge systems. The assessment should take into account the
benefit from applying foam to extinguish the fire and reduce the amount of smoke
generated.

The Foam System comprises all equipment required for a suitable concentration of
foam to be applied via a central or dedicated foam system. The components to be
considered are as follows:

Foam Concentrate Tanks

Foam Pipework and Valves

Foam Pumps

Foam Proportioning Units

Means of Activation

A.43. SAND FILTERS [PS012]

Where sand erosion is assessed to have a critical effect on process piping and
vessel wear rates, the means by which sand is removed from the system may be
Safety and Environmentally Critical. Sand erosion may cause the pipework to fail
leading to loss of containment.

A.44. CHEMICAL INJECTION SYSTEMS [PS013]

The injection of chemicals into the process stream to prevent material deterioration,
or to reduce the toxicity of the process fluid is a Safety and Environmentally Critical
function. Typical chemicals include the following:

H2S Scavenger

Corrosion Inhibitor

Anti-Hydrate

Anti-Scale

Anti-Wax

The following equipment associated with the injection of these chemicals will be
Safety Critical if the loss of injection could result in significant degradation of
downstream pipework and equipment leading to loss of containment.

H2S Scavenger Injection systems will be Safety Critical if failure could cause high
H2S levels in the downstream process where suitable barriers relating to the H2S
Zone are not already in place:

Pumps and Motors,

Pipework and Valves,

Flexible hoses,

Injection rate monitoring and alarms

The assessment should take into account the length of time required to cause
pipework or equipment failure, and any alarm systems provided to alert the operator
of loss of chemical injection. The likelihood of operator intervention following
activation of the alarm should also be considered.

A.45. NAVIGATION AIDS (NAVAIDS) [PS014]

Safety Critical Navigation Aids will comprise all the facilities required to enable the
installation and its structures and appurtenances to be recognised by marine and
aviation traffic and ensure a safe line of approach or departure for helicopters,
thereby preventing collision with the installation.

The Safety Critical components should include the following

Main, Secondary and Subsidiary Navigation Lights (Offshore).

Foghorns (Offshore).

Aircraft Warning (obstruction) lights on appurtenances (Onshore / Offshore).

A.46. COLLISION AVOIDANCE SYSTEMS [PS015]

The marine or installation radar system is provided to detect marine traffic on a
potential collision course with the installation. All equipment provided to enable ship
movements to be monitored and for assessment and warning of the risk to the
installation should be considered Safety Critical.

The radar system itself may be installed on the Standby Vessel and is not part of the
installation hardware. However, because the failure of the system could directly
contribute to the risk from ship collision, it should be considered critical to the
installation.

The following are components of the Collision Avoidance System. It is
recommended that the review takes into account current practice, operating location
and the arguments detailed in the HSE Case before selecting Safety Critical
components:

Radar Transmitter / Receiver

Radar Processor, Logic and Software

Radar Screen(s) (Master / Slave)

Radar Early Warning System (REWS)

Automatic Radar Plotting Aid (ARPA)

Automatic Identification System (AIS)

A.47. METEOROLOGICAL DATA GATHERING SYSTEM [PS016]

The Meteorological Data Gathering System is provided to manage information
relating to sea and weather conditions. This information is stored and used to
provide critical information for the following activities:

Helicopter Operations

Marine Operations (Supply, Standby and other passing vessels)

Ongoing Structural Assessment for continued suitability of support structures.

The common name in EPE for the overall Meteorological Data Gathering System is
MetNet 3G.

The Safety Critical components should include the following

Sensors, distributed around the installation, (pressure, temperature, wind
speed & direction, humidity, wave height, visibility, etc.)

Sensor Mounting Brackets

Associated cabling and junction boxes

Master Control Unit (PACE Computer)

Data display units

Telecommunications to allow data interpretation

A.48. EMERGENCY SHUTDOWN SYSTEM (ESD) [SD001]

ESD Systems are Safety and Environmentally Critical.

The basis for selection of the ESD system is that it prevents a Major Safety and/or
Environmental Accident, or contributes to preventing escalation of an accident. It
does this by providing interpretation of input signals from ESD or F&G initiators, and
effecting executive actions to end elements such as process valves or electrical
tripping circuits.

The ESD system is likely to consist of all the equipment required to sense any
abnormal process events, provide input signals to the logic solver, process the
information and provide output signals to initiate executive actions. Reference
should be made to the IPF / SIL class, as described in Section 4.4.

The Safety and Environmentally Critical components should include the
following

ESD initiators such as pressure, temperature and level switches, (including
cabling and junction boxes).

ESD Logic Solvers.

Outputs (including cabling) to end elements, (e.g. process valves). Note that
pneumatic control circuits (e.g. solenoid valves) should be considered as part
of the end-element.

All outputs to circuits which trip electrical equipment, e.g. pump motors,
process heaters, etc.

Potential Safety and Environmentally Critical components

It should be noted that the scope of the ESD system should not include trip-circuits
(breakers) to High Voltage equipment, e.g. Tripping of Power Generation. This is
covered under the power management system and requires to be assessed on a
case-by-case basis. Trip monitoring circuits that pre-warn the operator of a defect in
the HV Tripping circuits should also be considered. See separate notes on Power
Management System.

A.49. DEPRESSURISATION SYSTEM [SD002]

The Depressurisation System is likely to include all valves that facilitate emergency
depressurisation of flammable or harmful inventories. Reference should be made to
the IPF / SIL class when determining criticality as described in Section 4.4.

The Safety Critical components should include the following

Blowdown Valves.

Pneumatic/Hydraulic Actuators and local control circuits.

Any rate-determining elements (e.g. orifice plates) that are essential for the
system to achieve its performance requirements.

It should be noted that relief valves are not part of this system, and should be
covered under the SCE PC007 (Relief System). Also, Flare and Blowdown system
pipework should be covered under the SCE PC005 (Piping Systems). All vessels in
the blowdown / flare system should be covered under the SCE PC001 (Pressure
Vessels).

A.50. HIGH INTEGRITY PRESSURE PROTECTION SYSTEMS (HIPPS) [SD003]

HIPPS Systems are Safety and Environmentally Critical.

HIPPS Systems are used to provide instrumented over-pressurisation protection to
pipelines, equipment or piping systems that do not have sufficient mechanical
protection for the maximum envisaged fluid pressure. The HIPPS logic solver and
components are required to be dedicated to the equipment they protect (i.e. not part
of the platform ESD system), fail-safe, and highly reliable by design.

HIPPS are also sometimes known as Instrumented Over Pressure Protection
Systems (IOPPS).

It should be noted that HIPPS Systems will naturally be classed as Safety and
Environmentally Critical through the IPF / SIL assessment.

A.51. WELL ISOLATION [SD004]

Well Isolation covers all components that have a role in the isolation of the well, or
annulus, following a hazardous event.

Safety Critical Well Isolation Equipment

This includes isolation of production or gas injection wells, onshore and offshore
topsides, and where the subsea wells are deemed Safety Critical, from remote
subsea production wells.

A failure of any Safety Critical component could cause loss of containment
downstream, due to overpressurisation, or escalation of an existing fire/explosion
with the potential to cause death or serious injury to one or more person(s).

Typical Safety Critical components are as follows:

Xmas Trees (including actuated and manual isolation valves UMGV, PWV,
Swab, LMGV, etc.)

SSSVs

Actuated Gas Lift Isolation Valves

Injection Check Valves / Storm Chokes

Environmentally Critical Well Isolation Equipment

This includes isolation of production or gas injection wells, onshore and offshore
topsides, and remote subsea production wells.

A failure of any Environmentally Critical component could cause loss of containment
downstream, due to overpressurisation, or escalation of an existing incident with the
potential to cause a major environmental hazard.

Environmentally Critical components are as listed above.

Potential Safety Critical Well Isolation Equipment

Well isolation equipment and components for water injection wells are not
considered Safety Critical, unless there is a credible risk of back-flow of the
reservoir fluid to the water injection pipework. Conductors and conductor guides are
covered under the SCE SI001 (Subsea/Hull/GBS/Foundation Structures) and SI002
(Topsides/Surface Structures).

If it can be shown that the hydraulic control panel has failure modes that would
prevent fail-safe operation, then this should be deemed as Safety Critical.

Potential Environmentally Critical Well Isolation Equipment

Well isolation equipment and components for water injection wells are not
considered Environmentally Critical, unless there is a credible risk of back-flow of
the reservoir fluid to the water injection pipework. Conductors and conductor guides
are covered under the SCE SI001 (Subsea/Hull/GBS/Foundation Structures) and
SI002 (Topsides/Surface Structures).

A.52. PIPELINE ISOLATION VALVES [SD005]

The basis for selection of Pipeline Isolation Valves is that they are provided with an
ESD function to automatically isolate a flammable or harmful pipeline inventory from
the topsides or onshore process. The Instrumented Protection Function (IPF)
process can be used to assess whether a particular valve is Safety or
Environmentally Critical.

The critical components should include the following

Riser ESDVs and ESDV Bypass Valves offshore.

Pipeline Isolation Valves onshore.

Pneumatic/Hydraulic Actuators and local control circuits associated with these
valves.

A.53. PROCESS EMERGENCY SHUTDOWN VALVES (ESDVS) [SD006]

Safety and Environmentally Critical Valves

The basis for selection of ESDVs is that they are provided with an ESD function to
automatically isolate a flammable or hazardous topsides inventory on detection of
a Major Accident and thus are provided to limit the effects of a Major Accident.
The Instrumented Protection Function (IPF) process can be used to assess whether
a particular valve is Safety Critical as described in Section 4.4.

The critical components should include the following

Emergency Shutdown Sectioning Valves (ESDVs).

Pneumatic/Hydraulic Actuators and local control circuits associated with these
valves.

Potential critical valves

It should be noted that control valves, non-return valves, choke valves and/or
manually operated valves should not be part of this group. At present their role as
isolation valves during a Major Accident is not considered critical unless they
automatically fail-closed and have a tight shut-off (TSO) requirement. Any valves
within this category must be periodically function tested.

A.54. SUBSEA ISOLATION VALVES (SSIVS) [SD007]

Safety and Environmentally Critical SSIVs

SSIVs are Safety and Environmentally Critical as they isolate the inventory in the
pipelines from the riser and topsides in the event of a Major Accident which affects
the risers. When determining the criticality of SSIVs, consideration should be given
to the benefit taken in the risk model (refer to Installation HSE Case).

Critical components of an SSIV system are as follows

Sub-sea valves, actuators and local control circuits that are provided to
isolate a pipeline inventory from the riser and topsides. This may include
subsea non-return valves, where credit is taken in the risk model.

A.55. DRILLING WELL CONTROL EQUIPMENT [SD008]

Well control equipment required during drilling operations is Safety and
Environmentally Critical. The assessment should consider the likelihood that a
failure could cause loss of control of the well and result in a drilling blowout.

Components to be considered are as follows:

Drilling BOPs

BOP Hydraulic Control System

Diverters

Kelly Cocks and Stub-in Valves

Well Kill System

Flow and Gas Detection (including Kick Detection) for Drilling Operations

Cement System

A.56. UTILITY AIR SYSTEMS [SD009]

Potentially Safety Critical utility air systems

Utility Air systems may be critical if their failure could result in the consequential
failure of another Safety Critical end-user. For example, where instrument air
systems supply critical shutdown valves, the dew-point of the supplied air may be
critical in that ice-plugs can form in instrument tubing when air is released. The
result is that air lines can become blocked and valves fail to close.

A.57. TEMPORARY REFUGE / PRIMARY MUSTER AREAS [ER001]

The term Temporary Refuge (TR) is based on UK legislation. In other regions, this
SCE may be known as the Primary Muster and Command Area, and it includes all
the associated safety systems.

The TR is a composite Safety Critical Element that comprises those systems that
are required to operate in order to enable personnel to muster safely and to provide
a command and control facility during a Major Accident. The TR is required to
remain functional for sufficient time to allow emergency procedures to be
implemented and if necessary, evacuation of all personnel from the platform.

The Safety Critical systems that should make up the TR are as follows:

All Primary TR Structure, including TR supports, and all Secondary TR
Structure, including dropped object protection, the failure of which could
impair the structural integrity of the TR. These components should be covered
by SCE SI002 (Topsides/Surface Structures).

The boundary fabric and penetrations in the TR need to be inspected to
identify any degradation that would increase the rate at which smoke or gas
could build up inside the TR if it reaches the TR boundary during a Major
Accident. This includes structural plating or cladding that forms the TR fabric
skin plus doors and windows to external areas that form part of the TR
boundary. These components should be covered by SCE SI002
(Topsides/Surface Structures).

Passive Fire Protection applied to any of the items listed above. This should
be covered by SCE PS006 (Passive Fire Protection).

Explosion Protection (Walls with nominal blast resistance, or pre-defined vent
paths) intended to provide protection to the TR from explosions. This should
be covered by SCE PS002 (Fire and Explosion Protection).

All systems required to prevent the ingress of smoke and gas into the TR
which includes the TR HVAC supply fans, ductwork, and boundary supply
and extract fire-dampers. All smoke and gas detection provided at the TR
HVAC inlets. The TR HVAC and smoke and gas detection should be covered
by SCEs IC002 (Non-Hazardous Area Ventilation) and DS001 (Fire & Gas
Detection), respectively.

All telecommunications required to enable emergency information to be
communicated to personnel onboard, and all telecommunications essential to
co-ordinate emergency response with external parties. This includes the PA
System, UHF Radio System, Marine VHF Radio, ICC Air-Band Radio and
INMARSAT voice communication. The Safety Critical Telecommunications
should be covered under SCE ER004 (Communication Systems).

All designated escape routes and muster areas within the TR, including all
permanent signage and markings that facilitate mustering within the TR.

Escape Lighting within the TR / Control Room. This includes all lighting units
with self-contained battery back-up that do not require generated power. This
should be covered under SCE ER003 (Emergency / Escape Lighting).

TR Sprinkler System (where installed). The assessment should take into
account the likelihood of a TR Fire large enough to cause death or serious
injury, if this is not already assessed as part of the HSE Case Hazard
Assessment.

All designated Emergency Control Points, used to coordinate emergency
response from the installation. These areas are sometimes referred to as
emergency Command Centres.

Potential Safety Critical systems that may be considered are as follows

Internal fire-dampers may also be considered if they are assessed to provide
a significant secondary barrier to the primary inlet / extract dampers.

Certain non-essential communications systems, such as platform telephones
should be considered. The assessment should take into account the methods
of communication used during muster exercises and drills.

Emergency lighting that is fed from the emergency switchboard.
Consideration should be given to the degree of illumination that would be
required within the TR during an emergency, coupled with the availability of
emergency power at the time.

Galley Hood Fire Suppression System (e.g. CO2 / Water Fog), where fitted.
The assessment should take into account the likelihood of a Galley fire large
enough to cause death or serious injury, if this is not already assessed as part
of the HSE Case Hazard Assessment.

Galley Hood Automatic Shutter System, where fitted. The assessment should
take into account the likelihood of a Galley fire large enough to cause death
or serious injury, if this is not already assessed as part of the HSE Case
Hazard Assessment.

A.58. ESCAPE AND EVACUATION ROUTES [ER002]

Safety Critical Escape and Evacuation Routes will comprise the designated platform
escape ways and associated facilities that could realistically be required during a
Major Accident. This is likely to include escape ways required to allow all personnel
to leave any place of work and proceed to the Temporary Refuge (TR) (Offshore) or
other muster area (Onshore) safely. It should also cover internal escape ways within
the living quarters, offices or workspaces outside the TR, where personnel may be
required to leave any area within the living quarters, office or workspace and
proceed to their primary muster points within the Temporary Refuge (TR) or
elsewhere. On Offshore Installations, from these muster points they may then be
required to leave the TR and proceed to either the Helideck, or the Lifeboat muster
stations, depending on the chosen method of evacuation. The escape routes and
external muster areas in these locations should also be considered Safety Critical.

The scope of Safety Critical Escape and Evacuation Routes should include
the following

all designated escape routes, including all permanent signage and markings
that facilitate escape from work areas back to the TR (Offshore) or designated
muster area (Onshore) during a Major Accident. It would not normally
include any permanent signs for escape routes, safety equipment and
lifesaving appliances.

For offshore installations all designated evacuation routes and external
muster areas, including all permanent signage and markings that facilitate
evacuation from the platform by primary, secondary, or tertiary means, (such
as ladders to sea, etc.).

For onshore plants, any gate or barrier that would automatically allow
personnel to evacuate the plant boundary during an incident.

For Offshore Installations the main escape routes are normally shown on the
Platform Station Bill, and in the Installation HSE Case.

Potential Safety Critical Escape and Evacuation Routes are as follows:

Offshore flotel and bridge gangway / landing areas should be considered, at
times where these are the designated evacuation routes for personnel during
combined operations.

A.59. EMERGENCY / ESCAPE LIGHTING [ER003]

Safety Critical Escape Lighting should consist of the minimum level of illumination
required to co-ordinate and enable escape, muster and evacuation during a Major
Accident.

The Safety Critical lighting systems are as follows

All battery-backed lighting units, (escape lighting) including internal switching
and back-up batteries.

Potential Safety Critical lighting systems are as follows

Additional lighting units supplied via the emergency switchboard, (emergency
lighting) where these may provide the only illumination in certain areas.

Safety Critical Lighting is unlikely to include units that are supplied via the main
switchboard only. Lighting required for aviation navigation should be covered by the
SCE ER006 (Helicopter Facilities).

A.60. COMMUNICATION SYSTEMS [ER004]

Safety Critical telecommunications equipment is required during a Major Accident to
enable co-ordination of emergency response and allow for escape, muster and
evacuation.

The Safety Critical telecomms systems should include the following

Installation PA System, including amplifiers, repeaters and speakers, which
provide acoustic warnings and emergency instructions for escape and
evacuation, (Onshore and Offshore).

Visual Warning Signals in High Noise Areas, (Onshore and Offshore).

Emergency Response Team (ERT) UHF Radio system including hand-held
sets, and antennas (Offshore).

Marine VHF Radios, (Offshore).

ICC Air Band Radios, (Offshore).

Lifeboat VHF Radios, (Offshore).

Lifeboat EPIRBs, (Offshore).

INMARSAT Communication System, (Offshore).

CCTV System. This may be required to provide information on the condition
of escape ways, or to detect incidents in low-manning areas, (Onshore and
Offshore).

Potential Safety Critical telecomms systems that should be considered are as
follows

Normal platform or plant telephone system, or hand-held portable VHF radios
may be considered. These are systems commonly used during normal
operations, and practice muster drills.

A.61. UNINTERRUPTED POWER SUPPLY (UPS) [ER005]

Safety Critical UPS systems comprise all the power supplies required to supply
essential systems that may be required to enable the emergency response plan to
be executed during a Major Accident.

The Safety Critical UPS systems should include the following

Batteries, Rectifiers, Inverters, and cabling for the following UPS supplies:

ESD and EDP Systems,

Fire and Gas System,

PA Audio and Visual Alarms,

SOLAS Communications,

Navigation Aids and Helideck Lighting

Note that individual battery-backed lighting units should be covered by SCE ER003
(Emergency / Escape Lighting).

Potential Safety Critical UPS systems that should be considered are as
follows

Process Monitoring and Control. During an incident involving a power
outage, it may be desirable to monitor process conditions from the control
room, in order to assist the emergency response decision-making process.

A.62. HELICOPTER FACILITIES [ER006]

Safety Critical Helicopter Facilities will consist of all the structure and equipment
required to avoid a helicopter collision with the installation, or to enable personnel to
evacuate the installation by helicopter during a Major Accident.

Core Helicopter facilities should include the following:

Helideck non-slip surface and markings.

Helideck Equipment and Facilities as required by local aviation regulations,
(e.g. UK CAP 437) which is likely to include the following:

Portable Fire Fighting Equipment.

Rescue Equipment, as specified in UK CAP 437 Section 5.6, or other
local aviation regulations.

Helideck Structure and Support Structure.

Paint-Marking and Omni-Directional Warning Lights on structures such as the
Drilling Derrick, Telecomms Mast, Flare Stack, and Pedestal Cranes, where
applicable. These should be included under SCE PS014 (Navaids).

Helideck Perimeter Lighting.

Helideck Floodlighting.

Helideck Fixed Fire-Fighting Facilities, i.e. Foam Monitors. Note that this
component should be included in the SCE PS003 (Helideck Foam Systems).

Aviation Fuel Storage. Note that this component should be included in the
SCE PC012 (Helicopter Refuelling Equipment).

Aviation Fuel Pipework. Note that this component should be included in the
SCE PC012 (Helicopter Refuelling Equipment).

Aviation Fuel Pumps. Note that this component should be included in the
SCE PC012 (Helicopter Refuelling Equipment).

A.63. EMERGENCY POWER [ER007]

Where any Safety Critical Electrical Equipment is required to operate during a Major
Accident, and this equipment is supplied via the emergency board, and it does not
have UPS back-up, then the Emergency Electrical Supply should be considered
Safety Critical. If the equipment is connected to a UPS then the UPS should supply
the equipment for the duration of a Major Accident until either the event is over or
the installation has been abandoned.

An example of this is where HVAC Extract Fans may be required to be run,
following a release, in order to disperse a gas accumulation.

The assessment should take into account documented emergency procedures and
response.

A.64. MANUAL FIRE FIGHTING EQUIPMENT [ER008]

Manual Fire Fighting Equipment includes the following:

Fixed Oscillating Monitors (if applicable).

Hydrants.

Hoses.

Couplings.

Pressure Regulating Devices.

Nozzles.

Portable Oscillating Monitors.

Portable Fire Extinguishers.

Mobile Fire Extinguishers.

When selecting manual fire fighting equipment consideration should be given to the
level of benefit gained against identified Major Accident Hazards. It is recommended
that Installation Safety Personnel and the Emergency Procedures Manual should be
referenced to ascertain the likelihood that manual fire-fighting systems would be
used during a Major Accident for which other fire fighting systems such as deluge
are provided.

However, in some cases, the prompt and appropriate use of manual fire-fighting
equipment may prevent a small fire which in its own right would not be considered to
be a Major Accident Hazard from causing escalation that could lead to a Major
Accident. The use of manual fire fighting in this role could be deemed to be Safety
Critical.

A.65. PROCESS CONTROL AND ALARMS [ER009]

During most Major Accidents it is essential to monitor the status of the plant to
determine which safety systems have operated and whether the incident is
controlled or presenting a threat to the integrity of the installation. The Process
Control system allows monitoring of pressures, levels and temperatures. To
determine whether this information is Safety Critical during a Major Accident the
assessment should consider how critical this facility would be during an incident,
and if there are any other means of providing process monitoring facilities.

It should be noted that the monitoring of process conditions during an incident,
shutdown and blowdown are the only aspects of the process control system that
may be Safety Critical.

A.66. OPEN HAZARDOUS DRAINS SYSTEM [ER010]

Safety Critical Open Hazardous Drains

The Open Hazardous Drains system is considered Safety Critical as it is assessed
to have a significant role in removal of hydrocarbons or flammable liquids following a
loss of containment. It also has a role to play in removing deluge water from an area
during an incident. The deluge water will contain liquid hydrocarbons if a liquid loss
of containment has occurred.

Components of the Open Hazardous Drains system are as follows:

Drain boxes and gratings (Onshore and Offshore)

Open Hazardous Drains Pipework (Onshore and Offshore)

Liquid Seals (Offshore)

Gutters (Onshore)

Drain Pits (Onshore)

Holding Tanks (Onshore)

Any other forms of spill containment (Onshore)

Environmentally Critical Open Hazardous Drains

The Open Hazardous Drains system is considered Environmentally Critical as it is
assessed to have a significant role in removal of hydrocarbons to a safe area (e.g.
Drains tank or caisson) that may otherwise flow to the sea (offshore) or into local
groundwater.

A.67. OPEN NON-HAZARDOUS DRAINS SYSTEM [ER011]

The Open Non-Hazardous Drains system is not considered to be Safety Critical
unless it is assessed to have a significant role in removal of flammable or toxic
liquids following a loss of containment. Components of the Open Hazardous Drains
system are as follows:

Drain boxes and gratings (Offshore)

Open Non-Hazardous Drains Pipework (Onshore and Offshore)

Liquid Seals (Offshore)

Gutters (Onshore)

Drain Pits (Onshore)

Note that where Hazardous and Non-Hazardous Drains systems are
interconnected, the significance of the sealing arrangement between the two should
be considered.

Potential Environmentally Critical Open Non-Hazardous Drains

The Open Non-Hazardous Drains system may be Environmentally Critical if it is
assessed to have a significant role in removal of environmentally hazardous fluids to
a safe area (e.g. Drains tank or caisson) that may otherwise flow to the sea
(offshore) or into local groundwater. The review should take into account the types
and quantity of fluid stored in the area.

A.68. PERSONAL SURVIVAL EQUIPMENT (PSE) [LS001]

Safety Critical PSE will be that equipment supplied on an installation which may be
required to enable personnel to escape to the TR and/or evacuate the installation
during a Major Accident. It will also include equipment required by the Emergency
Support Crew / Emergency Response Team to carry out specific functions as
identified in the emergency response plan.

Safety Critical PSE should include the following:

Lifejackets, (Offshore).

Immersion Suits, (Offshore).

Grab Bags (Offshore - containing Survival Suits, Self-Rescue Sets,
Lifejackets, Flame-Retardant Gloves, Torches and Chemical Light Sticks).

Respiratory Protection Aids, where provided for escape and evacuation of
personnel from areas outside the TR or designated muster areas, (Onshore
and Offshore).

BA Sets, where provided for escape and evacuation of personnel from
specific areas, (Onshore and Offshore).

Potential Safety Critical PSE that should be considered is as follows:

Fire Suits and Fire Rescue Equipment, (Onshore and Offshore).

Chemical Handling Suits and Protective Equipment, (Onshore and Offshore).

A.69. RESCUE FACILITIES [LS002]

Safety Critical Rescue Facilities will be all those facilities required to enable
personnel to be rescued from the sea following evacuation from the platform, or
from a helicopter ditching.

Safety Critical rescue facilities should include the following

Standby Vessel and onboard facilities (means of retrieval of personnel,
search equipment, medical facilities, communications, etc.)

Fast Rescue Craft and launch and recovery mechanisms.

Daughter Craft and launch and recovery mechanisms.

Dacon scoops which are deployed when other rescue methods are not safe
to deploy due to weather conditions.

Radar system and related components. Note that the radar system is
included in SCE PS015 (Collision Avoidance Systems).

Potential Safety Critical rescue facilities are as follows

Depending on regional regulations, the Major Accident Hazards identified in the
HSE case, and local rescue arrangements, other systems may be Safety Critical:

Man Over Board (MOB) boat.

MOB Boat Lifting Facilities.

Lifeboats (Although covered in LS003 for platform abandonment a separate
Performance Standard may be required in LS003 for the rescue and recovery
function)

Search and Rescue Helicopters.

A.70. LIFEBOATS / TOTALLY ENCLOSED MOTOR PROPELLED SURVIVAL CRAFT (TEMPSCS) [LS003]

Lifeboats, Free-fall Lifeboats (FFLBs) or TEMPSCs are Safety Critical as they may
be required during a Major Accident where there is either insufficient time to
evacuate the installation by helicopter or it is impossible for the helicopter to land
safely on the installation.

Included in the scope of this SCE will be all the facilities required to allow safe use
of the lifeboats/FFLBs/TEMPSC to evacuate the platform safely when the primary
method, (i.e. Helicopter) is not available.

The Safety Critical components should include the following


Lifeboats/TEMPSC systems

All Lifeboats/FFLBs/TEMPSCs.

Launch and Release Mechanisms, including davits or freefall launch
structures.

Fuel, Start and Propulsion Systems.

Compressed Air System.

Lighting and Electrical Supply.

Sprinkler System.

Communications (VHF and EPIRB).

If lifeboats, FFLBs or TEMPSC are not provided on an offshore installation then an
alternative evacuation method will be Safety Critical such as marine access or
tertiary means of escape.

A.71. TERTIARY MEANS OF ESCAPE [LS004]

Safety Critical Tertiary Means of Escape will be the facilities required to enable
personnel to evacuate the platform in the event that they are unable to use the
primary (helicopter) or secondary (lifeboats) means.

The Safety Critical components (offshore) should include the following

Liferafts.

Stairways and Escape Ladders to Sea.

Personal Descent Devices (e.g. Donuts) and Evacuation Stations, (where
provided).

Escape Chutes / Skyscape systems, (where provided).

Potential Safety Critical tertiary means of escape (offshore) are as follows

Scramble nets and knotted ropes (where provided), which are not the
preferred means of escape, will not be considered as Safety Critical provided
sufficient other means of escape are available on the installation.

The Safety Critical components (onshore) should include the following

Boundary security gates, where provided, to enable personnel to evacuate
the installation perimeter area.


APPENDIX B PERFORMANCE STANDARD TEMPLATE


(INSTALLATION NAME) OPERATIONS PERFORMANCE STANDARD XXPS-E001

SAFETY CRITICAL ELEMENT: ESCAPE AND EVACUATION ROUTES


Goal: Goal of the SCE

FUNCTIONALITY

| Assurance Task Ref. | Assurance Task Description | Acceptance (Pass / Fail) Criteria |
|---|---|---|
| FUNCTION 1: Description of function 1. | | |
| XXPS-E001-01-01 | Description of Assurance Task (Maintenance, Test or Inspection) Activity. | Details of measurable pass / fail criteria. |

Assurance Task link to Maintenance Activity (in SAP)

RELIABILITY / AVAILABILITY

| Assurance Task Ref. | Assurance Task Description | Acceptance (Pass / Fail) Criteria |
|---|---|---|
| FUNCTION 2: Safety Critical Element Availability | | |
| XXPS-E001-02-01 | Details of Availability requirements | Details of measurable pass / fail criteria. |
| FUNCTION 3: Safety Critical Element Reliability | | |
| XXPS-E001-03-01 | Details of Reliability requirements | Details of measurable pass / fail criteria. |

SURVIVABILITY

| Event | Assurance Task Description | Acceptance (Pass / Fail) Criteria |
|---|---|---|
| Fire & Explosion | Details of Survivability requirements against Fire and Explosion | Details of measurable pass / fail criteria. |
| Structural Failure | Details of Survivability requirements against Structural Failure | Details of measurable pass / fail criteria. |
| Ship Collision | Details of Survivability requirements against Ship Collision | Details of measurable pass / fail criteria. |

DEPENDENCY

System Criticality Applicable Performance Standards

Dependency on other SCEs


APPENDIX C GLOSSARY OF ABBREVIATIONS AND DEFINITIONS

AM Amplitude Modulation
BA Breathing Apparatus
BOP Blowout Preventor
CAP Civil Aviation Publication
CCTV Closed Circuit Television
CO2 Carbon Dioxide
DEP Design & Engineering Practice
EDP Emergency Depressurisation
Donut Personal Emergency Descent Device
EP Exploration & Production
EPIRB Emergency Position Indication Response Beacon
ERT Emergency Response Team
ESD Emergency Shut Down
ESDV Emergency Shutdown Valve
F&G Fire & Gas
FLOC Functional Location (SAP)
FM Frequency Modulation
FPSO Floating Production Storage & Offloading (Vessel)
FRC Fast Rescue Craft
FWS Fine Water Spray
GBS Gravity Base Structure
H2S Hydrogen Sulphide
HF High Frequency
HIPPS High Integrity Pressure Protection System
HSE Health, Safety & Environmental
HV High Voltage
HVAC Heating, Ventilation and Air Conditioning
ICC Installation Control Centre
ICP Independent Competent Person
IEC International Electrical Council
IG Inert Gas
IDC Inter-discipline Document Check
IPF Instrumented Protective Function
KO Knock-Out (Drum)
LMGV Lower Master Gate Valve
MAC Manual Alarm Call-point
MAH Major Accident Hazard
MOB Man Over Board (Boat)
MSF Module Support Frame
Navaids Navigation Aids
NDE Non-Destructive Examination
NGL Natural Gas Liquid
OMD Oil Mist Detection
PA Public Address
PFEER Prevention of Fire and Explosion and Emergency Response Regulations
PFP Passive Fire Protection
PS Performance Standard
PSAP Performance Standards Assurance Project
PWV Production Wing Valve
SAP Systems, Applications, Products
SCE Safety Critical Element
SCR Safety Case Regulations
SIL System Integrity Level
SOLAS Safety of Life at Sea
SSIV Subsea Isolation Valve
SSSV Sub-Surface Shutdown Valve
TA Technical Authority
TEG Triethylene Glycol
TEMPSC Totally Enclosed Motor Propelled Survival Craft
TR Temporary Refuge
TSO Tight Shut-off
UHF Ultra-High Frequency
UK United Kingdom
UKCS United Kingdom Continental Shelf
UMGV Upper Master Gate Valve
UPS Uninterruptible Power Supply
VHF Very High Frequency
VR Valve Removal
