Effective management of

safety critical equipment

(SCE) Practical Lessons
 Agenda
Solid foundation, what you dont know can hurt
you
Practical analysis, rig (and risk) based assessment
Performance standards, not standard
performance, specific measureable and supported
by the Safety Management System (SMS)
Codes and standards, they are there for a reason
Continuous improvement.
 But First A Quote
When anyone asks me how I can best describe my
experience of nearly 40 years at sea, I merely say
uneventful.
Of course there have been winter gales and storms and fog
and the like, but in all my experience, I have never been in
an accident of any sort worth speaking about. I have seen
but one vessel in distress in all my years at sea. I never saw
a wreck and have never been wrecked, nor was I ever in any
predicament that threatened to end in disaster of any sort

Stena Clyde OIM some time before the engine room fire?
 No
Captain of the Titanic, E. J. Smith, a few years before the
Titanic sank.

One of our greatest risks is complacency!!

Despite having what we thought was a robust safety

case (after all, wed had one for years), the lives of 100
people were put at risk. As a direct result of the engine
room fire, we took a different approach to assessing
safety critical equipment adequacy which resulted in
significant improvements in our understanding of this
equipment and our management system arrangements.
 Solid Foundation
Safety case facilities description focused on the
wrong type of detailed information
Lack of in depth understanding of SCE and their role
in preventing and controlling major accident events
Lack of understanding regarding systems / process
safety
Detailed review and documentation of each SCE.
Focus on operability, inter- dependency and
potential failure mechanisms / limitations
 Practical SCE Analysis
Safety case emergency systems survivability
analysis (ESSA) high levels with no detailed
understanding of system boundaries and
function
Rig crew unfamiliar with a number of the SCE
Performance standards not linked to any
analysis off the shelf
 Practical SCE Analysis
Rig based cannot analyze safety critical
equipment properly from drawings / out of
date information or using an office based
consultant
Solid foundation - what does my safety critical
equipment actually include not always
apparent!!
Involve the workforce whilst they may
understand the equipment, they can also
learn what is specially safety critical and why
 SCE Analysis Approach
Rig Drawings, Safety Describe SCE
Case, Workshops, SCE
Performance Standards
Function and
Boundaries Practical outputs:
What is

Maintenance, Inspection and Testing Assurance Tasks

Safety Case MAEs,
Other System Failures Identify Potential
important?
What does it have

Functional Performance Standards

Vulnerability, Failure to Failure Modes
Safety, Redundancy
to do?
What do we need
Identify Causes
to it ensure
reliability
Monitoring-
Assess Failure
Effects routine testing
Auditing-
Inspection
Determine
Criticality
 SCE Analysis Example System Block
Diagram (Firewater)
Water from
Ballast Water Sea Chest
or Generator Accommodation
Cooling Water Sprinkler System
Pumps
Water return Fire Pump
from Main Fire Hose Stations
Generators

Emergency Fire Pump

Fire Hydrants

Engine Cooling Water / Forward Lifeboat Muster

Seawater Tank X-over Firewater Tank General Service Pump Area Deluge System
Vavles

Ring Main Drill Floor Deluge System

Anchor Winch Deluge

Generator Cooling Pump System
Level Control and Alarms General Service Pump
No. 2
Helideck Foam Cannons

Helifuel Foam System

Aft Lifeboat Muster Area

Deluge System
SCE Analysis Example System Layout
Diagram (Firewater)
 SCE Analysis Outputs
Significantly improved understanding of SCE
by the rig crew
Robust documentation of SCE for other crew
members / new staff
Useful performance standards Rig crew can
make informed decisions as to the
effectiveness of the SCE
Monitoring- functionality testing of all systems
and yes there were some surprises here
 Performance Standards
Before:
Individual PS incomplete (not all critical equipment
included), non specific, criteria not measurable, no
linkage with the SMS
After:
Covered all critical components, very specific and
measurable criteria, clear assurance tasks that can be
linked to the SMS
Increased knowledge of inter-dependent systems
Effect of a Major Accident Event on the SCE
survivability and function
Performance Standards - Before

PERFORMANCE STANDARD: SCE-09
ACTIVE FIRE PROTECTION
Active Fire Protection (SCE-09) on the Stena Clyde involves includes the firewater system, foam system and CO2 fire
protection system. The following block diagrams provide a visual overview of the Active Fire Protection systems.
Water from
Ballast Water
or Generator
Cooling Water
Pumps
Engine Cooling Water /
Seawater Tank X-over
Vavles
Generator Cooling Pump
Level Control and Alarms
No. 2
Performance Standards - After
Performance Objective: To provide means of protection FUNCTIONALITY FIREWATER SYSTEM
for fire-fighting (water, foam and CO2) in all relevant Performance Criteria Basis Performance Verification - Assurance Tasks
areas on the rig in sufficient quantities.
FUNCTION 1: To provide firewater storage and supply for main and emergency fire pumps in sufficient quantities.
SYSTEM OVERVIEW
1. The firewater tank shall be maintained at Design Basis Test generator cooling pump # 2 cross over valves to
minimum 2/3 full. supply the emergency fire water pump directly. Confirm
actuation results in water flow from appropriate pumps
(Tag Proc. ME224-01)
Function test level control alarm for firewater tank (Tag
Proc. ME224-01)
Sea Chest
Accommodation
Sprinkler System 2. The generator cooling pump #2 can be Design Basis Test operation of air conditioning cooling water pump
Water return Fire Pump switched over manually to provide water automatic cross over valves to supply the emergency fire
from Main Fire Hose Stations
Generators directly to the suction of the emergency water pump directly. Confirm actuation results in water flow
Emergency Fire Pump firewater pump. from appropriate pumps (Tag Proc. ME224-01)
Fire Hydrants
Test generator cooling pump # 2 cross over valves to
Forward Lifeboat Muster
Firewater Tank General Service Pump Area Deluge System supply the emergency fire water pump directly. Confirm
actuation results in water flow from appropriate pumps
Ring Main Drill Floor Deluge System
(Tag Proc. ME224-01)
Anchor Winch Deluge
System
FUNCTION 2: To supply firewater at the required pressure and flow rates for end users.
General Service Pump
Helideck Foam Cannons 1. General service pumps maintain ring main Design Basis Test ring main pressure sensor and alarm at the Control
pressure at 7 bar and can deliver water at a Room (Tag Proc. ME813-09)
Helifuel Foam System rate of 100 tonnes per hour @ 64m head.
Fall in ring main pressure alarms in Control
Aft Lifeboat Muster Area
Deluge System
Room between 4.5 4.8 bar.
2. The general service pump provides firewater Design Basis Verify general supply pump pressure at hydrant during
to ring main at a rate of 100 tonnes per hour DNV Rules function test. Confirm via pressure gauge on pump
@ 64m head. It can deliver at least one jet discharge (Tag Proc. ME813-09)
Port Propulsion Room simultaneously from each of any two fire
hydrants, hoses and 19 mm nozzles while
Release Mechanism
Starboard Propulsion maintaining a minimum pressure of 3.5 bar
at any hydrant.
Paint Locker 3. The emergency fire pump provides firewater Design Basis Verify fire pump pressure at hydrant during function test.
to the ring main at a rate of 130 tonnes per Confirm via pressure gauge on pump discharge (Tag Proc.
CO2 Bottles Control Room hour @ 120m head. It can deliver at least ME813-09)
one jet simultaneously from each of any two
Engine Room / Auxiliary fire hydrants, hoses and 19 mm nozzles
Machinery Room, while maintaining a minimum pressure of 3.5
Mechanics Store and
Separator Room bar at any hydrant.
Emergency Generator 4. The emergency fire pump provides Design Basis Function Test emergency fire pump for local start, remote
House automatic, remote and manual start ability to start and automatic start on ring main low pressure (Tag
ensure fire water is supplied to the rig main Proc. ME224-01)
Emergency Switchboard
Room for firewater users
5. The fire pump provides firewater to the ring Design Basis Verify fire pump pressure at hydrant during function test.
main at a rate of 100 tonnes per hour @ 64m Confirm via pressure gauge on pump discharge (Tag Proc.
head. It can deliver at least one jet ME813-09)
simultaneously from each of any two fire
hydrants, hoses and 19 mm nozzles while
maintaining a minimum pressure of 3.5 bar
at any hydrant.
Performance Standard Verification
Before:
Focused on class requirements, no proper linkage
with the Safety Case and the role of critical
equipment in managing major hazards
After:
Third party verification activities focused around the
improved performance standards
Much higher level of rigour and confidence in the
scheme
Three tiers: Review, Visual Examination, Function
Test, allows verification party to focus on areas
where deficiencies identified
 Performance Standard Verification -
After
Title ACTIVE FIRE PROTECTION Reference SCE-09

Extent All components comprising the system Revision 1

Task Task Details Frequency Performance PS Notes

Ref. Criteria Ref. Compliance
Type details of each task to be done in a separate cell months # Yes No

1 VISUAL EXAMINATION
1.1 Visual external examination of General Service Pumps 12

1.2 Visual external examination of General Service Pumps 60

1.3 Visual external examination of Emergency Fire water pump 12

1.4 Visual internal examination of Emergency Fire Water Pump 60
1.5 Visual external examination of deluge pump 12
1.6 Visual internal examination of deluge pump 60
1.7 Confirm pressure is maintained in ring main under normal conditions 12
1.8 Confirm GS pumps status is indicated in Control Room 12
1.9 Confirm emergency fire pump status is indicated in Control Room 12
1.10 Confirm deluge pump status is indicated in Control Room 12
1.12 Verify level in 3% AFFF Foam tank to ensure availability 12
1.13 Verify location and visually inspect hydrant equipment, foam eductors and 12
extinguishers against Safety Plan
1.14 Visual examination of CO2 Room and ensure it is located outside protected 12
area
1.15 Visual examination of CO2 bottles and release stations (confirm no debris 12
or paint impairing release mechanism on bottles)
 Performance Standard Verification -
After
2 FUNCTION TEST
2.1 Confirm GS pumps, emergency fire pump and deluge pump can be started 12
locally / remotely on main and emergency power as appropriate
2.2 Confirm firewater tank low level alarms in Control Room 12
2.3 Confirm emergency fire pump starts upon loss of ring main pressure 12
2.4 Confirm isolation valves on ring main are tested and operational 12
2.5 Test helideck foam monitors and ensure sufficient pressure and flow 12
capacity of foam
2.6 Test concentration AFFF and water in foam monitors 12
2.7 Test deluge systems for adequate initiation and coverage, including 12
condition of nozzles.
2.8 Test well test area monitors to ensure sufficient pressure and flow capacity 12
of fire water
2.9 Test hydrant equipment while under pressure 12
2.10 Function test of release station for audible / visual alarms, HVAC shutdown 12
in appropriate area for CO2 system

3 REVIEW
3.1 Review PM records to ensure that maintenance levels are acceptable. 12

3.2 Review relief valve certificates for ring main 12

3.3 Review portable and trolley mounted extinguisher service records 12
3.4 Review service reports for CO2 system 12
3.5 Review pressure test reports for CO2 system 12
 Codes and Standards
Have evolved to take account of learning from
history, including past events
With older rigs, we can often make a risk
based argument not to do things
Dont loose sight of inherent safety
Work to making things simple/ less
complicated.
Work to the new codes & standards/ best
practices
 Inherently Safe

Or emergency fire pump takes suction directly

from sea?
Other Improvements Implemented
Emergency Fire pump starts automatically when fire main
pressure drops can also be started manually. Previously
several steps had to be taken to provide fire main pressure
(see previous slide)
Emergency Ballast pumps installed This allows the rig to
recover from an angle of 15 by the head
Emergency Anchor Release Remote release fitted to
Temporary Refuge EEC, controlled release during black out
Gas detection system up graded Controls installed in
Temporary Refuge EEC
Other Improvements Implemented
Annual major hazard review:
Formal review focused on major hazard management aspects
Covers safety management systems and equipment
Some specific areas for focus
Change, including cumulative effects
Emergency preparedness
Management of safety critical elements
Operational limits and boundaries
Accident and incident trends
To help in the process of developing formal management
system performance standards
SMS Performance
Standards
We now understand
and manage this
well for equipment,
but what about
specific major
hazard management
aspects of the
SMS?????
Central Activities Leadership
Behaviour SMS Performance
Standards
Transferable Activities Competency and Training
Supervision
Communication
Work Activities Hazard Identification and Risk Assessment
Management of Third Parties
Management of Change
Permit to Work (and Isolation)
Maintenance
Marine Operations
Drilling Operations
Emergency Response
Improvement Activities Performance Monitoring and Improvement

Safety Critical Activity Performance Standard Layout

Performance Standard: Reference # Safety Critical Activity Name
Performance Objective: Describes the overall hazard management role of the safety critical element.
May be broken down into sub-elements depending upon complexity

Key Procedure and Tasks: Describes the components and limits of the safety critical activity. Includes
what key procedures and tasks are included, and where the interfaces or beginning and end points exist

Desired Safety Outcomes: Key Assurance: Activities or tasks undertaken to ensure that the
safety outcomes that demonstrate safety critical activity delvers the desired safety outcomes
the activity is being conducted /
implemented effectively Lead and lag
indicators
Leading Indicator: A measures of Criteria: The Monitoring / Frequency: How
process or inputs essential to criteria used to Reporting: How the often the indicator is
deliver the desired safety outcome measure whether indicator is monitored and
the desired safety monitored and reported
Lagging Indicator: A measure of
outcome is being reported
when a desired safety outcome has
achieved
not been achieved.
satisfactorily or not
G Y R
 SMS Performance Standards, e.g.
Performance Standard SCA-10 Maintenance
Performance Objective: To ensure that safety critical equipment functions per its design intent, and to the specified performance levels given in
the Safety Critical Equipment performance standards

Key Procedure and Tasks: TAG (computer-based planned maintenance system and associated maintenance routines), Maintenance
Procedures, Written Schemes (Document Performance Standards and Assurance Tasks)

Desired Safety Outcomes Assurance

1. Maintenance crew understand the importance of maintenance of Competence assurance system
safety critical equipment as defined in the written schemes and
their role in ensuring equipment meets specified performance
standards
2. The is no overdue maintenance on safety critical equipment Planned maintenance system, audits of planned maintenance system,
weekly and monthly reporting

3. Safety critical equipment meets performance standards when Planned maintenance system, audits of planned maintenance system,
tested weekly and monthly reporting, written schemes of examination
4. Risk assessments are conducted where equipment fails to meets Management of change, risk assessment
specified performance standards and appropriate risk control
measures are implemented
5. Equipment functions as intended in any emergency Emergency response tests, exercises and drills
Leading Indicator Criteria Monitoring / Reporting Frequency
Percentage of safety critical equipment G 95% Reporting of safety critical equipment maintenance Monthly
maintenance tasks that meet performance Y 90-94% status
standard requirements when tested R <90%
Percentage of safety critical equipment G 95% Reporting of safety critical equipment maintenance Monthly
maintenance tasks that are completed to Y 90-95% status
schedule R <90%