
WW ALL X X S 05 049 I, Rev. 2
November 2019

UPSTREAM SAFETY CRITICAL ELEMENTS (SCE) MANAGEMENT PROCEDURE

PETRONAS UPSTREAM
Internal


DOCUMENT AUTHORIZATION

Proprietary Information

This document contains proprietary information which belongs to PETRONAS and must not be wholly or partially reproduced nor disclosed without prior permission from PETRONAS.


TABLE OF CONTENTS

DISTRIBUTION LIST
DOCUMENT DEVELOPMENT TEAM MEMBER
AMENDMENT SUMMARY
PREFACE

1.0 INTRODUCTION
    1.1 Objective
    1.2 Scope
    1.3 Review Requirements
    1.4 Glossary of Terms

2.0 OVERVIEW
    2.1 Major Accident Hazard
    2.2 MAH Identification and Existing HSE Case and CIMAH
    2.3 HSE Case and CIMAH Development Procedure and Safety Critical Elements (SCE) Document
    2.4 Bow Tie
    2.5 Overview of the MAH and SCE Management Process

3.0 ROLES & RESPONSIBILITIES
    3.1 Key Roles & Responsibilities

4.0 MANAGEMENT OF BARRIER
    4.1 Critical Activity Catalogue

5.0 SAFETY CRITICAL ELEMENTS
    5.1 Safety Critical Element Evolution through the Life-cycle of the Asset

6.0 IDENTIFICATION OF SCE FOR A GIVEN MAH
    6.1 SCE Identification at Group, Sub Group and Tag Level
    6.2 SCE Group Register in HSE Case
    6.3 SCE Group Barrier Owner

7.0 PERFORMANCE STANDARD FOR SCE
    7.1 Design Performance Standard (DPS)
    7.2 Operation Performance Standard
        7.2.1 Generic Operation Performance Standards (GOPS)
        7.2.2 Drilling and Well Integrity Performance Standard
        7.2.3 Site Specific Performance Standard
    7.3 Management of SCE in Maintenance Plan
    7.4 Critical Spares for SCE

8.0 SCE VERIFICATION
    8.1 Verification Scheme
        8.1.2 Verification Work Instruction (VWI)
        8.1.3 Selection of Competent Person
    8.2 Type of Verification
    8.3 Implementation of Verification Scheme for Operation SCE Verification
    8.4 Management of Operation SCE Verification

9.0 MANAGEMENT OF SCE DEVIATION

10.0 KPI MANAGEMENT OF SCE

11.0 APPENDICES
    Appendix A: References
    Appendix B: BPW
    Appendix C: Sample Bowtie Diagram for Typical Major Accident Hazards
    Appendix D: Guidance on SCE Goals and Boundaries with Typical Equipment Types
    Appendix E: Sample of GOPS
    Appendix F:
        a. Sample of SSPS
        b. SSPS Cover for Barrier Owner Approval
    Appendix G: Sample of SCE Verification
    Appendix H: Practical Recommendation


DISTRIBUTION LIST

No.     Title

Master  Head, HSE System and Documentation, HSE Global Services, Upstream HSE
01      EVP, Upstream Business
02      SVP, Upstream
03      VP, Exploration
04      VP, LNG Marketing & Trading
05      VP, Malaysia Assets
06      VP, International Assets
07      VP, LNG Assets
08      VP, COE
09      Head, Upstream HSE
10      Head, HSE Global Services, Upstream HSE
11      Head, HSE Operations, Risk & Assurance, Upstream HSE
12      Head, Process Safety Management, Upstream HSE
13      Head, HSE Transformation, Upstream HSE
14      Head, HSE Planning & Stakeholder Management, Upstream HSE
15      Head, HSE Marketing & Trading
16      Head, HSE Exploration
17      Head, HSE Malaysia Assets
18      Head, HSE International Assets

Note:
A Document Holder is responsible to communicate and ensure compliance with the
requirements of this document.


DOCUMENT DEVELOPMENT TEAM MEMBER

No.  Name                          Designation                                              Department

1.   Yasmin Akbari Bt Abdul Rahman Specialist, Process Safety                               Process & Technical Safety – Upstream HSE
2.   Abdullah Din Suhaimi          Manager, Maintenance Management, Operational Excellence  Technical Excellence, Operational Excellence
3.   Anneeza Abd Ghani             Manager, PTS – Standards and Performance, Process Safety Process & Technical Safety – Upstream HSE


AMENDMENT SUMMARY

Special thanks to all PETRONAS personnel who have contributed to the development of this document.

Rev   Description                                                        Date        Approved by            Title

1.0   • Swiss Cheese Barrier diagram was updated (Page 10)               5/5/2014    Mr. Marvin Ooi         Maintenance Manager
      • Added SCE Group SI010: Wells Structure (Page 39)
      • Updated SCE Group Title, SCE Goal & Description (Pages 36-64)
        to be in sync with GENERIC OPERATION PERFORMANCE STANDARD
        ASSURANCE, EP OE GEN OPS, REVISION 1.0

2.0   • Strengthening SCE Identification to focus on SCE definition      01/06/2019  Datuk Joseph Podtung   Head, Upstream HSE
        and intent. Changes in SCE identification flowchart and
        Appendix D.
      • Establishment of Barrier Owner concept
      • Emphasis on the requirement and methodology of Site Specific
        Performance Standard
      • Guideline and implementation strategy for SCE Verification

Notes:
1) Document Custodian to update Amendment Record as and when
amendments/new revisions are received.
2) For description of amendment the Document Custodian should indicate
correction, modification, and update or delete issue.
3) Document Custodian to enter their company reference number, sign and date the
record of entry.


PREFACE

This document provides a guideline for holistic Safety Critical Elements (SCE) Management for PETRONAS operated upstream production facilities, in compliance with PTS 18.53.02 Mechanical Integrity.

The aim of this procedure is to provide assurance that SCE are correctly managed, that the risk of Major Accident Hazards (MAH) is demonstrated to be ALARP, and that the technical integrity of all Upstream assets is enhanced. The Upstream SCE Management Procedure is intended to assist individual installation management teams in identifying the SCE applicable to a specific asset. It provides clear examples of SCE for consideration in the identification and listing of SCE in order to meet the requirements of the HSE Case. It defines the expectation for the development of Site Specific Performance Standards for the identified SCEs, so that it is possible to demonstrate how the performance of individual elements is directly linked to the Major Accident Hazards present on a particular asset. As a result, it helps assets and operating units establish appropriate assurance tasks for SCE, which lead to a systematic maintenance plan and contribute to the smooth operation of PMMS.

In order to strengthen the SCE Management process, this procedure stipulates the requirement for SCE Verification. It provides a clear understanding of the process and how to implement it in the most cost effective and efficient way, while maintaining the same quality as it is implemented anywhere in the world.

The SCE Deviation Management process controls any deviation related to SCE in order to ensure effective quality assurance and the integrity of SCE.

This Procedure supersedes PETRONAS Safety Critical Element Manual EP OE MAN SCE Rev 1.0, 05 May 2014.

1.0 INTRODUCTION

1.1 Objective

(1) To facilitate and standardize holistic SCE Management across PETRONAS Upstream Business, inclusive of SCE identification, in accordance with best industry practice for Major Accident Hazard Management.
(2) To provide assurance that the necessary hardware barriers are correctly managed and that the risk of Major Accident Hazards (MAH) is reduced to ALARP levels.
(3) To define the requirements and expectations of SCE Site Specific Performance Standards and the SCE Verification Process, and to provide a common, consistent process for all PETRONAS Upstream Business Operating Units.
(4) To provide a safer operating environment for people, maximising the understanding of the risks inherently involved in the extraction of hydrocarbons and minimising the exposure of personnel to these risks.
(5) To ensure transparency and visibility of the management of SCE performance assurance.

1.2 Scope

(1) The SCE management process has six main stages, shown in Figure 3:

i. Identification of the MAH;
ii. Identification of the SCE involved in managing each MAH;
iii. Definition of Performance Standards for these SCE;
iv. Development and implementation of the assurance processes that maintain or ensure the continued suitability of the SCE, and that the SCE are meeting their Performance Standards;
v. Management of SCE Deviation; and
vi. Verification that all steps have been undertaken to ensure the adequacy of assurance tasks, that each SCE meets its intent, and thus that Major Accident Hazards are being controlled.

1.3 Review Requirements

i. This Procedure shall be reviewed periodically at intervals not exceeding 5 years.
ii. It may be reviewed and revised earlier if significant amendments to the latest revision are required.

1.4 Glossary of Terms

For the purpose of this Guideline, the definitions of terms, acronyms and
abbreviations used are as follows:

1.4.1 Specific Definition of Terms

1. Asset Integrity: The ability of an asset to perform its required function effectively and efficiently whilst safeguarding personnel life, the environment, the asset and the reputation of the organization.

2. Barrier: A measure put in place to prevent hazard realisation and/or mitigate potential consequences. Barriers may be physical (e.g. shields, isolation, separation, protective devices) or non-physical (e.g. procedures, warnings, training, drills).

3. Bowtie: A diagram that shows the risk management scheme in place in one easy to understand picture. The diagram is shaped like a bow tie, creating a clear differentiation between proactive risk management on the left hand side and reactive risk management on the right hand side.

4. Control: A measure designed to minimise the consequences of a detected MAH. Its role is to limit escalation of the hazard and to control the scale, intensity and duration of the hazard.

5. Critical Activities Catalogue (CAC): Documentation of the requirements to ensure the integrity, reliability and functionality of Control and Recovery Barriers. It includes the listing of Control and Recovery Barriers for Major Risks and the HSE critical activities, HSE critical positions and competency requirements, performance standards, etc. associated with those Control and Recovery Barriers.

6. Decommissioning: An operation in which specific production equipment or an entire production facility is taken out of service. Specific decommissioning activities may include engineering, procurement, removal, disposal and abandonment.

7. Detection: A measure designed to detect the occurrence of a MAH or the preceding events.

8. Emergency Response: Action to safeguard the health and safety of persons on or near an installation in an emergency.

9. Escape: The process of leaving the installation in an emergency when the evacuation system has failed; it may involve entering the sea directly and is a 'last resort' method of getting people off the installation.

10. Evacuation: The process of personnel abandoning the installation in a controlled manner, preferably using the equipment provided (e.g. helicopter, lifeboats).

11. Facility Status Monitoring (FSM): An integral system in the PETRONAS Maintenance Management System that provides a visual, easy to read and easy to understand status of the Asset Integrity Sustaining work actions (PM) and the Integrity Restoring work actions (CM), and where they currently stand with respect to the Latest Allowed Finish Date.

12. FARSI: Performance Standards for SCEs are expressed in terms of FARSI, described below:
   • Functionality (what it is required to do, not what it does, to fulfil its function)
   • Availability (for what proportion of time it will be capable of performing)
   • Reliability (how likely it is to perform on demand, and the means to achieve the desired level)
   • Survivability (does it have a role to perform post event; does the equipment need to keep its function during an incident and maintain this capacity), and
   • Interdependency (do other systems need to be functional for it to operate)

13. Function Test: Defined assurance activities required to be carried out by the competent Region/Country Maintenance Team (or other approved, competent personnel acting on their behalf) on a regular basis, in accordance with a maintenance task instruction, in order to demonstrate the continuing compliance of the SCE with its performance standard.

14. Hazard: The potential to cause harm, including ill health and injury, damage to property, products or the environment, production losses or increased liabilities. A container with flammable material is a hazard because it has the potential to cause fire and/or explosion; an installation operation consisting of lifting a module onto an offshore platform is a hazardous activity because it has the potential for dropping or releasing the module too fast, causing damage to the platform.

15. Hazards and Effects Register (HER): A hazard management communication document that demonstrates that hazards have been identified, assessed and are being properly controlled, and that recovery preparedness measures are in place in the event control is ever lost.

16. HSE Critical Activities: Activities or measures that have been identified in the Hazards and Effects Management Process (HEMP) as vital to ensure:
   • the integrity of an asset and the associated Control and Recovery Barriers, i.e. the safety critical elements (SCEs);
   • the effectiveness of operational controls in order to prevent incidents and/or mitigate adverse HSE effects.

17. Inspection, Testing and Preventive Maintenance: Inspection is the task performed to check the condition of an asset through non-destructive means. Testing is the task performed to check the functionality of an asset by placing an artificial demand on the function of the asset. Preventive Maintenance is the task performed to restore the condition of an asset through scheduled servicing or replacement.

18. Instrumented Protective Function (IPF): A function comprising one or more Sensors, a Logic Solver and one or more Final Elements, whose purpose is to prevent or mitigate hazardous situations. An IPF is intended to achieve or maintain a safe state for the process in respect of a specific hazardous event. In IEC 61508 and IEC 61511, an IPF is referred to as a Safety Instrumented Function (SIF).

19. Maintenance: The activity to ensure physical assets continue to perform their intended functions. Inspection, Testing and Preventive Maintenance are three distinct categories of planned maintenance. Corrective maintenance is part of maintenance.

20. Major Accident Hazards: Major Accident Hazards (MAHs) are defined as uncontrolled occurrences in the operation of a site or pipeline which lead to severe or catastrophic consequences to people, assets, the environment and/or company reputation. The consequences may be a fire, explosion or the release of a dangerous substance involving death or serious personal injury to persons on the installation or engaged in an activity on or in connection with it; an event involving major damage to the structure of the installation or plant affixed thereto, or any loss in the stability of the installation; the collision of a helicopter with the installation; the failure of life support systems for diving operations in connection with the installation; and any other event arising from a work activity involving death or serious personal injury to five or more persons on the installation or engaged in an activity in connection with it.

21. Mechanical Integrity: Programmatic implementation of activities focusing on ensuring that SCEs are designed, installed and maintained to perform the intended function throughout the life of a facility.

22. Mitigation: Measures taken to reduce the consequences of a potential hazardous event. Mitigation measures include:
   • 'Active' systems intended to detect and abate incidents (gas, fire and smoke alarms, shutdowns, deluge)
   • 'Passive' systems intended to guarantee the primary functions (fire and blast walls, protective coatings, drain systems) and

23. MOPO: Defines the limit of safe operation permitted for a particular asset if control and/or mitigation measures are reduced and/or removed, with the objective of maintaining a tolerable level of risk. Considers combinations of hazards and hazardous events.

24. Pass / Fail criteria: Criteria against which compliance with the Performance Standard under a defined assurance activity is demonstrated (or not demonstrated).

25. Performance Standard: A measurable statement, expressed in qualitative or quantitative terms, of the performance required of a system, item of equipment, person or procedure, which is relied upon as the basis for managing a hazard.

26. Preservation: A mode of operation involving the temporary suspension (mothballing) of a production facility from service.

27. Prevention: A measure designed to minimise the potential for a hazard to materialise.

28. Safety Critical Element: Part of an installation and such of its structure, plant, equipment and systems (including computer programs) or any part thereof:
   • the failure of which could cause or contribute substantially to the release of a hazard with Major Risks; or
   • a purpose of which is to provide the barrier to prevent or limit the effect of a major accident.

29. Safety Integrity Level (SIL): Dangerous failure class 0, a1, a2, 1, 2, 3, 4 or X, derived from the consequences of failure on demand and the Demand Rate. Also known as IPF Class. The definition in IEC 61511: a discrete level (one to four) for specifying the safety integrity requirements of the safety instrumented functions (IPF) to be allocated to the safety instrumented systems (trip systems). As per the IEC standards, SIL 4 has the highest level of safety integrity and SIL 1 the lowest.

30. SCE Category: A set of SCEs with a common high level functional objective as specified in the Safety Critical Elements Manual, EP OE MAN SCE (e.g. Structural Integrity, Process Containment, Ignition Control, etc.).

31. SCE Group: A sub-set of an SCE Category as specified in this procedure (e.g. SI001 Sub-structure, SI002 Topsides Primary Structure, SI003 Heavy Lift Cranes and Mechanical Handling, etc.).

32. SCPD: Any protective device (mechanical, pneumatic, hydraulic, electrical, electronic) which provides the barrier to prevent or limit the effect of a hazard with a major risk. The SCPD is part of the facility's list of SCEs.

33. Verification: The activities, in addition to ITPM tasks, which are performed by a Subject Matter Expert or Independent Party (depending on the Tier of Verification) to confirm whether the SCEs will be, are, and remain suitable, are adequately specified and constructed, and are being maintained in adequate condition to meet the requirements of the Performance Standards.

34. Verification Scheme: Written scheme documenting the means of Verification activities.

Table 1: Specific Definition of Terms

1.4.2 Specific Abbreviations

No.  Abbreviation  Description

1.   BDV           Blow Down Valve
2.   BSCPD         Bypass Safety Critical Protective Device
3.   CP            Competent Person
4.   EERA          Escape, Evacuation and Rescue Analysis
5.   ESD           Emergency Shut Down
6.   ESDV          Emergency Shut Down Valve
7.   Ex            Electrical Equipment Certified for Explosive Atmospheres
8.   FEED          Front End Engineering and Design
9.   FPSO          Floating Production Storage and Offloading
10.  FSM           Facility Status Management
11.  FSO           Floating Storage and Offloading
12.  GOPS          Generic Operation Performance Standard
13.  HAC           Hazardous Area Classification
14.  HAZID         Hazard Identification
15.  HAZOP         Hazard and Operability Study
16.  HEMP          Hazards and Effects Management Process
17.  HID           United Kingdom HSE, Hazardous Installation Directorate
18.  IBC           International Bulk Containers
19.  IAP           Integrated Assurance Planning
20.  ICP           Independent Competent Person
21.  IOAIA         Integrated Operational Asset Integrity Assurance
22.  MAH           Major Accident Hazard
23.  MATTE         Major Accident to the Environment
24.  MI            Mechanical Integrity
25.  MOPO          Matrix of Permitted Operations
26.  NPHA          Non-Process Hazard Analysis
27.  PMMS          PETRONAS Maintenance Management System
28.  PRV           Pressure Relief Valve
29.  PTS           PETRONAS Technical Standard
30.  SCE           Safety Critical Element
31.  SSIV          Sub-Sea Isolation Valve

Table 2: Definition of Abbreviations

2.0 OVERVIEW

2.1 Major Accident Hazard

(1) A Major Accident Hazard (MAH) is typically a hazard that can lead to a low probability, high consequence event. It requires a different approach from the occupational, or personal, safety management processes and programmes, which are associated with higher frequency but lower consequence events.
(2) The basic reason for this is that, while single failures can cause dangerous occurrences, Major Accidents do not generally happen as a result of the failure of one piece of equipment or one wrong action by an individual. Instead, they are characterised by a series of failures of plant, personnel functions, processes and procedures.
(3) The HSE Case and CIMAH (Control of Industrial Major Accident Hazards) Development Guideline, WW ALL X X S 05 038 I, November 2018, is the principal document used to identify the MAH and consequently to identify and confirm the barriers that are in place to prevent or mitigate the consequences of the MAH.

2.2 MAH Identification and Existing HSE Case and CIMAH

(1) Part of the initial process of the HSE Case is to establish the Hazards and Effects Register (HER), as required by PTS 18.04.02 Hazards & Effects Management Process (HEMP).
(2) Facilities may comprise platforms, pipelines and subsea systems. The boundaries will be in accordance with the boundaries defined in the HSE Case. The following PETRONAS Technical Standards are referred to:
a. PTS 18.04.03: Demonstration of Safe Design, Installation and Operations of Facilities
b. PTS 18.00.01: HSE Management System
c. PTS 18.04.02: Hazards & Effects Management Process (HEMP)

(3) The HSE Case and CIMAH Development Procedure explicitly requires the
identification of MAH as a separate population from the assessment of all
risks. This requirement for explicit identification of the MAH as a separate
sub-set of the asset risks is a characteristic of the MAH and SCE Management
System, as it deals specifically with the management of these low frequency,
high consequence hazards.
(4) MAH (and the subsequent SCE) should be identified in a dedicated subsection
of Part 2 of the HSE Case for an installation (refer Figure 1). For onshore
facilities in Malaysia, the document is the CIMAH Report, which requires a
dedicated subsection for this purpose.

Figure 1: Incorporation of the MAH and SCE into the standard HSE Case

2.3 HSE Case and CIMAH Development Procedure and Safety Critical
Elements (SCE) Document

(1) The HSE Case and CIMAH Development Procedure and the Safety Critical Element (SCE) Management Process form a major part of PETRONAS Upstream Risk Management.
(2) The HSE Case and CIMAH Development Procedure covers Major Accident Hazard (MAH) identification and management in detail. One element of MAH management is SCE Management, which is described systematically in this procedure.
(3) An overview of the document hierarchy for the Major Accident Hazard (MAH) and Safety Critical Elements (SCE) Management Process, showing all documents, is given in Figure 2.

[Figure 2 is a document hierarchy diagram; the text recovered from it is listed by level.]

Level 1: PTS 18.04.03 Demonstration of Safe Design, Installation and Operations of Facilities; PTS 18.53.02 (Mechanical Integrity)
Level 2: HSE Case and CIMAH Development Procedure; Development of Bowties Guidelines; Safety Critical Elements Management Procedure; Generic Operation Performance Standard (GOPS); Verification Works Instruction; SCE Deviation Management
Level 3: Site Specific HSE Case; Site Specific SCE Elements

Figure 2: SCE Management Document Hierarchy

(4) Figure 2 shows the document hierarchy for the MAH and SCE Management Process. Some documents contain more detail and application guidance than others, with the amount of detail increasing from Level 1 to Level 3. Level 1 documents are produced at group level, Level 2 documents at business level, and Level 3 documents are asset specific.

2.4 Bow Tie

(1) The Bow-Tie Analysis, or method, is a pictorial representation of how the management of a hazard and its effects goes towards minimising the consequence(s) arising from a hazardous event. Using the Bow-Tie methodology to identify barriers enables one to identify the specific role and function of each barrier and to understand the possible consequence of the failure of a barrier.
(2) The Bow-Tie technique is highly versatile and broadly accepted as industry best practice for the identification of SCEs. The detailed step-by-step application of the method for performing a Bow-Tie Analysis is identical to the methodology used when all risks are identified and evaluated.
(3) This is described in detail in PETRONAS PTS 18.04.02 "Hazards and Effects Management Process (HEMP)" and systematically described in WW ALL X X S 05 053 I, Rev.1 Upstream HSE Development of Bowties Guidelines.

2.5 Overview Of the MAH and SCE Management Process

(1) This section gives an overview of the Major Accident Hazard and Safety
Critical Element Management process requirements, and the order in which
they should be undertaken. The flowchart in Figure 3 shows the stages
involved in the SCE Management process:


[Figure 3 flowchart residue, reconstructed as a list.]

STAGE 1: IDENTIFY MAJOR ACCIDENT HAZARDS
• Likelihood
• Consequence
• Risk
Inputs: HER and HEMP; Bow Tie and Formal Safety Assessment (QRA, EERA, ESSA,
NHHA, Dropped Object, Ship Collision, TRIA, F&G Mapping, HAC etc.)

STAGE 2: IDENTIFY SAFETY CRITICAL ELEMENTS
• Avoid
• Prevent
• Control / Mitigate
• Emergency Response

STAGE 3: DEFINE PERFORMANCE STANDARDS
• Functionality
• Availability
• Reliability
• Survivability
• Interactions / Dependencies

STAGE 4: DEVELOP/REVIEW AND IMPLEMENT ASSURANCE PROCESSES
• Test
• Inspect
• Maintain

STAGE 5: SCE DEVIATION MANAGEMENT
• Identify
• Manage Interim Risk Until Resolution
• Repair / Replace / Redesign / Rectify

VERIFICATION ACTIVITIES shown alongside the stages: Demonstration of MAH & SCE
Management; MAH Suitability Assessment; Verification Gap Closure; Facility HSE
Case Verification Scheme; Safety Case Verification Scheme Implementation;
Verification of Suitability and Execution (for Stages 3, 4 and 5).

The whole cycle is subject to CONTINUOUS IMPROVEMENT REVIEW, SCHEDULED
UPDATES, AND CHANGE CONTROL PROCEDURES.

Figure 3: Major Accident Hazard and Safety Critical Element Management Process

3.0 ROLES & RESPONSIBILITIES

3.1 Key Roles & Responsibilities

(1) It is important to have the key roles established and understood in the SCE
Management process. The core SCE Management team is summarized and listed
in Table 3. The comprehensive BPW of SCE Management is documented in
Appendix B:

Personnel: Asset Owner
Roles and Responsibilities:
 Single point accountability for safeguarding the technical integrity of the
asset in the Operate phase.
 Accountable for ensuring that the assets are appropriately maintained; this
includes ensuring that all SCE have been identified and managed.
 Approve SCE deviation.

Personnel: Technical Authorities
Roles and Responsibilities:
 Responsible for providing discipline specific technical advice.
 Support the barrier owner of the Performance Standard for their respective
SCE Groups.
 Appointed and recognized as the highest technical discipline SME.
 Endorse requests for deviation or prolonged bypass of SCE; such requests
need their endorsement.
 Endorse Site Specific Performance Standard.

Personnel: Barrier Owners
Roles and Responsibilities:
 Approve SCE Register/List.
 Approve Site Specific Performance Standard (Note 1).
 Support and drive the development of SSPS.
 Responsible for monitoring and ensuring that the assurance tasks for SCE
under his/her ownership are taken care of.
 Participate in SCE Verification.

Personnel: Reliability & Integrity
Roles and Responsibilities:
 Accountable for SCE Performance and Health Status.
 Lead and facilitate the SCE identification process and SSPS in a workshop.
 Responsible for identifying the applicable GOPS for each identified SCE.
 Develop SCE Register/List.

Personnel: Process Safety
Roles and Responsibilities:
 Conduct Bow Tie exercise.
 Responsible for HSE Case development / SCE review.
 Monitor SCE Performance and Health Status via PSPI.

Table 3: Roles and Responsibilities of SCE Management

Note 1:

The Barrier Owner is to approve the SET of SSPS assigned under him/her, i.e. for
SSPS under instrument DS001, SD001, SD002, SD005, SD006, etc., with only ONE
approval signature on the main page.

4.0 MANAGEMENT OF BARRIER
(1) Barriers are intended, individually or collectively, to reduce the possibility
of an MAH occurring and to control and limit the consequences of an MAH.
Barriers include soft barriers and physical hardware barriers.
(2) A physical hardware barrier is physical equipment that is put in place to
prevent, control and limit MAH; such barriers are known as SCEs.
(3) Soft barriers include critical processes, human and organizational control
planning, and implementation guidelines, which include, but are not limited to,
the following PTS procedures:
i. PTS 18.22.02 Design Integrity;
ii. PTS 18.53.02 Mechanical Integrity;
iii. PTS 18.23.02 Operating Procedure;
iv. PTS 18.21.03 Pre Start Up Safety Review;
v. PTS 18.21.01 Process Hazard Analysis;
vi. PTS 18.23.03 Process Safety Information;
vii. PTS 18.23.02 Management of Change;
viii. PTS 18.23.05 Bypass Safety Critical Protective Device;
ix. PTS 18.21.02 Proprietary and License Technology Assessment

(4) Soft barriers and physical hardware barriers are interdependent and shall be
managed adequately to ensure these barriers remain effective over the life
of the facilities.
(5) The importance of barrier management and the relation between soft and hard
barriers are described in Figure 4.


Figure 4: Relation between hard and soft barrier

4.1 Critical Activity Catalogue

(1) The Critical Activity Catalogue (CAC) describes the list of HSE Critical Tasks that
must be performed to ensure the functionality and integrity of the control and
recovery physical hardware barriers. The CAC also defines, for each
SCE Group, the HSE Critical Positions and their accountabilities,
responsibilities and competencies for performing the identified activity.
Development of the CAC shall be in accordance with the Hazard & Effect Management
Process (HEMP) PTS 18.04.02 and the HSE Case and CIMAH Development
Procedure.

5.0 SAFETY CRITICAL ELEMENTS

(1) The key safety plant, systems and equipment required to manage Major
Accident Hazards are collectively known as Safety Critical Elements (SCEs).
The definition of a Safety Critical Element given in the United Kingdom Safety
Case Regulations (UKSCR) is:
“Such parts of an installation and such of its plant (including computer
programs), or any part thereof:
i. the failure of which could cause or contribute substantially to; or
ii. a purpose of which is to prevent, or limit the effect of - a major accident”
(2) An item is to be considered an SCE when:

i. its failure would cause a major accident;

ii. its failure would significantly add to a major accident;

iii. its purpose is to prevent a major accident; and

iv. finally, its purpose is to limit the effect of a major accident.

(3) As stated in Chapter 2, MAH are established from a Hazard Effect Register
(HER) as part of PTS 18.04.02 Hazard & Effect Management Process (HEMP)
and HSE Case development.
(4) MAH control measures (the MAH definition is based on the risk matrix stipulated
in PTS 18.04.02 HEMP) will be identified qualitatively via the Bowtie concept and
quantitatively defined via Formal Safety Assessment (FSA) review.
(5) SCEs are identified from analysing those hazards in the MAH category, and
constitute the means required to manage the associated risks. The Level 4
Business Process Workflow (BPW) for HEMP is attached in Appendix B.


[Figure 5 flowchart residue, reconstructed as a list of each HSE Case development
step and its governing document.]

Hazard Effect Register: refer PTS 18.04.02 Hazard and Effect Management Process
Major Accident Hazard: WW ALL X X S 05 038 I HSE Case and CIMAH Development
Guideline
Bow Tie: WW ALL X X S 05 053 I, Rev.1 Development of Bowties Guidelines
SCE Identification and Management: SCE Management Procedure (this procedure)

Figure 5: SCE identification as part of HSE Case Development

(6) The concept of SCEs is that of barriers placed between the hazard and the
consequence of the incident. This is explained with an illustration of the SCEs
as plant barriers, as shown in Figure 6. The holes in the barriers reflect a
path or route through which the hazard is realised. This is often referred to
as the “Swiss cheese model”. Refer to the sample bowtie with SCE indication in
Appendix C.
(7) Major Accident investigations indicate that such events do not occur because
of a single failure of plant or one individual’s mistake. It has been consistently
demonstrated that for a Major Accident to arise a combination of process,
plant integrity and personnel failures needs to happen.
(8) This arrangement of processes, plant and people is often referred to as the
barriers between a threat being present and an accident occurring. Any one
of the barriers can prevent the accident, and multiple failures are required
before a major accident can happen.

(9) An example of plant barriers is shown in Figure 6. The holes in the barriers
indicate a potential path or route by which the presence of a hazard can
lead to an event occurring. This pictorial representation is also commonly
used in industries other than offshore oil and gas (e.g. Health
and Aviation) to illustrate how a combination of failures can lead to an
accident event occurring.
(10) In Figure 6, each barrier type is represented by one or more Safety Critical
Elements and is designed to stop or minimise the effects of a hazard. For a
loss of containment of hydrocarbon, for example, the barrier types are
described in Table 4 below:

Barrier Type: Structural Integrity
Definition: The ability of a structure to perform its required function effectively
and efficiently over a defined time period whilst protecting health, safety and
the environment and preventing MAH.

Barrier Type: Process Containment
Definition: In this case, keeping the hydrocarbon inside the process equipment
means there is no escalation – the hazard is being managed.

Barrier Type: Detection Systems
Definition: If the first barrier fails, then the hydrocarbon is released, and may
ignite. It is the job of the detection systems to warn of this event before the
hazard can escalate, and to initiate controlling measures - allowing management
of the hazard.

Barrier Type: Shutdown Systems
Definition: The identification and escalation of the hazard (either through the
detection SCE, or through the hazard now being self-evident) should then be
managed through use of such systems as Emergency Shutdown and Process Blowdown
to minimize the inventory that can fuel the on-going incident.

Barrier Type: Ignition Control
Definition: The potential source of ignition shall be managed by ignition control,
to prevent a gas release from escalating into fire and explosion - the hazard
being managed.

Barrier Type: Protection Systems
Definition: As the event continues, the consequences of the incident are managed
through active and passive fire protection (such as deluge, blast walls and fire
retardant materials).

Barrier Type: Emergency Response and Lifesaving
Definition: Should the incident escalate sufficiently, it may be necessary to
control the risk to personnel by removing them from proximity to the hazard.

Table 4: Barrier type and definition

(11) Good barrier performance can be achieved through the adoption of well
written Performance Standards; and assurance & verification procedures.
(12) These procedures must be adhered to by personnel who are competent in
their defined roles in maintaining and assuring the performance of Safety
Critical Elements for a specific asset.


Figure 6: List of Typical SCE Elements


(13) A definitive list of barrier groups and a generic list of SCEs are provided in
Figure 6 of the report.
(14) These are generic listings and should be used when undertaking a review of
a particular asset’s hazards. The following caveats apply, however:
i. The listing is intended to cover all possible SCEs;
ii. Not all of the SCEs listed in Figure 6 may be applicable for a particular
asset. An individual asset’s SCEs need to be determined on a case by case
basis; and
iii. No other grouping of SCE shall be considered.
(15) The information provided in Figure 6, whilst considered a practical and
comprehensive source of information, is not a substitute for a full asset-
specific Safety Critical Element identification and analysis exercise, which
must still be carried out on an asset-by-asset basis.

5.1 Safety Critical Element Evolution through the Life-cycle of the Asset

(1) The identification and subsequent management of SCEs should actually start
at the design and build stage of the facility. A new facility at handover to
Operations & Maintenance should already have the What, Where, How, and
When defined and pre-loaded into the PETRONAS Maintenance Management
System (PMMS).
(2) In the operation phase, apart from Management of Change, SCE identification
should be revalidated during HSE Case development or renewal every 5
years. Figure 7 depicts clear expectations for SCE management throughout the
asset lifecycle.

(3) In summary:

a. MAHs will be identified starting at the concept stage and continuously
updated throughout the FEED and detailed design stages.
b. SCEs will be identified from the FEED stage onwards, and after the end
of construction and commissioning all relevant SCEs must have a
performance standard, the maintenance task list, maintenance
routine/assurance, verification and data loading into PMMS such that
the corresponding work orders are generated in a timely manner.
c. At the Operational stage of an asset, SCE identification will be
revalidated during HSE Case development, and the assurance tasks
assigned to each SCE shall be managed and conducted in a timely
manner.
d. Deviations related to SCE assurance tasks will be managed in Facility
Status Management (FSM) with a comprehensive review assessment to
include acceptance criteria, control and mitigation through Risk
Assessment with TA approval.
e. For existing facilities where the above activities were not done,
retroactive actions to achieve the same for the Operations phase are
necessary.
f. MAH can vary in severity and probability throughout the lifecycle of
the asset. This means that the SCEs might change accordingly.
g. To this end, the MAH and Safety Critical Elements (SCE) Management
Process requires a full review under the following conditions:
i. When a Management of Change process is initiated (e.g. major
change to design, process, inventories of hazardous materials,
personnel changes or operating context, etc.)
ii. During drilling or well intervention
iii. During decommissioning / abandonment
iv. Every five years during HSE Case revalidation.

[Figure 7 lifecycle chart residue, reconstructed as a list. Asset life-cycle phases
across the top of the chart: FEASIBILITY (FEL 1), CONCEPT SELECT (FEL 2), SCOPE
DEFINE (FEL 3), EXECUTION, OPERATIONS, DECOMMISSIONING. Activities shown under
these phases, in approximate lifecycle order: Project Assurance Plan (PAP)
addressed; Design Performance Standard (DPS); lessons pertinent to MAH and SCE
sought and captured; Hazards Identification (HAZID) for selected concept;
Bow-Ties Analysis; Formal Safety Assessment (FSA) including Bow-Ties; Design
Case; verification of design performance standards and assurance measures;
Project Design Verification; Detailed Front End Engineering Design (FEED); HSE
key studies / HAZID 2; SCE identification in Asset Register and loading into
PMMS; Site Specific Performance Standards and assurance measures; ITPM loaded
into PMMS; SCE Verification; SCE Gap Closure Implementation; validation of Asset
Register; Initial Operation HSE Case; validation of Operation HSE Case;
revalidation of SCE identification; validation of site specific performance
standards and assurance tasks for SCE; implementation of SCE performance tasks
and measures; Management of SCE Maintenance Deviation; SCE Status and KPI
Reporting; Decommissioning HSE Case; SCE Identification; Management of SCE
Deviation.]

Figure 7: SCE Management Asset Life Cycle

6.0 IDENTIFICATION OF SCE FOR A GIVEN MAH

(1) The Oil & Gas industry has had its fair share of disasters and as a result most
countries require some form of safety management for their plants.

(2) The Bow-Tie Model or Bow-Tie Analysis is considered best industry practice
for the identification of SCEs associated with a given hazard. Every SCE
belongs to at least one SCE group.

(3) In cases where more than one SCE group may be relevant to a single SCE,
only one can be assigned in the Asset Register. In these cases, a judgment
must be made on the most appropriate SCE group to select.

(4) This should take into account the prime function of the item and its likely
failure modes, as well as the maintenance and / or inspection that will be
applied to the item and hence how any failure would be detected. For example:

i. A process isolation ESD valve could conceivably be safety critical in
terms of its hydrocarbon containment role (PC005) and its role as an
ESD system end element (SD001). However, its prime role is to be
able to close to isolate process inventories and, therefore, the most
appropriate SCE group for it to be assigned to would be SD006
(Process ESD valve).
ii. A certified junction box within a fire and gas system loop could be
assigned DS001 fire and gas detection. However, it is passive in its
fire and gas functionality and its most likely failure mode would be of
its EX classification; therefore, it would be more appropriate to assign
it to IC003 (certified electrical equipment). Note that assigning an SCE
group in the Asset Register is used only for reporting purposes. It
should not preclude any other relevant performance assurance tasks
being assigned to the SCE.


Note 1: Refer Appendix D Process Safety for typical equipment types

Note 2: Refer Appendix D for typical equipment types

Figure 8: SCE identification as part of HSE Case Development

Figure 8 shows a flow chart of the process of identifying SCEs. Once a potential
SCE has been identified, the procedure starts at the top left-hand corner of the
flowchart in Figure 8. Apart from the start box, the coloured boxes consider equipment
related to process systems. The remaining boxes of the diagram relate to non-
process systems (such as structural, floating structures and escape systems).

Contains hydrocarbon or hazardous substance:

 If the element in a system contains flammable hydrocarbons or
other hazardous substances, then there is the potential that failure
could result in a major accident event. Therefore, these items
would be considered as SCEs. Typically, these items would
include process pipework and vessels containing hydrocarbons,
and represent the process containment barrier grouping.

Part of a Control, Shutdown or Mitigation System:

 If the element is part of a control, shutdown, or mitigation system
then there is the potential that its function is to provide protection
against a major accident and its consequences. This would be
the case if it was designed to protect process equipment from
catastrophic failure. Typical examples are the facility Emergency
Shutdown System (ESD) and Passive Fire Protection (PFP). This
identifies those SCEs that are part of the Detection, Protection
and Shutdown Systems barrier grouping.
 For facilities with an IPF system, alarms and operator intervention
shall not be given credit as valid barriers nor shall they be
considered as SCEs. Note that for facilities that are designed
without an IPF system, with reference to the Cause and Effect Matrix
(C&EM), basic process control system elements such as pressure control
valves (PCV), level control valves (LCV) and the associated alarms,
etc. may be taken as barriers in the absence of other valid barriers.
In this case, the PCV, LCV and associated alarms shall be
considered as SCEs.
 The failure of an element may result, for example, in upset
conditions that lead to over-pressurisation of pipework or vessels
if they are not designed to withstand the event. This would lead
to a major accident due to loss of containment in the upstream or
downstream systems. An example of this type of system is a High
Integrity Pressure Protection System (HIPPS). This type of system
falls into the Shutdown Systems barrier grouping.

Can failure result in a major accident or inability to prevent, control or
mitigate?

 This would be a consideration for systems that are generally not
considered part of the process. For example, structural failure on
a mobile offshore facility may lead to loss of stability and a Major
Accident. In addition, systems such as the navigational aids help
prevent ship collision. Similarly, cranes or lifting equipment may
cause a Major Accident in the event of their failure due to dropped
objects. This should identify the Structural Integrity barrier group
and also the Protection Systems grouping for elements such as
navigational aids, collision avoidance systems, etc.

Does the element prevent harm to people? This would include items that:

 Protect people and the environment from a major accident hazard
involving fire, explosion and the release of toxic gases and fumes.
 Ensure effective escape from affected areas of the site, evacuation
of the site or transference of people to a place of safety.
 This identifies SCEs that are part of the Emergency Response and
Life Saving barrier grouping.

Note that Appendix D of this report tabulates SCEs down to tag or component
level under “typical equipment type”.
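The four flowchart questions above can be expressed as a decision procedure. The following Python classifier is an added illustration written for this edit; it is not part of the procedure, of Figure 8, or of any PETRONAS system. The element attribute names, the `FacilityContext` flag and all tags in the sample data are hypothetical constructs. It walks the questions in the order the text gives them, applies the IPF caveat from the second question (alarms and operator intervention are not credited on an IPF-equipped facility), and returns the barrier grouping the flowchart identifies. The single SCE group code recorded in the Asset Register (Section 6.0 (3) and (4)) remains a separate judgment and is not made here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Barrier groupings named in the flowchart narrative above.
PROCESS_CONTAINMENT = "Process Containment"
DETECTION_PROTECTION_SHUTDOWN = "Detection, Protection and Shutdown Systems"
STRUCTURAL_INTEGRITY = "Structural Integrity"
PROTECTION_SYSTEMS = "Protection Systems"
EMERGENCY_RESPONSE = "Emergency Response and Life Saving"


@dataclass
class Element:
    """Candidate element with the attributes the four flowchart questions ask about.
    Attribute names are hypothetical; they are not PMMS or Asset Register fields."""
    tag: str
    contains_hazardous_substance: bool = False   # Q1: flammable hydrocarbon or other hazardous substance
    protective_role: Optional[str] = None        # Q2: "control", "shutdown" or "mitigation", else None
    alarm_or_operator_action: bool = False       # Q2 caveat: BPCS alarm / operator intervention
    failure_causes_major_accident: bool = False  # Q3: non-process item whose failure can lead to an MAH
    structural: bool = False                     # Q3: structural item (vs. e.g. navigational aids)
    prevents_harm_to_people: bool = False        # Q4: escape, evacuation, protection of people/environment


@dataclass
class FacilityContext:
    has_ipf_system: bool  # facility is designed with an Instrumented Protective Function system


def classify(element: Element, ctx: FacilityContext) -> Optional[str]:
    """Walk the flowchart questions in order; return the first matching barrier grouping,
    or None when the element is not an SCE."""
    # Q1: contains hydrocarbon or hazardous substance -> process containment barrier
    if element.contains_hazardous_substance:
        return PROCESS_CONTAINMENT

    # Q2: part of a control, shutdown or mitigation system
    if element.protective_role in ("control", "shutdown", "mitigation"):
        # On an IPF-equipped facility alarms and operator intervention are not credited
        # as barriers and are not SCEs; without IPF they may be (PCV, LCV, alarms).
        if not (element.alarm_or_operator_action and ctx.has_ipf_system):
            return DETECTION_PROTECTION_SHUTDOWN

    # Q3: non-process item whose failure results in a major accident, or in the
    # inability to prevent, control or mitigate one
    if element.failure_causes_major_accident:
        return STRUCTURAL_INTEGRITY if element.structural else PROTECTION_SYSTEMS

    # Q4: element prevents harm to people (escape, evacuation, protection)
    if element.prevents_harm_to_people:
        return EMERGENCY_RESPONSE

    return None


def build_sce_register(elements: List[Element], ctx: FacilityContext) -> List[Tuple[str, str]]:
    """Return (tag, barrier grouping) for every element the flowchart identifies as an SCE."""
    register = []
    for el in elements:
        grouping = classify(el, ctx)
        if grouping is not None:
            register.append((el.tag, grouping))
    return register


# Constructed sample candidates; tags and attributes are illustrative, not from any real asset.
SAMPLE_ELEMENTS = [
    Element("V-101", contains_hazardous_substance=True),                           # HC separator vessel
    Element("ESDV-201", protective_role="shutdown"),                                # ESD isolation valve
    Element("PAH-301", protective_role="control", alarm_or_operator_action=True),  # high pressure alarm
    Element("JKT-001", failure_causes_major_accident=True, structural=True),       # jacket structure
    Element("NAV-001", failure_causes_major_accident=True),                         # navigational aid
    Element("LB-001", prevents_harm_to_people=True),                                # lifeboat
    Element("P-401"),                                                               # cooling water pump
]

if __name__ == "__main__":
    for ctx in (FacilityContext(has_ipf_system=True), FacilityContext(has_ipf_system=False)):
        print(f"IPF system present: {ctx.has_ipf_system}")
        for tag, grouping in build_sce_register(SAMPLE_ELEMENTS, ctx):
            print(f"  {tag:<9} -> {grouping}")
```

Running the sample twice, with and without an IPF system, shows the one difference the caveat makes: the high pressure alarm PAH-301 is dropped from the register on the IPF-equipped facility and credited under the Detection, Protection and Shutdown Systems grouping on the facility without IPF; the other six candidates classify identically in both cases.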

6.1 SCE Identification at Group, Sub Group and Tag Level

(1) SCE at group level will be part of the MAH bowtie exercise and documented in
the approved HSE Case. The definition of each SCE group is stated in Appendix D.
(2) SCE identification shall be conducted (refer to Figure 8) after the bowtie exercise
(refer Appendix C), and each item shall be correctly assigned as an SCE by utilizing
the flowchart in Figure 8. Identified SCEs shall be approved by the relevant SCE
barrier owner as described in the BPW in Appendix B.
(3) SCEs are often dependent upon each other to function. The interaction
dependencies for SCEs should be clearly defined and the interfaces between the
relevant SCEs clearly identified during SCE identification. This is to ensure
that no critical interdependencies are overlooked.

6.2 SCE Group Register in HSE Case

(1) Identified SCE groups will be documented in the HSE Case and shall be reviewed
and endorsed as the Approved SCE Group Register in the HSE Case.
(2) A Site Specific Performance Standard (SSPS) shall be developed for each
SCE group identified in the approved SCE Register and further enhanced to
include SCEs at tag level and their assigned assurance tasks.
(3) Details of the SCE identification process are clearly described in BPW Level 5 and
a sample SCE Register is documented in Appendix B.

6.3 SCE Group Barrier Owner

(1) An SCE Barrier Owner for each SCE Group is critical to provide a clear line of sight
of the SCE’s performance of its function when it is required, and is accountable for
ensuring that the barrier management work process is implemented.
(2) A dedicated Barrier Owner for each SCE Group (e.g. SI001, SI002, PC001, PC002,
PC003, etc.) shall be assigned for each asset based on job description
or equivalent, depending on the organization structure of an Asset/Country.
(3) The SCE Barrier Owner is accountable for barrier performance and owns the results.
He / She shall monitor compliance and performance of the barrier type against
relevant standards and ensure that performance improvements are
developed and in place.

(4) In summary, barrier owner accountabilities include, but are not limited to,
the following:
 Implement the barrier management work process, i.e. the SCE
Management work process;
 Monitor compliance and performance of the barrier type against the relevant
standard; and
 Analyze barrier performance periodically, identify performance
improvements, put intervention plans in place and complete action plans.
(5) Barrier Owner responsibilities include, but are not limited to, the following:
 Establish and approve the SCE List and SSPS, where required,
communicate them clearly and provide consistency in the requirements
of the barrier type;
 Review periodically the health of the barrier through the SCE Pass/Fail
Criteria as required in PTS 18.53.02 Mechanical Integrity, PSPIs or
Asset-specific KPIs, and drive improvements;
 Know how to implement the barrier to deliver the business results, i.e.
being the SME or first-point-of-contact for the barrier type;
 Champion the work process by communicating its performance, the
accomplishments, the success stories and the challenges that remain;
 Monitor work process performance and process tool use across the
site, i.e. compliance to procedures and effective use of the tools (e.g.
forms, templates, online tools, etc.);
 Develop, drive or provide training material to the Learning
Department and coordinate training or refresher sessions when
required;
 Conduct, drive and lead yearly management reviews/work process
effectiveness reviews/health checks to identify successes or
opportunities for improvement; and
 Develop a yearly intervention plan, secure budget and resources to
execute the plan and monitor progress.
(6) Take Rotating Equipment PC003 as an example. Rotating equipment is
identified at group level and will normally involve a few other SCEs, e.g.
Detection System (DS001), as SCE interdependencies.

(7) A joint review of the SSPS among barrier owners is required for such SCE groups,
e.g. PC003. Other SCE barrier owners involved in PC003 shall be responsible
for ensuring that their barriers perform well and comply with the standard and
requirements.
(8) The SCE Barrier Owner for, e.g., PC003 (Rotating) shall be accountable for ensuring
that correct SCE tagging at the appropriate level, the assurance tasks and the
acceptance criteria have been completed and approved prior to uploading
into PMMS. (SSPS is described in detail in Chapter 7.)

7.0 PERFORMANCE STANDARD FOR SCE

(1) A Performance Standard (PS) is a statement, which can be expressed in
qualitative or quantitative terms, of the performance required of a system,
item of equipment, person or procedure. A PS defines the expected
performance or goal for each SCE to function in order to prevent MAH. The
PS is used as the basis for managing the hazard, e.g. planning, measuring,
control or auditing, through the lifecycle of the installation. This means that
any SCE needs an associated PS which describes the essential requirements
that must be maintained or provided on demand, throughout the lifecycle of
the installation.
(2) Therefore, a performance standard for an SCE may be different at the Design
Stage from what it is in Operations.
(3) Reviewing the performance standard’s continued suitability is extremely
important and should be done whenever there is a major change in the
operating context of the installation.
(4) For a performance standard to be suitable it should contain all of the
following:
(5) The goal or function of the SCE, together with:
i. The functional performance requirement for the following criteria:
Functionality, Availability/Reliability and Survivability;
ii. Any dependencies on other SCEs;
iii. The pass/fail acceptance criteria by which performance of the SCE will
be measured and recorded;
iv. The reference material from which the acceptance criteria should be
derived; and
v. Any contingency actions that may be taken into consideration when
performance criteria are not met.
(6) Concepts that must be considered in the creation of the Performance
Standard include the following:
i. Functionality – What is it required to do?

 Functionality defines the key duties that the SCE is required to


perform. The minimum level at which that function is achieved
must also be defined. Criteria are considered ‘measureable’ where
Internal

PETRONAS UPSTREAM Page 36


Upstream Safety Critical Elements (SCE) WW ALL X X S 05 049 I,
Management Procedure November 2019
it is possible for a person carrying out an assurance activity to
clearly understand what the critical requirement is, and to be able
to measure or observe that the criteria is being achieved.

 During the operational phase of the installation, the performance


standard has to reflect how it shall be assured that the SCE is
maintained above the minimum acceptable condition. This may
not be the same as the design criteria. An acceptable level of safe
degradation should be defined. Availability – For what proportion
of time will the equipment be available to perform on demand?
ii. Availability is the percentage of time where the SCE is ready to
perform on demand. An emergency generator will generally be
unavailable during planned maintenance. If any part of a system is
defective, the system will have reduced Availability.
iii. Reliability – How likely is it to perform on demand?
 Reliability is intrinsically linked to Availability, but is subtly
different. Reliability refers to the ability of the item to perform on
demand (i.e. how good it is at reacting when required, due to the
quality of its design, maintenance or operation). Performance
Standard criteria for Reliability can be expressed in terms of
Probability of Failure on Demand (PFD), Safety Integrity Level
(SIL) or Mean Time between Failure (MTBF). The frequency and
results of testing must be such that the Reliability target is
confirmed.
 During operations, the ability to meet this is demonstrated by
functional testing at an appropriate interval. From these tests,
accurate data must be recorded and reviewed in detail to assess
if the required Reliability is being achieved. If the required level
of Reliability is not being achieved, appropriate action must then
be taken to improve it. This may include system redesign,
amendment of test intervals or revision of the maintenance
strategy.
 Targets for Reliability in operation may not be possible for some
SCEs as there may be no possibility to collect sufficient data to

Internal

PETRONAS UPSTREAM Page 37


Upstream Safety Critical Elements (SCE) WW ALL X X S 05 049 I,
Management Procedure November 2019
assure the target is met. In cases such as deluge valves or fire
pumps there should be a general expectation that they shall
operate on demand every time. It is vital that Technicians
understand this concept and record when failures are observed
during routine testing, i.e. that the reliability of an SCE is
compromised when they have to carry out corrective maintenance
in order for the intended function to complete its action.
iv. Survivability – How will the system perform after the event?
 • The performance standard criteria for survivability (e.g. after a
fire, explosion, ship impact, dropped object, extreme weather,
etc.) must be defined if the SCE is required to operate in the event
of a Major Accident, and should state for how long the system
should continue to be effective. Each SCE should be considered
against the MAHs defined in the HSE Case: does the MAH have
the potential to impair the ability of the SCE to operate? If so,
the performance standard shall state how this is mitigated.
v. Interdependencies – Which other SCEs are required to function in
order for this SCE to function?
 • SCEs are often dependent upon each other in order to function.
Consider the following examples:
   • Hydrocarbon containment relies on Structural elements to
support the containing equipment and piping
   • Structural elements rely on Passive Fire Protection to
ensure they meet Survivability criteria
   • Fire & Gas systems rely on Emergency Power and UPS to
ensure they provide protection during a power outage or
ESD
 • The interactions and dependencies of the SCE under
consideration should be clearly defined and the interfaces
between the relevant SCEs clearly identified, so that no critical
interdependency is overlooked.
(7) The above five criteria (Functionality, Availability, Reliability, Survivability
and Interdependencies) are often referred to by the acronym FARSI and
are defined in the UK HSE Offshore Installations (Prevention of Fire and
Explosion, and Emergency Response) Regulations 1995 (SI 1995/743) and PTS
18.53.02 Mechanical Integrity.
(8) Performance standards and acceptance criteria are set at anything
from a system and / or area level down to an individual maintainable item.
Examples of SCEs at system level are:
 • Fire detection system
 • Emergency escape lighting system
 • Fire water pump system
And at item level:
 • Pressure vessel containing hydrocarbon
 • Pipeline emergency valve
 • Electrical motor operating in a potentially hazardous area
 • Emergency generator.

7.1 Design Performance Standard (DPS)

(1) The DPS defines the parameters that can be measured or assessed so that
the suitability and effectiveness of each SCE can be assured and verified
during the project phase.
(2) The DPS is developed and approved during FEED, after SCE identification
has been completed during Design HSE Case development.
(3) The content of the design performance standard is further
elaborated in Design Performance Standard (WW ALL X X S 05050 I, Rev.
1).

7.2 Operation Performance Standard

(1) The Operation Performance Standard (OPS) is developed to focus on the
Functionality, Availability, Reliability, Survivability and Interdependencies
(FARSI) of the SCE, so that it adequately prevents, detects, controls and mitigates
MAH.
(2) It is critical to ensure and verify that the integrity of all relevant SCEs is intact
and that they function effectively as intended throughout the operational life.
(3) The OPS, as shown in Figure 2, sits at Levels 2 and 3 and consists of the Generic
Operation Performance Standard (GOPS) as the main reference and the Site
Specific Performance Standard (SSPS) for effective site
implementation.

7.2.1 Generic Operation Performance Standards (GOPS)

(1) The GOPS is a guideline developed at business level to guide
Upstream in establishing the FARSI criteria and the minimum requirements that
must be met for an SCE to maintain its integrity throughout the
asset's operational life. It shall include the acceptance criteria that
the SCEs must meet and shall be developed in sufficient detail to enable
practical assurance that barriers remain effective.

(2) As far as practicable, the functionality of an SCE described in the GOPS
shall be assured in two ways:

a) By assurance tasks, which involve routine checking of its
design, maintenance, inspection and testing.
b) By verification activities, which are performed to confirm
the adequacy of the assurance tasks.

(3) The GOPS is revised every 5 years, or sooner when there are significant
changes to the design or maintenance strategy, for example as a result of
verification findings. The GOPS shall be endorsed by the GTAs, and the SSPS shall
be developed with reference to the GOPS.

7.2.2 Drilling and Well Integrity Performance Standard

(1) The drilling and well integrity performance standards are part of the OPS and
are developed with reference to the GOPS. The complete SCE management
requirements related to wells are managed under PTG 25.00.22 Well
Integrity Management System.

(2) The Well Integrity Management System specifies the detailed assurance task
requirements for the following SCE Performance Standards:
 • SI-007: Drilling Systems
 • SI-010: Well Structures
 • PC-008: Wells Hydrocarbon Containment
 • PC-013: Well Intervention/Well Control Equipment
 • SD-004: Well Isolation
 • SD-008: Drilling Well Control Equipment

7.2.3 Site Specific Performance Standard

(1) The Site Specific Performance Standard (SSPS) is developed to suit
the site/facility, with reference to the applicable GOPS. The
SSPS content shall in all cases comply with the GOPS in terms of
Functional Criteria, Minimum Acceptance Criteria and Measurable
Unit. In some cases, minor changes to the Assurance Tasks,
and a different frequency for the asset-specific task list, are acceptable
where a more relevant, applicable and practical practice is available
(and is supported by relevant technical standards). Such changes
shall be reviewed and endorsed by the discipline Technical Authority and
approved by the Barrier Owner of the respective SCE Group. Table 5 describes
the functionality expectations in an SSPS.

Functionality Expectation

Assurance Task
 a. The main aspect of the functionality goal is the assurance task.
    Assurance represents the activities (preventive
    maintenance strategies including inspection, planned
    maintenance and testing) performed by the Operator to
    ensure that SCEs are consistently and continuously
    meeting Performance Standard requirements.
 b. For the majority of SCEs, assurance tasks during the
    operational phase are achieved through the carrying out
    of the maintenance and inspection processes (including
    functional tests). In some cases there is also a direct
    inter-dependence between the planning of
    maintenance/inspection tasks and the PSs, most notably
    with regard to the reliability / availability performance
    requirements.
 c. SCE assurance activities, carried out on the Asset
    on a regular basis by suitably qualified and competent
    personnel (Asset/Country or other approved
    personnel), will generally involve the following:
    i. Function testing of the SCE;
    ii. Visual inspection of the SCE;
    iii. Preventive maintenance/inspection of the SCE;
    iv. combinations of the above; or
    v. replacement/repair of the SCE (corrective maintenance).

Responsible Party / Accountable Party
 In each performance standard, against each defined
 criterion as it arises in each of the PS parameters, there
 is a brief description of the assurance tasks that are to
 be undertaken (where applicable) by the Asset/Country
 Production department (or on their behalf by an
 approved 3rd party, or specialist equipment
 manufacturers). These tasks are required to be carried
 out to ensure that all elements of the PS are met and
 maintained throughout the operating phase of the
 installation life cycle.

Minimum Acceptable Criteria
 Performance Standards set out the performance
 expectation of an SCE, which must be measured and
 assessed against the predefined acceptance criteria so
 that the ongoing suitability and effectiveness of each
 SCE can be verified.

Frequency
 The frequency of assurance tasks is subject to PTS, code
 and standard requirements, Original Equipment
 Manufacturer (OEM) and Safety Integrity Level (SIL)
 recommendations.

Measurable Unit – Pass / Fail Criteria (Assurance Value)
 The Assurance Value is used in the decision-making process to
 confirm compliance, with a PASS being the desired
 outcome. Pass / Fail criteria are used for the following
 activities carried out as part of an SCE function test:
 i. Pass / Fail against a measurable / quantifiable
    parameter, e.g. specified valve closure time; or
 ii. Pass / Fail against a specific outcome occurring /
    not occurring (Yes / No) – qualitative parameter, e.g.
    alarm indicates / does not indicate as a result of the test;
    or
 iii. Pass / Fail against a subjective judgement, e.g.
    visual inspection or maintenance activity – qualitative
    parameter.
 Examples of measured values are ESD valve
 closure time or relief valve lift pressure. It is very
 important to differentiate between a pass and a pass
 after fix, i.e. to record that a remedial action was
 required before achieving a successful test.

Verification Task and Supporting Documents for Verification
 The tasks shall be verified at the appropriate interval by
 competent personnel and contractors.

Table 5: Contents of SSPS
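As an added worked example (not part of this procedure, and not PETRONAS code), the following Python routine applies the Pass / Pass after fix / Fail rule of the Measurable Unit row above, and the reliability review described under the Reliability criterion, to a set of constructed function-test records. The tag numbers, the 10-second closure-time limit and the target PFD of 0.1 are assumptions chosen for illustration; they are not values taken from the GOPS or any SSPS. The point the code makes explicit is that only the As-Found value says whether the SCE would have worked on demand, so a pass after fix must be counted as a failure when observed reliability is compared against the target.

```python
"""Evaluation of SCE function-test records against an SSPS acceptance
criterion and a reliability target.

Added illustration for the procedure text above, not part of the PETRONAS
document. Tag numbers, limits and test results are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Result(Enum):
    PASS = "Pass"
    PASS_AFTER_FIX = "Pass after fix"   # remedial action needed before a successful test
    FAIL = "Fail"                       # failed the re-test, or no repair possible


@dataclass(frozen=True)
class Criterion:
    """One measurable acceptance criterion from a performance standard."""
    parameter: str      # measured quantity, e.g. ESD valve closure time in seconds
    limit: float        # maximum acceptable value
    target_pfd: float   # reliability target as probability of failure on demand


@dataclass(frozen=True)
class TestRecord:
    """As-Found / As-Left values recorded for one function test.
    None means the SCE did not perform its function at all."""
    tag: str
    as_found: Optional[float]
    as_left: Optional[float]


def meets(value: Optional[float], crit: Criterion) -> bool:
    return value is not None and value <= crit.limit


def classify(rec: TestRecord, crit: Criterion) -> Result:
    """Pass / Fail rule from the SSPS: only the As-Found value shows whether
    the SCE would have worked on demand. A test that passes only after
    corrective maintenance is recorded as Pass after fix, never as Pass."""
    if meets(rec.as_found, crit):
        return Result.PASS
    if meets(rec.as_left, crit):
        return Result.PASS_AFTER_FIX
    return Result.FAIL


def observed_pfd(records: List[TestRecord], crit: Criterion) -> float:
    """Fraction of tests in which the SCE was not functioning As-Found.
    Pass after fix counts as a failure on demand: the SCE was impaired
    until a technician intervened, which is exactly what the reliability
    statistics must capture."""
    if not records:
        raise ValueError("no test records to assess")
    failures = sum(1 for r in records if classify(r, crit) is not Result.PASS)
    return failures / len(records)


def reliability_check(records: List[TestRecord], crit: Criterion) -> Tuple[float, bool]:
    """Return (observed PFD, True if the reliability target is met).
    For demand-every-time SCEs set target_pfd = 0.0, so a single As-Found
    failure misses the target and triggers a review of design, test
    interval or maintenance strategy."""
    pfd = observed_pfd(records, crit)
    return pfd, pfd <= crit.target_pfd


# Constructed sample: ESD valves with a hypothetical 10 s closure-time limit
# and a hypothetical target PFD of 0.1 for the group.
ESDV_CLOSURE = Criterion(parameter="closure_time_s", limit=10.0, target_pfd=0.1)
SAMPLE_RECORDS = [
    TestRecord("ESDV-101", as_found=6.2, as_left=6.2),    # Pass
    TestRecord("ESDV-102", as_found=14.0, as_left=7.5),   # slow As-Found, passed after actuator repair
    TestRecord("ESDV-103", as_found=None, as_left=None),  # did not move, no repair possible on the day
    TestRecord("ESDV-104", as_found=8.9, as_left=8.9),    # Pass
    TestRecord("ESDV-105", as_found=10.0, as_left=10.0),  # Pass, exactly at the limit
]


def assessment(records=SAMPLE_RECORDS, crit=ESDV_CLOSURE):
    """Per-tag results plus the group reliability verdict, as a reviewer
    would tabulate them from the PMMS records."""
    per_tag = {r.tag: classify(r, crit).value for r in records}
    pfd, ok = reliability_check(records, crit)
    return {"results": per_tag, "observed_pfd": pfd, "target_met": ok}


if __name__ == "__main__":
    summary = assessment()
    for tag, verdict in summary["results"].items():
        print(f"{tag}: {verdict}")
    print(f"observed PFD {summary['observed_pfd']:.2f}, target met: {summary['target_met']}")
```

With the constructed records, two of five valves were not functioning As-Found (one pass after fix and one fail), so the observed PFD is 0.4 against a target of 0.1 and the group misses its reliability target even though four of the five valves left the test in a passing state. Records exported from PMMS would be mapped onto TestRecord in the same way, with one Criterion per performance-standard parameter.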

7.3 Management of SCE in Maintenance Plan

(1) Referring to PTS 18.53.02 Mechanical Integrity, every identified SCE shall
have an effective ITPM. Appropriate ITPM tasks shall be established and
implemented in order to identify, predict or prevent the failure of the SCE.
(2) The following guidance applies to the SCE Maintenance Plan:
a. The SSPS will be translated into an ITPM task list and uploaded into PMMS,
and the task list from the SSPS shall be defined as the SCE Performance
Standard in PMMS.
b. ITPM tasks shall be executed on time and recorded, and the results analysed
with respect to the performance standards.
c. An effective quality assurance and control process for the ITPM performed
on SCEs shall be established so that it is properly executed to ensure
safety and sustainable production. The process shall ensure that:
 • Equipment meets design specifications and complies with applicable
   standards, codes and engineering practices (covered by PTS
   18.53.06 Design Integrity)
 • Personnel involved in inspection, testing or performing work on SCEs
   are competent as per the requirements specified in the CAC
 • Test equipment is properly calibrated and maintained
 • Maintenance tools, materials, spare parts and equipment are
   suitable for the application for which they will be used, and
 • Technical specifications for direct charge materials (non-stock
   materials) are verified and approved by the appointed TA
d. SCE assurance tasks and non-SCE assurance tasks may be in the same
work order, with a clear indication that the task list is a
Performance Standard task list. By diligently conducting the ITPM on
the SCE and recording the results, the SCE can be assured to have
achieved the performance standard requirements.
e. Note that every SCE function test carried out will therefore be assessed
as a Pass / Fail. Those SCEs which fail the initial test/inspection and
which cannot be readily repaired / replaced, or which fail a re-test, clearly
indicate that the SCE is not functioning in accordance with its PS
requirement. This condition potentially affects the asset's ability to
respond to MAHs as described in the HSE Case. Action will therefore
have to be taken urgently to address the SCE non-compliance and to
ensure that it is returned to its required functionality.
f. Ineffective SCEs and any abnormal findings on SCEs shall be closed out
accordingly; any overdue closure of a finding shall be risk-analysed and approved
by the respective TA. It shall be managed via FSM with a risk assessment
that addresses sufficient control and mitigation, the inherent risk and the
residual risk, to support the ineffective SCE.
(3) It is important to ensure that the correct "SCE indicator" is assigned to each SCE
at system or tag level prior to uploading into PMMS; refer to Appendix D for
the SCE boundary in PMMS.
(4) Note that, in some cases (i.e. well intervention, Drilling Well Control
Equipment, etc.) where the assurance tasks are performed outside of the
PMMS by an external party owning the equipment or facility, the Asset Owner
should be able to verify that the required tasks are duly communicated to that
party, and are being performed, recorded and reported as required.

7.4 Critical Spares for SCE

(1) Critical spares for SCEs should be identified to ensure that an SCE can be
returned to full operation in as short a time as possible in the event of failure.
(2) Critical spares for SCEs are recommended to be identified via, for example, a
critical spares workshop run by technical subject matter experts who are familiar
with the environment in which the equipment will operate and with its maintenance.
As guidance, the SCE critical spare selection process should take the following
into consideration:
 • Equipment or parts with a low Mean Time Between Failures (MTBF),
   routinely replaced during maintenance and subject to sudden failure,
   and parts without which the SCE will not function
 • Equipment or parts with a long delivery lead time, and the geographical
   location factor. Note that geographical location plays an important role,
   i.e. where difficulties may be experienced in importing material in a
   timely manner
 • Equipment or parts on the OEM recommended spare parts list
For projects, during the detailed design stage, when the design has been confirmed
and finalized and the maintenance strategy has been formed, predicted data
can be applied to the equipment to provide contingency for SCE failure.

8.0 SCE VERIFICATION

(1) Verification represents the activities, in addition to Assurance, which are
performed by a Competent Person (CP) to confirm whether the SCEs will
be, are, and remain suitable, are adequately specified and constructed, and
are being maintained in adequate condition to meet the requirements of the
SSPS.
(2) Verification is a requirement stipulated in PTS 18.53.02 Mechanical Integrity
(MI).
(3) Typically, verification shall comprise the following activities:
a) Periodic desktop (office) review of the respective Asset's documentation
relating to testing / inspection / maintenance records, in order to
confirm the continuing suitability of SCEs;
b) Periodic review of the implementation of the relevant integrity
assurance procedures and management systems on which SCE
integrity assurance depends; and
c) Periodic offshore (site) witnessing of test / inspection / maintenance
activities, condition examination of SCEs, and interviews of personnel
involved in / responsible for assurance tasks.

8.1 Verification Scheme

(1) The verification scheme includes all relevant activities planned for verification,
i.e. the exact list of activities to be verified, by whom, when, and in what way.

(2) The overall list of activities to be verified at the asset should be formally
agreed with the asset owner.

(3) The verification scheme consists of two major parts, i.e. the Verification Work
Instruction (VWI) and the selection of the competent person.

8.1.2 Verification Work Instruction (VWI)

(1) The VWI specifies the activities to examine the Safety Critical
Elements and how they are meeting the Performance Standards
as specified for each asset.
(2) The VWI covers each SCE group and sub-group in that asset and contains
the following elements, as a minimum:
 • The SCE Group, the SCE Goal, the Functional Criteria,
   Assurance Task, Verification Task, list of Documents required,
   and Verification Frequency and Sampling Size.

8.1.3 Selection of Competent Person

(1) Verification activities detailed in the VWI are required to be carried
out by a competent person who is the Subject Matter Expert (SME)
for that particular SCE. Examples of the selection criteria for SMEs are
listed in Table 6.

Selection of SME / Justification

1. Competence
   Discipline Engineer:
   • SME engineer with a minimum of 7 years of
     experience in one or more elements of the
     design, manufacture, maintenance and
     operation of offshore or onshore assets, and recognized as such
   • Has theoretical and practical knowledge,
     and actual experience of the type of plant
     to be examined
   • Understands the consequence of the non-
     function of the SCE verification item.
   The main day-to-day duties of these engineers:
   i. Surveys, examinations, maintenance/
      inspection reviews and technical audits
      onshore/offshore against Performance
      Standards, MCF Elements 4.1, 5.6 & 7.2, with
      reference to the PTS, Malaysian/Country
      Requirements and International Standards.
   ii. Properly complete the VWI, attaching relevant
      evidence (pictures, reports, etc.).
   iii. Provide clear and concise technical reports.

2. Verification Team Composition
   The Verification Team consists of the following
   engineering disciplines, but is not limited to:
   • Structural Engineer
   • Static Engineer
   • Rotating Equipment Engineer
   • Pipeline Engineer
   • Instrumentation & Control Engineer
   • Electrical Engineer
   • Process Engineer
   • Well Engineer
   • Fire & Safety Engineer
   • MCI
   • OSR Inspector
   The team is coordinated by the respective
   Verification Focal Point.

3. Training
   i. Understand the intent of the Regulations, how
      compliance is achieved, and how SCEs shall be
      suitable on a continuous basis and operate on
      demand.
   ii. General SCE / Verification awareness training
      to be conducted for all site personnel including
      contractors.

Table 6: Selection of SME

(2) Note that for Tier 2 SCE Verification it is essential that the competent
person is independent of the asset/country being verified
and is appointed by the Head of Asset, in compliance with the PTS 18.53.02
Mechanical Integrity (MI) requirement; such a person is referred to as the
Independent Competent Person (ICP).
(3) This is to ensure that the verification activities are performed
without undue pressure to conform to a perceived
expectation of the outcome of the verification.
(4) Their function will not involve the consideration of an aspect, or a
thing liable to be examined, for which they bear or have borne
such responsibility as might compromise their objectivity.
(5) What this means in practice is that a competent person for Tier 2
SCE Verification cannot be involved in specifying, engineering,
executing or purchasing the design, construction, commissioning,
operation or decommissioning of the asset being verified. They may be
involved in checking, certifying, inspecting or otherwise
undertaking independent assessments of the conformity of the
asset during these phases of asset life, but cannot be otherwise
involved.

8.2 Type of Verification

(1) There are basically two phases of verification: SCE Verification for Project
Design, which is a one-off conducted at different stages of the project;
and SCE Verification for Operation, which continues throughout the
operational life of the asset. The activities involved in each are
summarized in the tables below.
a) SCE Verification for Project and Design

 i. Table 7 below describes verification throughout the project
   phase. This is to ensure that before SCEs become
   operational they have been subject to a suitable
   verification process. Whether a project or modification
   introducing new / additional SCEs is "greenfield" (all new)
   or "brownfield" (major upgrade or change to existing
   facilities), a Verification Scheme must be in place to
   suitably detail the Verification activities, as described
   previously, for the various phases described in Table 7.
   Details of project and design verification are stated in WW
   ALL X X S 05050 I, Rev. 1, SCE Design Performance
   Standards Management for Upstream Project.
Phase: SCE Identification
 Project Manager SCE Assurance: Identify and record SCEs being installed
 or impacted by the Project / Modification
 Example of Verification Activities:
 • Comment on the List of SCEs
 • Define high-level Verification Work Instruction
 • Review and comment on Master Document Register provided by
   Engineering contractor

Phase: Design
 Project Manager SCE Assurance: Design Documents: P&IDs / C&Es /
 Calculations / Specification Data Sheets etc.
 Example of Verification Activities:
 • Review Design Documentation
 • Audit Design Process
 • Review technical deviations to Performance Standard
 • Provide record of review including comments

Phase: Procurement
 Project Manager SCE Assurance: Quality Assurance Checks on equipment /
 materials ordered and received
 Example of Verification Activities:
 • Review / examine Procurement Orders and Goods received

Phase: Fabrication / Construction
 Project Manager SCE Assurance: QA Plans; Quality Assurance Inspections /
 Reviews
 Example of Verification Activities:
 • Examine / witness Fabrication / Construction
 • Review Fabrication / Construction Dossiers (Material / Welding /
   Non Destructive Testing / Facilities Acceptance Test / Testing records)

Phase: Transportation / Installation
 Project Manager SCE Assurance: Quality Assurance Inspections
 Example of Verification Activities:
 • Examine equipment
 • Review records

Phase: Site Commissioning
 Project Manager SCE Assurance: Testing of SCEs / Specified Plant to
 assure compliance with Performance Standards
 Example of Verification Activities:
 • Witness testing
 • Examine equipment against design
 • Review records
 • Review punch-list items
 • Review technical deviations

Phase: Close out / Handover to Operations
 Project Manager SCE Assurance: Compile and review close-out packs;
 Populate relevant Asset Manager databases for SCE maintenance /
 inspection; Issue handover documentation detailing any outstanding
 items, including Verification activities and findings
 Example of Verification Activities:
 • Review Asset Register and Performance Standard / Assurance Task,
   Maintenance Reference Plan and SAP status, and Verification Scheme
   for suitability, e.g. maintenance / inspection
 • Review outstanding punch-list items and status of Verification

Table 7: Verification throughout project phase

ii. SCE Verification for Operation

 • Initial Suitability
 Table 8 below is specific to operation verification for initial suitability,
 i.e. for new operations or for an existing facility where MAH/SCE
 management is just being implemented. This is to ensure that before
 SCEs become operational they have been subject to a suitable
 verification process.

Head of Asset: Develop SCE List / Asset Register (SCE)
 Example of Verification Activities:
 • Review SCE List / Register to confirm completeness
 • Subject the SCEs in the list to the Flow Chart to confirm they are SCEs

Head of Asset: Develop Site Specific Performance Standard
 Example of Verification Activities:
 • Review Performance Standards to verify suitability
 • Review Assurance Tasks to verify suitability

Head of Asset: Upload Mplan into SAP
 Example of Verification Activities:
 • Review SAP to confirm the Mplan is complete in SAP

Table 8: Operation Verification for Initial Suitability

 • Ongoing Suitability
 Table 9 below is specific to ongoing suitability verification. These
 verification activities continue throughout the life cycle of the
 respective assets.

Type: On Site (Offshore / Terminal)
 Example of CP Verification Activities:
 • Witness SCE Assurance activities (e.g. tests / inspections / musters, etc.).
 • Visually examine the condition of SCEs (e.g. piping, vessels,
   hazardous area equipment, etc.).
 • Review compliance with SCE Assurance Processes (e.g. Control of
   Temporary Equipment, Management of By-Pass, Control of Lock Open /
   Lock Close Valves, Management of Defined Life Repairs, etc.), through
   inspection and testing, and the review of any offshore records.

Type: Office
 Example of CP Verification Activities:
 • Review Maintenance and Inspection records, confirming they are:
   • suitable for assuring the Performance Standard
   • conducted at the specified frequency
   • reported correctly, stating 'As-Found' and 'As-Left' condition
   • reporting remedial work and ensuring it has been correctly
     prioritized / executed
 • Review planned maintenance deferrals and deviation management.
 • Detailed Procedural Compliance Review (typically on a less frequent
   basis) of specific SCE assurance management systems, e.g. the Piping
   and Vessels Inspection strategy encompassing the RBI implementation,
   defined life repairs, etc. i-AIR style reviews can be used as a basis
   for these types of assessment.

Table 9: Ongoing operation verification process

8.3 Implementation of Verification Scheme for Operation SCE Verification

(1) Implementation of SCE verification throughout PETRONAS Upstream Assets
may be conducted through several systems, provided the requirements identified
in section 8.1 are fulfilled.

(2) Verification is divided into two Tiers, as shown in Table 10.

Type of Verification: Initial Suitability
 Definition: Applicable for new operations only. See 8.2 (ii).
 Frequency: One off
 Verification Scheme: Desktop review, refer to Table 8
 Competent Person: SME to conduct SCE Verification as per the stipulated
 requirements under section 8.1.2
 SCE Verification Focal Person: Appointed by Head of Asset to manage the
 SCE Verification Process
 Sample: All

Type of Verification: On-Going Suitability, Tier 1
 Definition: Verification is conducted internally within the asset/facility.
 Frequency: 3 Yearly
 Verification Scheme: Approved VWI Checklist. Refer to GOPS.
 Competent Person: SME to conduct SCE Verification as per the stipulated
 requirements under section 8.1.2
 SCE Verification Focal Person: Appointed by Head of Asset to manage the
 SCE Verification Process
 Sample: Verification may be based on sampling, i.e. 20%

Type of Verification: On-Going Suitability, Tier 2
 Definition: Verification is conducted by an independent party as specified
 in section 8.1 and PTS 18.53.02 MI.
 Frequency: 5 Yearly
 Verification Scheme: Approved VWI Checklist. Refer to GOPS.
 Competent Person: Independent, in full compliance with the verification
 scheme under section 8.1.2 / PTS MI, and appointed by Head of Asset / Country
 SCE Verification Focal Person: Appointed by Head of Asset to manage the
 SCE Verification Process
 Sample: Verification may be based on sampling, i.e. 20%

Table 10: Definition and criteria for SCE Verification Tiers 1 and 2

(3) Implementation or operationalization of SCE verification Tier 1 should be
optimized via the Offshore Self-Regulation Management System (OSRMS), MY
ALL P 05 001 1, and Integrated Assurance Planning (IAP).
(4) SCE Verification Tier 2 is conducted via Integrated Operational Asset
Integrity Assurance (IOAIA) by MPM (utilizing an external ICP and in full
compliance with the verification scheme under section 8.1.2).
(5) The verification checklists used are approved and found adequate and complete
to be used as the VWI. For example, at Malaysian Assets (MA), verification
implementation at the asset may be conducted as per Table 11.

Verification Tier: Tier 1
 Malaysia Asset: OSRMS Tier 1 / IAP
 International Asset: Head of Asset to appoint CP.

Verification Tier: Tier 2
 Malaysia Asset: OSRMS Tier 2 / IOAIA. Head of Asset shall appoint ICP as
 per PTS MI requirement.
 International Asset: Head of Country shall appoint ICP as per PTS MI
 requirement.

Table 11: SCE Verification Implementation

The results shall be analysed further and a gap closure plan developed. A
complete workflow for SCE verification, inclusive of the Verification Work
Instruction, is provided in Appendix B.

8.4 Management of Operation SCE Verification

(1) Operation SCE Verification is coordinated and led by a verification focal point
(e.g. Process Safety) appointed by the Head of Asset.
(2) A review meeting shall be held to agree on the verification findings, with the
presence of the SME/ICP, Process Safety, the SCE barrier owner and the respective TA.
(3) Any gap identified during verification of existing SCEs shall be
addressed in the VWI report and discussed during the challenge session.
Management shall be advised of the SCE verification findings and the status of
the intervention plan during, for example, the PSM Steering Committee meeting
or its equivalent.
(4) The PSM Steering Committee Meeting shall monitor the close-out and ensure it is
satisfactorily completed with evidence. The time scale for
closure of findings shall be agreed between the SCE barrier owner, TAs and
Management on a case-by-case basis.
(5) A complete BPW workflow for SCE verification management is provided in
Appendix B.

9.0 MANAGEMENT OF SCE DEVIATION

(1) For Upstream, the system for Works Management of SCEs is the
PETRONAS Maintenance Management System (PMMS).
(2) All deviations relating to SCEs, including their Performance Standards and the
Works Management of their sustaining (i.e. Preventive Maintenance) and
restorative (i.e. Corrective Maintenance) tasks, must be formally managed,
reviewed and approved.
(3) Failure modes found on SCEs which affect reliability, integrity or
performance standards, and which are mitigated through repair or replacement,
redesign, re-rating or temporary measures, shall be managed via
Management of Change as stated in PTS 18.53.02 Mechanical Integrity.
(4) Bypassing of any Safety Critical Protection Device (SCPD) is required to be
managed as stated in PTS 18.23.05 Bypassing of Safety Critical Protective
Device.
(5) Management of deviations related to changes of the Latest Allowable Finish Date
(LAFD) is handled via, for example, the Facility Status Management (FSM)
Deviation Management System.
(6) Deviation Management in FSM typically involves the following roles:
i. The Requestor
ii. The Reviewer
iii. The Approver
(7) The Requestor is typically from the line, e.g. a maintenance supervisor. Before
raising a request to deviate, he/she should have checked that all other
means have been exhausted and, with the support of his/her field maintenance
manager, must invoke the deviation knowing that these are Safety Critical
Elements that could have an immediate MAH impact, as defined in the SCE
criticality. A PM deviation shall include the acceptance criteria, control and
mitigation through RA or RCA, and shall be approved by the relevant TAs.
(8) The Reviewer is typically the respective discipline technical authority. The
role is to technically review the request and decide whether to
Support it, ask for Rework (of the request, for example to add / modify the
mitigation proposed) or Reject the request.
(9) The Approver is from the Asset holder function of the location. He/she makes
this call after checking the situation and the Reviewer's input, and either
Approves, asks for Rework or Rejects the request.
For more details, see the document FSM User Guide, EP OE GUIDE FSM.

Figure 9: Relationship between PMMS and FSM

10.0 KPI MANAGEMENT OF SCE

(1) Key Performance Indicators related to SCE management, as defined in
PTS 18.06.04 HSE Performance and Reporting, shall be monitored, analysed
and reported periodically to assess the effectiveness and integrity of the
SCEs.
(2) As a minimum, but not limited to, the following leading KPIs need to be
monitored and presented monthly to management:
a. Number of Instrumented Protective Function (IPF) Failed
/ Activated on Demand
b. Number of Pressure Relief Devices (PRD) Failed /
Activated on Demand
c. Safety Critical Protective Device (SCPD) Bypass
d. Overdue Temporary EMOC
e. Number of Pressure Relief Device (PRD) Activations
f. Number of Critical Piping below Minimum Allowable
Thickness
g. SCE CM/PM Overdue

11.0 APPENDICES

Appendix A: References

(1) PTS 18.53.02 Mechanical Integrity, January 2017

(2) PTS 18.23.02 Management of Change, December 2018

(3) PTS 18.00.01 HSE Management System and HSE Case, March 2019

(4) PTS 18.04.02 Hazards and Effects Management Process, August 2017

(5) PTS 18.21.01 Process Hazard Analysis, December 2018

(6) PTS 18.06.01 Incident Notification, Investigation and Reporting, March 2016

(7) PTS 18.23.05 Bypass of Safety Critical Device Protection, October 2018

(8) WW ALL X X M 04 016I Upstream Inspection & Maintenance Assurance Guideline (U-IMAGe), July 2018

(9) MY ALL M 04 005 Equipment Criticality Assessment, Rev 0, October 2012

(10) UHSE GU 0011 Development of Bowties Guidelines, Rev 0, August 2015

(11) HSE Case and CIMAH Development Procedure, WW ALL X X S 05 038 I, November 2018

(12) The Public Enquiry into the Piper Alpha Disaster – Lord W Douglas Cullen

(13) Offshore Installations (Safety Case) Regulations 2005 (SI 2005/3117)

(14) A Guide to the Offshore Installations (Safety Case) Regulations 2005

(15) Guidelines for the Management of Safety Critical Elements – Energy Institute

(16) Assurance and Verification Practitioners Guide – Step Change in Safety

(17) Guidance for the Topic Assessment of the Major Accident Hazard Aspects of Safety Cases – HSE, HID Offshore Division

(18) PETRONAS Mandatory Control Framework – Section IV Hazards and Effects Management Process

(19) American Institute of Chemical Engineers, Global Congress on Process Safety, 2010, unpublished paper "Lessons Learned from Real World Application of the Bow-Tie Method"

(20) HSE Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations (SI 1995/743)

(21) Website www.leger.ca, "Literature Review on Risk" (Recensement des écrits sur le risque)

(22) Combined Glossary of Terms – Center for Chemical Process Safety, 2005

Appendix B: BPW

Business Process Workflow (BPW)


Appendix C: Sample Bowtie Diagram for Typical Major Accident Hazards

Figure 10: Sample BOWTIE Diagram for Typical Major Accident Hazard from PTS 18.04.02 HEMP


Appendix D: Guidance on SCE Goals and Boundaries with Typical Equipment Types
Note: The typical equipment types listed tabulate the minimum requirement for the SCE list down to tag level.
Each SCE Group below is given with its Description, SCE Goal, Typical Equipment Types and System Level / Boundaries.
SCE Group : SI001
SCE Group Title : Structure (Subsea Jacket / Vessel Hull / GBS / Foundation / Weathertight Enclosures / Piles etc)
Description : Failure of the hull or structure can have serious consequences.
SCE Goal :
1. To provide and maintain structural integrity under all expected conditions through service life.
2. To provide sufficient robustness to maintain availability of critical systems during a major accident event.
Typical Equipment Types :
- Foundations, including piles and pile guides and concrete supports
- Jacket and substructure, Gravity Based Structure (GBS)
- Vessel hull steel work and plating
- Vessel bulkheads, underwater void spaces and double bottoms
- Sea water draw down system for GBS
- Foundations, including piles and pile guides and shallow foundation
System Level / Boundaries : At system level, e.g. hull

SCE Group : SI002
SCE Group Title : Topsides Primary Structure (incl. Helidecks, Crane Pedestals; Bridges; Flare Tower)
Description : The topside structures provide support to personnel and SCEs including hydrocarbon processing systems, blast walls and evacuation facilities. The inadvertent failure of structures could result in the release of hazardous materials and the impairment of HSE critical functions. A dedicated secure, safe and adequately supported helideck is required to provide safe landing areas for helicopters arriving at and departing the installation, enabling safe transportation to and from the Installation under normal working conditions and emergency evacuation when required.
SCE Goal :
1. To provide and maintain structural integrity under all expected conditions through service life.
2. To provide sufficient robustness to maintain availability of critical systems during a major incident.
Typical Equipment Types :
- Integrated deck / cellar deck / module support frame / deck trusses
- Module structure / module supports
- Bridge structure and supports
- TR structure, plating (skin) and supporting structure
- Topsides anchor and mooring points load transfer system
- Structural steel supporting safety critical process equipment
- Dropped object protection
- Muster platforms and lifeboat davits
- Escape and evacuation structure and supports
- Flares, vents and drilling derrick structures
- Helidecks supporting structure
- Telecom tower
- Grating, handrail and staircase
System Level / Boundaries : At module and elevation level

SCE Group : SI003
SCE Group Title : Heavy Lift Cranes and Mechanical Handling
Description : Failure of lifting appliances can potentially result in damage to equipment containing toxic or flammable material.
SCE Goal : To maintain suitable integrity so that loads or any lifting component does not fail in a manner that could cause or contribute to a Major Accident Event.
Typical Equipment Types :
- Overhead gantry crane / monorails in hydrocarbon process area
- Offshore platform pedestal crane
- Control mechanisms (brakes, limit switches, clutches)
System Level / Boundaries : At item level, i.e. per crane

SCE Group : SI004
SCE Group Title : Stability systems (Incl. Ballast, Bilge, Cargo, FPSO / FSO offloading, Computer Management Systems)
Description : Ship-shaped structures are required to maintain a stable operating platform at all times to facilitate safe operation of process plant & equipment and protect personnel onboard from exposure to the maritime environment. The Ballast system shall provide a means of controlling the vessel's draught, list and trim. The Bilge system is to dispose of accumulated oil / water from machinery spaces, thus contributing to ensuring the vessel's stability is maintained. The Cargo Loading Control Software system shall process and display information required to ensure the continued stability and structural integrity of the vessel within the limitations detailed in the Stability Manuals.
SCE Goal :
1. The stability system shall facilitate ballasting and trimming of the vessel, while taking into account prevailing environmental conditions, operating requirements and fluids movements within the structure.
2. Maintain stability of the vessel and reduce stresses within the hull during cargo oil loading, off-loading and ballasting operations.
Typical Equipment Types :
- Ballast and bilge pumps
- Associated actuated valves, piping and instrumentation
- Loading / Stability Management System
System Level / Boundaries : At system level, e.g. hull

SCE Group : SI005
SCE Group Title : Road Vehicles (Company Owned)
Description : The safe transportation of petroleum product and personnel by road vehicles shall take all necessary measures to safeguard personnel, the public and property from accident hazards in connection with such transportation.
SCE Goal : To ensure the road-worthiness of Company operated road vehicles.
Typical Equipment Types : Company owned vehicles such as light vehicles (including pool cars, ambulances and forklift trucks), heavy goods vehicles, trailers and light and heavy buses
System Level / Boundaries : At item level, i.e. per vehicle

SCE Group : SI006
SCE Group Title : Mooring System
Description : Failure of the Mooring System could cause a loss of stability / control of the FPSO or Ship Collision.
SCE Goal : To prevent / avoid significant vessel movement that would lead to overstressing or rupture of risers, offloading hose etc.
Typical Equipment Types :
- Anchors, chains, capstan and chain stoppers, turret structure, cathodic protection, main and radial bearings, mooring head, swivels, winches and mooring system control
- Turret Position Monitoring System
- Dolphin Structure (Breasting)
System Level / Boundaries : At system level

SCE Group : SI007
SCE Group Title : Drilling Systems
Description : Drilling systems derrick and heave compensation.
SCE Goal : To enable safe performance of drilling operations.
Typical Equipment Types :
- Drilling Systems (Offshore and Onshore) which control the well during operations to prevent blow-out or damage to well or related facilities
- Derrick, drawworks, riser slip joint, sensors and emergency disconnect
Note:
- If equipment and services are provided by contractors, the owner / operator should ensure such performance assurance is executed by the contractors and duly reported to the owner
- Performance assurance is done outside PMMS
- Asset Owner should be able to verify that required tasks are duly communicated to the party, being performed, recorded, and reported as required.
System Level / Boundaries : At sub-system level (equipment is normally provided by service provider/contractor. Assets should verify that contractor adheres to the PS requirements)

SCE Group : SI008
SCE Group Title : Bridge Connections to Support Vessels
Description : This applies to bridges connecting the Installation to other Installations e.g. MODUs, accommodation modules, hotel platform etc. Failure of such bridges would impair escape from the installation.
SCE Goal : To enable safe evacuation of personnel from the installation to the support vessel.
Typical Equipment Types : (none listed)
System Level / Boundaries : At system level

SCE Group : SI009
SCE Group Title : Concrete and Onshore Structures
Description : This applies to all concrete and onshore structures, where each such element shall be suitable for all loads and function to satisfy continuous operation.
SCE Goal :
1. Ability of a component, either single or multiple, to support loads throughout its service life.
2. To resist structural failure due to fracture, fatigue or deformation.
Typical Equipment Types :
- Concrete foundations, tank farm and remote containment
- Drains system containment (Concrete Bundwalls and Floors)
- Concrete Buildings (only buildings located in process area)
System Level / Boundaries : At area or system level

SCE Group : SI010
SCE Group Title : Wells Structure
Description : Wellhead assembly including surface casing, cement, conductor etc. shall maintain its suitability throughout continued operation over the whole well age.
SCE Goal : To provide and maintain structural integrity under all expected actions through service life.
Typical Equipment Types :
- Surface Casing
- Cement
- Conductor
- Annulus
System Level / Boundaries : At system level

SCE Group : PC001
SCE Group Title : Pressure Vessels
Description : Continued Integrity of Pressure vessels (including all fittings and fixtures mounted directly on the vessel and the vessel supports) is vital in the containment of hydrocarbons.
SCE Goal : To maintain integrity of the pressure envelope.
Typical Equipment Types : Vessels in the following services:
- oil or gas production, processing, handling and export
- condensate / NGL processing, handling and export
- gas injection
- fuel gas, treatment and heating
- flare scrubber / knock out drum
- flammable chemical
- steam generation
- inert gas storage
Typical equipment example:
- Pressure Vessel
- Filter (if designed using ASME VIII code)
- Contactor glycol
- Drum, HP Flare knock-out
- Glycol stripping column
- Separator
- Scrubber
- Strainer (if designed using ASME VIII code)
System Level / Boundaries : At item level, i.e. per Vessel

SCE Group : PC002
SCE Group Title : Heat Exchangers
Description : Continued Integrity of Heat exchangers (including all fittings and fixtures mounted directly onto them and their supports) is vital in the containment of hydrocarbons.
SCE Goal : To maintain integrity of the pressure envelope.
Typical Equipment Types : To contain hydrocarbon inventories within the envelope of the production facilities during normal and upset conditions of Heat Exchangers in the following services:
- oil or gas production, processing, handling and export
- condensate / NGL processing, handling and export
- gas injection
- fuel gas, treatment and heating
- flare scrubber / knock out drum
- flammable chemical
Typical equipment example:
- Aftercooler
- Fuel gas preheater
- Exchanger
- Heater (incl. Electric)
- Superheater
- Cooler
System Level / Boundaries : At item level, e.g. per Heat Exchanger

SCE Group : PC003
SCE Group Title : Rotating Equipment
Description : Continued Integrity of rotating equipment (Pumps & compressors), including all fittings and fixtures mounted directly on the equipment and the equipment supports, is vital in the containment of hydrocarbons.
SCE Goal : To maintain leak tight integrity.
Typical Equipment Types : Process hydrocarbon pumps, compressors and turbo expanders in the following services:
- oil or gas production, processing, handling and export
- condensate / NGL processing, handling and export
- gas injection
- fuel gas, treatment, heating and distribution
- flare scrubber / knock out drum
- handling flammable or hazardous chemical
- inert gas transfer
- gas turbines (including blade containment)
Compressor Trip:
- Vibration
- Overspeed
- Seal system (mechanical/dry gas)
- Surge protection (for centrifugal compressor)
Typical equipment in hydrocarbon service examples:
- Compressor
- Turbine
- Gas turbine control panel
- Vibration panels
- Pump
System Level / Boundaries : At item level, e.g. per compressor

SCE Group : PC004
SCE Group Title : Tanks (Including IBC's) Containing hazardous (flammable, toxic, etc) fluids
Description : Continued Integrity of flammable liquid-containing storage tanks (including all fittings and fixtures mounted directly to the tanks and tank supports) is vital in the containment of hydrocarbons.
SCE Goal : To maintain leak tight integrity.
Typical Equipment Types : Hydrocarbon or hazardous material process tanks in the following services:
- oil production, processing, handling and export
- condensate processing, handling and export
- flammable or hazardous chemicals (subject to HEMP)
- crude oil storage
- diesel tanks (subject to HEMP)
Note:
1. This includes Concrete Storage Tanks for the above services.
2. Diesel tanks are treated differently because, although diesel is flammable, it is not readily ignited unless it is in contact with a hot surface, is at high pressure, or is in a mist. The risk from Major Accidents involving diesel releases is assessed in the HSE Case and supporting studies.
System Level / Boundaries : At item level, i.e. per tank

SCE Group : PC005
SCE Group Title : Piping Systems
Description : This PS addresses all components containing hydrocarbons or chemicals having the potential to kill on release due to toxic or flammable effects.
SCE Goal : To maintain the leak-tight integrity of pipework (including instrument tubing and flexible hoses) which contains toxic, flammable, or explosive liquid or gas.
Typical Equipment Types : Piping systems containing flammable or hazardous fluids under pressure:
- within and between operating units
- within and between modules
- choke valves located in high sand wells with 0.1mm/yr erosion rate
- all hydrocarbon piping in PRBI are SCE
Note: Piping system includes flanges, valves, fittings, instrument tappings, permanent flexible hoses and instrument tubing. However, these are not registered as SCE at tag level.
System Level / Boundaries : At sub-system level (PS normally tagged at Corrosion Loop level). For choke valves, at equipment level.

SCE Group : PC006
SCE Group Title : Pipelines & Risers
Description : Loss of pipeline or riser integrity adjacent to the Installation could result in potential loss of life or damage to the asset. Riser integrity is critical considering the large associated inventory of hydrocarbons and proximity to the platform. Loss of pipeline or riser integrity adjacent to the Installation could also result in MATTE events.
SCE Goal : To maintain integrity of the pressure envelope.
Typical Equipment Types : Pipelines, risers and pig launchers/receivers in the following services:
- export / import crude oil
- export / import gas
- export / import condensate / NGLs
- production reservoir fluids from remote well
- flammable chemicals used for injection into remote wells
- lift gas
- gas
System Level / Boundaries : At item level, i.e. per pipeline

SCE Group : PC007
SCE Group Title : Relief System (PRV, PSV, PVV and Burst Disc)
Description : Relief valves play a critical role in under- or over-pressure protection, thereby reducing the likelihood of hydrocarbon releases. Arrangements are required to be provided for the prevention of the ignition of explosive or flammable vapours emanating from vents.
SCE Goal : To prevent a loss of containment (and protection against implosion) of process fluids in upset conditions and the controlled disposal of hydrocarbon fluids.
Typical Equipment Types :
- Safety relief valve
- Pressure Vacuum Valve
- Associated relief pipework
Note: Recommended to refer to the Safeguarding Memorandum (hydrocarbon related) under "Ultimate Protection". All the PSVs and capacity-determining components listed under Ultimate Protection shall be SCE.
System Level / Boundaries : At item level, i.e. per relief valve

SCE Group : PC008
SCE Group Title : Wells' Hydrocarbon Containment
Description : Well Containment covers all components that provide an envelope for containment of well pressure. (This statement is confusing with SD004.)
SCE Goal : To maintain integrity of the envelope for containment of well pressure in the event of an emergency.
Typical Equipment Types : Well containment systems for onshore, offshore and subsea wells for oil and gas production, gas lift and water injection, including xmas tree, tubing, packers, and tubing hangers.
Typical equipment examples:
- Wellheads and all pressure-containing connections
- Xmas Trees (including tree body and all pressure retaining components)
- Well Plugs
- Annulus Side Valves and Annulus Pressure Monitoring
- Injection Check Valves / Storm Chokes
- Well Test Equipment
- Monitoring devices for well conditions (e.g. Scale, Sand, CO2, H2S, Well Growth, etc.)
System Level / Boundaries : At item level, i.e. per well head

SCE Group : PC009
SCE Group Title : Fired Heaters (Including Boilers)
Description : Fired heaters provide heat transfer fluid heating for offshore platform oil and gas production (e.g. heat transfer fluid for glycol regeneration system, hot oil systems etc.).
SCE Goal : To prevent Fire and Explosion in Fired Heaters.
Typical Equipment Types :
- Fired Heater
- Boiler (Fired)
System Level / Boundaries : At item level, i.e. per Heater

SCE Group : PC010
SCE Group Title : Gas Tight Floor and Walls
Description : Gas tight floor / walls are required to prevent spread of gas into critical areas.
SCE Goal : To provide a vapour containing barrier that minimises the migration spread of toxic or hydrocarbon gases.
Typical Equipment Types :
- Gas-tight floors of gravity base structures preventing vapours from oil in the storage cells from entering the leg
- Some walls in closely constructed Facilities to limit gas spread during an incident
System Level / Boundaries : At module and elevation level

SCE Group : PC011
SCE Group Title : Tanker Loading Systems (Crude Oil)
Description : Gas tight floor / walls are required to prevent spread of gas into critical areas.
SCE Goal : To provide a vapour containing barrier that minimises the migration spread of toxic or hydrocarbon gases.
Typical Equipment Types :
- Gas-tight floors of gravity base structures preventing vapours from oil in the storage cells from entering the leg
- Some walls in closely constructed Facilities to limit gas spread during an incident
System Level / Boundaries : At module and elevation level

SCE Group : PC012
SCE Group Title : Helicopter Refueling Equipment
Description : Helicopter refueling system consists of tank laydown skid, deluge system, storage tank, fuel pumps, filter and metering system.
SCE Goal :
- To prevent release of helifuel from pressurised fuel systems which could lead to a fire.
- To prevent / avoid a helicopter crash due to contaminated fuel.
- To prevent a static discharge which could ignite a fuel source.
Typical Equipment Types : Fuel storage tank, pipework, special fittings, hoses, fuelling nozzles, fuel filters, fuel pumps, sampling points and bonding to structure and helicopter
System Level / Boundaries : At system level (PS is normally tagged at Heli refueling package level)

SCE Group : PC013
SCE Group Title : Well Intervention / Well Control Equipment (Including BOP System / Connector / Diverter / Cement System, Ramrig, Drilling Instrumentation, Well Control Equipment)
Description : Containment of hydrocarbons in wells is required to prevent associated fires and explosions affecting the Installation. Emergency releases such as blow outs need to be controlled safely.
SCE Goal :
- To provide a means of detecting and hydrostatically controlling an influx of well fluid / gas, to prevent a blow-out / loss of well control.
- To provide an alternative, independently powered means of controlling the well.
Typical Equipment Types :
- Wireline lifting / support structure (A-frame)
- Wireline winches and braking system
- Lubricators
- Wireline BOPs
- Hydraulic supply
Note:
- If equipment and services are provided by contractors, the owner / operator should ensure such performance assurance is executed by the contractors and duly reported to the owner
- Performance assurance is done outside PMMS
- Asset Owner should be able to verify that required tasks are duly communicated to the party, being performed, recorded, and reported as required.
System Level / Boundaries : At system level (normally equipment is provided by service provider. Asset owners should verify that 3rd party adheres to the PS requirements)

SCE Group : PC014
SCE Group Title : Moveable and Temporary Equipment
Description : All temporary equipment (defined as equipment which will not be / has not been on board an installation for more than one year, including 3rd party equipment).
SCE Goal : To ensure temporary equipment is properly connected and protected without significantly increasing risk on the facility.
Typical Equipment Types :
- Well test equipment (separator, piping, gauge tank and burner boom)
- Temporary compressor, generator, welding machine
Note:
- If equipment and services are provided by contractors, the owner / operator should ensure such performance assurance is executed by the contractors and duly reported to the owner
- Performance assurance is normally done outside PMMS
- Asset Owner should be able to verify that required tasks are duly communicated to the party, being performed, recorded, and reported as required.
System Level / Boundaries : At system level

SCE Group : IC001
SCE Group Title : Hazardous Area Ventilation
Description : This PS addresses the HVAC systems on the Installation including inlets, dampers, fans & ducting.
SCE Goal : To prevent the formation of potentially hazardous concentrations of flammable and / or toxic gaseous mixtures in hazardous areas by providing adequate ventilation to dilute, disperse and remove such mixtures to a suitable location.
Typical Equipment Types :
- Fans
- Dampers
- Ducting
- Associated instrumentation and alarms
- Natural ventilation openings
System Level / Boundaries : At system level (PS normally tagged at Ventilation package)

SCE Group : IC002
SCE Group Title : Non-Hazardous Area Ventilation
Description : This PS addresses the HVAC systems on the Installation including inlets, dampers, fans & ducting.
SCE Goal : To prevent the ingress or build-up of flammable gas-air mixtures or life threatening atmosphere into non-hazardous areas.
Typical Equipment Types :
- Fans
- Dampers
- Ducting
- Associated instrumentation and alarms
- Emergency cooling systems
System Level / Boundaries : At system level (PS normally tagged at Ventilation package)

SCE Group : IC003
SCE Group Title : Certified (Ex-rated) Electrical Equipment
Description : The prevention of Electrical equipment igniting explosive gases or hydrocarbon fluids is an essential aspect of ignition control. Ex rating includes intrinsically safe equipment according to ATEX.
SCE Goal : To minimize the likelihood of ignition from electrical equipment in hazardous areas.
Typical Equipment Types : Within the hazardous areas:
- Electrical motor including protection circuits installed to prevent overload of electrical equipment
- Lighting
- Instrumentation
- All other certified electrical equipment
System Level / Boundaries : PS normally tagged at system / area level

SCE Group : IC004
SCE Group Title : Cargo Tank Inert Gas System
Description : This performance standard covers COTS containment integrity at FPSO Facilities.
SCE Goal : To ensure that the Cargo and Slop Tanks atmosphere is maintained below the Lower Explosive Limit (LEL).
Typical Equipment Types : Typical equipment within the system: O2 monitoring, alarms and shutdown
System Level / Boundaries : At system level

SCE Group : IC005
SCE Group Title : Electrical Earthing Continuity (Earth Bonding)
Description : Prevention of igniting explosive or flammable atmospheres is a fundamental aspect of ignition control.
SCE Goal : To minimize the likelihood of ignition from lightning and static discharge in hazardous areas.
Typical Equipment Types : Typical earthing system comprises earth rods, earth bar, earth cables and connectors
System Level / Boundaries : At area level

SCE Group : IC006
SCE Group Title : Fuel Gas Purge System
Description : This PS addresses the need for purging of the open ended pipework to the flare to remove any hydrocarbon prior to shutdown of the flare.
SCE Goal : To provide sufficient purging of the flare or vent systems to prevent oxygen ingress and the possibility of detonation within the flare and vent system.
Typical Equipment Types : Fuel gas purge system, which includes:
- Fuel Gas Header
- Fuel Gas Filter
- Switch
- Fuel Gas Level Indicator (depends on the system. If the system is equipped with IPF, the level indicator can be removed)
System Level / Boundaries : At system level (PS normally tagged at Fuel Gas Purge system level)

SCE Group : IC007
SCE Group Title : Inert Gas
Description : Inert Gas is used to provide an atmosphere in relevant hydrocarbon containing storage tanks which will prevent explosions and fires occurring. The inert gas used is essentially the fuel gas from the main generators or Nitrogen generated onboard.
SCE Goal : To provide an inert atmosphere within enclosed process systems in order to prevent the ignition of flammable inventory.
Typical Equipment Types : Typical equipment within the system: N2 supply, alarms and shutdown
System Level / Boundaries : At system level (PS normally tagged at N2 supply system)

SCE Group : IC008
SCE Group Title : Miscellaneous Ignition Control Components
Description : Prevention of igniting explosive or flammable atmospheres is a fundamental aspect of ignition control, including the provision of facilities to safely contain and dispose of blowdown gas by controlled combustion (i.e. Flare System).
SCE Goal : Component installed to minimize the risk of a source of ignition in a hazardous area.
Typical Equipment Types :
- Vent / exhaust flame traps
- Anti-static devices, e.g. fan belts
- Compressor / turbine exhaust & temperature control
- Tank vent, local vent to atmosphere
System Level / Boundaries : At item/system level (PS normally tagged at each exhaust or group of vents/flame traps)

SCE Group : IC009
SCE Group Title : Flare Tip Ignition System
Description : Flare Tip Ignition System
SCE Goal : To ensure that gas from the flare system does not accumulate and cause a hazard to the facility, following planned or emergency depressurization.
Typical Equipment Types / Boundaries :
- Pilot flame
- HV source
- Panel
- Thermocouples / Temperature elements
System Level : At system level (PS normally tagged at Flare package)

SCE Group : DS001
SCE Group Title : Fire and Gas Detection
Description : Fire & Gas detection facilities provide an early warning of risk to personnel and facilities from toxic or explosive hazards.
SCE Goal : To detect all flammable gas accumulations, oil mist accumulations, the presence of smoke or toxic gases (H2S and CO) and all fires, and initiate an executive action (depressurization).
Typical Equipment Types / Boundaries :
- Flammable Gas Detection System comprising:
  - all types of detectors fitted, which may include Catalytic detectors, Infra-Red Point Detectors, Infra-Red Beam Detectors and Acoustic Leak Detectors
  - gas in service water detection
  - HVAC gas detection
- Flammable gas detection functions on main and any additional Fire and Gas panels and outputs to end elements
- Manual Alarm Call points (MACs) System comprising:
  - GPA Call points positioned at various locations around the installation
  - manual alarm functions on main and any additional Fire and Gas panels and outputs to end elements (only MACs that link to the Shutdown System)
- Oil Mist Detection (OMD) System comprising:
  - oil mist detector heads, normally located in areas where oil mists present a risk of fire and explosion
  - oil mist detection alarm functions on main and additional Fire and Gas panels and outputs to end elements
- H2S Detection System comprising:
  - H2S detectors, alarm functions on main and additional Fire and Gas panels
  - outputs to Facility alarm systems including flashing warning beacons and local sounder devices initiated by H2S detection
- Fire detection system comprising:
  - detectors fitted (ultra violet flame detectors, infra-red flame detectors, ionising smoke detectors, optical smoke detectors, heat detectors and frangible bulbs, pneumatic trigger lines, thermostatic heat detector, fusible plug)
  - detection functions on the main and any additional fire and gas panels and outputs to end elements
System Level : At area or system level (PS normally tagged at area group or detection equipment types)

SCE Group : DS002
SCE Group Title : Security Systems
Description : Security Systems provide an additional level of surveillance and control of MAH at international assets only.
SCE Goal : Reduce likelihood of damage to equipment or harm to people (e.g. CCTV, perimeter fencing, access control devices etc.)
Typical Equipment Types / Boundaries :
- Access control devices
- Closed Circuit Television Cameras (CCTVs)
- Detectors and alarms
- Perimeter fences
System Level : At system level i.e. Access Control System

SCE Group : DS003
SCE Group Title : Water in Condensate / Gas
Description : Water in Condensate / Gas monitoring system
SCE Goal :
1. Water in Condensate detection system to prevent excessive corrosion in downstream equipment or hydrate blockage.
2. Water Dew Point detection system to prevent excessive corrosion in downstream equipment or hydrate blockage.
Typical Equipment Types / Boundaries :
- Water Dew Point detection system
- Automated Sampling system (filter and sensor)
System Level : At system level i.e. Water in Condensate Detection System

SCE Group : PS001
SCE Group Title : Deluge Systems
Description : The deluge system is a wet firefighting system with a separate detection system to operate the deluge valve.
SCE Goal : To mitigate the consequence of fire and explosion by providing cooling to structures and process plant and limiting the spread of fire.
Typical Equipment Types / Boundaries :
- Deluge piping and nozzles
- Deluge Valves
- Manual push button
System Level : At system / area level (PS normally tagged at Deluge Skid)

SCE Group : PS002
SCE Group Title : Explosion Protection including Blast Barriers & Venting Provisions
Description : Blast walls, blast-rated decks and blast shields protect personnel and safety critical equipment and systems from blast effects, including overpressure loads, drag loads and projectiles. They thereby play a critical role in the mitigation of explosions.
SCE Goal : To protect personnel and SCEs from explosion effects by way of shielding.
Note: Certain tasks are also managed in SI009 (Onshore and Concrete Structure) and SI002 (Topside Structure) where applicable depending on the work-pack arrangement (i.e. topside inspection campaign / onshore concrete inspection program).
Typical Equipment Types / Boundaries :
- Blast / fire walls, including supporting steelwork, and welded / bolted connections
- Pipe penetrations and cable transits in blast / fire walls and decks
- Doors within blast / fire walls and bulkheads
- Supports for safety critical piping, vessels and equipment
- Explosion vents and relief panel systems
- Temporary Refuge external fabric (including doors, windows and penetrations) and supporting steelwork
- Blast resilient aspects of buildings and fire protection aspects of buildings
- Doors (especially the special door closers / magnetic mechanism)
System Level : At area or item level (i.e. per blast / fire walls, or zone/level)

SCE Group : PS003
SCE Group Title : Helideck Fire Fighting Systems
Description : Firewater systems can mitigate the effects of fires by application of foam blankets.
SCE Goal : To extinguish or prevent the spread of helideck fire.
Typical Equipment Types / Boundaries :
- Helideck Foam tank, valves and fire monitors
- Dry Powder System
System Level : At system level i.e. Helideck Foam System

SCE Group : PS004
SCE Group Title : Fire Water Pumps (Incl. Caissons, Tank & Supports)
Description : Firewater systems mitigate the effects of fires by cooling exposed surfaces and / or applying foam blankets with water supplied from dedicated pumps.
SCE Goal :
1. To provide sufficient firewater on demand to extinguish or limit the spread and effects of a fire.
2. To provide cooling to structures and process plant.
Typical Equipment Types / Boundaries :
- Firewater pumping system including Motors, Pumps, Couplings, Starter, Engines, Batteries, Fuel Systems, Switches, Fire Water Caissons/Tank, Isolation Valves, as applicable
- Diesel Day Tank
System Level : At firewater pump set skid level from intake to inlet of ring main

SCE Group : PS005
SCE Group Title : Fire Main and Other Distribution System
Description : Firewater systems can mitigate the effects of fires by cooling exposed surfaces and / or applying foam blankets. Firewater needs to be distributed from the fire pump outlet to various areas of the Installation by suitable piping arrangements.
SCE Goal : To distribute sufficient firewater to all firewater systems.
Typical Equipment Types / Boundaries :
- Firewater pumping system including Motors, Pumps, Couplings, Starter, Engines, Batteries, Fuel Systems, Switches, Fire Water Caissons/Tank, Isolation Valves, as applicable
- Diesel Day Tank
- Firewater Ring Main (including supports) from the 1st manual isolation valve downstream of fire pump discharge to the end-user activation valve
- Deluge set inlet isolation valve
- Firewater monitor & hydrant isolation valve
- Sprinkler system manual isolation valve
- Isolation valve
- Low ring main pressure switches
- Fire main pressure control valves
System Level : At system / area level (PS normally tagged at Fire Water Ring Main system)

SCE Group : PS006
SCE Group Title : Passive Fire Protection (Incl. Doors, Walls and Penetrations)
Description : PFP to help endurance in the event of a fire.
SCE Goal : To limit the effect of a fire on structure, plant, safety systems and personnel.
Typical Equipment Types / Boundaries :
- Passive Fire Protection coatings or barriers protecting critical structure, plant and safety systems.
System Level : At area level (PS normally tagged at area/zone based PFP systems)

SCE Group : PS007
SCE Group Title : Gaseous Fire Protection Systems
Description : Gaseous systems are generally used for extinguishing fires in places where application of water based systems is inapplicable (e.g. rooms containing Electrical & Instrumentation equipment etc.) as this would lead to escalation of the fire or additional hazards.
SCE Goal : To extinguish fires in rooms / enclosures where water based methods cannot be used.
Typical Equipment Types / Boundaries :
- FM200 system
- Enclosure Extinguishers – CO2
- Fire Suppression – Argonite
- Inergen gaseous – Inergen
- Snuffing System
System Level : At system level (PS normally tagged at Fire Suppression System)

SCE Group : PS008
SCE Group Title : Fine Water Spray Systems
Description : Fine water spray systems are generally used for extinguishing fires in places where application of high capacity water & foam systems is inapplicable (e.g. spaces containing internal combustion machinery, Galley equipment etc.) as this would lead to escalation of the fire or additional hazards.
SCE Goal : To extinguish fires in rooms / enclosures where high volume water-based methods cannot be used.
Typical Equipment Types / Boundaries :
- Water Mist System for Turbine, Generators, Compressors
System Level : At system level (PS normally tagged at Fire Water Spray System / package)

SCE Group : PS009
SCE Group Title : Sprinkler Systems
Description : Firewater systems can mitigate the effects of fires by cooling exposed surfaces and / or applying foam blankets. A water sprinkler system is an active fire protection measure that provides adequate pressure and flowrate to a water distribution piping system, onto which water sprinklers are connected.
SCE Goal : To control or extinguish localised fires and to prevent escalation of fires.
Typical Equipment Types / Boundaries : At process / hydrocarbon area:
- Sprinkler head
- Flow switch
- Sprinkler nozzles
- Sprinkler vessels / tanks
System Level : At system / area level (PS normally tagged at Fire Water Sprinkler System / Package)

SCE Group : PS010
SCE Group Title : Power Management System & Protection System
Description : Power Management System (PMS) is required to ensure reliable and stable power supply at the installation. The PMS balances power demands with the available power supply, thus preventing disturbances or even blackouts during operations.
SCE Goal : To maintain the stability of the main power generating system by load sharing, shedding and isolation of faulty circuits.
Typical Equipment Types / Boundaries :
- Electrical network monitoring and control systems
- Power management panel
- MCC / IMCS Electric Protection Relays
System Level : At system level

SCE Group : PS011
SCE Group Title : Fixed Foam Systems
Description : A fixed foam system is a complete installation piped from a central foam tank, discharging through fixed discharge nozzles on the installation being protected in the event of fire.
SCE Goal : To extinguish or prevent the spread of process fire and to enable the application of foam as a shield.
Typical Equipment Types / Boundaries :
- Foam system including foam storage tank, piping, nozzles, etc.
- Helideck Foam Monitor
System Level : At system / area level

SCE Group : PS012
SCE Group Title : Sand Filtration / Removal System
Description : Sand filter is used to remove sand and other solid particles from the hydrocarbon to prevent erosion of downstream equipment.
SCE Goal : To remove solid particles from the well stream to reduce erosion of process equipment.
Typical Equipment Types / Boundaries :
- Sand filters in flow line systems
- Desander
- Sand accumulator
- Associated pump system
System Level : At item level, i.e. per filter

SCE Group : PS013
SCE Group Title : Chemical Injection Systems
Description : Various chemicals are injected into the process system for intended application e.g. corrosion inhibitors, demulsifiers, sulfuric acid, caustic, etc.
SCE Goal : To ensure integrity of chemical injection application for flow assurance and demulsification, proper metal passivation and reduction of biological and/or chemical or electro chemical corrosion and scaling problems.
Typical Equipment Types / Boundaries :
- Corrosion inhibitors
- Biocide
- Glycol systems (if primary objective is dehydration for corrosion protection)
Typical Equipment:
- Chemical Injection Pump
- Storage Tanks
Note: PSVs & protective devices for this system are not deemed Safety Critical.
System Level : At system level (PS normally tagged at Chemical Injection Skid)

SCE Group : PS014
SCE Group Title : Navigation Aids (Aircraft)
Description : Navigation aids would decrease the likelihood of helicopter collision with the installation.
SCE Goal :
1. To avoid helicopter/aircraft collision with the installation.
2. To provide a safe landing area for helicopters.
3. To alert aircraft of the position of the installation so that they may take timely action to avoid the area.
Typical Equipment Types / Boundaries :
- Aircraft warning (obstruction lights on masts or flare stacks onshore / offshore)
- Main, secondary and subsidiary navigation lights offshore
System Level : At system level i.e. aircraft warning lights

SCE Group : PS015
SCE Group Title : Collision Avoidance Systems (nav. aids, weather monitoring, lights, foghorns & radar)
Description : The failure of collision avoidance systems would increase the likelihood of helicopter or vessel collision with the installation.
SCE Goal : To avoid ship collision by passing or drifting vessels with the installation.
Typical Equipment Types / Boundaries :
- Fixed radar system on installation offshore
- Radar systems installed on the offshore standby vessels (SBV)
- SBV Marine VHF radio
- Marine lantern
- Foghorn
System Level : At system level i.e. Facility radar system

SCE Group : PS016
SCE Group Title : METAOCEAN Data Gathering Systems
Description : Metocean (meteorological and oceanographic) data is crucial to the design and operation of offshore installations. The Metocean Data Gathering Systems comprise of wind, wave and current measuring devices and a database system.
SCE Goal : To alert personnel to adverse weather by providing accurate, continuous, real-time metocean data for decision making when conducting weather sensitive activities to help prevent weather related incidents.
Typical Equipment Types / Boundaries :
- Meteorological sensors for air temperature, air humidity, atmospheric pressure, cloud height and visibility
- Oceanographic sensors which measure wave height, wave period and current speed, current direction and motion sensor (HPR) for Floating structures only
System Level : At system level

SCE Group : SD001
SCE Group Title : Emergency Shutdown (ESD) Control System
Description : Failure of the ESD control system could result in failure to isolate leaks, control ignition sources and depressurise topside process equipment, implying potentially catastrophic escalation.
SCE Goal :
1. To achieve safe shutdown of plant and equipment.
2. To prevent or mitigate the consequences of a Major Accident Event.
Typical Equipment Types / Boundaries :
- Sensors: pressure, temperature, flow, level, quality, position
- Logic solvers: PLCs and solid state systems (hardware and software)
- IPF SIL 1 Safety / Environment / Asset
- Final Elements: on/off valves including their pneumatic/hydraulic actuators and control circuits (excluding pipeline isolation valves, ESDVs and SSIVs which are covered by other SCE barriers).
Typically includes:
- ESD Pushbutton with Maintenance Override Switch (MOS)
- ESD Pushbutton without MOS is conducted during TA
System Level : At system level i.e. ESD Control System

SCE Group : SD002
SCE Group Title : Emergency Depressurisation (Blowdown)
Description : Failure of blowdown would increase the potential duration of hydrocarbon releases (i.e. gas to flare is not released). Furthermore, blowdown reduces the risk of catastrophic failure of process facilities exposed to flammable effects by reducing the containment pressure imposed stresses on the equipment.
SCE Goal : To prevent major escalation during a fire incident by:
1. Preventing the rupture of process equipment or pipework which may suffer a decrease in mechanical strength due to the exposure or impact from an external source of heat or fire.
2. Ensuring a rapid reduction in the size of any hydrocarbon inventory.
Typical Equipment Types / Boundaries :
- Blowdown valves
- Shutdown valves
- Blowdown pushbuttons
- Pneumatic / hydraulic actuators and local control circuits
- Any rate-determining elements (e.g. orifice plates) that are essential for the system to achieve its performance requirements (care must be taken to prevent the element from being opened excessively or removed, to prevent overpressure)
System Level : At system level / area group (PS normally tagged at groups of Depressurisation System)

SCE Group : SD003
SCE Group Title : High Integrity Pressure Protection Systems (HIPPS)
Description : HIPPS will shut off the source of the high pressure before the design pressure of the downstream system is exceeded, thus preventing loss of containment through rupture of a pipeline or vessel.
SCE Goal : To protect against overpressurisation of gas transportation pipeline systems.
Typical Equipment Types / Boundaries :
- HIPPS Pressure Transmitters
- HIPPS valves including their actuators
System Level : At system level

SCE Group : SD004
SCE Group Title : Well Isolation
Description : Well isolation system including components related to isolating the well / annulus.
SCE Goal : To isolate the well in response to an upset or abnormal event.
Typical Equipment Types / Boundaries :
- X-mas Trees including actuated and manual isolation valves, Sub Surface Safety Valves, actuated gas lift isolation valves and injection check valves / storm chokes
- ESPs / Beam pumps / ESPCPs / PCPs / Jet pumps
System Level : At item level, i.e. per well

SCE Group : SD005
SCE Group Title : Pipeline Isolation Valves (Riser)
Description : Riser isolation valves isolate pipelines from topside facilities. The failure of riser isolation valves in the event of a hydrocarbon leak topside could result in an indefinite release given that pipelines have very large volumes of hydrocarbons and, unlike topside process facilities, are not depressurised to a safe location on ESD.
SCE Goal : To reduce the inventory released in the event of a Major Accident Event.
Typical Equipment Types / Boundaries :
- Pipeline ESD valves, plant isolation or safety valves, pipeline block valves, pipeline check or non-return valves
- Pneumatic / hydraulic / electrical actuators and control circuits
System Level : At item level, i.e. per isolation valve

SCE Group : SD006
SCE Group Title : Emergency Shutdown Valves (ESDV)
Description : Process ESD valves segregate process systems. Failure to isolate process sections given a leak of hydrocarbons would significantly increase the amount of hydrocarbons potentially released through the leak, thus increasing the risk of escalation.
SCE Goal : To reduce the hydrocarbon inventory released during a Major Accident Event (MAE) by segregating the affected area.
Typical Equipment Types / Boundaries :
- SD valves in hydrocarbon services
- Note: Recommended to refer to Safeguarding Memorandum
System Level : At item level, i.e. per valve

SCE Group : SD007
SCE Group Title : Subsea Isolation Valves (SSIV) System
Description : SSIVs isolate subsea pipelines from the riser. The failure of an SSIV in the event of a hydrocarbon leak at the riser could result in an indefinite release given that pipelines have very large volumes of hydrocarbons and, unlike topside process facilities, are not depressurised to a safe location on ESD.
SCE Goal :
1. To isolate the pipeline inventory in the event that the riser ESDV is unable to operate.
2. To prevent additional pipeline inventory from causing escalation of an MAE.
Typical Equipment Types / Boundaries :
- Subsea pipeline actuated ball valve and check valve
- Subsea Isolation Valves (SSIVs) including their actuators
System Level : At item level, i.e. per valve

SCE Group : SD008
SCE Group Title : Drilling Well Control Equipment
Description : Well control equipment required during drilling in the event of loss of control of the well or threat of blowout.
SCE Goal : To contain hydrocarbons and other hazardous substances and to isolate the well in response to any upset or abnormal event.
Typical Equipment Types / Boundaries :
- Drilling Blowout Preventers (BOPs), BOP Hydraulic Control System, Choke manifold, Atmospheric and vacuum Degasser, Diverters, Kelly Cocks and Stabin Valves, Well Kill System, Flow and Gas Detection (including Kick Detection) for Drilling Operations
System Level : At system level

SCE Group : SD009
SCE Group Title : Instrument Air
Description : Utility (Instrument) Air – only if the system is not fail safe.
SCE Goal : To prevent an unplanned and / or out-of-sequence operation of safety critical air controlled equipment, such as emergency shutdown valves or deluge systems.
Typical Equipment Types / Boundaries :
This element includes:
- SD009 Instrument Air as SCE if the IPF system is not fail-safe and is operated by instrument air.
This element excludes:
- SD009 Instrument Air if low pressure of instrument air will automatically initiate IPF.
Air system including compressors / rotating equipment, associated instrumentation, air receiver, distribution, air drier and pipe work etc., where applicable.
System Level : At system level i.e. Instrument Air System

SCE Group : ER001
SCE Group Title : Temporary Refuge (TR) / Primary Muster Area
Description : A Temporary Refuge is where personnel can safely muster, where major accident events can be monitored, assessed and controlled, and where emergency activities, including search & rescue and evacuation activities, can be co-ordinated. Muster Areas are provided in numerous areas for personnel to relocate to in an emergency for further instructions in the event of a General Platform Alarm being sounded. Such areas will have various lifesaving facilities adjacent to them.
SCE Goal : The arrangements for TR should provide sufficient protection to enable people to muster safely, to permit the emergency to be assessed and to allow the appropriate parts of the emergency response plan to be executed during a Major Accident Event.
Typical Equipment Types / Boundaries :
- TR, muster area
- TR boundary doors and external wall
- TR communications, monitoring and control equipment
System Level : At refuge / area level

SCE Group : ER002
SCE Group Title : Escape Routes
Description : Escape routes are safety critical in the context of the mustering process and search & rescue. They provide egress from process areas and access to Muster areas, Temporary Refuge and Escape devices in an emergency.
SCE Goal : To provide sufficient safe, readily identifiable escape routes for all personnel to leave an area affected by an incident, reach the TR from any part of the installation they are likely to occupy and transfer from the TR to the TEMPSC embarkation points and Helideck (where applicable).
Typical Equipment Types / Boundaries :
- On offshore installations, the route from the primary muster points to either the helideck or lifeboat
System Level : At area level i.e. Escape Route of Module 1

SCE Group : ER003
SCE Group Title : Emergency / Escape Lighting
Description : Emergency lighting supports emergency response activities. Failure of the system could delay or impair the escape, mustering and evacuation processes.
SCE Goal : To provide adequate illumination at emergency response locations and to escape routes in the event of a major hazardous event.
Typical Equipment Types / Boundaries : Lighting units with battery back up; emergency warning lights
System Level : At system / area level i.e. Emergency Lighting of Module 2

SCE Group : ER004
SCE Group Title : Internal, External & Emergency Communication
Description : Emergency communication systems play an essential role in the emergency response plan. Effective platform alarm systems reduce the exposure of personnel to hazardous effects, and two-way means of communication allow the co-ordination of emergency response activities such as search & rescue and fire fighting.
SCE Goal :
1. To ensure that all personnel on board or at site at any location are made aware of any need for mustering or abandonment once the decision has been made.
2. To ensure that the communications systems and information required for emergency response control, platform evacuation, and with all external parties identified in the emergency plan are available.
Typical Equipment Types / Boundaries : Typical telecommunications systems include:
- installation PA system
- visual warning signals in high noise areas (onshore and offshore)
- Emergency Response Team (ERT) UHF radio system including hand-held sets, and antennas (offshore)
- Marine VHF radios (offshore)
- ICC air band radios (offshore)
- lifeboat EPIRBs (offshore)
- INMARSAT communication system (offshore)
- telephone system
System Level : At system level i.e. telecommunication system

SCE Group : ER005
SCE Group Title : Uninterruptable Power Supply (UPS)
Description : UPS provides emergency power to the installation when the main and emergency power supply fail. It will provide near-instantaneous protection from main power interruptions by supplying power from batteries.
SCE Goal : To provide an uninterrupted power supply to the vital services during a Major Accident Event (MAE) when power fails.
Typical Equipment Types / Boundaries :
- Typical UPS systems comprising of batteries, rectifiers, inverters, cabling, ESD and EDP systems. The system typically provides uninterruptable emergency power to:
  - Fire and gas detection system
  - PA audio and visual alarm
  - SOLAS communications (offshore)
  - Navigation Aids and Helideck Lighting (perimeter lights and obstacle marking) (offshore)
  - Emergency and Escape Lighting
  - Process Monitoring and Control Systems
  - Pipeline Protection System, PPS
  - Utility Plants
  - Emergency Lighting
  - Non-process computer installations
  - Fire-fighting / fire alarm systems
  - Telecoms
System Level : At item level (PS normally tagged at UPS System)

SCE Group : ER006
SCE Group Title : Helicopter Facilities (incl. Markings, Nets, Obstacle Marking / Lighting etc.)
Description : (Helideck is utilised for chopper landing.) A dedicated, secure and functional helideck is required to provide a safe landing area for helicopters arriving at and departing the Installation, enabling safe transportation to and from the Installation under normal working conditions and emergency evacuation when required.
SCE Goal :
1. To avoid collision by the helicopter with the installation.
2. To facilitate the evacuation of personnel from the installation to the nearest place of safety.
Typical Equipment Types / Boundaries :
- Marking, lighting, windsocks and safety net protected surfaces, an essential safeguard for all flights, including helicopter crash box
- Note that only a helideck that is still in operation is considered as SCE
System Level : At system level

SCE Group : ER007
SCE Group Title : Emergency Power (Incl. Generation & Distribution).

Description: This PS addresses the emergency power supplies including the emergency generator, the emergency switchboards and the essential power distribution system.
SCE Goal: To provide an emergency power supply to support essential facilities during an emergency following loss of the normal power supply.
Typical Equipment Types:
- Typical emergency power supply system comprises of emergency diesel generator and switchboard, distribution boards and generator diesel day tank.
System Level / Boundaries: At item level, e.g. generator.


SCE Group : ER008
SCE Group Title : Manual Fire Fighting Equipment

Description: Manual fire-fighting equipment: fire vehicle / engine. This element excludes portable fire extinguishers.
SCE Goal: To provide a means to extinguish fires, provide cooling to equipment to prevent escalation and to reduce incident thermal radiation on escape routes.
Typical Equipment Types:
- Fire Vehicle /Engine (for terminal)
System Level / Boundaries: At category of equipment level.

SCE Group : ER009
SCE Group Title : Process Control & Alarms

Description: Note that all the IPF shall be identified under SD001. The description below is only applicable to systems with no IPF available as ultimate protection. A process control system is used to monitor data and control equipment on the installation. It uses electronic, hydraulic or pneumatic control systems.
SCE Goal: To ensure the production, processing and utility systems operate efficiently within design constraints and alarm limits by shutting down the appropriate parts of the process, thereby eliminating the risk of equipment failure that could result in accidental release of hydrocarbon.
Typical Equipment Types: For facilities with an IPF system, alarms and operator intervention shall not be given credit as valid barriers nor shall they be considered as SCEs. Note that for facilities that are designed without an IPF system, with reference to the Cause and Effect Matrix (C&EM), basic process control systems such as the pressure control valve (PCV), level control valve (LCV) and the associated alarms, etc. may be taken as barriers in the absence of other valid barriers. In this case, the PCV, LCV and associated alarms shall be considered as SCEs.
- Pressure, temperature, level, flow and RPM monitoring shutdown transmitters.
- DCS
System Level / Boundaries: At system level, i.e. Process Control System.

SCE Group : ER010
SCE Group Title : Bunding and Drains (Hazardous and Non-hazardous)

Description: Drain systems control liquid spills. Drain systems are also safety critical as they may present paths for the migration of hydrocarbon vapours from hazardous to non-hazardous areas.
SCE Goal: To contain and / or route hazardous liquids to a safe location.
Typical Equipment Types:
- Offshore system providing drainage from process modules, including associated interceptors
- Onshore system providing drainage from storage and process areas, including associated interceptors
Typical equipment example:
- Bunding
- Drain pumps
- Drain caisson
- Collection sump
System Level / Boundaries: At system level, i.e. open drain system.


SCE Group : ER011
SCE Group Title : Oil Spill Contingency (Oil Booms and Dispersants)

Description: Oil Spill Contingency (Oil Booms and Dispersants)
SCE Goal: To limit the consequences of oil leaks to the environment.
Typical Equipment Types:
- Vessel, oil boom, dispersant, skimmer and tanks.
- Site/onboard oil spill response equipment
System Level / Boundaries: At system level, i.e. oil spill contingency system.

SCE Group : LS001
SCE Group Title : Personal Survival Equipment (PSE)

Description: Personal Survival Equipment is provided to assist personnel in attempting to reach muster areas / escape to sea.
SCE Goal:
1. To provide all personnel escaping from a Major Accident Event with suitable protective clothing and equipment.
2. To provide personnel with emergency response roles with suitable protective clothing and equipment.
Typical Equipment Types: Typical items are:
- Life jackets, immersion suits, grab bags (containing self-rescue sets, flame-retardant gloves, torches and chemical light sticks, respiratory protection aids for escape), Breathing apparatus sets (for rescue and escape), fire suits and fire rescue equipment, and protective equipment
System Level / Boundaries: At category of equipment level, i.e. Breathing Apparatus sets.


SCE Group : LS002
SCE Group Title : Rescue Facilities (Standby Vessel Incl. Man Overboard boat / Fast Rescue Craft).

Description: It is necessary to provide equipment to assist in the recovery & rescue of personnel who have entered the sea involuntarily or have become trapped due to an emergency.
SCE Goal:
1. To provide a good prospect of successfully rescuing casualties following immediate notification of their entry to the sea, under conditions where the need to rescue personnel from the sea is likely to occur.
2. To identify errant vessels
Typical Equipment Types:
- Standby vessel (to be included as part of Emergency Response Monthly Task) and onboard facilities
- Fast rescue craft and launch and recovery mechanisms
- Daughter craft and launch and recovery mechanisms
- Dacon scoops, which are deployed when other rescue methods are not safe to deploy due to weather conditions
- Radar system and related components
- Emergency Response and Rescue Vessel (ERRV), Helicopter
- Two-way radio communications (SBV Marine VHF radio)
- SBV (ERRV) Radar (if applicable)
- SBV (ERRV) Deck
System Level / Boundaries: At category of equipment level, i.e. standby vessel.


SCE Group : LS003
SCE Group Title : TEMPSC / Lifeboats

Description: This PS addresses Totally Enclosed Motor Propelled Survival Crafts (TEMPSCs) and liferafts located on the Installation.
SCE Goal: To facilitate a primary means of evacuation (TEMPSC) of personnel, independent of external resources.
Typical Equipment Types:
- TEMPSCs and life-rafts including launch mechanism and embarkation area
- Lifeboats
- Engine and propulsion system
- Release Gear
System Level / Boundaries: At item level, i.e. per Lifeboat or embarkation area.

SCE Group : LS004
SCE Group Title : Alternate Means of Escape (Liferafts, Scramble Nets and Ladders to Sea)

Description: Alternate means of escape to sea for personnel. To provide alternative means of escape for personnel not evacuated by helicopter or TEMPSC.
SCE Goal: To have a variety of alternate means of escape to sea for personnel from the installation when primary (TEMPSC) means are unavailable.
Typical Equipment Types:
- Personal descent devices, knotted ropes, escape line, scramble nets and ladders to sea.
- Liferafts
System Level / Boundaries: At system level, i.e. for each means of escape.

Appendix E: Sample Of GOPS

PETRONAS OPERATIONAL PERFORMANCE STANDARD AND ASSURANCE TASK - SHUTDOWN SYSTEM

SCE GROUP- SD001 Emergency Shutdown (ESD) Control System
RESPONSIBLE TECHNICAL AUTHORITY – Chua Kien Kek (GTS/PD&T)

SCE GOAL-
1. To achieve safe shutdown of plant and equipment
2. To prevent or mitigate the consequences of a Major Accident Event

FUNCTIONALITY

Columns: Functional Criteria | Assurance Task | Responsible Party | Min. Acceptance Criteria | Frequency (mthly)** | Measurable Unit | Verification Task | Supporting Documents for Verification

Functional Criteria 1: To sense process or equipment conditions that require an ESD initiation (including Fire & Gas and manual inputs).

Assurance Task 1.1: Perform ESD Initiator (excluding Fire & Gas) and Logic Test.
i. Automatic and Manual Initiators (IPF Class of SIL 1 or above) and their Logic Solver shall operate correctly as detailed within the ESD Cause and Effects.
Notes: More than one sensor can be selected. The sensors selected must be varied from year to year and therefore the sensors selected must be recorded.
Responsible Party: Instrument Technician
Min. Acceptance Criteria: ESD Initiators and Logics operate correctly.
Frequency (mthly)**: 12, or to comply with IPF testing frequency and proof test recommendation.
Measurable Unit: Y/N
Verification Task:
1.1.1 Witness ESD Initiation (excluding Fire & Gas) Test for Automatic and Manual Initiators (IPF Class of SIL 1 or above) to ensure it operates as per ESD Cause and Effects, if practicable.
1.1.2 Perform sample visual inspection of randomly selected Automatic and Manual Initiators and their Logic Solver to verify physical conditions and integrity.
1.1.3 Review Inspection Checklist and Anomaly management (including reporting, rectification, repair and modification work, By-Pass, Temporary Repairs, etc.), where applicable.
1.1.4 Conduct physical spot check on anomaly where applicable to confirm quality of rectification.

Assurance Task 1.2: Perform Fire and Gas Logics Test.
i. The ESD logic solver responds to output(s) from the Fire & Gas System as defined in the Cause & Effect Matrices.
Notes: More than one sensor can be selected. The sensors selected must be varied from year to year and therefore the sensors selected must be recorded.
Responsible Party: Instrument Technician
Min. Acceptance Criteria: Fire and Gas Logic operates correctly.
Frequency (mthly)**: 12, or to comply with IPF testing frequency and proof test recommendation.
Measurable Unit: Y/N
Verification Task:
1.2.1 Witness ESD logic solver test from Fire & Gas System as defined in the Cause & Effect Matrices, if practicable.
1.2.2 Perform sample visual inspection of randomly selected Fire & Gas System Logic Solver to verify physical conditions and integrity.
1.2.3 Review Inspection Checklist and Anomaly management (including reporting, rectification, repair and modification work, By-Pass, Temporary Repairs, etc.), where applicable.
1.2.4 Conduct physical spot check on anomaly where applicable to confirm quality of rectification.
Supporting Documents for Verification:
- ESD Initiator (excluding Fire & Gas) and Logic Test for Automatic and Manual Initiators Procedures.
- ESD Cause and Effects Matrices.
- PM and Inspection Historical Test report.
- Approved PM plan, Fire and Gas Logic Test Procedures.
- FGS Cause and Effects Matrices.
- FGS Initiator PM and Inspection Historical Test report.
- PMMS record

Functional Criteria 2: To respond to ESD inputs and initiate executive actions that trip, isolate and / or depressurize equipment.

Assurance Task 2.1: Perform Hazardous Area Ventilation Fire Damper Function Test (if applicable).
i) Following a signal from the HVAC control panel, fire dampers will respond as detailed in the FGS Cause and Effect Matrices.
ii) HVAC fire dampers are fully operable across the full range of movements (using local or remote initiation).
iii) Fan and fire damper status shall be indicated on centrally monitored panels (fire damper status, if available, at the FGS panel if applicable).
Responsible Party: Instrument Technician
Min. Acceptance Criteria: Fire Damper operates on demand.
Frequency (mthly)**: 12, or to comply with IPF testing frequency and proof test recommendation.
Measurable Unit: Y/N
Verification Task:
2.1.1 Witness Hazardous Area Ventilation Fire Damper Function Test as defined in the Cause & Effect Matrices, if practicable, to ensure fire dampers operate on demand (from ESD inputs) as per design intent. Fan and Fire damper feedback status shall be acknowledged and recorded in the FGS panel.
2.1.2 Perform sample physical inspection of randomly selected Hazardous Area Ventilation System to verify its physical integrity.
2.1.3 Review Inspection Checklist and Anomaly management (including reporting, rectification, repair and modification work, By-Pass, Temporary Repairs, etc.), where applicable.
2.1.4 Conduct physical spot check on anomaly where applicable to confirm quality of rectification.
Supporting Documents for Verification:
- Fire and Gas Cause and Effect As Built Matrices.
- Hazardous Area Ventilation System Function Test Procedure and Test records.
- PM Task and Inspection Checklist.
- PMMS record

Functional Criteria 3: To provide the appropriate input to the Sequence of Event (SoE) logger upon confirmation of an initiating event, i.e. Process Shutdown.

Assurance Task 3.1: Perform Sequence Of Event (SoE) Input Test (where installed).
i. The Sequence Of Event recorder responds to inputs from the ESD System as required by the ESD Cause and Effect Matrices.
Responsible Party: Instrument Technician
Min. Acceptance Criteria: SoE system operates correctly.
Frequency (mthly)**: 12
Measurable Unit: Y/N
Verification Task:
3.1.1 Witness SoE Input Test (only where installed) verified against the Cause and Effect Matrices, if practicable.
3.1.2 Perform sample physical inspection of randomly selected SOE system including its logger to verify its physical integrity.
3.1.3 Review Inspection Checklist and Anomaly management (including reporting, rectification, repair and modification work, By-Pass, Temporary Repairs, etc.), where applicable.
3.1.4 Conduct physical spot check on anomaly where applicable to confirm quality of rectification.
Supporting Documents for Verification:
- SoE Test Procedures
- ESD Cause and Effect Matrices.
- Historical Input results.
- SOE Input PM schedule.
- PMMS record

Functional Criteria 4: To monitor the health of any SCE trip circuits and to provide indication within the control room of a circuit fault.

Assurance Task 4.1: Perform SCE Trip Monitoring Circuit Alarm Test.
The SCE tripping circuit supervision system (where applicable) shall give alarm in the control room upon:
i. Failure of the tripping circuit supply.
ii. A fault within the trip monitoring circuit.
Responsible Party: Instrument Technician
Min. Acceptance Criteria: Alarm upon supply failure. Alarm upon tripping circuit fault.
Frequency (mthly)**: 12
Measurable Unit: Y/N
Verification Task:
4.1.1 Witness SCE Trip Monitoring Circuit Alarm Test to ensure that whenever failure of the tripping supply or a fault within the trip monitoring circuit occurs, the tripping circuit supervision system (where applicable) gives alarm in the control room, if practicable.
4.1.2 Review PMMS records, PM task/test records, Inspection Checklist and Anomaly management (including reporting, rectification, repair and modification work, By-Pass, Temporary Repairs, etc.), where applicable.
4.1.3 Conduct physical spot check on anomaly where applicable to confirm quality of rectification.
Supporting Documents for Verification:
- Historical/Test records
- Trip setting data sheet
- SCE Trip Monitoring Circuit Alarm Test procedure
- PMMS record

AVAILABILITY

The target availability of ESD System shall be 100% on demand.

RELIABILITY

The target reliability of ESD System shall be 100% on demand.

SURVIVABILITY

NA

INTERDEPENDENCIES
DS001 Fire and Gas Detection;
ER004 Internal, External and Emergency Communication;
SD002 Emergency Depressurisation (Blowdown);
SD006 Emergency Shutdown Valves (ESDV).

REFERENCES (For Assurance Task)
PTS 14.12.10 Classification, Verification and Implementation of Instrumented Protective Functions
PTS 14.12.12 Instrumented Protective System
PTS 14.12.11 Management of Instrumented Protective Function
IEC61508 – Functional Safety of Electrical/ Electronic/ programmable electronic safety-related system
IEC61511 – Functional Safety – Safety Instrumented System for the Process Industry
WW ALL M 04 002 PCSB Inspection and Maintenance Guidelines Revision 3b 2016

APPENDIX

PETRONAS Review Number:
Responsibility: Technical Authority
Name : Chua Kien Kek (GTS/PD&T)
Signature :
Signed Off Date: 24/08/17

Note**: Frequency is defaulted to 12 months unless specified otherwise in the CIMG, CMMG, Statutory requirements etc.
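The GOPS rows above set the ESD initiator test frequency to 12 months "or to comply with IPF testing frequency and proof test recommendation", and the footnote defaults the frequency to 12 months. The following Python is an added example, not part of this procedure or of any PETRONAS tool: it shows where an IPF-driven interval comes from by applying the IEC 61508 simplified single-channel (1oo1) relation PFDavg = λDU × TI / 2 to constructed initiator data and returning, per initiator, the shorter of the 12-month default and the longest interval that keeps the loop inside its SIL band. The tags (PT-1001-HH, LT-2002-HH, PB-3003), their SIL classes and failure rates, and the choice to round the recommended interval down to whole months are all assumptions made for the example.

```python
"""Proof-test interval versus SIL target for ESD initiator loops.

Added example; it is not part of the PETRONAS procedure. For a single-channel
(1oo1) low-demand loop, IEC 61508-6 gives the simplified estimate
PFDavg ~= lambda_DU * TI / 2, and the proof-test interval TI must keep PFDavg
inside the SIL band of IEC 61508-1. Tags and failure rates are constructed.
"""
from dataclasses import dataclass
import math

HOURS_PER_MONTH = 730.0  # 8760 h per year / 12, so 12 months is exactly 8760 h

# IEC 61508-1 low-demand PFDavg bands: SIL n means lower <= PFDavg < upper
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


@dataclass(frozen=True)
class Ipf:
    tag: str          # constructed initiator tag
    sil: int          # SIL class claimed in the IPF classification
    lambda_du: float  # dangerous undetected failure rate, per hour (assumed value)


def pfd_avg_1oo1(lambda_du: float, interval_months: float) -> float:
    """Simplified 1oo1 PFDavg = lambda_DU * TI / 2 (valid while lambda_DU * TI << 1)."""
    return lambda_du * interval_months * HOURS_PER_MONTH / 2.0


def max_interval_months(lambda_du: float, sil: int) -> float:
    """Longest proof-test interval (months) that keeps PFDavg below the SIL upper bound."""
    upper = SIL_BANDS[sil][1]
    return 2.0 * upper / (lambda_du * HOURS_PER_MONTH)


def meets_sil(ipf: Ipf, interval_months: float) -> bool:
    """True when testing every interval_months keeps the loop inside its SIL band."""
    return pfd_avg_1oo1(ipf.lambda_du, interval_months) < SIL_BANDS[ipf.sil][1]


def assurance_frequency_months(ipf: Ipf, default_months: int = 12) -> int:
    """GOPS rule: 12 months unless the IPF proof-test recommendation is shorter.

    The recommendation is taken as the largest whole number of months that
    still meets the SIL target (an assumption for this example).
    """
    recommended = max(1, math.floor(max_interval_months(ipf.lambda_du, ipf.sil)))
    return min(default_months, recommended)


def frequency_table(ipfs):
    """One row per initiator: required frequency and PFDavg at that frequency."""
    rows = []
    for ipf in ipfs:
        months = assurance_frequency_months(ipf)
        rows.append({
            "tag": ipf.tag,
            "sil": ipf.sil,
            "frequency_months": months,
            "pfd_avg": pfd_avg_1oo1(ipf.lambda_du, months),
            "meets_sil_at_12_months": meets_sil(ipf, 12),
        })
    return rows


# Constructed sample initiators (not from any real facility)
SAMPLE_IPFS = [
    Ipf("PT-1001-HH", sil=2, lambda_du=2.0e-6),  # 12-month test keeps it within SIL 2
    Ipf("LT-2002-HH", sil=2, lambda_du=5.0e-6),  # needs a shorter interval than 12 months
    Ipf("PB-3003", sil=1, lambda_du=1.0e-5),     # manual initiator, SIL 1
]

if __name__ == "__main__":
    for row in frequency_table(SAMPLE_IPFS):
        print(row)
```

With the constructed rates, PT-1001-HH and PB-3003 keep the 12-month default, while LT-2002-HH must be proof-tested every 5 months to stay inside SIL 2; that shorter interval is what the "or to comply with IPF testing frequency" wording in the Frequency column is meant to carry into the site-specific standard.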


Appendix F:

a. Sample of SSPS

PETRONAS SITE SPECIFIC PERFORMANCE STANDARD AND ASSURANCE TASK

SCE GROUP- (Refer to GOPS)
RESPONSIBLE TECHNICAL AUTHORITY– (Discipline of the TA as per GOPS)

SCE GOAL- (Refer to GOPS)

SCE Sub element- (Refer to Appendix D for each SCE group under type of equipment)

FUNCTIONALITY

Columns: Functional Criteria | Assurance Task | Responsible Party | Min. Acceptance Criteria | Frequency (mthly)** | Measurable Unit | Verification Task | Supporting Documents for Verification

Functional Criteria: (Refer to GOPS)
Assurance Task: (i - Refer to GOPS; ii - To ensure site specific assurance task based on type of equipment and additional requirement as per OEM recommendations)
Responsible Party: (Refer to GOPS)
Min. Acceptance Criteria: (i. OEM acceptance criteria or recommendation; ii. Refer to GOPS)
Frequency (mthly)**: (i. As per any credible risk assessment, i.e. IPF, RBI, FMEA, RCM; or ii. Refer to GOPS (generic))
Measurable Unit: Y/N
Verification Task: (Refer to GOPS or any approved VWI Checklist)
Supporting Documents for Verification: (Refer to GOPS or any approved VWI Checklist)

AVAILABILITY

(Refer to GOPS)

RELIABILITY

(Refer to GOPS)

SURVIVABILITY

(Refer HEMP/ Formal Safety Assessment/ESSA Study/ HSE Case for SCE Survivability)

INTERDEPENDENCIES

(Refer to GOPS or add relevant additional interdependencies)

REFERENCES (For Assurance Task)

(Refer to GOPS and Original Engineering Manufacturing (OEM))

APPENDIX

(Include tag number for SCE Group or Subgroup)

PETRONAS Review Number:
Responsibility: Technical Authority
Name : (TA1/TA2) (Name)
Signature : (Signature)
Signed Off Date: (Date)


b. SSPS Cover for Barrier Owner Approval

PETRONAS

SITE SPECIFIC PERFORMANCE STANDARD

SCE Group List:

SCE Code | List of SCE

Approved by Barrier Owner: ________________

Discipline : _________________


Appendix G: Sample of SCE Verification

IOAIA CHECKLIST

IOAIA ELEMENT / SCE: Shutdown Systems

IOAIA ELEMENT / SCE SUB GROUP: SD002 Emergency Depressurization (Blowdown)

IOAIA ELEMENT GOAL: To prevent major escalation during a fire incident by:
1. Preventing the rupture of process equipment or pipework which may suffer a decrease in mechanical strength due to the exposure or impact from an external source of heat or fire.
2. Ensuring a rapid reduction in the size of any hydrocarbon inventory

RESPONSIBLE TECHNICAL AUTHORITY: Chua Kien Kek (GTS/PD&T)

FUNCTIONALITY

Columns: Functional Criteria | Assurance Task | Min. Acceptance Criteria | Measurable Unit | Verification Task | Supporting Documents for Verification | Rating (Asset): High= 3, Medium= 2, Low= 1, No Finding= 0 | Remarks

Functional Criteria 1: Depressurization system activates upon confirmed fire detection.
Assurance Task 1.1: Perform Depressurization (Blowdown) Activation Test. Check that confirmed fire detection causes activation of the depressurization system in accordance with the Cause & Effect Matrices.
Notes: Fire detection is covered by Performance Standard DS001 Fire and Gas Detection.
Min. Acceptance Criteria: Blowdown system operates on demand.
Measurable Unit: Y/N
Verification Task:
1.1.1 Witness Depressurization (Blowdown) Activation Test. Check to confirm that fire detection causes activation of the depressurization system in accordance with the Cause & Effect Matrices, if practicable.
1.1.2 Review PMMS records, PM Task and Anomaly management (including reporting, rectification, repair and modification work, By-Pass, Temporary Repairs, etc.), where applicable.
1.1.3 Conduct physical spot check on anomaly where applicable to confirm quality of rectification.
1.2.4 Verify that the scope of inspection work mentioned in the inspection/test record covers BDV corrosion, physical condition and leakage. Check whether the inspection/test record mentions acceptance criteria.
1.2.5 Verify that the above inspection requirement is captured in the PM (e.g. SAP, CMMS) for Work Order generation.
1.2.6 Confirm in the BDV functional test report that the blowdown valves open upon demand per the latest ESD Cause & Effects Matrix. Show proof of test procedure & records of tests done. Check whether the test record is filed inside the PMMS.
Supporting Documents for Verification: Depressurization (Blowdown) Activation Test Check Procedures, Cause and Effect Matrices, Historical Depressurization (Blowdown) Activation Test Records, PM Schedule, PMMS record

Functional Criteria 2: Equipment depressurization to the specified pressure takes place within the prescribed time.
Assurance Task 2.1: Perform Depressurization (Blowdown) Performance Test and Inspection.
i) Perform Test and record time to reduce pressure to safe level.
ii) Perform physical inspection of the Depressurization System. Inspection to include Solenoid valves, filter regulators, BDV body and actuator, impulse tubing, mech. position indicator, fusible plug and manual reset at local panel/control room (where applicable).
Notes:
iii) Depressurization System operates at pre-defined set pressure as per plant procedure, taking into consideration flare design capacity. Pressure reduction up to safe working pressure within specified time (second, s).
iv) (Blowdown Valves (BDV): Where applicable, shutdown & blowdown valves and pressure relief valves are required to be inspected for leakage, damage and corrosion)
v) In cases where the flare has been designed with limited capacity, BDV shall be designed to avoid opening all BDVs simultaneously on loss of a single power supply, to avoid exceeding flare tip capacity (Apply only for "Sectionalized Blowdown")
Min. Acceptance Criteria: Depressurization System is in good working condition.
Measurable Unit: Y/N
Verification Task:
2.1.1 Witness Depressurization (Blowdown) Performance Test and record time to ensure pressure is reduced to safe level within the prescribed time, if practicable.
2.1.2 Perform random visual inspection on the physical conditions of the depressurization system.
2.1.3 Review PMMS records, PM Task, Inspection Checklist/records and Anomaly management (including reporting, rectification, repair and modification work, By-Pass, Temporary Repairs, etc.), where applicable.
2.1.4 Conduct physical spot check on anomaly where applicable to confirm quality of rectification.
2.1.5 Confirm whether the blowdown system relies upon mechanical timers to achieve a sequenced blowdown (i.e. avoid all BDVs opening at the same time) in the event of a total ESD system power failure. Are mech. timers installed on each BDV? Take photo.
2.1.6 If no mechanical timers, then verify that each of the dual BDV solenoid coils is connected to the dual separate power supplies, to avoid failure of a common supply causing opening of all BDVs at the same time.
2.1.7 Confirm that each blowdown valve's opening time meets the designed stroke time as identified in the respective BDV's inspection/test record. Check the time delay setting at each BDV and confirm whether it results in the correct blowdown sequence.
Supporting Documents for Verification: Depressurization (Blowdown) Performance Test Procedure, Performance Test Historical Test records, PM Schedule, PMMS record
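Verification tasks 2.1.5 to 2.1.7 above check the BDV timer settings, the resulting opening sequence against flare capacity, and each measured stroke time against its design value. The following Python is an added example, not part of this procedure or of any PETRONAS tool: it models the aggregate flare load for a set of constructed BDVs and reports findings in the checklist's own terms, once for a staggered timer setting and once with every timer at zero. The tags BDV-101/201/301, their delays, stroke times, peak rates and decay constants, the 85,000 kg/h flare capacity, the 10% stroke-time tolerance and the exponential-decay model of each section's release are all assumptions made for the example.

```python
"""Sectionalised blowdown sequence check.

Added example; it is not part of the PETRONAS procedure. Modelling assumption:
each section releases at its peak rate from the moment its BDV is fully open
and decays exponentially afterwards. Tags, rates, delays, stroke times and the
flare capacity are constructed sample values.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Bdv:
    tag: str
    delay_s: float            # sequence/timer delay before the valve starts to open
    design_stroke_s: float    # designed opening time from the BDV data sheet
    measured_stroke_s: float  # opening time recorded in the latest function test
    peak_rate_kg_h: float     # section relief rate at the moment of full opening
    time_const_s: float       # exponential decay time constant of the section

    def fully_open_at(self) -> float:
        return self.delay_s + self.measured_stroke_s

    def rate_at(self, t_s: float) -> float:
        """Flow to flare (kg/h) at t_s seconds after the blowdown command."""
        t_open = self.fully_open_at()
        if t_s < t_open:
            return 0.0
        return self.peak_rate_kg_h * math.exp(-(t_s - t_open) / self.time_const_s)


def peak_flare_load(bdvs, horizon_s: int = 900, step_s: int = 1):
    """Return (peak aggregate flare load in kg/h, time of that peak in s)."""
    peak, t_peak = 0.0, 0
    for t in range(0, horizon_s + 1, step_s):
        total = sum(b.rate_at(t) for b in bdvs)
        if total > peak:
            peak, t_peak = total, t
    return peak, t_peak


def stroke_time_findings(bdvs, tolerance: float = 0.10):
    """2.1.7: tags whose measured stroke time deviates from design by more than the tolerance."""
    return [b.tag for b in bdvs
            if abs(b.measured_stroke_s - b.design_stroke_s) > tolerance * b.design_stroke_s]


def sequence_findings(bdvs, flare_capacity_kg_h: float):
    """Findings in the checklist's terms: no sequencing (2.1.5/2.1.6), capacity exceeded, stroke time (2.1.7)."""
    findings = []
    if len(bdvs) > 1 and len({b.delay_s for b in bdvs}) == 1:
        findings.append("all BDVs share one delay setting: no sequenced blowdown")
    peak, t_peak = peak_flare_load(bdvs)
    if peak > flare_capacity_kg_h:
        findings.append(f"peak flare load {peak:.0f} kg/h at t={t_peak}s exceeds "
                        f"flare capacity {flare_capacity_kg_h:.0f} kg/h")
    for tag in stroke_time_findings(bdvs):
        findings.append(f"{tag}: measured stroke time outside 10% of design stroke time")
    return findings


FLARE_CAPACITY_KG_H = 85_000.0  # constructed flare tip capacity

# Constructed sample: staggered delays as set on the BDV timers
STAGGERED = [
    Bdv("BDV-101", delay_s=0,   design_stroke_s=10, measured_stroke_s=11, peak_rate_kg_h=40_000, time_const_s=300),
    Bdv("BDV-201", delay_s=60,  design_stroke_s=10, measured_stroke_s=10, peak_rate_kg_h=30_000, time_const_s=300),
    Bdv("BDV-301", delay_s=120, design_stroke_s=10, measured_stroke_s=14, peak_rate_kg_h=30_000, time_const_s=300),
]

# The same valves with every timer at zero, i.e. the condition task 2.1.5 guards against
SIMULTANEOUS = [
    Bdv("BDV-101", 0, 10, 10, 40_000, 300),
    Bdv("BDV-201", 0, 10, 10, 30_000, 300),
    Bdv("BDV-301", 0, 10, 10, 30_000, 300),
]

if __name__ == "__main__":
    for name, bdvs in (("staggered", STAGGERED), ("simultaneous", SIMULTANEOUS)):
        print(name, peak_flare_load(bdvs), sequence_findings(bdvs, FLARE_CAPACITY_KG_H))
```

With the staggered settings the peak load occurs when the third valve reaches full open and stays under the constructed capacity, and the only finding is BDV-301's stroke time; with all timers at zero the model reports both the missing sequence and a peak load above capacity, which is the outcome the verifier is asked to rule out in 2.1.5 and 2.1.6.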

AVAILABILITY

The target availability of ESD System shall be 100% on demand.

RELIABILITY

Overall probability of successful opening on demand of blowdown valves shall not be less than the value specified in the current HSE Case QRA.

SURVIVABILITY

N/A

INTERDEPENDENCIES

PC001 Pressure Vessels;
SD001 Emergency Shutdown (ESD) Control System;
PC007 Relief System (PRV, PSV, PVV and Burst Disc).

REFERENCES (For Assurance Task)

PTS 14.12.10 Classification, Verification and Implementation of Instrumented Protective Functions
PTS 14.12.12 Instrumented Protective System
PTS 14.12.11 Management of Instrumented Protective Function
IEC61508 – Functional Safety of Electrical/ Electronic/ programmable electronic safety-related system
IEC61511 – Functional Safety – Safety Instrumented System for the Process Industry
PCSB Inspection and Maintenance Guideline

APPENDIX


Responsible Technical Authority Approval And Signature:

Name Chua Kien Kek

Designation Custodian (Measurement)

Date 31-Dec-18


Appendix H: Practical Recommendation

(1) The Asset Register is a pre-requisite data set which consists of a comprehensive inventory of the equipment in a facility.
(2) Prior to the SCE identification process or workshop, it is critical to ensure that the asset register is verified. This can be reinforced by:
i. Verifying the Asset Register against the latest as-built P&IDs and drawings
ii. Performing site verification: Site Asset Personnel are to be engaged to verify that the Asset Register is complete prior to SCE Identification.
(3) The participants for each SCE identification session must be identified accordingly and ensured to be present during the session.
