Achieving Best in Class Performance Standards

Sean O'Sullivan, Marathon Oil U.K. LLC.


Why Performance Standards?

Prior to 1988, DoE and certification bodies defined what safety measures are required: prescriptive legislation

Prescriptive legislation cannot account for the differences in hazards etc., between each installation
Doesn't allow for alternative solutions

The Cullen Report led to goal setting

Operators to identify their own Safety Critical Elements

Performance Standards are where Operators define their Safety Critical Elements and demonstrate how their goals are achieved
Requirement [Offshore Safety Case Regulations, 2005] to define:
Functionality, Availability, Reliability, Survivability and Interaction/Dependency

Assessment of Safety Critical Elements

A systematic approach would define each function that is essential from each hazard assessment as safety critical




Smoke & Gas

It may be more efficient for a team to review the critical hardware components for preventing / mitigating major hazards only
Major hazards are defined in Safety Case Regulations (2005): Fires or Explosions



Structural Integrity

Design vs Operational Information

When identifying what the requirements are for each Performance Standard (PS), the team must consider what information they are trying to convey. For an existing asset, this is likely to be the specific requirement for that asset, as it stands. The information will be used during maintenance and defect identification. As part of a design project, performance standards could be used to define the design strategy for safety critical elements. It is difficult to combine both in one document.

Layout of Performance Standards

Introductory Information
Important first stage to clarify why each system is Safety Critical
Define purpose, scope and equipment items this standard covers
Can save time later, e.g. distinguishing which ventilation dampers are Safety Critical Elements
Define where additional information (e.g. drawings) is stored
Define contingency arrangements: what do you do if a failure is identified?

Functional Criteria
Define the overall purpose(s) of the system, e.g. TEMPSC to enable the evacuation of all personnel from the platform

Looking to specify only the criteria that are relevant for the functionality of the system
Consider if, given the function is available and operational, will it be effective in its purpose: can it be relied upon?
Recognise that some systems may be safety related, or primarily provided for safety, but are not Safety Critical

SMART criteria where possible

Reference numerical criteria where possible, recognise good/best practice

Assurance Activities
Important addition to the Performance Standards
Review whether checks are in place to prove that SCEs are effective
I.e. this is a demonstration that sufficient maintenance and testing is in place

If not already in place, can cross reference functional criteria with the maintenance management system such that PMRs can be flagged as safety critical
It is essential to review the content of each PMR, however it may not be appropriate to specify the frequency of each PMR

Verification Activities
Use of an Independent Verifying Body is a legal requirement, however the Independent Verification Body (IVB) scope is defined by the operator
The purpose of annual verification is to confirm that the SCEs are effective:
Do they function as specified?

Typically the minimum activities of the IVB are defined; the IVB is invited to continue reviewing information and witnessing tests until satisfied that we are / are not compliant

By defining the assurance activities and the IVB activities line by line against each functional criterion, we improve clarity of what is expected and what has been done, e.g. if anomalies are found

PFEER requirement to define in what circumstances the SCE is required to survive to provide its function
Generally, this cannot be influenced after design, however supporting structures and SCE requirements may reference this
E.g. Lifeboats to survive for 90 minutes: limited ability to test survivability criteria. Assurance by design
E.g. F&G system to operate for 90 minutes: partially assured by functionality of the electrical power system with 90 minute functional criterion for battery back up

Reliability / Availability
PFEER requirement to define reliability / availability requirement
Consider whether the Safety Case demands 100% availability: are suitable contingency arrangements in place in case of failure?

Is 100% availability realistic?
What is a realistic availability? 99%? 99.9%? 99.99%?

Does your QRA demonstrate that with <100% availability the overall risk is acceptable?
Can you measure or calculate availability?
E.g. for key systems where some failures are expected
Particularly useful for systems with many components


PFEER Availability Assessment

Linking reactive task management to population data for each equipment item
Failure rate and other reliability measures

Development of fault trees for each safety critical system
How does each component influence the overall system?
Although data quality issues are difficult to overcome

By tracking availability over time we can see trends in SCE performance

Availability Calculation Source Data

Work orders are given:
A PFEER fault code, identifying the type of failure
Time taken for repair to be completed

Work orders over a given time period are collated and summated by fault code

Probability of Failure on Demand (PFoD) is determined for each fault code, then PFoD is used in system specific fault trees to determine system PFoD
Components with no failures in a period are treated conservatively, using statistical industry data
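
The calculation chain described above (work orders summed by fault code, PFoD per fault code, then a fault tree for the system), as an added example that is not the operator's own tool. The fault codes, populations, industry figure, tree shape and the PFoD formula (repair hours divided by item-hours in the period) are assumptions constructed for illustration.

```python
from collections import defaultdict
from math import prod

PERIOD_HOURS = 2 * 365 * 24  # assumed two-year assessment window

# Constructed work orders: (fault code, repair hours). Codes are hypothetical.
WORK_ORDERS = [
    ("ESDV_FAIL_TO_CLOSE", 36.0),
    ("ESDV_FAIL_TO_CLOSE", 60.0),
    ("BDV_FAIL_TO_OPEN", 48.0),
]
# Constructed population data: installed items covered by each fault code.
POPULATION = {"ESDV_FAIL_TO_CLOSE": 40, "BDV_FAIL_TO_OPEN": 10,
              "LOGIC_SOLVER_FAIL": 2}
# Constructed stand-in for statistical industry data (PFoD per item).
INDUSTRY_PFOD = {"LOGIC_SOLVER_FAIL": 1e-3}


def pfod_by_fault_code(work_orders, population, industry, period_hours):
    """Sum repair hours per fault code and convert to a per-item PFoD."""
    downtime = defaultdict(float)
    for code, hours in work_orders:
        downtime[code] += hours
    result = {}
    for code, count in population.items():
        if downtime[code] > 0:
            # Assumption: PFoD = repair hours / (items x period hours).
            result[code] = downtime[code] / (count * period_hours)
        else:
            # No recorded failures: never claim zero, use the industry figure.
            result[code] = industry[code]
    return result


def or_gate(*p):
    """Top event occurs if any input fails (inputs assumed independent)."""
    return 1 - prod(1 - x for x in p)


def and_gate(*p):
    """Top event occurs only if every input fails (inputs assumed independent)."""
    return prod(p)


def isolation_pfod(pfod):
    """Hypothetical tree: logic solver fails OR both redundant valves fail."""
    valve = pfod["ESDV_FAIL_TO_CLOSE"]
    return or_gate(pfod["LOGIC_SOLVER_FAIL"], and_gate(valve, valve))
```

With this data the system figure is dominated by the logic solver, which had no recorded failures and therefore takes the industry value. This shows why the conservative treatment of zero-failure components matters to the result.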

PFoD by Fault Tree





Case studies
[Chart: Probability of Failure on Demand (PFoD), axis 0.0% to 1.4%, for PS04 Isolation and PS04 Blowdown, over successive periods from "01-Jan-08 To 31-Dec-09" through "01-Jul-10 To 30-Jun-12"]

Continuous Improvement
Performance standards are subject to regular review through use
Suggestions for changes and clarifications are welcomed from the verifier and users
One aspect of the Safety Case Thorough Review is to check the performance standards

It is perceived that the clarity of the performance standards aids their review and challenge

Summary (1/2)
Guidelines for the Management of Safety Critical Elements (2nd Edition), Energy Institute, give good guidance on the principles of Performance Standards, but additional effort in preparation and use of Performance Standards can yield benefits:
The act of writing Performance Standards is an opportunity for an Operator to develop their understanding of what equipment is Safety Critical
The layout is crucial and, if successful, can drive the outcome to be easily understood and useful. For example, blank boxes are an automatic gap analysis, e.g. missing function testing routines.
Upfront specification of the complete extent of a Performance Standard system can save time later.

Summary (2/2)
Documenting assurance activities is very useful in informing users of which tasks are safety critical, and defining how equipment is tested, particularly if this includes activities over several maintenance management systems.
Matching verification activities to functional criteria helps clarify when following up anomalies.
A thorough availability assessment is challenging to get right, but can be worthwhile in demonstrating adequate performance and identifying Safety Critical Element performance trends at an early stage

