Are you over cooking your Safety Critical Elements?

There is a lot of debate and variation in the process for deciding what should be categorised as an SCE. If you have too many SCE you're at risk of watering down the broth so much that it has no impact. With larger process plants, where the management of SCE can cause a lot of overhead, it's especially important to get this recipe right.


SCEs are a subgroup of control measures identified on a plant to protect it from major incidents occurring. Specific definitions of SCE will be given in the regional legislation the plant is operating in, but all follow a common theme. The definition for SCEs might look something like this:

Safety Critical Element

Means any part of a facility or its plant (including a computer program) -

    • That has the purpose of preventing, or limiting the effect of, a major incident; and
    • The failure of which could cause or contribute substantially to a major incident.

Several aspects of this definition require interpretation.

Facility or its Plant

A facility is defined in some regulations as the area under control of a person. The regulations may treat items within the area (plant, equipment etc.) separately, so these are not part of the facility.

Plant is not defined explicitly. The Oxford dictionary definition is "machinery used in an industrial or manufacturing process", which appears applicable. This can be interpreted to mean that plant includes all the devices and machinery used to conduct operations at the facility. It can be easier to consider what plant does not include. The following should not be considered as SCE:

  • Personnel, organisations
  • Mobile/Portable Equipment (such as tools, vehicles, etc used at the facility)
  • Management systems and procedures
  • Training and competence
  • Structures, such as buildings, foundations, supports

Purpose

There will be a requirement that an SCE have “the purpose of preventing or limiting the effect of a major incident”.

The definition refers to the purpose, not a secondary purpose or incidental effect. The interpretation is that purpose means the prime or sole intent of the part being considered.

Using LOPA to Identify SCE

So how do we take these definitions and implement a consistent methodology for SCE identification? Through experience supporting many plants with their safety cases, we have found the most effective way to determine SCE is to use Layers of Protection Analysis (LOPA) during the risk assessment phase of a safety assessment.


The rules of implementing independent protection layers (IPL) in LOPA align nicely to the SCE definition. IPL are:

    • Engineering Controls – therefore must be part of the plant
    • Effective – Purpose is to prevent the associated initiating event escalating to a major incident
    • Independent – The control is clearly defined from the initiating event and other IPL.
    • Auditable and Testable – Therefore can be verified which is another SCE requirement
    • Provide a specified risk reduction – If a control is not providing risk reduction it is not effective

By extracting the IPL that have been credited for risk reduction in the LOPA, we have a well-defined list of SCE. Applying the LOPA rules correctly, we can easily dismiss controls that appear to provide protection but are not significant enough to be allocated independent risk reduction. This means time and money can be focused on looking after the equipment that is really important. (Note: for identifying all control measures, bowtie techniques can be used in a similar way, as these will include administrative controls and help to determine effectiveness.)

Examples of what may be considered as an SCE

The following are some examples of what may be considered as SCE.

  • Safety Trips (sensor, pushbutton, logic solver, final element).
  • Pressure relief device (safety valve or rupture disk).
  • Secondary containment (bund)

What an SCE is not

Below are some areas we’ve seen where the rigors of managing SCE have been applied incorrectly.

  • Primary Containment of hazardous substance – Pressure Vessels, Pipework, turbine casings, pumps, seals. All have the purpose of containing the substance, not preventing a Major Incident. WorkSafe's 2017 Bulletin "Defining safety critical elements and demonstrating their independent verification at a major hazard facility" states "The highlight here is that the 'safety feature' of the primary containment is the SCE not the primary containment itself."
  • Primary Control – Control loops are designed to maintain the process within the designed operating parameters, not to protect against deviations. Failure of a control loop is usually an initiating event.
  • Administrative controls – Controls involving human interactions are not SCE. This might include Management Systems, Operating Procedures, Responses to Alarms, Security Systems.
  • The last line of defence. This has been a phrase used by companies to reduce the numbers of SCE they manage by ignoring everything other than the final trip system or relief device. WorkSafe have referred to SCE as the “last lines of defence” (note not singular) but this interpretation does not stand up against the definition.
  • Trips in a safety shutdown system or control system not identified in a risk assessment. I have come across some occasions where the identification of SCE has been attempted by reverse engineering from the trips on the plant. From experience, many historical implementations of trip systems have been carried out on an ad hoc "it seems reasonable to have a trip for that" basis. Using this method will result in potentially having more SCE than necessary.
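As an added illustration (not code from the original article or from Safety Solutions), the following Python screen applies the IPL rules from the LOPA section and the exclusions listed above to a constructed control register for one overfill scenario, returning the controls that survive as SCE and the reason each rejected control fails. The tag numbers, control kinds, PFD values and initiating event frequency are made up for the example; the closing frequency calculation (initiating event frequency multiplied by the PFD of each credited IPL) is standard LOPA arithmetic that the article itself does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: screen a register of candidate controls against the IPL
# rules (engineering control, effective, independent, auditable/testable,
# credited risk reduction) and keep only those that qualify as SCE.
# Tag names and PFD values are invented for illustration.


@dataclass
class Control:
    name: str
    kind: str                      # "engineering", "administrative", "containment", "control_loop"
    prevents_major_incident: bool  # prime purpose is to prevent or limit a major incident
    independent: bool              # independent of the initiating event and of other IPL
    testable: bool                 # can be audited and proof-tested
    pfd: Optional[float] = None    # probability of failure on demand credited in the LOPA; None = no credit


def reason_not_ipl(c: Control) -> Optional[str]:
    """Return why a control fails the IPL (hence SCE) screen, or None if it passes."""
    if c.kind == "control_loop":
        return "primary control: loop failure is an initiating event, not protection"
    if c.kind == "containment":
        return "primary containment: purpose is to contain the substance, not prevent the incident"
    if c.kind == "administrative":
        return "administrative control: relies on human action, not part of the plant"
    if c.kind != "engineering":
        return f"unknown control kind {c.kind!r}"
    if not c.prevents_major_incident:
        return "not effective: preventing the major incident is not its prime purpose"
    if not c.independent:
        return "not independent of the initiating event or of another IPL"
    if not c.testable:
        return "not auditable or testable, so it cannot be verified"
    if c.pfd is None or not (0.0 < c.pfd < 1.0):
        return "no credited risk reduction in the LOPA"
    return None


def identify_sce(controls: List[Control]) -> List[Control]:
    """The SCE list is exactly the set of controls credited as IPL in the LOPA."""
    return [c for c in controls if reason_not_ipl(c) is None]


def sce_names(controls: List[Control]) -> List[str]:
    return [c.name for c in identify_sce(controls)]


def mitigated_frequency(initiating_event_freq: float, ipls: List[Control]) -> float:
    """Standard LOPA arithmetic: initiating event frequency times the PFD of each credited IPL."""
    freq = initiating_event_freq
    for c in ipls:
        freq *= c.pfd
    return freq


# Constructed scenario: overfill of a hazardous-liquid storage tank.
INITIATING_EVENT_FREQ = 0.1  # per year, failure of the level control loop (made-up value)
TANK_OVERFILL_CONTROLS = [
    Control("LIC-101 level control loop", "control_loop", False, False, True, None),
    Control("Tank shell and nozzles", "containment", False, True, True, None),
    Control("Operator response to LAH-101 high level alarm", "administrative", True, True, False, None),
    Control("LSHH-102 high-high trip closing inlet valve XV-102", "engineering", True, True, True, 0.1),
    Control("Tank bund", "engineering", True, True, True, 0.1),
    Control("Inlet pump casing and seal", "containment", False, True, True, None),
]


if __name__ == "__main__":
    for c in TANK_OVERFILL_CONTROLS:
        why = reason_not_ipl(c)
        label = "SCE    " if why is None else "not SCE"
        print(f"{label}  {c.name}" + (f"  ({why})" if why else ""))
    ipls = identify_sce(TANK_OVERFILL_CONTROLS)
    print("mitigated frequency per year:", mitigated_frequency(INITIATING_EVENT_FREQ, ipls))
```

Run as a script, the screen keeps only the high-high trip and the bund as SCE; the control loop, the containment items and the operator response are each rejected with the reason given, and the scenario frequency is reduced by the two credited PFDs. Extending the register with real plant controls is a matter of filling in the same fields from the LOPA worksheet.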

For more information about Verification of SCE have a look at our website https://www.safetysolutions.co.nz/consulting/auditing-and-verification-services/control-verification/ and for LOPA training you can find information here https://www.safetysolutions.co.nz/training/risk-bowtie-lopa-training-courses/layer-of-protection-analysis/