Are you over cooking your Safety Critical Elements?

There is a lot of debate and variation in the process of deciding what should be categorised as an SCE. If you have too many SCE you're at risk of watering down the broth so much it has no impact. With larger process plants where the management of SCE can cause a lot of overhead, it’s especially important to get this recipe right.

SCEs are a subgroup of control measures identified on a plant to protect it from major incidents occurring. Specific definitions of SCE will be given in the regional legislation the plant is operating in, but all follow a common theme. The definition for SCEs might look something like this:

Safety Critical Element

This means any part of a facility or its plant (including a computer program) -

• • That has the purpose of preventing, or limiting the effect of, a major incident; and
  • The failure of which could cause or contribute substantially to a major incident.

This requires some interpretation of the aspects of this definition

Facility or its Plant

A facility is defined in some regulations as the area under the control of a person. The regulations may treat items within the area (plant, equipment etc.) separately, so these are not part of the facility.

Plant is not defined explicitly. The Oxford dictionary definition is “machinery used in an industrial or manufacturing process”, which appears applicable. This can be interpreted to mean that plant includes all the devices and machinery used to conduct operations at the facility. It can be easier to consider what plant does not include. The following should not be considered as SCE:

• Personnel, organisations
• Mobile/Portable Equipment (such as tools, vehicles, etc used at the facility)
• Management systems and procedures
• Training and competence
• Structures, such as buildings, foundations, supports

Purpose

There will be a requirement that an SCE has “the purpose of preventing or limiting the effect of a major incident”.

The definition refers to the purpose, not a secondary purpose or incidental effect. The interpretation is that purpose means the prime or sole intent of the part being considered.

Using LOPA to Identify SCE

So how do we take these definitions and implement a consistent methodology for SCE identification? Through experience supporting many plants with their safety cases, we have identified the most effective way to determine SCE is by using Layers of Protection Analysis (LOPA) during the risk assessment phase of a safety assessment. 

The rules of implementing independent protection layers (IPL) in LOPA align nicely with the SCE definition. IPL are:

• • Engineering Controls – therefore must be part of the plant
  • Effective – The purpose is to prevent the associated initiating event from escalating to a major incident
  • Independent – The control is clearly defined from the initiating event and other IPL.
  • Auditable and Testable – Therefore can be verified which is another SCE requirement
  • Provide a specified risk reduction – If a control is not providing risk reduction it is not effective

By extracting the IPL that have been credited for risk reduction in the LOPA, we have a well-defined list of SCE. Applying LOPA rules correctly we can easily dismiss controls that appear to provide protection but might not be significant enough to be allocated independent risk reduction. This means time and money can be focused on looking after the really important equipment. (Note for identifying all control measures bowtie techniques can be used similarly, as these will include administrative controls and help to determine effectiveness etc.).

Examples of what may be considered an SCE

The following are some examples of what may be considered SCE.

• Safety Trips(sensor, pushbutton, logic solver, final element).
• Pressure relief device (safety valve or rupture disk).
• Secondary containment (bund)

What an SCE is not

Below are some areas we’ve seen where the rigours of managing SCE have been applied incorrectly.

• Primary Containment of hazardous substances – Pressure Vessels, Pipework, turbine casings, pumps, seals. All have the purpose of containing the substance not preventing a Major Incident. WorkSafe’s 2017 Bulletin “Defining safety critical elements and demonstrating their independent verification at a major hazard facility” states “. The highlight here is that the ‘safety feature’ of the primary containment is the SCE, not the primary containment itself.”
• Primary Control – Control loops are designed to maintain the process within the designed operating parameters not to protect against deviations. Failure of a control loop is usually an initiating event
• Administrative controls – Controls involving human interactions are not SCE. This might include Management Systems, Operating Procedures, Responses to Alarms, and Security Systems.
• The last line of defence. This has been a phrase used by companies to reduce the number of SCE they manage by ignoring everything other than the final trip system or relief device. WorkSafe has referred to SCE as the “last lines of defence” (note not singular) but this interpretation does not stand up against the definition.
• Trips in a safety shutdown system or control system, not identified in a risk assessment. I have come across some occasions where the identification of SCE has been attempted by reverse engineering from the trips on the plant. From experience, many historical implementations of trip systems have been carried out on an ad hoc “it seems reasonable to have a trip for that” basis. Using this method will result in potentially having more SCE than necessary.

For more information about Verification of SCE have a look at our website https://www.safetysolutions.co.nz/consulting/auditing-and-verification-services/control-verification/ and for LOPA training you can find information here https://www.safetysolutions.co.nz/training/risk-bowtie-lopa-training-courses/layer-of-protection-analysis/