User Notes:

A controlled copy of the current version of this document is on Petrom Intranet EP. Before
making reference to this document, it is the user's responsibility to ensure that any copy is
current. For assistance, contact the Document Issuer.
This document is the property of Petrom EP. Neither the whole nor any part of this document
may be disclosed to others or reproduced, stored in a retrieval system, or transmitted in any
form by any means (electronic, mechanical, reprographic recording or otherwise) without
prior written consent of the owner.
Users are encouraged to participate in the ongoing improvement of this document by
providing constructive feedback.

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Management of Technical Integrity
Page 2 of 11
Edition: 01

Table of Contents
1.

2.

Introduction

1.1.

Scope

1.2.

Objective

Regulatory content

2.1

Define System Boundaries

2.2

Hazard Identification

2.3.

Safety Critical Elements (SCE)

2.4.

Performance Standards

2.5.

Written Scheme of Examination

2.6.

Independent Competent Person

2.7.

Records

2.7.1

Definition of Failure

2.7.2

Failure Record Data Structure

2.8.

Management Review of Technical Integrity

2.8.1

Aims

2.8.2

Summary Procedure

3.

Responsibilities

4.

Terms and abbreviations

10

5.

Obsolete regulations

10

6.

Supporting documentation

10

7.

Distribution list

11

8.

Amendments from the previous edition

11

9.

Annexes

11

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Management of Technical Integrity
Page 3 of 11
Edition: 01

1.

Introduction
1.1. Scope

This standard applies to all Petrom activities of the EP and EPS Divisions.
1.2. Objective
The objective of this standard is to establish the conditions that the technical integrity of
production facilities can be assured and that unplanned failures of equipment and associated
utilities are minimised.
The primary benefit of managing integrity is to minimise the potential of harm to persons.
This also has benefit in terms of minimising the impact on the environment. The concept of
integrity is to not have any unplanned failures (ruptures, leaks, emergency venting, etc) that
could result in release of hydrocarbons or chemicals to the atmosphere. Good integrity
management is then a control process to reduce risks of pollution and minimise emissions.
Additionally, well-maintained facilities will probably also keep running energy costs to a
minimum.
The principles of integrity management and independent verification apply throughout the
lifecycle of the facilities from design, construction, commissioning, start-up, production and
decommissioning (abandonment).
It is especially important to apply this standard whenever facilities are subject to change,
upgrade and modification. Major accidents have resulted when changes have been made to
the original design intent and the impact on technical integrity has not been fully assessed.
These changes do not have to be major; often a series of minor changes may in total have a
significant effect.
All facilities with the potential for a major accident (see Section 2.2 below) should be covered
by this standard including well systems (exploration, development, production and injection).
International standards exist for more specific aspects of technical integrity and these are
listed in Section 6.

2.

Regulatory content

The overall process to manage technical integrity is shown in Figure 1 below. The process is
sometimes referred to as the written scheme of examination, or verification scheme for safety
critical elements.

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Management of Technical Integrity
Page 4 of 11
Edition: 01

Define System
Boundaries

HAZID,
Risk Assessment,
RAM Studies

Review
and
Feedback

List Safety Critical

Elements and
Associated
Performance
Standards

Written Scheme of
Examination:
- Verification
- ICP
- Records

Implementation
and Assessment of
Results

Figure 1: Management of Technical Integrity

The process shown in Figure 1 is described in more detail below.
2.1

Define System Boundaries

The boundaries would normally include the well system, flowlines, drilling/workover
equipment, production train (including control, detection, alarm and shutdown equipment),
utilities, structures, fire fighting and life saving equipment and storage/export system. For
offshore facilities, accommodation units should be included within the scope.
2.2

Hazard Identification

All facilities are required to have a risk assessment (refer to standard HSEQ-RO-04-02, Risk
Assessment Criteria, latest revision) and this will include various techniques for identifying
hazards, e.g. hazard and operability study (HAZOP), failure modes and effects analysis, etc.
The effects of the hazards when they become uncontrolled can be quantified using
consequence models, such as gas dispersion, fire and explosion analysis. Combining the
consequences with the likely frequency will result in a risk profile to be developed for various
accident scenarios. RAM studies will also be required to optimise the selection of equipment
to minimise the risks.
Petrom EP Standard- HSEQ-RO-06-04-00
Valid from: 18.12.2008
Management of Technical Integrity
Page 5 of 11
Edition: 01

The risk assessment should identify the major accident scenarios. The definition of a major
accident is:

A fire, explosion or the release of a dangerous substance involving death, serious injury
or environmental pollution (inside or outside of the facilities);

Major damage to the structure or facilities;

Collision of a helicopter with an offshore installation;

Failure of diving life support system (offshore installation);

Any other event involving death or serious injury to five or more persons.
The overall process of risk assessment and identifying major accident scenarios would be
within the scope of a HSE Case (refer to standard HSEQ-RO-05-02 latest revision).
2.3.

Safety Critical Elements (SCE)

The next stage in the process is to identify safety critical elements (SCE).
The definition of a SCE is:
-

Any part of the facilities (including software) the failure of which could cause or
contribute substantially to a major accident or the purpose is to prevent or limit the
effects of a major accident.

The HSE Case quantitative risk assessment (QRA) uses numerical data such as event and
failure rate frequencies to calculate risk levels. This is done by assessing the frequency of
initiating hazards and analysing the reliability of the mechanisms that are in place to prevent
escalation. The final consequences are based on harm to persons and are used to prioritise on
risk reduction measures.
The reliability data used in QRA can be used to derive inspection and test frequencies for
safety critical elements. However, this is not always possible. For example, an escape route is
a safety critical element but defining a test frequency based on QRA principles does not have
the same practical (or mathematical) basis as the test frequency for equipment or systems
which have historical failure rate data, e.g. an emergency shutdown valve. QRA also has
limitations because the consequence models cannot accurately represent the real world and
the likely behaviour or response of people which can often have significant impact on the final
outcome for a hazardous event.
In conclusion, the risk assessment calculations from the safety case provide part of the
information for selecting safety critical elements. However, expert judgement shall be used to
interpret the safety case studies, in consultation with operations personnel to select the safety
critical elements and develop the scope and frequency of inspection.
The selection philosophy makes use of the hazard management process which is applied
during the lifecycle of an installation from design, construction, drilling, operation, combined
operations, modifications, through to abandonment. The process takes the major accident
scenarios and examines the step by step development of the accident from initiating event
through to the point where the risk does not pose a further threat. The hazard management
process has five steps, as follows:

Prevention
Detection
Control

Systems to control the primary initiating events;

Systems to detect that the primary safeguards have failed;
Systems (or secondary safeguards) to prevent the event escalating and
bring the plant to a safe state;
Mitigation
Systems to minimise the effect of the failure of primary and secondary

safeguards;
Recovery
Systems to recover from the effects of the incident and return facilities

to a safe state.
Each step is systematically examined to assess the plant or equipment (and associated
software), that contributes to preventing escalation of the hazardous event. The plant or
equipment (and associated software) identified is recorded as safety critical.

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Management of Technical Integrity
Page 6 of 11
Edition: 01

2.4.

Performance Standards

Performance standards shall be defined for safety critical elements. Performance standards
shall be developed on a system or component level using major hazard information,
reliability/availability data and operational judgement.
Performance standards shall include requirements relevant to the following categories:

Functionality

The intended purpose and fundamental design performance

requirement for an SCE.

The probability that the system will work on demand.

Reliability/Availability
Survivability

Interaction

The ability of the SCE to survive loadings from design

accidental events.
Dependencies and interactions with other systems or
performance standards.

System functional tests shall be implemented to verify that the individual SCE and their
interfaces perform to the required standard. The system functional tests are a reality check
and simulate, as close as possible, how the equipment is expected to function in an
emergency.
It is not always possible to carryout full functional tests on SCE when the installation is in the
operational lifecycle phase (e.g. for firewalls). In these cases other testing or inspection shall
be defined which shall give reasonable assurance that the SCE will stop the escalation of a
hazardous event.
Additionally some SCE are defined at the sub-system or component level (e.g. fire detectors)
and whilst they will be tested within an overall function test, individual component tests are
required for the assurance of component reliability.
2.5.

Written Scheme of Examination

The overall system for assurance of technical integrity should be documented in a written
scheme of examination. This would normally be integrated within the maintenance and
inspection program for the facilities to minimise any unnecessary duplication. The written
scheme of examination should be a controlled document.
The process of implementing the scheme is commonly referred to as verification and in
practice means providing assurance through measurement or testing that the facilities will
perform or maintain their technical integrity under normal and emergency design conditions.
2.6.

Independent Competent Person

A third party independent and competent person (ICP) shall be appointed to provide
verification that the written scheme is based on correct interpretation of the risks, is being
implemented correctly, records are accurate and are reviewed on an annual basis. The role of
the ICP is to provide an independent review of the overall system and not to be involved in
detailed inspection or testing. However, the ICP should have the freedom to witness any
critical test and drill down in order to satisfy themselves that the system is working
satisfactorily. Detailed guidance on the role and capabilities required by an ICP is provided in
Annex A.
2.7.

Records

Records of the performance history for the safety critical elements shall be maintained. A
consistent system for definitions and data collection shall be used to enable further analysis
and comparison with internal and industry standards.

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Management of Technical Integrity
Page 7 of 11
Edition: 01

2.7.1 Definition of Failure

Revealed failure: detected at the instance of occurrence. Unrevealed failure: not detected until
the next test or demand. Failure modes are categorised as follows:

Critical

A failure which is both sudden and causes cessation of one or more

fundamental functions. This failure requires immediate corrective
action in order to return the item to a satisfactory condition.

Degraded

A failure which is gradual, partial or both. Such a failure does not cease
the fundamental functions, but compromises one or several functions.
In time, such a failure may develop into a critical failure.

Incipient

An imperfection in the state or condition of an item or equipment so

that a degraded or critical failure can be expected to result if corrective
action is not taken.

A failure mode is defined as the effect by which a failure is observed on the item, rather than
the effect a failure has on the system containing an item. For instance, if a gas detector fails to
respond when the gas concentration increases substantially; the failure mode is defined as
critical. The effect on the gas detection system may not be critical if other detectors in the
system detect and respond correctly to the increased gas concentration.
A planning and records system shall flag components or systems of components that are
defined as safety critical.
2.7.2 Failure Record Data Structure
Records of examination and test shall be logged in the history layout file for each safety
critical element. The file shall also be used to record modifications and all failures of the safety
critical elements. The record is formatted using the data collection structure from industry
standard references:
The record structure shall be as follows:

Operational Modes

Continuous;
Active, sleeping condition;
Activated from stand-by condition.

Internal Environment

Medium handled, operating pressure/temperature, corrosive

elements, etc.

External Environment
Failure Cause

Indoors, outdoors, open/sheltered, etc.

Failure Mode
Repair Time

Design error, fabrication/assembly error, incorrect installation,

operator abuse, etc.
Critical, degraded, incipient

Man-hours to analyse the failure, repair and return the item to a

state of readiness including any testing. It excludes the time to
detect the failure, time to isolate the equipment from the
process before repair, delay and waiting for spare parts and
tools.
Records which are not reliability oriented (e.g. results of structure damage surveys, failure
investigations, etc) should be stored in the document control centre with a cross-reference to
the written scheme of examination.
Records that are no longer current because of revisions or expiration of the relevant part of
the WSE shall be retained for at least six months or longer if required by local legislation.

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Management of Technical Integrity
Page 8 of 11
Edition: 01

2.8.
2.8.1

Management Review of Technical Integrity

Aims

Formal management reviews should be carried out annually of the plans in place to ensure
Technical Integrity.
The review should take place away from daily operational activity and should aim to identify:

Changes, upgrades or modifications to facilities and their impact on technical integrity.

Progress against plans for upgrading, modifying or changing facilities.

Interpretation of results.

Future action plan.

The review shall look at past achievements, identify the key learning points and plan
improvements for the forthcoming year. In particular, the meeting shall identify whether the
technical integrity of the facilities is satisfactory and if any restrictions need to be placed on its
operation and manning.
2.8.2 Summary Procedure
On an annual basis the Production Manager shall convene a meeting to review the WSE for
safety critical elements. Attendees at the meeting shall typically include personnel as follows:

Production Manager (Chairperson).

Field Cluster Manager.
Plant Superintendent/Offshore Installation Manager.
Specialist Engineers (e.g. Mechanical, Process, C&I, Corrosion, etc).
HSEQ Representative.
ICP or its representative.

At the meeting the previous 12 months operation of the WSE for safety critical elements shall
be formally reviewed. A typical agenda could be as follows:

Review of actions arising from previous annual meeting.

Review of any changes, upgrades or modifications to the facilities.
Operations function: completion status report for the written scheme of examination.
Operations function: summary of unrevealed failures and damage to the installation.
Engineering function: summary review of examination and test results on safety critical
elements during the preceding 12 month period.
Engineering function: long term trend analysis.
Engineering function: appraisal of pipelines, risers, jacket structural integrity and
continued fitness for purpose.
Engineering function: appraisal of wells and topside facilities integrity (pressure
envelope) and continued fitness for purpose.
HSEQ Representative: impact on the safety case and report of relevant management
system audits.
Comments by the ICP on the continued fitness for purpose of the facilities.
Potential changes to operating conditions and loading on the facilities.
Revisions required to the written scheme of examination.
Comments by the ICP on changes to the WSE.

Actions arising from the annual review shall be formally recorded and tracked on a database.

3.

Responsibilities

The Assets Managers and Field Cluster managers are responsible for implementing
these standards for all production facilities where Petrom is the operator.

For a development project within an Asset the Project Manager (or Field Cluster
manager, if appointed) is responsible for implementing these standards prior to
handover to the operating group.
Petrom EP Standard- HSEQ-RO-06-04-00
Valid from: 18.12.2008
Management of Technical Integrity
Page 9 of 11
Edition: 01

4.

Terms and abbreviations

4.1

Terms
Independent Competent Person - The person can be an individual or a corporate entity
(when it sometimes referred to as an independent verification body).

Independent Verification Body - see ICP above.

RAM An acronym for reliability, availability and maintainability. Reliability measures

the likelihood that a system will operate for a given time. Maintainability measures how
quickly a system can be brought back into operation after a failure has occurred.
Availability measures the proportion of time that a system operates for, given that
failures can occur and are then repaired. Availability measures the combined effects of
reliability and maintainability.

Technical Integrity a concept that ensures the pressure containing envelope of the
hydrocarbon processing system will not fail and cause unplanned release of well fluids
and stored energy that could create a hazard. It is a concept that includes associated
utilities, supporting structures and special activities connected with the facilities (e.g. for
offshore: diving and helicopter operations). Technical integrity is sometimes referred to
as fit for intended purpose.

4.2

Abbreviations

EP Exploration & Production

EPS - Exploration & Production Services
HAZID Hazards Identification
HAZOP Hazards and Operability
ICP - Independent Competent Person
IVB- Independent Verification Body
QRA Quantitative Risk Assessment
RAM - Reliability, Availability and Maintainability
SCE Safety Critical Element(s)
WSE Written Scheme of Examination

5.
6.

Obsolete regulations

Supporting documentation
Petrom EP, Guidelines for HSEQ in Projects, document no HSEQ-RO-04-01 latest
revision.
Petrom EP, Risk Assessment Criteria Standard, document no HSEQ-RO-04-02 latest
revision.
Petrom EP, HSE Case Standard, document no HSEQ-RO-05-02 latest revision.
ISO/CD 19901-3 Petroleum and natural gas industries Specific requirements for
offshore structures Part 3: Topsides structure.
ISO/CD 19902 Petroleum and natural gas industries Fixed steel offshore structures.
ISO/CD 19904 Petroleum and natural gas industries Floating offshore structures
including station keeping.
IEC 61508 Functional safety of electrical/electronic/programmable electronic safetyrelated systems.
ANSI/API Standard 1160 Managing system integrity for hazardous liquid pipelines.
API Standard RP 579 Fitness for service.
ANSI/API Standard RP 580 Risk based inspection.

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Management of Technical Integrity
Page 10 of 11
Edition: 01

7.

Distribution list

Petrom EP and EPS BU Managers;

Asset managers;
Field Cluster managers;
Project managers;
HSEQ EP;
HSEQ EPS.

8.

Amendments from the previous edition

Current edition
01

9.

Valid from
Approval date

Amended chapters
-

Annexes

Annex A

Selection criteria for Independent Competent Person (ICP)

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Management of Technical Integrity
Page 11 of 11
Edition: 01

Annex A: Selection Criteria for an

Independent Competent Person (ICP)
The purpose of this Annex is to define the selection criteria, in terms of role and capabilities, for an
Independent Competent Person (ICP). It can be used as selection criteria to pre-qualify companies
that are being considered for appointment as an ICP.
Petrom shall appoint a third party ICP to consult and comment on the written scheme of examination
(WSE).
1.

Functions

The general functions that the ICP shall be required to perform are as follows:

Witness/review major functional testing of SCE;

Review and comment on the WSE including revisions;

Review and comment on the record of safety critical elements including revisions; and formally
note any comments following these reviews.

On an annual basis the ICP shall be requested to review and comment on the examination and test
records for the following plant and equipment:

Safety critical elements

Platform/ship structure and moorings (offshore)

Pipeline systems

Well systems (including well protectors for subsea wells

On an as required basis the ICP shall be requested to review and comment on the assessment and
remedial plans following damage or failure to safety critical elements, structures, pipelines and well
systems.
The ICP shall be required to attend the annual OMV Management Review of the WSE for Safety
Critical Elements and Asset Integrity.
2.

Required ICP Management System Capabilities

Selection of an ICP (and ongoing appraisal) shall be by assessment of their overall capabilities and
commitment to providing a quality service to a recognized benchmark, such as the ISO 9000 series of
standards. The ICP shall be appointed following satisfactory assessment of the management system
elements defined below.
2.1

Organization and Planning

The ICP shall have the capability to provide a full range of technical expertise for the specific facilities.
The ICP function shall be independent from any other services provided by the parent company (e.g.
quality assurance, engineering or consultancy services, etc). However, where an interface is required
(or necessary) the ICP shall have internal controls to assure independence. The interfaces shall be
clearly documented.
The ICP shall ensure that personnel of the appropriate competency are available for the expected
demands of an operation that works continuously. Suitable planning provision shall be made to
ensure back up for high workloads or sickness/leave. Where the ICP intends using second or third
party personnel, the individuals shall be independent of any potential conflicts of interest and have
equivalent standards of competency as full time ICP staff.

Petrom EP Standard- HSEQ-RO-06-04-00

Annex A of Petrom EP Standard
Valid from: 18.12.2008
Page 1 of 2
Management of Technical Integrity
Edition: 01

Where the ICP employs staff in other parts of its organization to carry out examination, testing or
engineering consultancy activities and they will be required to demonstrate sufficient independence
exists within their organization to prevent conflicts of interest.
2.2

Engineering and Document Control

The ICP shall have the engineering capability to enable sound technical decisions to be arrived at by
reference to in-house expertise, validating computer software models, legislative information,
technical standards and working knowledge of the exploration and production oil/gas industry.
Records and communications shall be subject to a formal document control which ensures that
transmittal, receipt, archive and retrieval facilities are efficient and secure. Appropriate back up
systems shall be in place.
2.3.

Competency Assurance

The ICP shall have a system in place to ensure the competency of any personnel who provide
services to Petrom. The system should be based on a generic framework as follows:

Task Definition

The required functions specified for the service to be provided shall

provide the basis for defining the tasks to be carried out by the ICP.
This will enable the correct level of skill for personnel to be defined to
perform the specified function. Normally this would be identified in a
job description/function for an individual.

Skill Measurement

A system which can measure the achieved level of skill to enable a

match with the tasks that an individual is expected to carry out. This
could include academic or in-house examinations, independent
certification from examination bodies or supervised work experience.

Skills Inventory

A maintained database of the skills levels for individuals. Typically this

would record references, professional qualifications, vocational
training, relevant proven experience.

Performance Monitoring
and Review
A system that will regularly appraise the performance of individuals
and provide feedback to improve or develop potential.

2.4.

Audit

The ICP shall have an audit system to assess that their working practices meet planned arrangements
and that they are suitable to carry out the functions for an ICP as defined in this procedure.

Petrom EP Standard- HSEQ-RO-06-04-00

Valid from: 18.12.2008
Annex A of Petrom EP Standard
Page 2 of 2
Management of Technical Integrity
Edition: 01